From 16d305b0ec0cc7d671880bc2d52ba07aa9e74771 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 10 2013 21:14:26 +0000 Subject: Update to latest F19 --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f491cf2..459d84d 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2042,7 +2042,7 @@ index 0960199..aa51ab2 100644 + can_exec($1, sudo_exec_t) +') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index d9fce57..ed65dbc 100644 +index d9fce57..fc6d1d3 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,100 @@ attribute sudodomain; @@ -2115,7 +2115,7 @@ index d9fce57..ed65dbc 100644 +#auth_run_chk_passwd(sudodomain) +# sudo stores a token in the pam_pid directory +auth_manage_pam_pid(sudodomain) -+#auth_use_nsswitch(sudodomain) ++auth_manage_faillog(sudodomain) + +application_signal(sudodomain) + @@ -3027,7 +3027,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..4debbf2 100644 +index 644d4d7..38a8a2d 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3185,7 +3185,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -215,18 +246,30 @@ ifdef(`distro_gentoo',` +@@ -215,18 +246,31 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3198,6 +3198,7 @@ index 644d4d7..4debbf2 100644 +/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) @@ -3223,7 +3224,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -241,10 +284,15 @@ ifdef(`distro_gentoo',` +@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3239,7 +3240,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -257,10 +305,17 @@ ifdef(`distro_gentoo',` +@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3260,7 +3261,7 @@ index 644d4d7..4debbf2 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -276,10 +331,15 @@ ifdef(`distro_gentoo',` +@@ -276,10 +332,15 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) @@ -3276,7 +3277,7 @@ index 644d4d7..4debbf2 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -294,16 +354,22 @@ ifdef(`distro_gentoo',` +@@ -294,16 +355,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3301,7 +3302,7 @@ index 644d4d7..4debbf2 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -321,20 +387,27 @@ ifdef(`distro_redhat', ` +@@ -321,20 +388,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3330,7 +3331,7 @@ index 644d4d7..4debbf2 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +456,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +457,15 @@ ifdef(`distro_suse', ` # # /var # @@ -3347,7 +3348,7 @@ index 644d4d7..4debbf2 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +474,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +475,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5082,7 +5083,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..a69e038 100644 +index 4edc40d..73d7b76 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5168,7 +5169,15 @@ index 4edc40d..a69e038 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -107,7 +129,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0) +@@ -96,6 +118,7 @@ network_port(boinc, tcp,31416,s0) + network_port(boinc_client, tcp,1043,s0, udp,1034,s0) + network_port(biff) # no defined portcon + network_port(certmaster, tcp,51235,s0) ++network_port(collectd, udp,25826,s0) + network_port(chronyd, udp,323,s0) + network_port(clamd, tcp,3310,s0) + network_port(clockspeed, udp,4041,s0) +@@ -107,7 +130,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) @@ -5176,7 +5185,7 @@ index 4edc40d..a69e038 100644 network_port(ctdb, tcp,4379,s0, udp,4397,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -119,18 +140,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,18 +141,23 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5201,7 +5210,7 @@ index 4edc40d..a69e038 100644 network_port(glance_registry, tcp,9191,s0, udp,9191,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) -@@ -139,45 +165,51 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +166,51 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5267,7 +5276,7 @@ index 4edc40d..a69e038 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -188,21 +220,28 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -188,21 +221,28 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -5299,7 +5308,7 @@ index 4edc40d..a69e038 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +253,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +254,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5347,7 +5356,7 @@ index 4edc40d..a69e038 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +299,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +300,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5358,7 +5367,7 @@ index 4edc40d..a69e038 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +311,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +312,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5371,7 +5380,7 @@ index 4edc40d..a69e038 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +335,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +336,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -5390,7 +5399,7 @@ index 4edc40d..a69e038 100644 ######################################## # -@@ -330,6 +377,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +378,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5399,7 +5408,7 @@ index 4edc40d..a69e038 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +391,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +392,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -5451,10 +5460,10 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..3a628fe 100644 +index b31c054..3035b45 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc -@@ -15,15 +15,17 @@ +@@ -15,15 +15,18 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) @@ -5471,10 +5480,11 @@ index b31c054..3a628fe 100644 /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh) ++/dev/ptp.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -61,7 +63,8 @@ +@@ -61,7 +64,8 @@ /dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) @@ -5484,7 +5494,15 @@ index b31c054..3a628fe 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +132,14 @@ ifdef(`distro_suse', ` +@@ -118,6 +122,7 @@ + ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) + ') ++/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) + /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +@@ -129,12 +134,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -5499,7 +5517,7 @@ index b31c054..3a628fe 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -198,12 +203,22 @@ ifdef(`distro_debian',` +@@ -198,12 +205,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -5525,7 +5543,7 @@ index b31c054..3a628fe 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..059e984 100644 +index 76f285e..09ccba4 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6424,7 +6442,7 @@ index 76f285e..059e984 100644 # -interface(`dev_manage_sysfs_dirs',` +interface(`dev_read_cpu_online',` - gen_require(` ++ gen_require(` + type cpu_online_t; + ') + @@ -6443,7 +6461,7 @@ index 76f285e..059e984 100644 +## +# +interface(`dev_relabel_cpu_online',` -+ gen_require(` + gen_require(` + type cpu_online_t; type sysfs_t; ') @@ -6457,11 +6475,81 @@ index 76f285e..059e984 100644 ######################################## ## ## Read hardware state information. -@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',` +@@ -4016,7 +4445,7 @@ interface(`dev_rw_sysfs',` ######################################## ## +-## Read and write the TPM device. +## Relabel hardware state directories. + ## + ## + ## +@@ -4024,58 +4453,114 @@ interface(`dev_rw_sysfs',` + ## + ## + # +-interface(`dev_rw_tpm',` ++interface(`dev_relabel_sysfs_dirs',` + gen_require(` +- type device_t, tpm_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## Relabel hardware state files + ## +-## +-##

+-## Allow the specified domain to read from pseudo random number +-## generator devices (e.g., /dev/urandom). Typically this is +-## used in situations when a cryptographically secure random +-## number is not necessarily needed. One example is the Stack +-## Smashing Protector (SSP, formerly known as ProPolice) support +-## that may be compiled into programs. +-##

+-##

+-## Related interface: +-##

+-##
    +-##
  • dev_read_rand()
  • +-##
+-##

+-## Related tunable: +-##

+-##
    +-##
  • global_ssp
  • +-##
+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`dev_read_urand',` ++interface(`dev_relabel_all_sysfs',` + gen_require(` +- type device_t, urandom_device_t; ++ type sysfs_t; + ') + +- read_chr_files_pattern($1, device_t, urandom_device_t) ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to read from pseudo ++## Allow caller to modify hardware state information. +## +## +## @@ -6469,17 +6557,17 @@ index 76f285e..059e984 100644 +## +## +# -+interface(`dev_relabel_sysfs_dirs',` ++interface(`dev_manage_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Relabel hardware state files ++## Read and write the TPM device. +## +## +## @@ -6487,37 +6575,59 @@ index 76f285e..059e984 100644 +## +## +# -+interface(`dev_relabel_all_sysfs',` ++interface(`dev_rw_tpm',` + gen_require(` -+ type sysfs_t; ++ type device_t, tpm_device_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) -+ relabel_files_pattern($1, sysfs_t, sysfs_t) -+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ rw_chr_files_pattern($1, device_t, tpm_device_t) +') + +######################################## +## -+## Allow caller to modify hardware state information. ++## Read from pseudo random number generator devices (e.g., /dev/urandom). +## ++## ++##

++## Allow the specified domain to read from pseudo random number ++## generator devices (e.g., /dev/urandom). Typically this is ++## used in situations when a cryptographically secure random ++## number is not necessarily needed. One example is the Stack ++## Smashing Protector (SSP, formerly known as ProPolice) support ++## that may be compiled into programs. ++##

++##

++## Related interface: ++##

++##
    ++##
  • dev_read_rand()
  • ++##
++##

++## Related tunable: ++##

++##
    ++##
  • global_ssp
  • ++##
++##
+## +## +## Domain allowed access. +## +## ++## +# -+interface(`dev_manage_sysfs_dirs',` ++interface(`dev_read_urand',` + gen_require(` -+ type sysfs_t; ++ type device_t, urandom_device_t; + ') + -+ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ read_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## +## - ## Read and write the TPM device. ++## Do not audit attempts to read from pseudo + ## random devices (e.g., /dev/urandom) ## ## @@ -4113,6 +4598,25 @@ interface(`dev_write_urand',` @@ -6546,7 +6656,193 @@ index 76f285e..059e984 100644 ## Getattr generic the USB devices. ##
## -@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',` +@@ -4409,9 +4913,9 @@ interface(`dev_rw_usbfs',` + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + ') + +-######################################## ++###################################### + ## +-## Get the attributes of video4linux devices. ++## Read and write userio device. + ## + ## + ## +@@ -4419,17 +4923,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_userio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, userio_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, userio_device_t) + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Get the attributes of video4linux devices. + ## + ## + ## +@@ -4437,12 +4941,12 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_getattr_video_dev',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, v4l_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## +@@ -4539,6 +5043,134 @@ interface(`dev_write_video_dev',` + + ######################################## + ## ++## Get the attributes of vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of vfio device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_vfio_dev',` ++ gen_require(` ++ type vfio_device_t; ++ ') ++ ++ dontaudit $1 vfio_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of vfio device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of vfio device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_setattr_vfio_dev',` ++ gen_require(` ++ type vfio_device_t; ++ ') ++ ++ dontaudit $1 vfio_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read the vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Write the vfio devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Read and write the VFIO devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_vfio_dev',` ++ gen_require(` ++ type device_t, vfio_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## + ## Allow read/write the vhost net device + ## + ## +@@ -4557,6 +5189,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -6571,7 +6867,7 @@ index 76f285e..059e984 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5412,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -6598,7 +6894,7 @@ index 76f285e..059e984 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',` +@@ -4851,3 +5521,943 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -6758,6 +7054,7 @@ index 76f285e..059e984 100644 + type dlm_control_device_t; + type clock_device_t; + type v4l_device_t; ++ type vfio_device_t; + type event_device_t; + type xen_device_t; + type framebuf_device_t; @@ -6901,7 +7198,12 @@ index 76f285e..059e984 100644 + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2") ++ filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3") + filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201") ++ filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002") @@ -7537,7 +7839,7 @@ index 76f285e..059e984 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 6529bd9..cfec99c 100644 +index 6529bd9..831344c 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -7603,7 +7905,17 @@ index 6529bd9..cfec99c 100644 # # Type for /dev/tpm # -@@ -274,6 +283,7 @@ dev_node(v4l_device_t) +@@ -266,6 +275,9 @@ dev_node(usbmon_device_t) + type userio_device_t; + dev_node(userio_device_t) + ++type vfio_device_t; ++dev_node(vfio_device_t) ++ + type v4l_device_t; + dev_node(v4l_device_t) + +@@ -274,6 +286,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -7611,7 +7923,7 @@ index 6529bd9..cfec99c 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +329,5 @@ files_associate_tmp(device_node) +@@ -319,5 +332,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -7757,7 +8069,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..ff7b3f4 100644 +index cf04cb5..3a38af0 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -7790,11 +8102,13 @@ index cf04cb5..ff7b3f4 100644 ## ##

-@@ -86,23 +109,43 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +109,45 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; +allow domain self:fifo_file rw_fifo_file_perms; ++allow domain self:sem create_sem_perms; ++allow domain self:shm create_shm_perms; + kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) @@ -7835,7 +8149,7 @@ index cf04cb5..ff7b3f4 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +164,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +166,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -7854,7 +8168,7 @@ index cf04cb5..ff7b3f4 100644 ') optional_policy(` -@@ -133,6 +186,8 @@ optional_policy(` +@@ -133,6 +188,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -7863,7 +8177,7 @@ index cf04cb5..ff7b3f4 100644 ') ######################################## -@@ -147,12 +202,18 @@ optional_policy(` +@@ -147,12 +204,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -7883,7 +8197,7 @@ index cf04cb5..ff7b3f4 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +227,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,267 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8395,7 +8709,7 @@ index c2c6e05..be423a7 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..87c124c 100644 +index 64ff4d7..9389e60 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -8543,7 +8857,7 @@ index 64ff4d7..87c124c 100644 ##

  • files_tmp_file()
  • ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • -@@ -125,30 +256,31 @@ interface(`files_security_file',` +@@ -125,44 +256,59 @@ interface(`files_security_file',` typeattribute $1 file_type, security_file_type, non_auth_file_type; ') @@ -8575,55 +8889,74 @@ index 64ff4d7..87c124c 100644 ######################################## ## - ## Make the specified type usable for +-## Make the specified type usable for -## filesystem mount points. -+## security file filesystem mount points. ++## Create a private type object in mountpoint dir ++## with an automatic type transition ## - ## +-## ++## ## -@@ -156,33 +288,33 @@ interface(`files_lock_file',` +-## Type to be used for mount points. ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ## ## # -interface(`files_mountpoint',` -+interface(`files_security_mountpoint',` ++interface(`files_mountpoint_filetrans',` gen_require(` attribute mountpoint; ') - files_type($1) -+ files_security_file($1) - typeattribute $1 mountpoint; +- typeattribute $1 mountpoint; ++ filetrans_pattern($1, mountpoint, $2, $3, $4) ') ######################################## +@@ -188,6 +334,26 @@ interface(`files_security_mountpoint',` + ######################################## ## ## Make the specified type usable for --## security file filesystem mount points. +## lock files. - ## - ## - ## --## Type to be used for mount points. ++## ++## ++## +## Type to be used for lock files. - ## - ## - # --interface(`files_security_mountpoint',` ++## ++## ++# +interface(`files_lock_file',` - gen_require(` -- attribute mountpoint; ++ gen_require(` + attribute lockfile; - ') - -- files_security_file($1) -- typeattribute $1 mountpoint; ++ ') ++ + files_type($1) + typeattribute $1 lockfile; - ') - - ######################################## -@@ -521,7 +653,7 @@ interface(`files_mounton_non_security',` ++') ++ ++######################################## ++## ++## Make the specified type usable for + ## runtime process ID files. + ## + ## +@@ -521,7 +687,7 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') @@ -8632,7 +8965,7 @@ index 64ff4d7..87c124c 100644 allow $1 non_security_file_type:file mounton; ') -@@ -620,6 +752,63 @@ interface(`files_dontaudit_getattr_non_security_files',` +@@ -620,6 +786,63 @@ interface(`files_dontaudit_getattr_non_security_files',` ######################################## ## @@ -8696,7 +9029,7 @@ index 64ff4d7..87c124c 100644 ## Read all files. ## ## -@@ -683,12 +872,82 @@ interface(`files_read_non_security_files',` +@@ -683,12 +906,82 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -8779,7 +9112,7 @@ index 64ff4d7..87c124c 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -953,6 +1212,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1246,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -8805,7 +9138,7 @@ index 64ff4d7..87c124c 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1269,25 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1303,25 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -8831,7 +9164,7 @@ index 64ff4d7..87c124c 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,10 +1370,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1404,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8844,7 +9177,7 @@ index 64ff4d7..87c124c 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1477,6 @@ interface(`files_list_all',` +@@ -1182,24 +1511,6 @@ interface(`files_list_all',` ######################################## ## @@ -8869,17 +9202,19 @@ index 64ff4d7..87c124c 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1720,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,10 +1754,7 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) - ') +-') ++') ############################################# -@@ -1583,6 +1857,24 @@ interface(`files_getattr_all_mountpoints',` + ## +@@ -1583,6 +1891,24 @@ interface(`files_getattr_all_mountpoints',` ######################################## ## @@ -8904,54 +9239,35 @@ index 64ff4d7..87c124c 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,25 +1965,61 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,6 +1999,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## --## Do not audit attempts to write to mount points. +## Write all mount points. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_write_all_mountpoints',` -- gen_require(` -- attribute mountpoint; -- ') -+interface(`files_write_all_mountpoints',` -+ gen_require(` -+ attribute mountpoint; -+ ') - -- dontaudit $1 mountpoint:dir write; -+ allow $1 mountpoint:dir write; - ') - - ######################################## - ## --## List the contents of the root directory. -+## Do not audit attempts to write to mount points. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_write_all_mountpoints',` -+ gen_require(` -+ attribute mountpoint; -+ ') ++interface(`files_write_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') + -+ dontaudit $1 mountpoint:dir write; ++ allow $1 mountpoint:dir write; +') + +######################################## +## + ## Do not audit attempts to write to mount points. + ## + ## +@@ -1691,6 +2035,24 @@ interface(`files_dontaudit_write_all_mountpoints',` + + ######################################## + ## +## Write all file type directories. +## +## @@ -8970,11 +9286,10 @@ index 64ff4d7..87c124c 100644 + +######################################## +## -+## List the contents of the root directory. + ## List the contents of the root directory. ## ## - ## -@@ -1874,25 +2202,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2236,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -9006,7 +9321,7 @@ index 64ff4d7..87c124c 100644 ## ## ## -@@ -1905,7 +2233,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2267,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -9015,7 +9330,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -1928,6 +2256,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2290,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -9040,7 +9355,7 @@ index 64ff4d7..87c124c 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2973,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3007,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -9065,7 +9380,7 @@ index 64ff4d7..87c124c 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3062,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3096,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -9073,7 +9388,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -2706,7 +3071,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3105,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -9082,7 +9397,7 @@ index 64ff4d7..87c124c 100644 ## ## # -@@ -2762,6 +3127,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3161,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -9108,7 +9423,7 @@ index 64ff4d7..87c124c 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3164,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3198,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -9133,7 +9448,7 @@ index 64ff4d7..87c124c 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3347,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3381,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -9158,7 +9473,7 @@ index 64ff4d7..87c124c 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3003,9 +3387,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3421,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -9169,7 +9484,7 @@ index 64ff4d7..87c124c 100644 ## ## ## -@@ -3013,18 +3395,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3429,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -9191,7 +9506,7 @@ index 64ff4d7..87c124c 100644 ## ## ## -@@ -3042,6 +3423,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3457,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -9218,7 +9533,7 @@ index 64ff4d7..87c124c 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3460,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3494,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -9226,7 +9541,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -3080,6 +3482,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3516,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -9234,7 +9549,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -3132,6 +3535,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3569,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -9260,7 +9575,7 @@ index 64ff4d7..87c124c 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3630,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3664,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -9286,7 +9601,7 @@ index 64ff4d7..87c124c 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3896,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3930,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -9312,7 +9627,7 @@ index 64ff4d7..87c124c 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4256,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4290,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -9356,7 +9671,7 @@ index 64ff4d7..87c124c 100644 ') ######################################## -@@ -4199,156 +4677,176 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,58 +4711,225 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -9441,13 +9756,11 @@ index 64ff4d7..87c124c 100644 -interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; -- ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t; + ') - -- dontaudit $1 tmp_t:dir getattr; ++ + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") @@ -9464,473 +9777,386 @@ index 64ff4d7..87c124c 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") - ') - --######################################## ++') ++ +###################################### - ## --## Search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') - -- allow $1 tmp_t:dir search_dir_perms; ++ + relabelto_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +###################################### - ## --## Do not audit attempts to search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_search_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') - -- dontaudit $1 tmp_t:dir search_dir_perms; ++ + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) - ') - --######################################## ++') ++ +################################### - ## --## Read the tmp directory (/tmp). ++## +## Create files in /etc with the type used for +## the manageable system config files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## The type of the process performing this action. +## - ## - # --interface(`files_list_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir list_dir_perms; ++ + filetrans_pattern($1, etc_t, system_conf_t, file) - ') - - ######################################## - ## --## Do not audit listing of the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). - ## --## ++## +## - ## --## Domain not to audit. ++## +## Type of the file to associate. - ## - ## - # --interface(`files_dontaudit_list_tmp',` ++## ++## ++# +interface(`files_associate_tmp',` - gen_require(` - type tmp_t; - ') - -- dontaudit $1 tmp_t:dir list_dir_perms; ++ gen_require(` ++ type tmp_t; ++ ') ++ + allow $1 tmp_t:filesystem associate; - ') - - ######################################## - ## --## Remove entries from the tmp directory. ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system - ## --## ++## +## - ## --## Domain allowed access. ++## +## Type of the file to associate. - ## - ## - # --interface(`files_delete_tmp_dir_entry',` ++## ++## ++# +interface(`files_associate_rootfs',` - gen_require(` -- type tmp_t; ++ gen_require(` + type root_t; - ') - -- allow $1 tmp_t:dir del_entry_dir_perms; ++ ') ++ + allow $1 root_t:filesystem associate; - ') - - ######################################## - ## --## Read files in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Get the attributes of the tmp directory (/tmp). - ## - ## - ## -@@ -4356,53 +4854,56 @@ interface(`files_delete_tmp_dir_entry',` - ## - ## - # --interface(`files_read_generic_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_getattr_tmp_dirs',` - gen_require(` - type tmp_t; - ') - -- read_files_pattern($1, tmp_t, tmp_t) ++ gen_require(` ++ type tmp_t; ++ ') ++ + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Manage temporary directories in /tmp. ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on tmp files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_generic_tmp_dirs',` ++## ++## ++# +interface(`files_dontaudit_access_check_tmp',` - gen_require(` -- type tmp_t; ++ gen_require(` + type etc_t; - ') - -- manage_dirs_pattern($1, tmp_t, tmp_t) ++ ') ++ + dontaudit $1 tmp_t:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Manage temporary files and directories in /tmp. ++') ++ ++######################################## ++## +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_generic_tmp_files',` ++## ++## ++# +interface(`files_dontaudit_getattr_tmp_dirs',` - gen_require(` - type tmp_t; ++ gen_require(` ++ type tmp_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) -+ dontaudit $1 tmp_t:dir getattr; - ') - - ######################################## - ## --## Read symbolic links in the tmp directory (/tmp). -+## Search the tmp directory (/tmp). - ## - ## - ## -@@ -4410,35 +4911,36 @@ interface(`files_manage_generic_tmp_files',` - ## - ## - # --interface(`files_read_generic_tmp_symlinks',` -+interface(`files_search_tmp',` - gen_require(` + dontaudit $1 tmp_t:dir getattr; +@@ -4271,6 +4950,7 @@ interface(`files_search_tmp',` type tmp_t; ') - read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir search_dir_perms; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; ') - ######################################## - ## --## Read and write generic named sockets in the tmp directory (/tmp). -+## Do not audit attempts to search the tmp directory (/tmp). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_rw_generic_tmp_sockets',` -+interface(`files_dontaudit_search_tmp',` - gen_require(` +@@ -4307,6 +4987,7 @@ interface(`files_list_tmp',` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) -+ dontaudit $1 tmp_t:dir search_dir_perms; - ') - - ######################################## - ## --## Set the attributes of all tmp directories. -+## Read the tmp directory (/tmp). - ## - ## - ## -@@ -4446,77 +4948,74 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` -+interface(`files_list_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; + read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir list_dir_perms; + allow $1 tmp_t:dir list_dir_perms; ') - ######################################## - ## --## List all tmp directories. -+## Do not audit listing of the tmp directory (/tmp). +@@ -4316,7 +4997,7 @@ interface(`files_list_tmp',` ## ## ## --## Domain allowed access. +-## Domain not to audit. +## Domain to not audit. ## ## # --interface(`files_list_all_tmp',` -+interface(`files_dontaudit_list_tmp',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir list_dir_perms; -+ dontaudit $1 tmp_t:dir list_dir_perms; +@@ -4328,6 +5009,25 @@ interface(`files_dontaudit_list_tmp',` + dontaudit $1 tmp_t:dir list_dir_perms; ') --######################################## +####################################### - ## --## Relabel to and from all temporary --## directory types. ++## +## Allow read and write to the tmp directory (/tmp). - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain not to audit. +## - ## --## - # --interface(`files_relabel_all_tmp_dirs',` -- gen_require(` -- attribute tmpfile; -- type var_t; -- ') ++## ++# +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; - ') - ++') ++ ######################################## ## --## Do not audit attempts to get the attributes --## of all tmp files. -+## Remove entries from the tmp directory. - ## - ## - ## --## Domain not to audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` -+interface(`files_delete_tmp_dir_entry',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; + ## Remove entries from the tmp directory. +@@ -4343,6 +5043,7 @@ interface(`files_delete_tmp_dir_entry',` + type tmp_t; ') -- dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) -+ allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:dir del_entry_dir_perms; ') +@@ -4384,6 +5085,32 @@ interface(`files_manage_generic_tmp_dirs',` + ######################################## ## --## Allow attempts to get the attributes --## of all tmp files. -+## Read files in the tmp directory (/tmp). ++## Allow shared library text relocations in tmp files. ++## ++## ++##

    ++## Allow shared library text relocations in tmp files. ++##

    ++##

    ++## This is added to support java policy. ++##

    ++##
    ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_execmod_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file execmod; ++') ++ ++######################################## ++## + ## Manage temporary files and directories in /tmp. ## ## - ## -@@ -4524,58 +5023,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',` - ## - ## - # --interface(`files_getattr_all_tmp_files',` -+interface(`files_read_generic_tmp_files',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:file getattr; -+ read_files_pattern($1, tmp_t, tmp_t) - ') +@@ -4438,6 +5165,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Relabel to and from all temporary --## file types. -+## Manage temporary directories in /tmp. ++## Relabel a dir from the type used in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_tmp_dirs',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++') ++ ++######################################## ++## ++## Relabel a file from the type used in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelfrom_tmp_files',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++') ++ ++######################################## ++## + ## Set the attributes of all tmp directories. ## ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_tmp_files',` -+interface(`files_manage_generic_tmp_dirs',` - gen_require(` -- attribute tmpfile; -- type var_t; -+ type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_files_pattern($1, tmpfile, tmpfile) -+ manage_dirs_pattern($1, tmp_t, tmp_t) - ') +@@ -4456,6 +5219,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## --## Do not audit attempts to get the attributes --## of all tmp sock_file. -+## Allow shared library text relocations in tmp files. ++## Allow caller to read inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_inherited_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ++') ++ ++######################################## ++## ++## Allow caller to append inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_append_inherited_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Allow caller to read and write inherited tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_inherited_tmp_file',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## List all tmp directories. + ## + ## +@@ -4501,7 +5318,7 @@ interface(`files_relabel_all_tmp_dirs',` ##
    -+## -+##

    -+## Allow shared library text relocations in tmp files. -+##

    -+##

    -+## This is added to support java policy. -+##

    -+##
    ## ## -## Domain not to audit. -+## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_dontaudit_getattr_all_tmp_sockets',` -+interface(`files_execmod_tmp',` - gen_require(` - attribute tmpfile; - ') - -- dontaudit $1 tmpfile:sock_file getattr; -+ allow $1 tmpfile:file execmod; - ') - - ######################################## - ## --## Read all tmp files. -+## Manage temporary files and directories in /tmp. +@@ -4561,7 +5378,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## -@@ -4583,51 +5085,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +-## Domain not to audit. ++## Domain to not audit. ## ## # --interface(`files_read_all_tmp_files',` -+interface(`files_manage_generic_tmp_files',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- read_files_pattern($1, tmpfile, tmpfile) -+ manage_files_pattern($1, tmp_t, tmp_t) - ') +@@ -4593,59 +5410,107 @@ interface(`files_read_all_tmp_files',` ######################################## ## -## Create an object in the tmp directories, with a private -## type using a type transition. -+## Read symbolic links in the tmp directory (/tmp). ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. ## ## ## - ## Domain allowed access. - ## - ## +-## Domain allowed access. +-##
    +-## -## -## -## The type of the object to be created. @@ -9944,2805 +10170,815 @@ index 64ff4d7..87c124c 100644 -## -## -## The name of the object being created. --## --## ++## Domain to not audit. + ## + ## # -interface(`files_tmp_filetrans',` -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_dontaudit_tmp_file_leaks',` gen_require(` - type tmp_t; +- type tmp_t; ++ attribute tmpfile; ') - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Delete the contents of /tmp. -+## Read and write generic named sockets in the tmp directory (/tmp). ++## Do allow attempts to read or write ++## all leaked tmpfiles files. ## ## ## -@@ -4635,22 +5121,17 @@ interface(`files_tmp_filetrans',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`files_purge_tmp',` -+interface(`files_rw_generic_tmp_sockets',` ++interface(`files_rw_tmp_file_leaks',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + attribute tmpfile; ') - allow $1 tmpfile:dir list_dir_perms; - delete_dirs_pattern($1, tmpfile, tmpfile) -- delete_files_pattern($1, tmpfile, tmpfile) -- delete_lnk_files_pattern($1, tmpfile, tmpfile) -- delete_fifo_files_pattern($1, tmpfile, tmpfile) -- delete_sock_files_pattern($1, tmpfile, tmpfile) -+ rw_sock_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Create an object in the tmp directories, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_tmp_filetrans',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ filetrans_pattern($1, tmp_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Delete the contents of /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_purge_tmp',` ++ gen_require(` ++ attribute tmpfile; ++ ') ++ ++ allow $1 tmpfile:dir list_dir_perms; ++ delete_dirs_pattern($1, tmpfile, tmpfile) + delete_files_pattern($1, tmpfile, tmpfile) + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) ') ######################################## +@@ -5223,6 +6088,24 @@ interface(`files_list_var',` + + ######################################## ## --## Set the attributes of the /usr directory. -+## Relabel a dir from the type used in /tmp. ++## Do not audit listing of the var directory (/var). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_var',` ++ gen_require(` ++ type var_t; ++ ') ++ ++ dontaudit $1 var_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete directories + ## in the /var directory. ## - ## - ## -@@ -4658,17 +5139,17 @@ interface(`files_purge_tmp',` - ## - ## - # --interface(`files_setattr_usr_dirs',` -+interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- allow $1 usr_t:dir setattr; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) +@@ -5578,6 +6461,25 @@ interface(`files_read_var_lib_symlinks',` + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') ++######################################## ++## ++## manage generic symbolic links ++## in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_var_lib_symlinks',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ++') ++ + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. + +@@ -5623,7 +6525,7 @@ interface(`files_manage_mounttab',` + ######################################## ## --## Search the content of /usr. -+## Relabel a file from the type used in /tmp. +-## Set the attributes of the generic lock directories. ++## List generic lock directories. ## ## ## -@@ -4676,18 +5157,17 @@ interface(`files_setattr_usr_dirs',` +@@ -5631,12 +6533,13 @@ interface(`files_manage_mounttab',` ## ## # --interface(`files_search_usr',` -+interface(`files_relabelfrom_tmp_files',` +-interface(`files_setattr_lock_dirs',` ++interface(`files_list_locks',` gen_require(` -- type usr_t; -+ type tmp_t; + type var_t, var_lock_t; ') -- allow $1 usr_t:dir search_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) ') ######################################## - ## --## List the contents of generic --## directories in /usr. -+## Set the attributes of all tmp directories. - ## - ## - ## -@@ -4695,35 +5175,35 @@ interface(`files_search_usr',` - ## - ## - # --interface(`files_list_usr',` -+interface(`files_setattr_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; +@@ -5654,6 +6557,7 @@ interface(`files_search_locks',` + type var_t, var_lock_t; ') -- allow $1 usr_t:dir list_dir_perms; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; ++ files_search_pids($1) + allow $1 var_lock_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_lock_t) ') +@@ -5680,7 +6584,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## --## Do not audit write of /usr dirs -+## Allow caller to read inherited tmp files. +-## List generic lock directories. ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/lock directory. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -5688,13 +6611,12 @@ interface(`files_dontaudit_search_locks',` ## ## # --interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_read_inherited_tmp_files',` +-interface(`files_list_locks',` ++interface(`files_setattr_lock_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; +- type var_t, var_lock_t; ++ type var_lock_t; ') -- dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_lock_t:dir setattr; ') ######################################## - ## --## Add and remove entries from /usr directories. -+## Allow caller to append inherited tmp files. - ## - ## - ## -@@ -4731,36 +5211,35 @@ interface(`files_dontaudit_write_usr_dirs',` - ## - ## - # --interface(`files_rw_usr_dirs',` -+interface(`files_append_inherited_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; +@@ -5713,7 +6635,7 @@ interface(`files_rw_lock_dirs',` + type var_t, var_lock_t; ') -- allow $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file append_inherited_file_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + rw_dirs_pattern($1, var_t, var_lock_t) ') - ######################################## - ## --## Do not audit attempts to add and remove --## entries from /usr directories. -+## Allow caller to read and write inherited tmp files. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. +@@ -5746,7 +6668,6 @@ interface(`files_create_lock_dirs',` + ## Domain allowed access. ## ## +-## # --interface(`files_dontaudit_rw_usr_dirs',` -+interface(`files_rw_inherited_tmp_file',` + interface(`files_relabel_all_lock_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; +@@ -5774,8 +6695,7 @@ interface(`files_getattr_generic_locks',` + type var_t, var_lock_t; ') -- dontaudit $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file rw_inherited_file_perms; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + allow $1 var_lock_t:dir list_dir_perms; + getattr_files_pattern($1, var_lock_t, var_lock_t) ') - - ######################################## - ## --## Delete generic directories in /usr in the caller domain. -+## List all tmp directories. - ## - ## - ## -@@ -4768,111 +5247,100 @@ interface(`files_dontaudit_rw_usr_dirs',` - ## +@@ -5791,13 +6711,12 @@ interface(`files_getattr_generic_locks',` ## # --interface(`files_delete_usr_dirs',` -+interface(`files_list_all_tmp',` - gen_require(` -- type usr_t; -+ attribute tmpfile; - ') + interface(`files_delete_generic_locks',` +- gen_require(` ++ gen_require(` + type var_t, var_lock_t; +- ') ++ ') -- delete_dirs_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) ++ delete_files_pattern($1, var_lock_t, var_lock_t) ') ######################################## - ## --## Delete generic files in /usr in the caller domain. -+## Relabel to and from all temporary -+## directory types. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_delete_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` - gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; +@@ -5816,9 +6735,7 @@ interface(`files_manage_generic_locks',` + type var_t, var_lock_t; ') -- delete_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) ++ files_search_locks($1) + manage_files_pattern($1, var_lock_t, var_lock_t) + ') + +@@ -5860,8 +6777,7 @@ interface(`files_read_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) + read_lnk_files_pattern($1, lockfile, lockfile) +@@ -5883,8 +6799,7 @@ interface(`files_manage_all_locks',` + type var_t, var_lock_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_locks($1) + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +@@ -5921,8 +6836,7 @@ interface(`files_lock_filetrans',` + type var_t, var_lock_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ files_search_locks($1) + filetrans_pattern($1, var_lock_t, $2, $3, $4) + ') + +@@ -5961,7 +6875,7 @@ interface(`files_setattr_pid_dirs',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:dir setattr; + ') + +@@ -5981,10 +6895,48 @@ interface(`files_search_pids',` + type var_t, var_run_t; + ') + ++ allow $1 var_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) ') ++###################################### ++## ++## Add and remove entries from pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:dir rw_dir_perms; ++') ++ ++####################################### ++## ++## Create generic pid directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_var_run_dirs',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir create_dir_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to search +@@ -6007,6 +6959,25 @@ interface(`files_dontaudit_search_pids',` + ######################################## ## --## Get the attributes of files in /usr. -+## Do not audit attempts to get the attributes -+## of all tmp files. - ## - ## - ## --## Domain allowed access. ++## Do not audit attempts to search ++## the all /var/run directory. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_getattr_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` - gen_require(` -- type usr_t; -+ attribute tmpfile; ++## ++## ++# ++interface(`files_dontaudit_search_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 pidfile:dir search_dir_perms; ++') ++ ++######################################## ++## + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6021,7 +6992,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6040,7 +7011,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6060,7 +7031,7 @@ interface(`files_write_generic_pid_pipes',` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:fifo_file write; + ') + +@@ -6122,7 +7093,6 @@ interface(`files_pid_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, var_run_t, $2, $3, $4) + ') + +@@ -6164,7 +7134,7 @@ interface(`files_rw_generic_pids',` + type var_t, var_run_t; ') -- getattr_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) ') +@@ -6231,55 +7201,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read generic files in /usr. -+## Allow attempts to get the attributes -+## of all tmp files. +-## Read all process ID files. ++## Relable all pid directories ## --## --##

    --## Allow the specified domain to read generic --## files in /usr. These files are various program --## files that do not have more specific SELinux types. --## Some examples of these files are: --##

    --##
      --##
    • /usr/include/*
    • --##
    • /usr/share/doc/*
    • --##
    • /usr/share/info/*
    • --##
    --##

    --## Generally, it is safe for many domains to have --## this access. --##

    --##
    ## ## ## Domain allowed access. ## ## --## +-## # --interface(`files_read_usr_files',` -+interface(`files_getattr_all_tmp_files',` +-interface(`files_read_all_pids',` ++interface(`files_relabel_all_pid_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; + attribute pidfile; +- type var_t, var_run_t; ') -- allow $1 usr_t:dir list_dir_perms; -- read_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ relabel_dirs_pattern($1, pidfile, pidfile) ') ######################################## ## --## Execute generic programs in /usr in the caller domain. -+## Relabel to and from all temporary -+## file types. +-## Delete all process IDs. ++## Delete all pid sockets ## ## ## ## Domain allowed access. ## ## -+## +-## # --interface(`files_exec_usr_files',` -+interface(`files_relabel_all_tmp_files',` +-interface(`files_delete_all_pids',` ++interface(`files_delete_all_pid_sockets',` gen_require(` -- type usr_t; -+ attribute tmpfile; -+ type var_t; + attribute pidfile; +- type var_t, var_run_t; ') -- allow $1 usr_t:dir list_dir_perms; -- exec_files_pattern($1, usr_t, usr_t) -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 pidfile:sock_file delete_sock_file_perms; ') ######################################## ## --## dontaudit write of /usr files -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. +-## Delete all process ID directories. ++## Create all pid sockets ## ## ## -@@ -4880,35 +5348,17 @@ interface(`files_exec_usr_files',` +@@ -6287,42 +7245,35 @@ interface(`files_delete_all_pids',` ## ## # --interface(`files_dontaudit_write_usr_files',` -- gen_require(` -- type usr_t; -- ') -- -- dontaudit $1 usr_t:file write; --') -- --######################################## --## --## Create, read, write, and delete files in the /usr directory. --## --## --## --## Domain allowed access. --## --## --# --interface(`files_manage_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_sockets',` +-interface(`files_delete_all_pid_dirs',` ++interface(`files_create_all_pid_sockets',` gen_require(` -- type usr_t; -+ attribute tmpfile; + attribute pidfile; +- type var_t, var_run_t; ') -- manage_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:sock_file getattr; +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:sock_file create_sock_file_perms; ') ######################################## ## --## Relabel a file to the type used in /usr. -+## Read all tmp files. +-## Create, read, write and delete all +-## var_run (pid) content ++## Create all pid named pipes ## ## ## -@@ -4916,67 +5366,70 @@ interface(`files_manage_usr_files',` +-## Domain alloed access. ++## Domain allowed access. ## ## # --interface(`files_relabelto_usr_files',` -+interface(`files_read_all_tmp_files',` +-interface(`files_manage_all_pids',` ++interface(`files_create_all_pid_pipes',` gen_require(` -- type usr_t; -+ attribute tmpfile; + attribute pidfile; ') -- relabelto_files_pattern($1, usr_t, usr_t) -+ read_files_pattern($1, tmpfile, tmpfile) +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ allow $1 pidfile:fifo_file create_fifo_file_perms; ') ######################################## ## --## Relabel a file from the type used in /usr. -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Delete all pid named pipes ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -6330,18 +7281,18 @@ interface(`files_manage_all_pids',` ## ## # --interface(`files_relabelfrom_usr_files',` -+interface(`files_dontaudit_tmp_file_leaks',` +-interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_pipes',` gen_require(` -- type usr_t; -+ attribute tmpfile; +- attribute polymember; ++ attribute pidfile; ') -- relabelfrom_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; +- allow $1 polymember:dir mounton; ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; ') ######################################## ## --## Read symbolic links in /usr. -+## Do allow attempts to read or write -+## all leaked tmpfiles files. +-## Search the contents of generic spool +-## directories (/var/spool). ++## manage all pidfile directories ++## in the /var/run directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -6349,37 +7300,40 @@ interface(`files_mounton_all_poly_members',` ## ## # --interface(`files_read_usr_symlinks',` -+interface(`files_rw_tmp_file_leaks',` +-interface(`files_search_spool',` ++interface(`files_manage_all_pid_dirs',` gen_require(` -- type usr_t; -+ attribute tmpfile; +- type var_t, var_spool_t; ++ attribute pidfile; ') -- read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file rw_inherited_file_perms; +- search_dirs_pattern($1, var_t, var_spool_t) ++ manage_dirs_pattern($1,pidfile,pidfile) ') ++ ######################################## ## --## Create objects in the /usr directory -+## Create an object in the tmp directories, with a private -+## type using a type transition. +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. ## ## ## - ## Domain allowed access. - ## - ## --## -+## - ## --## The type of the object to be created -+## The type of the object to be created. - ## - ## --## -+## - ## --## The object class. -+## The object class of the object being created. - ## - ## - ## -@@ -4985,35 +5438,50 @@ interface(`files_read_usr_symlinks',` - ##
    - ## - # --interface(`files_usr_filetrans',` -+interface(`files_tmp_filetrans',` - gen_require(` -- type usr_t; -+ type tmp_t; - ') - -- filetrans_pattern($1, usr_t, $2, $3, $4) -+ filetrans_pattern($1, tmp_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to search /usr/src. -+## Delete the contents of /tmp. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_src',` -+interface(`files_purge_tmp',` - gen_require(` -- type src_t; -+ attribute tmpfile; - ') - -- dontaudit $1 src_t:dir search_dir_perms; -+ allow $1 tmpfile:dir list_dir_perms; -+ delete_dirs_pattern($1, tmpfile, tmpfile) -+ delete_files_pattern($1, tmpfile, tmpfile) -+ delete_lnk_files_pattern($1, tmpfile, tmpfile) -+ delete_fifo_files_pattern($1, tmpfile, tmpfile) -+ delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) - ') - - ######################################## - ## --## Get the attributes of files in /usr/src. -+## Set the attributes of the /usr directory. - ## - ## - ## -@@ -5021,20 +5489,17 @@ interface(`files_dontaudit_search_src',` - ## - ## - # --interface(`files_getattr_usr_src_files',` -+interface(`files_setattr_usr_dirs',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - -- getattr_files_pattern($1, src_t, src_t) -- -- # /usr/src/linux symlink: -- read_lnk_files_pattern($1, usr_t, src_t) -+ allow $1 usr_t:dir setattr; - ') - - ######################################## - ## --## Read files in /usr/src. -+## Search the content of /usr. - ## - ## - ## -@@ -5042,20 +5507,18 @@ interface(`files_getattr_usr_src_files',` - ## - ## - # --interface(`files_read_usr_src_files',` -+interface(`files_search_usr',` - gen_require(` -- type usr_t, src_t; -+ type usr_t; - ') - - allow $1 usr_t:dir search_dir_perms; -- read_files_pattern($1, { usr_t src_t }, src_t) -- read_lnk_files_pattern($1, { usr_t src_t }, src_t) -- allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Execute programs in /usr/src in the caller domain. -+## List the contents of generic -+## directories in /usr. - ## - ## - ## -@@ -5063,38 +5526,35 @@ interface(`files_read_usr_src_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## ++## # --interface(`files_exec_usr_src_files',` -+interface(`files_list_usr',` +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` gen_require(` -- type usr_t, src_t; -+ type usr_t; +- type var_spool_t; ++ attribute pidfile; ++ type var_t; ') -- list_dirs_pattern($1, usr_t, src_t) -- exec_files_pattern($1, src_t, src_t) -- read_lnk_files_pattern($1, src_t, src_t) -+ allow $1 usr_t:dir list_dir_perms; +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) ++ read_lnk_files_pattern($1, pidfile, pidfile) ') ######################################## ## --## Install a system.map into the /boot directory. -+## Do not audit write of /usr dirs +-## List the contents of generic spool +-## (/var/spool) directories. ++## Relable all pid files ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -6387,18 +7341,17 @@ interface(`files_dontaudit_search_spool',` ## ## # --interface(`files_create_kernel_symbol_table',` -+interface(`files_dontaudit_write_usr_dirs',` +-interface(`files_list_spool',` ++interface(`files_relabel_all_pid_files',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +- type var_t, var_spool_t; ++ attribute pidfile; ') -- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -- allow $1 system_map_t:file { create_file_perms rw_file_perms }; -+ dontaudit $1 usr_t:dir write; +- list_dirs_pattern($1, var_t, var_spool_t) ++ relabel_files_pattern($1, pidfile, pidfile) ') ######################################## ## --## Read system.map in the /boot directory. -+## Add and remove entries from /usr directories. +-## Create, read, write, and delete generic +-## spool directories (/var/spool). ++## Execute generic programs in /var/run in the caller domain. ## ## ## -@@ -5102,37 +5562,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -6406,18 +7359,18 @@ interface(`files_list_spool',` ## ## # --interface(`files_read_kernel_symbol_table',` -+interface(`files_rw_usr_dirs',` +-interface(`files_manage_generic_spool_dirs',` ++interface(`files_exec_generic_pid_files',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +- type var_t, var_spool_t; ++ type var_run_t; ') -- allow $1 boot_t:dir list_dir_perms; -- read_files_pattern($1, boot_t, system_map_t) -+ allow $1 usr_t:dir rw_dir_perms; +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ exec_files_pattern($1, var_run_t, var_run_t) ') ######################################## ## --## Delete a system.map in the /boot directory. -+## Do not audit attempts to add and remove -+## entries from /usr directories. +-## Read generic spool files. ++## manage all pidfiles ++## in the /var/run directory. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -6425,19 +7378,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # --interface(`files_delete_kernel_symbol_table',` -+interface(`files_dontaudit_rw_usr_dirs',` +-interface(`files_read_generic_spool',` ++interface(`files_manage_all_pids',` gen_require(` -- type boot_t, system_map_t; -+ type usr_t; +- type var_t, var_spool_t; ++ attribute pidfile; ') -- allow $1 boot_t:dir list_dir_perms; -- delete_files_pattern($1, boot_t, system_map_t) -+ dontaudit $1 usr_t:dir rw_dir_perms; +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) ++ manage_files_pattern($1,pidfile,pidfile) ') ######################################## ## --## Search the contents of /var. -+## Delete generic directories in /usr in the caller domain. +-## Create, read, write, and delete generic +-## spool files. ++## Mount filesystems on all polyinstantiation ++## member directories. ## ## ## -@@ -5140,35 +5599,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -6445,29 +7397,296 @@ interface(`files_read_generic_spool',` ## ## # --interface(`files_search_var',` -+interface(`files_delete_usr_dirs',` +-interface(`files_manage_generic_spool',` ++interface(`files_mounton_all_poly_members',` gen_require(` -- type var_t; -+ type usr_t; +- type var_t, var_spool_t; ++ attribute polymember; ') - allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to write to /var. -+## Delete generic files in /usr in the caller domain. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_write_var_dirs',` -+interface(`files_delete_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:dir write; -+ delete_files_pattern($1, usr_t, usr_t) +- manage_files_pattern($1, var_spool_t, var_spool_t) ++ allow $1 polymember:dir mounton; ') ######################################## ## --## Allow attempts to write to /var.dirs -+## Get the attributes of files in /usr. +-## Create objects in the spool directory +-## with a private type with a type transition. ++## Delete all process IDs. ## ## ## -@@ -5176,36 +5635,55 @@ interface(`files_dontaudit_write_var_dirs',` + ## Domain allowed access. ## ## - # --interface(`files_write_var_dirs',` -+interface(`files_getattr_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir write; -+ getattr_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to search --## the contents of /var. -+## Read generic files in /usr. - ## +-## +-## +-## Type to which the created node will be transitioned. +-## ++## ++# ++interface(`files_delete_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++') ++ ++######################################## ++## ++## Delete all process ID directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## ++## Make the specified type a file ++## used for spool files. ++## +## +##

    -+## Allow the specified domain to read generic -+## files in /usr. These files are various program -+## files that do not have more specific SELinux types. -+## Some examples of these files are: ++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

    ++##

    ++## Related interfaces: +##

    +##
      -+##
    • /usr/include/*
    • -+##
    • /usr/share/doc/*
    • -+##
    • /usr/share/info/*
    • ++##
    • files_spool_filetrans()
    • +##
    +##

    -+## Generally, it is safe for many domains to have -+## this access. -+##

    -+##
    - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_search_var',` -+interface(`files_read_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:dir search_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ read_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## List the contents of /var. -+## Execute generic programs in /usr in the caller domain. - ## - ## - ## -@@ -5213,36 +5691,37 @@ interface(`files_dontaudit_search_var',` - ## - ## - # --interface(`files_list_var',` -+interface(`files_exec_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir list_dir_perms; -+ allow $1 usr_t:dir list_dir_perms; -+ exec_files_pattern($1, usr_t, usr_t) -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete directories --## in the /var directory. -+## dontaudit write of /usr files - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_var_dirs',` -+interface(`files_dontaudit_write_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- allow $1 var_t:dir manage_dir_perms; -+ dontaudit $1 usr_t:file write; - ') - - ######################################## - ## --## Read files in the /var directory. -+## Create, read, write, and delete files in the /usr directory. - ## - ## - ## -@@ -5250,17 +5729,17 @@ interface(`files_manage_var_dirs',` - ## - ## - # --interface(`files_read_var_files',` -+interface(`files_manage_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- read_files_pattern($1, var_t, var_t) -+ manage_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Append files in the /var directory. -+## Relabel a file to the type used in /usr. - ## - ## - ## -@@ -5268,17 +5747,17 @@ interface(`files_read_var_files',` - ## - ## - # --interface(`files_append_var_files',` -+interface(`files_relabelto_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- append_files_pattern($1, var_t, var_t) -+ relabelto_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Read and write files in the /var directory. -+## Relabel a file from the type used in /usr. - ## - ## - ## -@@ -5286,73 +5765,86 @@ interface(`files_append_var_files',` - ## - ## - # --interface(`files_rw_var_files',` -+interface(`files_relabelfrom_usr_files',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- rw_files_pattern($1, var_t, var_t) -+ relabelfrom_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## files in the /var directory. -+## Read symbolic links in /usr. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_rw_var_files',` -+interface(`files_read_usr_symlinks',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- dontaudit $1 var_t:file rw_file_perms; -+ read_lnk_files_pattern($1, usr_t, usr_t) - ') - - ######################################## - ## --## Create, read, write, and delete files in the /var directory. -+## Create objects in the /usr directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_manage_var_files',` -+interface(`files_usr_filetrans',` - gen_require(` -- type var_t; -+ type usr_t; - ') - -- manage_files_pattern($1, var_t, var_t) -+ filetrans_pattern($1, usr_t, $2, $3, $4) - ') - - ######################################## - ## --## Read symbolic links in the /var directory. -+## Do not audit attempts to search /usr/src. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_var_symlinks',` -+interface(`files_dontaudit_search_src',` - gen_require(` -- type var_t; -+ type src_t; - ') - -- read_lnk_files_pattern($1, var_t, var_t) -+ dontaudit $1 src_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create, read, write, and delete symbolic --## links in the /var directory. -+## Get the attributes of files in /usr/src. - ## - ## - ## -@@ -5360,50 +5852,41 @@ interface(`files_read_var_symlinks',` - ## - ## - # --interface(`files_manage_var_symlinks',` -+interface(`files_getattr_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- manage_lnk_files_pattern($1, var_t, var_t) -+ getattr_files_pattern($1, src_t, src_t) -+ -+ # /usr/src/linux symlink: -+ read_lnk_files_pattern($1, usr_t, src_t) - ') - - ######################################## - ## --## Create objects in the /var directory -+## Read files in /usr/src. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`files_var_filetrans',` -+interface(`files_read_usr_src_files',` - gen_require(` -- type var_t; -+ type usr_t, src_t; - ') - -- filetrans_pattern($1, var_t, $2, $3, $4) -+ allow $1 usr_t:dir search_dir_perms; -+ read_files_pattern($1, { usr_t src_t }, src_t) -+ read_lnk_files_pattern($1, { usr_t src_t }, src_t) -+ allow $1 src_t:dir list_dir_perms; - ') - - ######################################## - ## --## Get the attributes of the /var/lib directory. -+## Execute programs in /usr/src in the caller domain. - ## - ## - ## -@@ -5411,69 +5894,57 @@ interface(`files_var_filetrans',` - ## - ## - # --interface(`files_getattr_var_lib_dirs',` -+interface(`files_exec_usr_src_files',` - gen_require(` -- type var_t, var_lib_t; -+ type usr_t, src_t; - ') - -- getattr_dirs_pattern($1, var_t, var_lib_t) -+ list_dirs_pattern($1, usr_t, src_t) -+ exec_files_pattern($1, src_t, src_t) -+ read_lnk_files_pattern($1, src_t, src_t) - ') - - ######################################## - ## --## Search the /var/lib directory. -+## Install a system.map into the /boot directory. - ## --## --##

    --## Search the /var/lib directory. This is --## necessary to access files or directories under --## /var/lib that have a private type. For example, a --## domain accessing a private library file in the --## /var/lib directory: --##

    --##

    --## allow mydomain_t mylibfile_t:file read_file_perms; --## files_search_var_lib(mydomain_t) --##

    --##
    - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_search_var_lib',` -+interface(`files_create_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- search_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; -+ allow $1 system_map_t:file { create_file_perms rw_file_perms }; - ') - - ######################################## - ## --## Do not audit attempts to search the --## contents of /var/lib. -+## Read system.map in the /boot directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## --## - # --interface(`files_dontaudit_search_var_lib',` -+interface(`files_read_kernel_symbol_table',` - gen_require(` -- type var_lib_t; -+ type boot_t, system_map_t; - ') - -- dontaudit $1 var_lib_t:dir search_dir_perms; -+ allow $1 boot_t:dir list_dir_perms; -+ read_files_pattern($1, boot_t, system_map_t) - ') - - ######################################## - ## --## List the contents of the /var/lib directory. -+## Delete a system.map in the /boot directory. - ## - ## - ## -@@ -5481,17 +5952,18 @@ interface(`files_dontaudit_search_var_lib',` - ## - ## - # --interface(`files_list_var_lib',` -+interface(`files_delete_kernel_symbol_table',` - gen_require(` -- type var_t, var_lib_t; -+ type boot_t, system_map_t; - ') - -- list_dirs_pattern($1, var_t, var_lib_t) -+ allow $1 boot_t:dir list_dir_perms; -+ delete_files_pattern($1, boot_t, system_map_t) - ') - --########################################### -+######################################## - ## --## Read-write /var/lib directories -+## Search the contents of /var. - ## - ## - ## -@@ -5499,51 +5971,35 @@ interface(`files_list_var_lib',` - ## - ## - # --interface(`files_rw_var_lib_dirs',` -+interface(`files_search_var',` - gen_require(` -- type var_lib_t; -+ type var_t; - ') - -- rw_dirs_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir search_dir_perms; - ') - - ######################################## - ## --## Create objects in the /var/lib directory -+## Do not audit attempts to write to /var. - ## - ## - ## --## Domain allowed access. --## --## --## --## --## The type of the object to be created --## --## --## --## --## The object class. --## --## --## --## --## The name of the object being created. -+## Domain to not audit. - ## - ## - # --interface(`files_var_lib_filetrans',` -+interface(`files_dontaudit_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_lib_t, $2, $3, $4) -+ dontaudit $1 var_t:dir write; - ') - - ######################################## - ## --## Read generic files in /var/lib. -+## Allow attempts to write to /var.dirs - ## - ## - ## -@@ -5551,40 +6007,36 @@ interface(`files_var_lib_filetrans',` - ## - ## - # --interface(`files_read_var_lib_files',` -+interface(`files_write_var_dirs',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_lib_t:dir list_dir_perms; -- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ allow $1 var_t:dir write; - ') - - ######################################## - ## --## Read generic symbolic links in /var/lib -+## Do not audit attempts to search -+## the contents of /var. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_var_lib_symlinks',` -+interface(`files_dontaudit_search_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) -+ dontaudit $1 var_t:dir search_dir_perms; - ') - --# cjp: the next two interfaces really need to be fixed --# in some way. They really neeed their own types. -- - ######################################## - ## --## Create, read, write, and delete the --## pseudorandom number generator seed. -+## List the contents of /var. - ## - ## - ## -@@ -5592,38 +6044,36 @@ interface(`files_read_var_lib_symlinks',` - ## - ## - # --interface(`files_manage_urandom_seed',` -+interface(`files_list_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ allow $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Allow domain to manage mount tables --## necessary for rpcd, nfsd, etc. -+## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_manage_mounttab',` -+interface(`files_dontaudit_list_var',` - gen_require(` -- type var_t, var_lib_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_lib_t, var_lib_t) -+ dontaudit $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Set the attributes of the generic lock directories. -+## Create, read, write, and delete directories -+## in the /var directory. - ## - ## - ## -@@ -5631,17 +6081,17 @@ interface(`files_manage_mounttab',` - ## - ## - # --interface(`files_setattr_lock_dirs',` -+interface(`files_manage_var_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_t:dir manage_dir_perms; - ') - - ######################################## - ## --## Search the locks directory (/var/lock). -+## Read files in the /var directory. - ## - ## - ## -@@ -5649,38 +6099,35 @@ interface(`files_setattr_lock_dirs',` - ## - ## - # --interface(`files_search_locks',` -+interface(`files_read_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_lock_t) -+ read_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Do not audit attempts to search the --## locks directory (/var/lock). -+## Append files in the /var directory. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_locks',` -+interface(`files_append_var_files',` - gen_require(` -- type var_lock_t; -+ type var_t; - ') - -- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_lock_t:dir search_dir_perms; -+ append_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## List generic lock directories. -+## Read and write files in the /var directory. - ## - ## - ## -@@ -5688,80 +6135,73 @@ interface(`files_dontaudit_search_locks',` - ## - ## - # --interface(`files_list_locks',` -+interface(`files_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_lock_t) -+ rw_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Add and remove entries in the /var/lock --## directories. -+## Do not audit attempts to read and write -+## files in the /var directory. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_rw_lock_dirs',` -+interface(`files_dontaudit_rw_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- rw_dirs_pattern($1, var_t, var_lock_t) -+ dontaudit $1 var_t:file rw_file_perms; - ') - - ######################################## - ## --## Create lock directories -+## Create, read, write, and delete files in the /var directory. - ## - ## --## --## Domain allowed access -+## -+## Domain allowed access. - ## - ## - # --interface(`files_create_lock_dirs',` -+interface(`files_manage_var_files',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- create_dirs_pattern($1, var_lock_t, var_lock_t) -+ manage_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Relabel to and from all lock directory types. -+## Read symbolic links in the /var directory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_lock_dirs',` -+interface(`files_read_var_symlinks',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- relabel_dirs_pattern($1, lockfile, lockfile) -+ read_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Get the attributes of generic lock files. -+## Create, read, write, and delete symbolic -+## links in the /var directory. - ## - ## - ## -@@ -5769,41 +6209,50 @@ interface(`files_relabel_all_lock_dirs',` - ## - ## - # --interface(`files_getattr_generic_locks',` -+interface(`files_manage_var_symlinks',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 var_lock_t:dir list_dir_perms; -- getattr_files_pattern($1, var_lock_t, var_lock_t) -+ manage_lnk_files_pattern($1, var_t, var_t) - ') - - ######################################## - ## --## Delete generic lock files. -+## Create objects in the /var directory - ## - ## - ## - ## Domain allowed access. - ## - ## -+## -+## -+## The type of the object to be created -+## -+## -+## -+## -+## The object class. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## - # --interface(`files_delete_generic_locks',` -+interface(`files_var_filetrans',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ filetrans_pattern($1, var_t, $2, $3, $4) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## lock files. -+## Get the attributes of the /var/lib directory. - ## - ## - ## -@@ -5811,65 +6260,69 @@ interface(`files_delete_generic_locks',` - ## - ## - # --interface(`files_manage_generic_locks',` -+interface(`files_getattr_var_lib_dirs',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -- manage_files_pattern($1, var_lock_t, var_lock_t) -+ getattr_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## Delete all lock files. -+## Search the /var/lib directory. - ## -+## -+##

    -+## Search the /var/lib directory. This is -+## necessary to access files or directories under -+## /var/lib that have a private type. For example, a -+## domain accessing a private library file in the -+## /var/lib directory: -+##

    -+##

    -+## allow mydomain_t mylibfile_t:file read_file_perms; -+## files_search_var_lib(mydomain_t) -+##

    -+##
    - ## - ## - ## Domain allowed access. - ## - ## --## -+## - # --interface(`files_delete_all_locks',` -+interface(`files_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, lockfile, lockfile) -+ search_dirs_pattern($1, var_t, var_lib_t) - ') - - ######################################## - ## --## Read all lock files. -+## Do not audit attempts to search the -+## contents of /var/lib. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## -+## - # --interface(`files_read_all_locks',` -+interface(`files_dontaudit_search_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) -+ dontaudit $1 var_lib_t:dir search_dir_perms; - ') - - ######################################## - ## --## manage all lock files. -+## List the contents of the /var/lib directory. - ## - ## - ## -@@ -5877,37 +6330,49 @@ interface(`files_read_all_locks',` - ## - ## - # --interface(`files_manage_all_locks',` -+interface(`files_list_var_lib',` - gen_require(` -- attribute lockfile; -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -- manage_lnk_files_pattern($1, lockfile, lockfile) -+ list_dirs_pattern($1, var_t, var_lib_t) -+') -+ -+########################################### -+## -+## Read-write /var/lib directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_var_lib_dirs',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ rw_dirs_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## Create an object in the locks directory, with a private --## type using a type transition. -+## Create objects in the /var/lib directory - ## - ## - ## - ## Domain allowed access. - ## - ## --## -+## - ## --## The type of the object to be created. -+## The type of the object to be created - ## - ## --## -+## - ## --## The object class of the object being created. -+## The object class. - ## - ## - ## -@@ -5916,39 +6381,37 @@ interface(`files_manage_all_locks',` - ##
    - ## - # --interface(`files_lock_filetrans',` -+interface(`files_var_lib_filetrans',` - gen_require(` -- type var_t, var_lock_t; -+ type var_t, var_lib_t; - ') - - allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_lock_t, $2, $3, $4) -+ filetrans_pattern($1, var_lib_t, $2, $3, $4) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of the /var/run directory. -+## Read generic files in /var/lib. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_getattr_pid_dirs',` -+interface(`files_read_var_lib_files',` - gen_require(` -- type var_run_t; -+ type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir getattr; -+ allow $1 var_lib_t:dir list_dir_perms; -+ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - - ######################################## - ## --## Set the attributes of the /var/run directory. -+## Read generic symbolic links in /var/lib - ## - ## - ## -@@ -5956,19 +6419,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` - ## - ## - # --interface(`files_setattr_pid_dirs',` -+interface(`files_read_var_lib_symlinks',` - gen_require(` -- type var_run_t; -+ type var_t, var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir setattr; -+ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - - ######################################## - ## --## Search the contents of runtime process --## ID directories (/var/run). -+## manage generic symbolic links -+## in the /var/lib directory. - ## - ## - ## -@@ -5976,19 +6438,1114 @@ interface(`files_setattr_pid_dirs',` - ## - ## - # --interface(`files_search_pids',` -+interface(`files_manage_var_lib_symlinks',` - gen_require(` -- type var_t, var_run_t; -+ type var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- search_dirs_pattern($1, var_t, var_run_t) -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) - ') - -+# cjp: the next two interfaces really need to be fixed -+# in some way. They really neeed their own types. -+ - ######################################## - ## --## Do not audit attempts to search --## the /var/run directory. -+## Create, read, write, and delete the -+## pseudorandom number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_urandom_seed',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## -+## Allow domain to manage mount tables -+## necessary for rpcd, nfsd, etc. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_mounttab',` -+ gen_require(` -+ type var_t, var_lib_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## -+## List generic lock directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Search the locks directory (/var/lock). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search the -+## locks directory (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_lock_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_lock_dirs',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ allow $1 var_lock_t:dir setattr; -+') -+ -+######################################## -+## -+## Add and remove entries in the /var/lock -+## directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ rw_dirs_pattern($1, var_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create lock directories -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`files_create_lock_dirs',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ create_dirs_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Relabel to and from all lock directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_lock_dirs',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_dirs_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Get the attributes of generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ allow $1 var_lock_t:dir list_dir_perms; -+ getattr_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete generic lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ manage_files_pattern($1, var_lock_t, var_lock_t) -+') -+ -+######################################## -+## -+## Delete all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ delete_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Read all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ allow $1 lockfile:dir list_dir_perms; -+ read_files_pattern($1, lockfile, lockfile) -+ read_lnk_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## manage all lock files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_locks',` -+ gen_require(` -+ attribute lockfile; -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ manage_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, lockfile, lockfile) -+ manage_lnk_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## Create an object in the locks directory, with a private -+## type using a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_lock_filetrans',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) -+ filetrans_pattern($1, var_lock_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir getattr; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_run_t:dir setattr; -+') -+ -+######################################## -+## -+## Search the contents of runtime process -+## ID directories (/var/run). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:lnk_file read_lnk_file_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ search_dirs_pattern($1, var_t, var_run_t) -+') -+ -+###################################### -+## -+## Add and remove entries from pid directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_pid_dirs',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ allow $1 var_run_t:dir rw_dir_perms; -+') -+ -+####################################### -+## -+## Create generic pid directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_var_run_dirs',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir create_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_pids',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 var_run_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to search -+## the all /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 pidfile:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of the runtime process -+## ID directories (/var/run). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+') -+ -+######################################## -+## -+## Read generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## Write named generic process ID pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_write_generic_pid_pipes',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_run_t:fifo_file write; -+') -+ -+######################################## -+## -+## Create an object in the process ID directory, with a private type. -+## -+## -+##

    -+## Create an object in the process ID directory (e.g., /var/run) -+## with a private type. Typically this is used for creating -+## private PID files in /var/run with the private type instead -+## of the general PID file type. To accomplish this goal, -+## either the program must be SELinux-aware, or use this interface. -+##

    -+##

    -+## Related interfaces: -+##

    -+##
      -+##
    • files_pid_file()
    • -+##
    -+##

    -+## Example usage with a domain that can create and -+## write its PID file with a private PID file type in the -+## /var/run directory: -+##

    -+##

    -+## type mypidfile_t; -+## files_pid_file(mypidfile_t) -+## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; -+## files_pid_filetrans(mydomain_t, mypidfile_t, file) -+##

    -+##
    -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+## -+# -+interface(`files_pid_filetrans',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_run_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Create a generic lock directory within the run directories -+## -+## -+## -+## Domain allowed access -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_pid_filetrans_lock_dir',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ files_pid_filetrans($1, var_lock_t, dir, $2) -+') -+ -+######################################## -+## -+## Read and write generic process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_rw_generic_pids',` -+ gen_require(` -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ rw_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes of -+## daemon runtime data files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to write to daemon runtime data files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_write_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file write; -+') -+ -+######################################## -+## -+## Do not audit attempts to ioctl daemon runtime data files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_ioctl_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_run_t; -+ ') -+ -+ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -+ dontaudit $1 pidfile:file ioctl; -+') -+ -+######################################## -+## -+## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## -+## Create all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## -+## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## -+## manage all pidfile directories -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_dirs_pattern($1,pidfile,pidfile) -+') -+ -+ -+######################################## -+## -+## Read all process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_read_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) -+ read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Relable all pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_relabel_all_pid_files',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Execute generic programs in /var/run in the caller domain. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_exec_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ -+ exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## -+## manage all pidfiles -+## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ -+ manage_files_pattern($1,pidfile,pidfile) -+') -+ -+######################################## -+## -+## Mount filesystems on all polyinstantiation -+## member directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_mounton_all_poly_members',` -+ gen_require(` -+ attribute polymember; -+ ') -+ -+ allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## -+## Delete all process IDs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_delete_all_pids',` -+ gen_require(` -+ attribute pidfile; -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+') -+ -+######################################## -+## -+## Delete all process ID directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_delete_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ type var_t, var_run_t; -+ ') -+ -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## -+## Make the specified type a file -+## used for spool files. -+## -+## -+##

    -+## Make the specified type usable for spool files. -+## This will also make the type usable for files, making -+## calls to files_type() redundant. Failure to use this interface -+## for a spool file may result in problems with -+## purging spool files. -+##

    -+##

    -+## Related interfaces: -+##

    -+##
      -+##
    • files_spool_filetrans()
    • -+##
    -+##

    -+## Example usage with a domain that can create and -+## write its spool file in the system spool file -+## directories (/var/spool): -+##

    -+##

    -+## type myspoolfile_t; -+## files_spool_file(myfile_spool_t) -+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; -+## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

    ++##

    ++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) +##

    +##
    +## @@ -12788,300 +11024,137 @@ index 64ff4d7..87c124c 100644 +## +## Domain allowed access. +## -+## -+# -+interface(`files_delete_all_spool_sockets',` -+ gen_require(` -+ attribute spoolfile; -+ ') -+ -+ allow $1 spoolfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Relabel to and from all spool -+## directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_relabel_all_spool_dirs',` -+ gen_require(` -+ attribute spoolfile; -+ type var_t; -+ ') -+ -+ relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search generic -+## spool directories. - ## - ## - ## -@@ -5996,19 +7553,18 @@ interface(`files_search_pids',` - ## - ## - # --interface(`files_dontaudit_search_pids',` -+interface(`files_dontaudit_search_spool',` - gen_require(` -- type var_run_t; -+ type var_spool_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; -+ dontaudit $1 var_spool_t:dir search_dir_perms; - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). -+## List the contents of generic spool -+## (/var/spool) directories. - ## - ## - ## -@@ -6016,18 +7572,18 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` -+interface(`files_list_spool',` - gen_require(` -- type var_t, var_run_t; -+ type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -+ list_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ## --## Read generic process ID files. -+## Create, read, write, and delete generic -+## spool directories (/var/spool). - ## - ## - ## -@@ -6035,19 +7591,18 @@ interface(`files_list_pids',` - ## - ## - # --interface(`files_read_generic_pids',` -+interface(`files_manage_generic_spool_dirs',` - gen_require(` -- type var_t, var_run_t; -+ type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Write named generic process ID pipes -+## Read generic spool files. - ## - ## - ## -@@ -6055,103 +7610,220 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` -+interface(`files_read_generic_spool',` - gen_require(` -- type var_run_t; -+ type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. -+## Create, read, write, and delete generic -+## spool files. - ## --## --##

    --## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

    --##

    --## Related interfaces: --##

    --##
      --##
    • files_pid_file()
    • --##
    --##

    --## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

    --##

    --## type mypidfile_t; --## files_pid_file(mypidfile_t) --## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; --## files_pid_filetrans(mydomain_t, mypidfile_t, file) --##

    --##
    - ## - ## - ## Domain allowed access. - ## - ## --## ++## +# -+interface(`files_manage_generic_spool',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` -+ type var_t, var_spool_t; ++ attribute spoolfile; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) ++ allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## -+## Create objects in the spool directory -+## with a private type with a type transition. ++## Relabel to and from all spool ++## directory types. +## +## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## --## -+## - ## --## The object class of the object being created. -+## Type to which the created node will be transitioned. +## +## -+## ++## ++# ++interface(`files_relabel_all_spool_dirs',` ++ gen_require(` ++ attribute spoolfile; ++ type var_t; ++ ') ++ ++ relabel_dirs_pattern($1, spoolfile, spoolfile) ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## +## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. - ## - ## - ## - ## --## The name of the object being created. -+## The name of the object being created. ++## Domain allowed access. +## +## +# -+interface(`files_spool_filetrans',` ++interface(`files_search_spool',` + gen_require(` + type var_t, var_spool_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ search_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## -+## Allow access to manage all polyinstantiated -+## directories on the system. ++## Do not audit attempts to search generic ++## spool directories. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_polyinstantiate_all',` ++interface(`files_dontaudit_search_spool',` + gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; ++ type var_spool_t; + ') + -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') + -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') + -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ list_dirs_pattern($1, var_t, var_spool_t) ++') + -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') + -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') + -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; + ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Unconfined access to files. ++## Create, read, write, and delete generic ++## spool files. +## +## +## @@ -13089,16 +11162,39 @@ index 64ff4d7..87c124c 100644 +## +## +# -+interface(`files_unconfined',` ++interface(`files_manage_generic_spool',` + gen_require(` -+ attribute files_unconfined_type; ++ type var_t, var_spool_t; + ') + -+ typeattribute $1 files_unconfined_type; ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## + ## + ## + ## +@@ -6562,3 +7781,459 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') ++ ++######################################## ++## +## Create a core files in / +## +## @@ -13109,37 +11205,28 @@ index 64ff4d7..87c124c 100644 +## +## +## Domain allowed access. - ## - ## --## ++## ++## +## - # --interface(`files_pid_filetrans',` ++# +interface(`files_manage_root_files',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type root_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ ') ++ + manage_files_pattern($1, root_t, root_t) - ') - - ######################################## - ## --## Create a generic lock directory within the run directories ++') ++ ++######################################## ++## +## Create a default directory - ## ++## +## +##

    +## Create a default_t direcrory +##

    +##
    - ## --## --## Domain allowed access ++## +## +## Domain allowed access. +## @@ -13162,367 +11249,272 @@ index 64ff4d7..87c124c 100644 +## +## +## Domain allowed access. - ## - ## --## ++## ++## +## - ## --## The name of the object being created. ++## +## The class of the object being created. - ## - ## - # --interface(`files_pid_filetrans_lock_dir',` -- gen_require(` -- type var_lock_t; -- ') ++## ++## ++# +interface(`files_root_filetrans_default',` + gen_require(` + type root_t, default_t; + ') - -- files_pid_filetrans($1, var_lock_t, dir, $2) ++ + filetrans_pattern($1, root_t, default_t, $2) - ') - - ######################################## - ## --## Read and write generic process ID files. ++') ++ ++######################################## ++## +## manage generic symbolic links +## in the /var/run directory. - ## - ## - ## -@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_generic_pids_symlinks',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + manage_lnk_files_pattern($1,var_run_t,var_run_t) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. ++') ++ ++######################################## ++## +## Do not audit attempts to getattr +## all tmpfs files. - ## - ## - ## -@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',` - ## - ## - # --interface(`files_dontaudit_getattr_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_getattr_tmpfs_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute tmpfsfile; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file getattr; ++ ') ++ + allow $1 tmpfsfile:file getattr; - ') - - ######################################## - ## --## Do not audit attempts to write to daemon runtime data files. ++') ++ ++######################################## ++## +## Allow read write all tmpfs files - ## - ## - ## -@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',` - ## - ## - # --interface(`files_dontaudit_write_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_rw_tmpfs_files',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute tmpfsfile; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file write; ++ ') ++ + allow $1 tmpfsfile:file { read write }; - ') - - ######################################## - ## --## Do not audit attempts to ioctl daemon runtime data files. ++') ++ ++######################################## ++## +## Do not audit attempts to read security files - ## - ## - ## -@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',` - ## - ## - # --interface(`files_dontaudit_ioctl_all_pids',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_read_security_files',` - gen_require(` -- attribute pidfile; -- type var_run_t; ++ gen_require(` + attribute security_file_type; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 pidfile:file ioctl; ++ ') ++ + dontaudit $1 security_file_type:file read_file_perms; - ') - - ######################################## - ## --## Read all process ID files. ++') ++ ++######################################## ++## +## rw any files inherited from another process - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +## +## Object type. +## +## - # --interface(`files_read_all_pids',` ++# +interface(`files_rw_all_inherited_files',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) ++ ') ++ + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## - ## --## Delete all process IDs. ++') ++ ++######################################## ++## +## Allow any file point to be the entrypoint of this domain - ## - ## - ## -@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',` - ## - ## - # --interface(`files_delete_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# +interface(`files_entrypoint_all_files',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute file_type; - ') -- -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ ') + allow $1 file_type:file entrypoint; - ') - - ######################################## - ## --## Delete all process ID directories. ++') ++ ++######################################## ++## +## Do not audit attempts to rw inherited file perms +## of non security files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_delete_all_pid_dirs',` ++## ++## ++# +interface(`files_dontaudit_all_non_security_leaks',` - gen_require(` -- attribute pidfile; -- type var_t, var_run_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) ++ ') ++ + dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++') ++ ++######################################## ++## +## Do not audit attempts to read or write +## all leaked files. - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_all_pids',` ++## ++## ++# +interface(`files_dontaudit_leaks',` - gen_require(` -- attribute pidfile; ++ gen_require(` + attribute file_type; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++ ') ++ + dontaudit $1 file_type:file rw_inherited_file_perms; + dontaudit $1 file_type:lnk_file { read }; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Allow domain to create_file_ass all types - ## - ## - ## -@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_create_as_is_all_files',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute file_type; + class kernel_service create_files_as; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + allow $1 file_type:kernel_service create_files_as; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). ++') ++ ++######################################## ++## +## Do not audit attempts to check the +## access on all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_search_spool',` ++## ++## ++# +interface(`files_dontaudit_all_access_check',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute file_type; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + dontaudit $1 file_type:dir_file_class_set audit_access; - ') - - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. ++') ++ ++######################################## ++## +## Do not audit attempts to write to all files - ## - ## - ## -@@ -6368,186 +8025,169 @@ interface(`files_search_spool',` - ## - ## - # --interface(`files_dontaudit_search_spool',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# +interface(`files_dontaudit_write_all_files',` - gen_require(` -- type var_spool_t; ++ gen_require(` + attribute file_type; - ') - -- dontaudit $1 var_spool_t:dir search_dir_perms; ++ ') ++ + dontaudit $1 file_type:dir_file_class_set write; - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. ++') ++ ++######################################## ++## +## Allow domain to delete to all files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_list_spool',` ++## ++## ++# +interface(`files_delete_all_non_security_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute non_security_file_type; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + allow $1 non_security_file_type:dir del_entry_dir_perms; + allow $1 non_security_file_type:file_class_set delete_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). ++') ++ ++######################################## ++## +## Transition named content in the var_run_t directory - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_spool_dirs',` ++## ++## ++# +interface(`files_filetrans_named_content',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + type mnt_t; + type usr_t; + type var_t; + type tmp_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -13544,15 +11536,13 @@ index 64ff4d7..87c124c 100644 + files_etc_filetrans_etc_runtime($1, file, "hwconf") + files_etc_filetrans_etc_runtime($1, file, "iptables.save") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") - ') - - ######################################## - ## --## Read generic spool files. ++') ++ ++######################################## ++## +## Make the specified type a +## base file. - ## --## ++## +## +##

    +## Identify file type as base file type. Tools will use this attribute, @@ -13560,185 +11550,103 @@ index 64ff4d7..87c124c 100644 +##

    +##
    +## - ## --## Domain allowed access. ++## +## Type to be used as a base files. - ## - ## ++## ++## +## - # --interface(`files_read_generic_spool',` ++# +interface(`files_base_file',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_file_type; - ') -- -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ ') + files_type($1) + typeattribute $1 base_file_type; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## Make the specified type a +## base read only file. - ## --## ++## +## +##

    +## Make the specified type readable for all domains. +##

    +##
    +## - ## --## Domain allowed access. ++## +## Type to be used as a base read only files. - ## - ## ++## ++## +## - # --interface(`files_manage_generic_spool',` ++# +interface(`files_ro_base_file',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_ro_file_type; - ') -- -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') + files_base_file($1) + typeattribute $1 base_ro_file_type; - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Read all ro base files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## --## --## The name of the object being created. --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_spool_filetrans',` ++# +interface(`files_read_all_base_ro_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute base_ro_file_type; - ') - -- allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ ') ++ + list_dirs_pattern($1, base_ro_file_type, base_ro_file_type) + read_files_pattern($1, base_ro_file_type, base_ro_file_type) + read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Execute all base ro files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_polyinstantiate_all',` ++# +interface(`files_exec_all_base_ro_files',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute base_ro_file_type; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) -- -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) -- ') ++ ') ++ + can_exec($1, base_ro_file_type) - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Allow the specified domain to modify the systemd configuration of +## any file. - ## - ## - ## -@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',` - ## - ## - # --interface(`files_unconfined',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_config_all_files',` - gen_require(` -- attribute files_unconfined_type; ++ gen_require(` + attribute file_type; - ') - -- typeattribute $1 files_unconfined_type; ++ ') ++ + allow $1 file_type:service all_service_perms; - ') ++') + diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 148d87a..822f6be 100644 @@ -13961,7 +11869,7 @@ index cda5588..3035829 100644 +/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/[^/]*/gvfs/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..60b2ce1 100644 +index 8416beb..0776923 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -14024,7 +11932,14 @@ index 8416beb..60b2ce1 100644 ## list cgroup directories. ##
    ## -@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', ` +@@ -659,15 +700,35 @@ interface(`fs_search_cgroup_dirs',` + ##
    + ## + # +-interface(`fs_list_cgroup_dirs', ` ++interface(`fs_list_cgroup_dirs',` + gen_require(` + type cgroup_t; ') list_dirs_pattern($1, cgroup_t, cgroup_t) @@ -18196,7 +16111,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..8bd910a 100644 +index 5da7870..3577c24 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,67 @@ policy_module(staff, 2.3.1) @@ -18516,7 +16431,7 @@ index 5da7870..8bd910a 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +363,21 @@ ifndef(`distro_redhat',` +@@ -176,3 +363,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -18535,7 +16450,8 @@ index 5da7870..8bd910a 100644 + allow staff_t self:fifo_file relabelfrom; + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) -+ virt_stream_connect_svirt(staff_t) ++ virt_stream_connect_svirt(staff_t) ++ virt_exec(staff_t) + ') +') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if @@ -25455,7 +23371,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..792df83 100644 +index 3efd5b6..5188076 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -25477,7 +23393,12 @@ index 3efd5b6..792df83 100644 ') ######################################## -@@ -57,6 +63,8 @@ interface(`auth_use_pam',` +@@ -53,10 +59,12 @@ interface(`auth_use_pam',` + auth_read_login_records($1) + auth_append_login_records($1) + auth_rw_lastlog($1) +- auth_rw_faillog($1) ++ auth_manage_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) @@ -34542,7 +32463,7 @@ index 3822072..1029e3b 100644 + userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..d08ae58 100644 +index ec01d0b..73ef1e8 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` @@ -34761,7 +32682,7 @@ index ec01d0b..d08ae58 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -276,25 +310,38 @@ term_relabel_all_ptys(newrole_t) +@@ -276,25 +310,34 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) @@ -34769,10 +32690,6 @@ index ec01d0b..d08ae58 100644 -auth_run_chk_passwd(newrole_t, newrole_roles) -auth_run_upd_passwd(newrole_t, newrole_roles) -auth_rw_faillog(newrole_t) -+#auth_use_nsswitch(newrole_t) -+#auth_run_chk_passwd(newrole_t, newrole_roles) -+#auth_run_upd_passwd(newrole_t, newrole_roles) -+#auth_rw_faillog(newrole_t) +auth_use_pam(newrole_t) # Write to utmp. @@ -34807,7 +32724,7 @@ index ec01d0b..d08ae58 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -309,7 +356,7 @@ if(secure_mode) { +@@ -309,7 +352,7 @@ if(secure_mode) { userdom_spec_domtrans_all_users(newrole_t) } @@ -34816,7 +32733,7 @@ index ec01d0b..d08ae58 100644 files_polyinstantiate_all(newrole_t) ') -@@ -328,9 +375,13 @@ kernel_use_fds(restorecond_t) +@@ -328,9 +371,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -34831,7 +32748,7 @@ index ec01d0b..d08ae58 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,16 +392,17 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,16 +388,17 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -34851,7 +32768,7 @@ index ec01d0b..d08ae58 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -366,21 +418,24 @@ optional_policy(` +@@ -366,21 +414,24 @@ optional_policy(` # Run_init local policy # @@ -34878,7 +32795,7 @@ index ec01d0b..d08ae58 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,23 +453,30 @@ selinux_compute_create_context(run_init_t) +@@ -398,23 +449,30 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -34914,7 +32831,7 @@ index ec01d0b..d08ae58 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +487,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +483,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -34934,7 +32851,7 @@ index ec01d0b..d08ae58 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +515,87 @@ optional_policy(` +@@ -440,81 +511,87 @@ optional_policy(` # semodule local policy # @@ -35075,7 +32992,7 @@ index ec01d0b..d08ae58 100644 ') ######################################## -@@ -522,108 +603,178 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +599,178 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 18b44ed..e01db22 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -6715,7 +6715,7 @@ index f3c0aba..5189407 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index b236327..7e05d8c 100644 +index b236327..f194ee1 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -6728,7 +6728,18 @@ index b236327..7e05d8c 100644 ######################################## # # Local policy -@@ -54,7 +57,6 @@ kernel_read_system_state(apcupsd_t) +@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; + allow apcupsd_t apcupsd_lock_t:file manage_file_perms; + files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) + +-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) +-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) +-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) ++manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) + logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) + + manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) +@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t) corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) @@ -6736,7 +6747,7 @@ index b236327..7e05d8c 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,6 +69,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,6 +67,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) @@ -6744,7 +6755,7 @@ index b236327..7e05d8c 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +77,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +75,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -6772,7 +6783,7 @@ index b236327..7e05d8c 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -112,7 +119,6 @@ optional_policy(` +@@ -112,7 +117,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -8088,7 +8099,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..6bf02f0 100644 +index 076ffee..e3dbd11 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -8110,9 +8121,12 @@ index 076ffee..6bf02f0 100644 type named_log_t; logging_log_file(named_log_t) -@@ -70,6 +73,7 @@ role ndc_roles types ndc_t; +@@ -68,8 +71,9 @@ role ndc_roles types ndc_t; + # Local policy + # - allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; +-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource }; ++allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource }; dontaudit named_t self:capability sys_tty_config; +allow named_t self:capability2 block_suspend; allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; @@ -9905,7 +9919,7 @@ index 2354e21..fb8c9ed 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..8da9f32 100644 +index 403af41..48a40cd 100644 --- a/certwatch.te +++ b/certwatch.te @@ -20,33 +20,42 @@ role certwatch_roles types certwatch_t; @@ -9943,7 +9957,7 @@ index 403af41..8da9f32 100644 +userdom_dontaudit_list_admin_dir(certwatch_t) optional_policy(` -+ apache_exec(certwatch_t) ++ apache_domtrans(certwatch_t) apache_exec_modules(certwatch_t) apache_read_config(certwatch_t) ') @@ -10183,19 +10197,22 @@ index fdee107..7a38b63 100644 +logging_send_syslog_msg(cgred_t) diff --git a/chrome.fc b/chrome.fc new file mode 100644 -index 0000000..88107d7 +index 0000000..57866f6 --- /dev/null +++ b/chrome.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,9 @@ +/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) + +/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) +/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0) ++ ++HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) ++HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..36bd6be +index 0000000..5977d96 --- /dev/null +++ b/chrome.if @@ -0,0 +1,134 @@ @@ -10285,9 +10302,9 @@ index 0000000..36bd6be + + allow chrome_sandbox_t $2:unix_dgram_socket { read write }; + allow $2 chrome_sandbox_t:unix_dgram_socket { read write }; -+ allow chrome_sandbox_t $2:unix_stream_socket { append getattr read write }; ++ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;; + dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown; -+ allow chrome_sandbox_nacl_t $2:unix_stream_socket { getattr read write }; ++ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms; + allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write }; + allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write }; + @@ -10335,10 +10352,10 @@ index 0000000..36bd6be +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..6300c78 +index 0000000..41d3959 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,205 @@ +@@ -0,0 +1,220 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -10365,6 +10382,9 @@ index 0000000..6300c78 +role system_r types chrome_sandbox_nacl_t; +ubac_constrained(chrome_sandbox_nacl_t) + ++type chrome_sandbox_home_t; ++userdom_user_home_content(chrome_sandbox_home_t) ++ +######################################## +# +# chrome_sandbox local policy @@ -10382,12 +10402,17 @@ index 0000000..6300c78 +allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms; +dontaudit chrome_sandbox_t self:memprotect mmap_zero; + ++manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++ +manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t) +files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) ++userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file }) + +manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) -+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, file) ++fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir }) + +kernel_read_system_state(chrome_sandbox_t) +kernel_read_kernel_sysctls(chrome_sandbox_t) @@ -10444,6 +10469,9 @@ index 0000000..6300c78 +optional_policy(` + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") ++ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome") ++ +') + +optional_policy(` @@ -10520,10 +10548,14 @@ index 0000000..6300c78 +domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t) +ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t) + ++manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t) ++ +kernel_read_state(chrome_sandbox_nacl_t) +kernel_read_system_state(chrome_sandbox_nacl_t) + -+corecmd_sbin_entry_type(chrome_sandbox_nacl_t) ++corecmd_bin_entry_type(chrome_sandbox_nacl_t) + +dev_read_urand(chrome_sandbox_nacl_t) +dev_read_sysfs(chrome_sandbox_nacl_t) @@ -11887,7 +11919,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..afeb58c 100644 +index 6471fa8..ace40ae 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) @@ -11905,28 +11937,37 @@ index 6471fa8..afeb58c 100644 ######################################## # # Local policy -@@ -38,6 +44,7 @@ allow collectd_t self:process { getsched setsched signal }; +@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; -+allow collectd_t self:netlink_tcpdiag_socket create_socket_perms; ++allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow collectd_t self:udp_socket create_socket_perms; manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -48,21 +55,18 @@ files_pid_filetrans(collectd_t, collectd_var_run_t, file) +@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) + manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) + files_pid_filetrans(collectd_t, collectd_var_run_t, file) - domain_use_interactive_fds(collectd_t) +-domain_use_interactive_fds(collectd_t) ++kernel_read_all_sysctls(collectd_t) ++kernel_read_all_proc(collectd_t) ++kernel_list_all_proc(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) -+kernel_read_all_sysctls(collectd_t) -+kernel_read_all_proc(collectd_t) ++corenet_udp_bind_generic_node(collectd_t) ++corenet_udp_bind_collectd_port(collectd_t) dev_read_rand(collectd_t) dev_read_sysfs(collectd_t) dev_read_urand(collectd_t) ++domain_use_interactive_fds(collectd_t) ++domain_read_all_domains_state(collectd_t) ++ files_getattr_all_dirs(collectd_t) -files_read_etc_files(collectd_t) -files_read_usr_files(collectd_t) @@ -11938,7 +11979,7 @@ index 6471fa8..afeb58c 100644 logging_send_syslog_msg(collectd_t) -@@ -80,11 +84,17 @@ optional_policy(` +@@ -80,11 +90,17 @@ optional_policy(` ######################################## # @@ -16289,7 +16330,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..c861b5b 100644 +index 9f34c2e..52c170f 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16629,7 +16670,7 @@ index 9f34c2e..c861b5b 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +410,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +410,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16639,9 +16680,10 @@ index 9f34c2e..c861b5b 100644 stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) can_exec(cupsd_config_t, cupsd_config_exec_t) - --domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) - +-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) ++can_exec(cupsd_config_t, cupsd_exec_t) + kernel_read_system_state(cupsd_config_t) kernel_read_all_sysctls(cupsd_config_t) @@ -16649,7 +16691,7 @@ index 9f34c2e..c861b5b 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +427,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +428,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -16670,7 +16712,7 @@ index 9f34c2e..c861b5b 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +444,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +445,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16682,7 +16724,7 @@ index 9f34c2e..c861b5b 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +471,12 @@ optional_policy(` +@@ -452,9 +472,12 @@ optional_policy(` ') optional_policy(` @@ -16696,7 +16738,7 @@ index 9f34c2e..c861b5b 100644 ') optional_policy(` -@@ -490,10 +512,6 @@ optional_policy(` +@@ -490,10 +513,6 @@ optional_policy(` # Lpd local policy # @@ -16707,7 +16749,7 @@ index 9f34c2e..c861b5b 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +529,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +530,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16740,7 +16782,7 @@ index 9f34c2e..c861b5b 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +555,6 @@ optional_policy(` +@@ -546,7 +556,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -16748,7 +16790,7 @@ index 9f34c2e..c861b5b 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +570,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +571,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -16900,7 +16942,7 @@ index 9f34c2e..c861b5b 100644 ######################################## # -@@ -731,7 +614,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +615,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -16908,7 +16950,7 @@ index 9f34c2e..c861b5b 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +623,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +624,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -16922,7 +16964,7 @@ index 9f34c2e..c861b5b 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +635,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +636,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -23993,7 +24035,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..16c0ddd 100644 +index e0a4f46..79bc951 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -24027,7 +24069,7 @@ index e0a4f46..16c0ddd 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,21 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -24040,6 +24082,7 @@ index e0a4f46..16c0ddd 100644 corenet_tcp_sendrecv_all_ports(glance_domain) corenet_tcp_bind_generic_node(glance_domain) +corenet_tcp_connect_mysqld_port(glance_domain) ++corenet_tcp_connect_http_port(glance_domain) corecmd_exec_bin(glance_domain) corecmd_exec_shell(glance_domain) @@ -24057,7 +24100,7 @@ index e0a4f46..16c0ddd 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +84,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -24072,7 +24115,7 @@ index e0a4f46..16c0ddd 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +110,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -32070,7 +32113,7 @@ index e736c45..4b1e1e4 100644 /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if -index c530214..eadf7e0 100644 +index c530214..641f494 100644 --- a/ksmtuned.if +++ b/ksmtuned.if @@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` @@ -32103,7 +32146,7 @@ index c530214..eadf7e0 100644 ######################################## ## ## All of the rules required to -@@ -57,21 +80,26 @@ interface(`ksmtuned_initrc_domtrans',` +@@ -57,21 +80,24 @@ interface(`ksmtuned_initrc_domtrans',` # interface(`ksmtuned_admin',` gen_require(` @@ -32132,11 +32175,9 @@ index c530214..eadf7e0 100644 logging_search_logs($1) admin_pattern($1, ksmtuned_log_t) + -+ ksmtuned_systemctl($1) -+ admin_pattern($1, ksmtuned_unit_file_t) -+ allow $1 ksmtuned_unit_file_t:service all_service_perms; -+ -+ ++ ksmtuned_systemctl($1) ++ admin_pattern($1, ksmtuned_unit_file_t) ++ allow $1 ksmtuned_unit_file_t:service all_service_perms; ') diff --git a/ksmtuned.te b/ksmtuned.te index c1539b5..fd0a17f 100644 @@ -37336,7 +37377,7 @@ index 6194b80..116d9d2 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..3ac5d92 100644 +index 6a306ee..66e7ada 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -37345,7 +37386,7 @@ index 6a306ee..3ac5d92 100644 ######################################## # -@@ -6,17 +6,27 @@ policy_module(mozilla, 2.7.4) +@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4) # ## @@ -37362,6 +37403,13 @@ index 6a306ee..3ac5d92 100644 + +## +##

    ++## Allow mozilla plugin to support spice protocols. ++##

    ++##
    ++gen_tunable(mozilla_plugin_use_spice, false) ++ ++## ++##

    +## Allow confined web browsers to read home directory content +##

    +##
    @@ -37378,7 +37426,7 @@ index 6a306ee..3ac5d92 100644 type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -@@ -24,6 +34,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; @@ -37388,7 +37436,7 @@ index 6a306ee..3ac5d92 100644 type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,29 +44,24 @@ userdom_user_home_content(mozilla_home_t) +@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -37423,7 +37471,7 @@ index 6a306ee..3ac5d92 100644 type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) -@@ -63,10 +71,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -37434,7 +37482,7 @@ index 6a306ee..3ac5d92 100644 ######################################## # # Local policy -@@ -75,27 +79,30 @@ optional_policy(` +@@ -75,27 +86,30 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; @@ -37478,7 +37526,7 @@ index 6a306ee..3ac5d92 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +110,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -37586,7 +37634,7 @@ index 6a306ee..3ac5d92 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +181,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -37594,15 +37642,15 @@ index 6a306ee..3ac5d92 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) - -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -37697,7 +37745,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -244,19 +261,12 @@ optional_policy(` +@@ -244,19 +268,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -37719,7 +37767,7 @@ index 6a306ee..3ac5d92 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +275,32 @@ optional_policy(` +@@ -265,33 +282,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -37732,34 +37780,34 @@ index 6a306ee..3ac5d92 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) -+') -+ -+optional_policy(` -+ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ lpd_domtrans_lpr(mozilla_t) ++ java_domtrans(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ nscd_socket_use(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) ++ nscd_socket_use(mozilla_t) ++') ++ ++optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -37767,7 +37815,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -300,221 +309,174 @@ optional_policy(` +@@ -300,221 +316,174 @@ optional_policy(` ######################################## # @@ -37849,12 +37897,12 @@ index 6a306ee..3ac5d92 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; -- --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) @@ -38084,7 +38132,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -523,36 +485,47 @@ optional_policy(` +@@ -523,36 +492,47 @@ optional_policy(` ') optional_policy(` @@ -38145,7 +38193,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -560,7 +533,7 @@ optional_policy(` +@@ -560,7 +540,7 @@ optional_policy(` ') optional_policy(` @@ -38154,7 +38202,7 @@ index 6a306ee..3ac5d92 100644 ') optional_policy(` -@@ -568,108 +541,109 @@ optional_policy(` +@@ -568,108 +548,113 @@ optional_policy(` ') optional_policy(` @@ -38310,13 +38358,10 @@ index 6a306ee..3ac5d92 100644 -optional_policy(` - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) --') +#tunable_policy(`mozilla_plugin_enable_homedirs',` +# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +#', ` - --optional_policy(` -- xserver_use_user_fonts(mozilla_plugin_config_t) ++ + #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file) + #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir) +#') @@ -38324,6 +38369,12 @@ index 6a306ee..3ac5d92 100644 +tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(mozilla_plugin_t) ') + +-optional_policy(` +- xserver_use_user_fonts(mozilla_plugin_config_t) ++tunable_policy(`mozilla_plugin_use_spice',` ++ dev_rw_generic_usb_dev(mozilla_plugin_t) + ') diff --git a/mpd.fc b/mpd.fc index 313ce52..6aa46d2 100644 --- a/mpd.fc @@ -42355,7 +42406,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..5ba0194 100644 +index 44ad3b7..d731adf 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -42505,7 +42556,15 @@ index 44ad3b7..5ba0194 100644 corecmd_exec_bin(nagios_services_plugin_t) -@@ -411,6 +411,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ +@@ -391,6 +391,7 @@ optional_policy(` + + optional_policy(` + mysql_stream_connect(nagios_services_plugin_t) ++ mysql_read_config(nagios_services_plugin_t) + ') + + optional_policy(` +@@ -411,6 +412,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t) files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file }) @@ -42513,7 +42572,7 @@ index 44ad3b7..5ba0194 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +421,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,10 +422,10 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -42526,7 +42585,7 @@ index 44ad3b7..5ba0194 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,6 +443,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) +@@ -442,6 +444,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -42541,7 +42600,7 @@ index 44ad3b7..5ba0194 100644 ######################################## # # Unconfined plugin policy -@@ -450,3 +459,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) +@@ -450,3 +460,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t) optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -46962,7 +47021,7 @@ index 57c0161..54bd4d7 100644 + ps_process_pattern($1, swift_t) ') diff --git a/nut.te b/nut.te -index 0c9deb7..dbc52a1 100644 +index 0c9deb7..ea0ba5c 100644 --- a/nut.te +++ b/nut.te @@ -1,121 +1,108 @@ @@ -47163,7 +47222,13 @@ index 0c9deb7..dbc52a1 100644 corecmd_exec_bin(nut_upsdrvctl_t) dev_read_sysfs(nut_upsdrvctl_t) -@@ -144,17 +144,28 @@ auth_use_nsswitch(nut_upsdrvctl_t) +@@ -139,22 +139,34 @@ dev_read_urand(nut_upsdrvctl_t) + dev_rw_generic_usb_dev(nut_upsdrvctl_t) + + term_use_unallocated_ttys(nut_upsdrvctl_t) ++term_use_usb_ttys(nut_upsdrvctl_t) + + auth_use_nsswitch(nut_upsdrvctl_t) init_sigchld(nut_upsdrvctl_t) @@ -50670,28 +50735,59 @@ index dfd46e4..9515043 100644 /usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) diff --git a/pegasus.if b/pegasus.if -index d2fc677..22b745a 100644 +index d2fc677..ded726f 100644 --- a/pegasus.if +++ b/pegasus.if -@@ -1,52 +1,37 @@ +@@ -1,52 +1,59 @@ ## The Open Group Pegasus CIM/WBEM Server. --######################################## +###################################### - ## --## All of the rules required to --## administrate an pegasus environment. ++## +## Creates types and rules for a basic +## openlmi init daemon domain. - ## --## --## --## Domain allowed access. --## ++## +## +## +## Prefix for the domain. +## ++## ++# ++template(`pegasus_openlmi_domain_template',` ++ gen_require(` ++ attribute pegasus_openlmi_domain; ++ type pegasus_t; ++ ') ++ ++ ############################## ++ # ++ # Declarations ++ # ++ ++ type pegasus_openlmi_$1_t, pegasus_openlmi_domain; ++ type pegasus_openlmi_$1_exec_t; ++ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t) ++ ++ ############################## ++ # ++ # Local policy ++ # ++ ++ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t) ++ ++ kernel_read_system_state(pegasus_openlmi_$1_t) ++ logging_send_syslog_msg(pegasus_openlmi_$1_t) ++') ++ + ######################################## + ## +-## All of the rules required to +-## administrate an pegasus environment. ++## Connect to pegasus over a unix stream socket. + ## + ## + ## + ## Domain allowed access. + ## ## -## -## @@ -50701,12 +50797,14 @@ index d2fc677..22b745a 100644 -## # -interface(`pegasus_admin',` -- gen_require(` ++interface(`pegasus_stream_connect',` + gen_require(` - type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t; - type pegasus_cache_t, pegasus_data_t, pegasus_conf_t; - type pegasus_mof_t, pegasus_var_run_t; -- ') -- ++ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t; + ') + - allow $1 pegasus_t:process { ptrace signal_perms }; - ps_process_pattern($1, pegasus_t) - @@ -50730,34 +50828,14 @@ index d2fc677..22b745a 100644 - files_search_var_lib($1) - admin_pattern($1, pegasus_data_t) - -- files_search_pids($1) + files_search_pids($1) - admin_pattern($1, pegasus_var_run_t) -+template(`pegasus_openlmi_domain_template',` -+ gen_require(` -+ attribute pegasus_openlmi_domain; -+ ') -+ -+ ############################## -+ # -+ # Declarations -+ # -+ -+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain; -+ type $1_exec_t; -+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t) -+ -+ ############################## -+ # -+ # Local policy -+ # -+ -+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t) -+ -+ kernel_read_system_state(pegasus_openlmi_$1_t) -+ logging_send_syslog_msg(pegasus_openlmi_$1_t) ++ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t) ++ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t) ') ++ diff --git a/pegasus.te b/pegasus.te -index 7bcf327..36032a6 100644 +index 7bcf327..832de74 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -50781,22 +50859,62 @@ index 7bcf327..36032a6 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,33 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,73 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers -+#pegasus_openlmi_domain_template(account) ++pegasus_openlmi_domain_template(account) + +####################################### +# +# pegasus openlmi providers local policy +# + ++allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; ++ ++list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++read_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++ +corecmd_exec_bin(pegasus_openlmi_domain) + +sysnet_read_config(pegasus_openlmi_domain) + ++optional_policy(` ++ pegasus_stream_connect(pegasus_openlmi_domain) ++') ++ ++###################################### ++# ++# pegasus openlmi account local policy ++# ++ ++allow pegasus_openlmi_account_t self:capability { setuid chown setgid dac_override }; ++allow pegasus_openlmi_account_t self:process setfscreate; ++ ++auth_manage_passwd(pegasus_openlmi_account_t) ++auth_manage_shadow(pegasus_openlmi_account_t) ++auth_relabel_shadow(pegasus_openlmi_account_t) ++auth_etc_filetrans_shadow(pegasus_openlmi_account_t) ++ ++init_rw_utmp(pegasus_openlmi_account_t) ++ ++logging_send_syslog_msg(pegasus_openlmi_account_t) ++ ++seutil_read_config(pegasus_openlmi_account_t) ++seutil_read_file_contexts(pegasus_openlmi_account_t) ++seutil_read_default_contexts(pegasus_openlmi_account_t) ++ ++# Add/remove user home directories ++userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t) ++userdom_manage_home_role(system_r, pegasus_openlmi_account_t) ++userdom_delete_all_user_home_content(pegasus_openlmi_account_t) ++ ++optional_policy(` ++ # run userdel ++ usermanage_domtrans_useradd(pegasus_openlmi_account_t) ++') ++ ######################################## # -# Local policy @@ -50819,7 +50937,7 @@ index 7bcf327..36032a6 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +66,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +106,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -50850,7 +50968,7 @@ index 7bcf327..36032a6 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +92,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +132,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -50883,7 +51001,7 @@ index 7bcf327..36032a6 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +120,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +160,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -50891,7 +51009,7 @@ index 7bcf327..36032a6 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +135,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +175,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -50923,7 +51041,7 @@ index 7bcf327..36032a6 100644 ') optional_policy(` -@@ -151,16 +165,19 @@ optional_policy(` +@@ -151,16 +205,19 @@ optional_policy(` ') optional_policy(` @@ -50947,7 +51065,7 @@ index 7bcf327..36032a6 100644 ') optional_policy(` -@@ -168,7 +185,7 @@ optional_policy(` +@@ -168,7 +225,7 @@ optional_policy(` ') optional_policy(` @@ -53258,7 +53376,7 @@ index 032a84d..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policykit.te b/policykit.te -index 49694e8..3ad3019 100644 +index 49694e8..12483ae 100644 --- a/policykit.te +++ b/policykit.te @@ -1,4 +1,4 @@ @@ -53290,7 +53408,7 @@ index 49694e8..3ad3019 100644 type policykit_resolve_t, policykit_domain; type policykit_resolve_exec_t; -@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t) +@@ -42,63 +37,65 @@ files_pid_file(policykit_var_run_t) ####################################### # @@ -53357,6 +53475,7 @@ index 49694e8..3ad3019 100644 +fs_getattr_all_fs(policykit_t) fs_list_inotifyfs(policykit_t) ++fs_list_cgroup_dirs(policykit_t) auth_use_nsswitch(policykit_t) @@ -53374,7 +53493,7 @@ index 49694e8..3ad3019 100644 optional_policy(` consolekit_dbus_chat(policykit_t) ') -@@ -109,29 +105,43 @@ optional_policy(` +@@ -109,29 +106,43 @@ optional_policy(` ') optional_policy(` @@ -53426,7 +53545,7 @@ index 49694e8..3ad3019 100644 rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t) -@@ -145,9 +155,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) +@@ -145,9 +156,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir }) @@ -53436,7 +53555,7 @@ index 49694e8..3ad3019 100644 kernel_dontaudit_search_kernel_sysctl(policykit_auth_t) dev_read_video_dev(policykit_auth_t) -@@ -157,53 +164,64 @@ files_search_home(policykit_auth_t) +@@ -157,53 +165,64 @@ files_search_home(policykit_auth_t) fs_getattr_all_fs(policykit_auth_t) fs_search_tmpfs(policykit_auth_t) @@ -53511,7 +53630,7 @@ index 49694e8..3ad3019 100644 rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t) -@@ -211,23 +229,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t +@@ -211,23 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t) @@ -53538,7 +53657,7 @@ index 49694e8..3ad3019 100644 optional_policy(` consolekit_dbus_chat(policykit_grant_t) ') -@@ -235,26 +250,28 @@ optional_policy(` +@@ -235,26 +251,28 @@ optional_policy(` ######################################## # @@ -53573,7 +53692,7 @@ index 49694e8..3ad3019 100644 userdom_read_all_users_state(policykit_resolve_t) optional_policy(` -@@ -266,6 +283,7 @@ optional_policy(` +@@ -266,6 +284,7 @@ optional_policy(` ') optional_policy(` @@ -55197,7 +55316,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..a9c1d4b 100644 +index 191a66f..e9e96bd 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -55291,9 +55410,8 @@ index 191a66f..a9c1d4b 100644 ######################################## # -# Common postfix domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_domain self:capability { sys_nice sys_chroot }; -dontaudit postfix_domain self:capability sys_tty_config; -allow postfix_domain self:process { signal_perms setpgid setsched }; @@ -55381,8 +55499,9 @@ index 191a66f..a9c1d4b 100644 -######################################## -# -# Master local policy --# -- ++# Postfix master process local policy + # + -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; @@ -55406,10 +55525,10 @@ index 191a66f..a9c1d4b 100644 -allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock }; +allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock }; -+ -+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; -allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms; ++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms; ++ +allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms; + +manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) @@ -55456,17 +55575,17 @@ index 191a66f..a9c1d4b 100644 +rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") -+kernel_read_all_sysctls(postfix_master_t) - --can_exec(postfix_master_t, postfix_exec_t) - +-can_exec(postfix_master_t, postfix_exec_t) + -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -- ++kernel_read_all_sysctls(postfix_master_t) + -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) @@ -55869,7 +55988,7 @@ index 191a66f..a9c1d4b 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +577,78 @@ optional_policy(` +@@ -647,67 +577,77 @@ optional_policy(` ######################################## # @@ -55915,12 +56034,11 @@ index 191a66f..a9c1d4b 100644 +allow postfix_showq_t self:tcp_socket create_socket_perms; allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms }; -+rw_files_pattern(postfix_showq_t, postfix_var_run_t, postfix_var_run_t) -+ + +allow postfix_showq_t postfix_spool_t:file read_file_perms; + +postfix_list_spool(postfix_showq_t) - ++ allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; @@ -55966,7 +56084,7 @@ index 191a66f..a9c1d4b 100644 ') optional_policy(` -@@ -720,24 +661,27 @@ optional_policy(` +@@ -720,24 +660,27 @@ optional_policy(` ######################################## # @@ -56000,7 +56118,7 @@ index 191a66f..a9c1d4b 100644 fs_getattr_all_dirs(postfix_smtpd_t) fs_getattr_all_fs(postfix_smtpd_t) -@@ -754,6 +698,7 @@ optional_policy(` +@@ -754,6 +697,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -56008,7 +56126,7 @@ index 191a66f..a9c1d4b 100644 ') optional_policy(` -@@ -764,31 +709,99 @@ optional_policy(` +@@ -764,31 +708,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -56075,7 +56193,7 @@ index 191a66f..a9c1d4b 100644 + +allow postfix_domain postfix_spool_t:dir list_dir_perms; + -+manage_files_pattern(postfix_t, postfix_var_run_t, postfix_var_run_t) ++manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t) +files_pid_filetrans(postfix_domain, postfix_var_run_t, file) + +kernel_read_network_state(postfix_domain) @@ -63874,7 +63992,7 @@ index 04babe3..3b92679 100644 + +/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0) diff --git a/realmd.if b/realmd.if -index bff31df..3b5faf0 100644 +index bff31df..3b2a829 100644 --- a/realmd.if +++ b/realmd.if @@ -1,8 +1,9 @@ @@ -63889,7 +64007,7 @@ index bff31df..3b5faf0 100644 ## ## ## -@@ -39,3 +40,80 @@ interface(`realmd_dbus_chat',` +@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',` allow $1 realmd_t:dbus send_msg; allow realmd_t $1:dbus send_msg; ') @@ -63970,8 +64088,29 @@ index bff31df..3b5faf0 100644 + files_search_var($1) + manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t) +') ++ ++ ++######################################## ++## ++## Read realmd tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`realmd_read_tmp_files',` ++ gen_require(` ++ type realmd_tmp_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t) ++') ++ diff --git a/realmd.te b/realmd.te -index 9a8f052..c558c79 100644 +index 9a8f052..3baa71a 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ @@ -63980,11 +64119,12 @@ index 9a8f052..c558c79 100644 ######################################## # -@@ -7,47 +7,88 @@ policy_module(realmd, 1.0.2) +@@ -7,47 +7,89 @@ policy_module(realmd, 1.0.2) type realmd_t; type realmd_exec_t; -init_system_domain(realmd_t, realmd_exec_t) ++init_daemon_domain(realmd_t, realmd_exec_t) +application_domain(realmd_t, realmd_exec_t) +role system_r types realmd_t; + @@ -64081,7 +64221,7 @@ index 9a8f052..c558c79 100644 networkmanager_dbus_chat(realmd_t) ') -@@ -63,21 +104,40 @@ optional_policy(` +@@ -63,21 +105,40 @@ optional_policy(` optional_policy(` kerberos_use(realmd_t) kerberos_rw_keytab(realmd_t) @@ -64125,7 +64265,7 @@ index 9a8f052..c558c79 100644 ') optional_policy(` -@@ -86,5 +146,27 @@ optional_policy(` +@@ -86,5 +147,27 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) @@ -67995,7 +68135,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..427ea8c 100644 +index e5212e6..ede6c81 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -68206,7 +68346,7 @@ index e5212e6..427ea8c 100644 ') ######################################## -@@ -195,41 +141,54 @@ optional_policy(` +@@ -195,41 +141,55 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -68231,9 +68371,10 @@ index e5212e6..427ea8c 100644 +corenet_udp_bind_all_rpc_ports(nfsd_t) corenet_tcp_bind_nfs_port(nfsd_t) corenet_udp_bind_nfs_port(nfsd_t) - --corecmd_exec_shell(nfsd_t) - +-corecmd_exec_shell(nfsd_t) ++corenet_udp_bind_mountd_port(nfsd_t) + dev_dontaudit_getattr_all_blk_files(nfsd_t) dev_dontaudit_getattr_all_chr_files(nfsd_t) dev_rw_lvm_control(nfsd_t) @@ -68268,7 +68409,7 @@ index e5212e6..427ea8c 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -68276,7 +68417,7 @@ index e5212e6..427ea8c 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -68291,7 +68432,7 @@ index e5212e6..427ea8c 100644 ') ######################################## -@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -68299,7 +68440,7 @@ index e5212e6..427ea8c 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +238,29 @@ kernel_signal(gssd_t) +@@ -279,25 +239,29 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -68332,7 +68473,7 @@ index e5212e6..427ea8c 100644 ') optional_policy(` -@@ -306,8 +269,7 @@ optional_policy(` +@@ -306,8 +270,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -71385,7 +71526,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..7369a2c 100644 +index 57c034b..31e7d21 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -71656,11 +71797,12 @@ index 57c034b..7369a2c 100644 ') optional_policy(` -@@ -245,38 +236,47 @@ optional_policy(` +@@ -245,38 +236,48 @@ optional_policy(` ') optional_policy(` + realmd_read_cache_files(samba_net_t) ++ realmd_read_tmp_files(samba_net_t) +') + +optional_policy(` @@ -71716,7 +71858,7 @@ index 57c034b..7369a2c 100644 manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t) filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) -@@ -292,6 +292,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -292,6 +293,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -71725,7 +71867,7 @@ index 57c034b..7369a2c 100644 manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) -@@ -301,11 +303,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) +@@ -301,11 +304,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) @@ -71741,7 +71883,7 @@ index 57c034b..7369a2c 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -315,43 +317,33 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -315,43 +318,33 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -71796,7 +71938,7 @@ index 57c034b..7369a2c 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -360,44 +352,54 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +353,54 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -71862,7 +72004,7 @@ index 57c034b..7369a2c 100644 ') tunable_policy(`samba_domain_controller',` -@@ -413,20 +415,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +416,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -71885,7 +72027,7 @@ index 57c034b..7369a2c 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -435,6 +427,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +428,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -71893,7 +72035,7 @@ index 57c034b..7369a2c 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -442,17 +435,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +436,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -71911,7 +72053,7 @@ index 57c034b..7369a2c 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -473,6 +455,11 @@ optional_policy(` +@@ -473,6 +456,11 @@ optional_policy(` ') optional_policy(` @@ -71923,7 +72065,7 @@ index 57c034b..7369a2c 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +480,33 @@ optional_policy(` +@@ -493,9 +481,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -71958,7 +72100,7 @@ index 57c034b..7369a2c 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +517,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +518,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -71973,7 +72115,7 @@ index 57c034b..7369a2c 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +533,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +534,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -71997,7 +72139,7 @@ index 57c034b..7369a2c 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +550,40 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +551,40 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -72062,7 +72204,7 @@ index 57c034b..7369a2c 100644 ') optional_policy(` -@@ -600,17 +596,24 @@ optional_policy(` +@@ -600,17 +597,24 @@ optional_policy(` ######################################## # @@ -72091,7 +72233,7 @@ index 57c034b..7369a2c 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -620,16 +623,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +624,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -72109,7 +72251,7 @@ index 57c034b..7369a2c 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +636,23 @@ optional_policy(` +@@ -637,22 +637,23 @@ optional_policy(` ######################################## # @@ -72141,7 +72283,7 @@ index 57c034b..7369a2c 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +661,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +662,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -72177,7 +72319,7 @@ index 57c034b..7369a2c 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +688,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +689,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -72269,7 +72411,7 @@ index 57c034b..7369a2c 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +767,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +768,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -72293,7 +72435,7 @@ index 57c034b..7369a2c 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +781,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +782,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -72336,7 +72478,7 @@ index 57c034b..7369a2c 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +811,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +812,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -72350,7 +72492,7 @@ index 57c034b..7369a2c 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -837,13 +838,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +@@ -837,13 +839,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; @@ -72370,7 +72512,7 @@ index 57c034b..7369a2c 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +856,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +857,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -72381,7 +72523,7 @@ index 57c034b..7369a2c 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +867,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +868,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -72411,7 +72553,7 @@ index 57c034b..7369a2c 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +890,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +891,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -72432,7 +72574,7 @@ index 57c034b..7369a2c 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +908,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +909,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -72443,7 +72585,7 @@ index 57c034b..7369a2c 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,18 +916,24 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,18 +917,24 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -72470,7 +72612,7 @@ index 57c034b..7369a2c 100644 optional_policy(` ctdbd_stream_connect(winbind_t) -@@ -936,7 +941,12 @@ optional_policy(` +@@ -936,7 +942,12 @@ optional_policy(` ') optional_policy(` @@ -72483,7 +72625,7 @@ index 57c034b..7369a2c 100644 ') optional_policy(` -@@ -952,31 +962,29 @@ optional_policy(` +@@ -952,31 +963,29 @@ optional_policy(` # Winbind helper local policy # @@ -72521,7 +72663,7 @@ index 57c034b..7369a2c 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +998,38 @@ optional_policy(` +@@ -990,25 +999,38 @@ optional_policy(` ######################################## # @@ -79781,10 +79923,10 @@ index 9992e62..47f1802 100644 + allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/svnserve.fc b/svnserve.fc -index effffd0..5ab0840 100644 +index effffd0..12ca090 100644 --- a/svnserve.fc +++ b/svnserve.fc -@@ -1,8 +1,12 @@ +@@ -1,8 +1,13 @@ -/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) +/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0) @@ -79800,6 +79942,7 @@ index effffd0..5ab0840 100644 +/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0) +/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0) + ++/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) +/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0) diff --git a/svnserve.if b/svnserve.if @@ -79939,10 +80082,10 @@ index 2ac91b6..dd2ac36 100644 ') + diff --git a/svnserve.te b/svnserve.te -index c6aaac7..dc3f167 100644 +index c6aaac7..a5600a8 100644 --- a/svnserve.te +++ b/svnserve.te -@@ -12,6 +12,9 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) +@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) type svnserve_initrc_exec_t; init_script_file(svnserve_initrc_exec_t) @@ -79952,7 +80095,28 @@ index c6aaac7..dc3f167 100644 type svnserve_content_t; files_type(svnserve_content_t) -@@ -34,9 +37,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) + type svnserve_var_run_t; + files_pid_file(svnserve_var_run_t) + ++type svnserve_tmp_t; ++files_tmp_file(svnserve_tmp_t) ++ + ######################################## + # + # Local policy +@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms; + allow svnserve_t self:tcp_socket create_stream_socket_perms; + allow svnserve_t self:unix_stream_socket { listen accept }; + ++manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) ++manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) ++manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t) ++files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir }) ++ + manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) + manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t) + +@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t) files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file }) @@ -79962,7 +80126,7 @@ index c6aaac7..dc3f167 100644 corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -54,6 +54,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) +@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) logging_send_syslog_msg(svnserve_t) @@ -85215,7 +85379,7 @@ index c30da4c..d60e3e4 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..6e25af1 100644 +index 9dec06c..7877729 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -85357,38 +85521,19 @@ index 9dec06c..6e25af1 100644 ## ## # -@@ -125,51 +56,32 @@ interface(`virt_image',` +@@ -125,31 +56,32 @@ interface(`virt_image',` typeattribute $1 virt_image_type; files_type($1) -- dev_node($1) --') -- --######################################## --## --## Execute a domain transition to run virtd. --## --## --## --## Domain allowed to transition. --## --## --# --interface(`virt_domtrans',` -- gen_require(` -- type virtd_t, virtd_exec_t; -- ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, virtd_exec_t, virtd_t) ++ + # virt images can be assigned to blk devices -+ dev_node($1) + dev_node($1) ') -######################################## +####################################### ## --## Execute a domain transition to run virt qmf. +-## Execute a domain transition to run virtd. +## Getattr on virt executable. ## ## @@ -85400,9 +85545,9 @@ index 9dec06c..6e25af1 100644 +##
    ## # --interface(`virt_domtrans_qmf',` +-interface(`virt_domtrans',` - gen_require(` -- type virt_qmf_t, virt_qmf_exec_t; +- type virtd_t, virtd_exec_t; - ') +interface(`virt_getattr_exec',` + gen_require(` @@ -85410,32 +85555,56 @@ index 9dec06c..6e25af1 100644 + ') - corecmd_search_bin($1) -- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) +- domtrans_pattern($1, virtd_exec_t, virtd_t) + allow $1 virtd_exec_t:file getattr; ') ######################################## ## +-## Execute a domain transition to run virt qmf. ++## Execute a domain transition to run virt. + ## + ## + ## +@@ -157,162 +89,71 @@ interface(`virt_domtrans',` + ## + ## + # +-interface(`virt_domtrans_qmf',` ++interface(`virt_domtrans',` + gen_require(` +- type virt_qmf_t, virt_qmf_exec_t; ++ type virtd_t, virtd_exec_t; + ') + +- corecmd_search_bin($1) +- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t) ++ domtrans_pattern($1, virtd_exec_t, virtd_t) + ') + + ######################################## + ## -## Execute a domain transition to -## run virt bridgehelper. -+## Execute a domain transition to run virt. ++## Execute virtd in the caller domain. ## ## ## -@@ -177,142 +89,53 @@ interface(`virt_domtrans_qmf',` +-## Domain allowed to transition. ++## Domain allowed access. ## ## # -interface(`virt_domtrans_bridgehelper',` -+interface(`virt_domtrans',` ++interface(`virt_exec',` gen_require(` - type virt_bridgehelper_t, virt_bridgehelper_exec_t; -+ type virtd_t, virtd_exec_t; ++ type virtd_exec_t; ') - corecmd_search_bin($1) - domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) -+ domtrans_pattern($1, virtd_exec_t, virtd_t) ++ can_exec($1, virtd_exec_t) ') ######################################## @@ -85579,7 +85748,7 @@ index 9dec06c..6e25af1 100644 ##
    ## ## -@@ -320,18 +143,18 @@ interface(`virt_run_svirt_lxc_domain',` +@@ -320,18 +161,18 @@ interface(`virt_run_svirt_lxc_domain',` ## ## # @@ -85603,7 +85772,7 @@ index 9dec06c..6e25af1 100644 ##
    ## ## -@@ -339,18 +162,17 @@ interface(`virt_getattr_virtd_exec_files',` +@@ -339,18 +180,17 @@ interface(`virt_getattr_virtd_exec_files',` ## ## # @@ -85626,7 +85795,7 @@ index 9dec06c..6e25af1 100644 ##
    ## ## -@@ -369,7 +191,7 @@ interface(`virt_attach_tun_iface',` +@@ -369,7 +209,7 @@ interface(`virt_attach_tun_iface',` ######################################## ## @@ -85635,7 +85804,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -383,7 +205,6 @@ interface(`virt_read_config',` +@@ -383,7 +223,6 @@ interface(`virt_read_config',` ') files_search_etc($1) @@ -85643,7 +85812,7 @@ index 9dec06c..6e25af1 100644 read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -391,8 +212,7 @@ interface(`virt_read_config',` +@@ -391,8 +230,7 @@ interface(`virt_read_config',` ######################################## ## @@ -85653,7 +85822,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -406,7 +226,6 @@ interface(`virt_manage_config',` +@@ -406,7 +244,6 @@ interface(`virt_manage_config',` ') files_search_etc($1) @@ -85661,7 +85830,7 @@ index 9dec06c..6e25af1 100644 manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +233,7 @@ interface(`virt_manage_config',` +@@ -414,8 +251,7 @@ interface(`virt_manage_config',` ######################################## ## @@ -85671,7 +85840,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -450,8 +268,7 @@ interface(`virt_read_content',` +@@ -450,8 +286,7 @@ interface(`virt_read_content',` ######################################## ## @@ -85681,7 +85850,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -459,35 +276,17 @@ interface(`virt_read_content',` +@@ -459,35 +294,17 @@ interface(`virt_read_content',` ## ## # @@ -85720,7 +85889,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -495,53 +294,40 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +312,40 @@ interface(`virt_manage_virt_content',` ## ## # @@ -85787,7 +85956,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -549,67 +335,36 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,67 +353,36 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -85868,7 +86037,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -618,54 +373,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +391,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -85932,7 +86101,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -673,54 +410,38 @@ interface(`virt_home_filetrans',` +@@ -673,54 +428,38 @@ interface(`virt_home_filetrans',` ## ## # @@ -85999,7 +86168,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -728,52 +449,78 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +467,39 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -86033,58 +86202,75 @@ index 9dec06c..6e25af1 100644 ## ## -## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +## -+# + # +-interface(`virt_home_filetrans_virt_home',` +interface(`virt_read_log',` -+ gen_require(` + gen_require(` +- type virt_home_t; + type virt_log_t; -+ ') -+ + ') + +- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) + logging_search_logs($1) + read_files_pattern($1, virt_log_t, virt_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read virt pid files. +## Allow the specified domain to append +## virt log files. -+## -+## + ## + ## ## --## Class of the object being created. -+## Domain allowed access. +@@ -781,19 +507,18 @@ interface(`virt_home_filetrans_virt_home',` ## ## --## -+# + # +-interface(`virt_read_pid_files',` +interface(`virt_append_log',` -+ gen_require(` + gen_require(` +- type virt_var_run_t; + type virt_log_t; -+ ') -+ + ') + +- files_search_pids($1) +- read_files_pattern($1, virt_var_run_t, virt_var_run_t) + logging_search_logs($1) + append_files_pattern($1, virt_log_t, virt_log_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt pid files. +## Allow domain to manage virt log files -+## -+## + ## + ## ## --## The name of the object being created. -+## Domain allowed access. +@@ -801,18 +526,19 @@ interface(`virt_read_pid_files',` ## ## # --interface(`virt_home_filetrans_virt_home',` +-interface(`virt_manage_pid_files',` +interface(`virt_manage_log',` gen_require(` -- type virt_home_t; +- type virt_var_run_t; + type virt_log_t; ') -- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) +- files_search_pids($1) +- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) + manage_dirs_pattern($1, virt_log_t, virt_log_t) + manage_files_pattern($1, virt_log_t, virt_log_t) + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) @@ -86092,50 +86278,49 @@ index 9dec06c..6e25af1 100644 ######################################## ## --## Read virt pid files. +-## Search virt lib directories. +## Allow domain to search virt image direcories ## ## ## -@@ -781,19 +528,18 @@ interface(`virt_home_filetrans_virt_home',` +@@ -820,18 +546,18 @@ interface(`virt_manage_pid_files',` ## ## # --interface(`virt_read_pid_files',` +-interface(`virt_search_lib',` +interface(`virt_search_images',` gen_require(` -- type virt_var_run_t; +- type virt_var_lib_t; + attribute virt_image_type; ') -- files_search_pids($1) -- read_files_pattern($1, virt_var_run_t, virt_var_run_t) +- files_search_var_lib($1) +- allow $1 virt_var_lib_t:dir search_dir_perms; + virt_search_lib($1) + allow $1 virt_image_type:dir search_dir_perms; ') ######################################## ## --## Create, read, write, and delete --## virt pid files. +-## Read virt lib files. +## Allow domain to read virt image files ## ## ## -@@ -801,18 +547,36 @@ interface(`virt_read_pid_files',` +@@ -839,20 +565,73 @@ interface(`virt_search_lib',` ## ## # --interface(`virt_manage_pid_files',` +-interface(`virt_read_lib_files',` +interface(`virt_read_images',` gen_require(` -- type virt_var_run_t; -+ type virt_var_lib_t; + type virt_var_lib_t; + attribute virt_image_type; ') -- files_search_pids($1) -- manage_files_pattern($1, virt_var_run_t, virt_var_run_t) +- files_search_var_lib($1) +- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) +- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + list_dirs_pattern($1, virt_image_type, virt_image_type) @@ -86155,52 +86340,41 @@ index 9dec06c..6e25af1 100644 + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) + ') - ') - - ######################################## - ## --## Search virt lib directories. ++') ++ ++######################################## ++## +## Allow domain to read virt blk image files - ## - ## - ## -@@ -820,18 +584,17 @@ interface(`virt_manage_pid_files',` - ## - ## - # --interface(`virt_search_lib',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`virt_read_blk_images',` - gen_require(` -- type virt_var_lib_t; ++ gen_require(` + attribute virt_image_type; - ') - -- files_search_var_lib($1) -- allow $1 virt_var_lib_t:dir search_dir_perms; ++ ') ++ + read_blk_files_pattern($1, virt_image_type, virt_image_type) - ') - - ######################################## - ## --## Read virt lib files. ++') ++ ++######################################## ++## +## Allow domain to read/write virt image chr files - ## - ## - ## -@@ -839,20 +602,18 @@ interface(`virt_search_lib',` - ## - ## - # --interface(`virt_read_lib_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`virt_rw_chr_files',` - gen_require(` -- type virt_var_lib_t; ++ gen_require(` + attribute virt_image_type; - ') - -- files_search_var_lib($1) -- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) -- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ ') ++ + rw_chr_files_pattern($1, virt_image_type, virt_image_type) ') @@ -86212,7 +86386,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -860,115 +621,245 @@ interface(`virt_read_lib_files',` +@@ -860,115 +639,245 @@ interface(`virt_read_lib_files',` ## ## # @@ -86495,7 +86669,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -976,18 +867,17 @@ interface(`virt_manage_log',` +@@ -976,18 +885,17 @@ interface(`virt_manage_log',` ## ## # @@ -86518,7 +86692,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -995,36 +885,35 @@ interface(`virt_search_images',` +@@ -995,36 +903,35 @@ interface(`virt_search_images',` ## ## # @@ -86574,7 +86748,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -1032,58 +921,57 @@ interface(`virt_read_images',` +@@ -1032,58 +939,57 @@ interface(`virt_read_images',` ## ## # @@ -86654,7 +86828,7 @@ index 9dec06c..6e25af1 100644 ## ## ## -@@ -1091,95 +979,168 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +997,168 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -86883,7 +87057,7 @@ index 9dec06c..6e25af1 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..9d71252 100644 +index 1f22fba..3f1bc45 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -87525,7 +87699,7 @@ index 1f22fba..9d71252 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,22 +343,12 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +343,15 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -87548,8 +87722,11 @@ index 1f22fba..9d71252 100644 - corenet_rw_tun_tap_dev(virtd_t) ++dev_rw_vfio_dev(virtd_t) dev_rw_sysfs(virtd_t) -@@ -548,22 +361,22 @@ dev_rw_vhost(virtd_t) + dev_read_urand(virtd_t) + dev_read_rand(virtd_t) +@@ -548,22 +362,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -87571,13 +87748,14 @@ index 1f22fba..9d71252 100644 -# files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) ++fs_read_tmpfs_symlinks(virtd_t) fs_list_auto_mountpoints(virtd_t) -fs_getattr_all_fs(virtd_t) +fs_getattr_xattr_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +407,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +409,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -87597,7 +87775,7 @@ index 1f22fba..9d71252 100644 selinux_validate_context(virtd_t) -@@ -613,18 +429,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +431,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -87632,7 +87810,7 @@ index 1f22fba..9d71252 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +455,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +457,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -87641,7 +87819,7 @@ index 1f22fba..9d71252 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +468,327 @@ optional_policy(` +@@ -646,107 +470,328 @@ optional_policy(` consoletype_exec(virtd_t) ') @@ -87836,6 +88014,7 @@ index 1f22fba..9d71252 100644 +dev_read_urand(virt_domain) +dev_write_sound(virt_domain) +dev_rw_ksm(virt_domain) ++dev_rw_vfio_dev(virt_domain) +dev_rw_kvm(virt_domain) +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) @@ -88027,7 +88206,7 @@ index 1f22fba..9d71252 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +800,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88057,7 +88236,7 @@ index 1f22fba..9d71252 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +819,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -88084,7 +88263,7 @@ index 1f22fba..9d71252 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +839,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +842,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -88116,7 +88295,7 @@ index 1f22fba..9d71252 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +872,19 @@ optional_policy(` +@@ -847,14 +875,20 @@ optional_policy(` ') optional_policy(` @@ -88130,6 +88309,7 @@ index 1f22fba..9d71252 100644 optional_policy(` xen_manage_image_dirs(virsh_t) + xen_read_image_files(virsh_t) ++ xen_read_lib_files(virsh_t) xen_append_log(virsh_t) xen_domtrans(virsh_t) - xen_read_xenstored_pid_files(virsh_t) @@ -88137,7 +88317,7 @@ index 1f22fba..9d71252 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +909,44 @@ optional_policy(` +@@ -879,34 +913,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -88191,7 +88371,7 @@ index 1f22fba..9d71252 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +956,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +960,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -88209,7 +88389,7 @@ index 1f22fba..9d71252 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +978,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +982,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -88220,7 +88400,7 @@ index 1f22fba..9d71252 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +987,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +991,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -88228,7 +88408,7 @@ index 1f22fba..9d71252 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +999,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1003,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -88247,7 +88427,7 @@ index 1f22fba..9d71252 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1013,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1017,36 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -88292,7 +88472,7 @@ index 1f22fba..9d71252 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1050,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1054,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -88319,7 +88499,7 @@ index 1f22fba..9d71252 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1072,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88338,7 +88518,7 @@ index 1f22fba..9d71252 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1087,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1091,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -88365,7 +88545,7 @@ index 1f22fba..9d71252 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1112,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1116,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -88424,7 +88604,8 @@ index 1f22fba..9d71252 100644 allow svirt_lxc_net_t self:socket create_socket_perms; allow svirt_lxc_net_t self:rawip_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_socket create_socket_perms; - allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; +-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; ++allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; kernel_read_network_state(svirt_lxc_net_t) @@ -88503,7 +88684,7 @@ index 1f22fba..9d71252 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1210,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1214,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -88518,7 +88699,7 @@ index 1f22fba..9d71252 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1228,8 @@ optional_policy(` +@@ -1183,9 +1232,8 @@ optional_policy(` ######################################## # @@ -88529,7 +88710,7 @@ index 1f22fba..9d71252 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1242,75 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1246,75 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -89800,7 +89981,7 @@ index 42d83b0..7977c2c 100644 -/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) +/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0) diff --git a/xen.if b/xen.if -index f93558c..cc73c96 100644 +index f93558c..16e29c1 100644 --- a/xen.if +++ b/xen.if @@ -1,13 +1,13 @@ @@ -89851,44 +90032,58 @@ index f93558c..cc73c96 100644 can_exec($1, xend_exec_t) ') -@@ -75,24 +74,24 @@ interface(`xen_dontaudit_use_fds',` +@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',` dontaudit $1 xend_t:fd use; ') --######################################## +####################################### ++## ++## Read xend pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xen_read_pid_files_xenstored',` ++ gen_require(` ++ type xenstored_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ ++ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) ++') ++ + ######################################## ## -## Create, read, write, and delete -## xend image directories. -+## Read xend pid files. ++## Read xend lib files. ## ## -## --## Domain allowed access. ++## + ## Domain allowed access. -## -+## -+## Domain allowed access. -+## ++## ## # -interface(`xen_manage_image_dirs',` -- gen_require(` -- type xend_var_lib_t; -- ') -+interface(`xen_read_pid_files_xenstored',` -+ gen_require(` -+ type xenstored_var_run_t; -+ ') ++interface(`xen_read_lib_files',` + gen_require(` + type xend_var_lib_t; + ') - files_search_var_lib($1) - manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t) -+ files_search_pids($1) -+ -+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) ++ files_list_var_lib($1) ++ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t) ') ######################################## -@@ -100,9 +99,9 @@ interface(`xen_manage_image_dirs',` +@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',` ## Read xend image files. ## ## @@ -89900,7 +90095,7 @@ index f93558c..cc73c96 100644 ## # interface(`xen_read_image_files',` -@@ -111,18 +110,40 @@ interface(`xen_read_image_files',` +@@ -111,18 +129,40 @@ interface(`xen_read_image_files',` ') files_list_var_lib($1) @@ -89944,7 +90139,7 @@ index f93558c..cc73c96 100644 ## # interface(`xen_rw_image_files',` -@@ -137,7 +158,8 @@ interface(`xen_rw_image_files',` +@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',` ######################################## ## @@ -89954,7 +90149,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -157,13 +179,13 @@ interface(`xen_append_log',` +@@ -157,13 +198,13 @@ interface(`xen_append_log',` ######################################## ## @@ -89971,7 +90166,7 @@ index f93558c..cc73c96 100644 ## # interface(`xen_manage_log',` -@@ -176,29 +198,11 @@ interface(`xen_manage_log',` +@@ -176,29 +217,11 @@ interface(`xen_manage_log',` manage_files_pattern($1, xend_var_log_t, xend_var_log_t) ') @@ -90003,7 +90198,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -216,8 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` +@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` ######################################## ## @@ -90013,7 +90208,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -236,8 +239,7 @@ interface(`xen_stream_connect_xenstore',` +@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',` ######################################## ## @@ -90023,7 +90218,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -270,16 +272,15 @@ interface(`xen_stream_connect',` +@@ -270,16 +291,15 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; @@ -90043,7 +90238,7 @@ index f93558c..cc73c96 100644 ## ## ## -@@ -289,7 +290,7 @@ interface(`xen_domtrans_xm',` +@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 65a4025..192605c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 41%{?dist} +Release: 43%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -530,6 +530,50 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon May 10 2013 Miroslav Grepl 3.12.1-43 +- Transition directories and files when in a user_tmp_t directory +- Change certwatch to domtrans to apache instead of just execute +- Allow virsh_t to read xen lib files +- update policy rules for pegasus_openlmi_account_t +- Add support for svnserve_tmp_t +- Activate account openlmi policy +- pegasus_openlmi_domain_template needs also require pegasus_t +- One more fix for policykit.te +- Call fs_list_cgroups_dirs() in policykit.te +- Allow nagios service plugin to read mysql config files +- Add labeling for /var/svn +- Fix chrome.te +- Fix pegasus_openlmi_domain_template() interfaces +- Fix dev_rw_vfio_dev definiton, allow virtd_t to read tmpfs_t symlinks +- Fix location of google-chrome data +- Add support for chome_sandbox to store content in the homedir +- Allow policykit to watch for changes in cgroups file system +- Add boolean to allow mozilla_plugin_t to use spice +- Allow collectd to bind to udp port +- Allow collected_t to read all of /proc +- Should use netlink socket_perms +- Should use netlink socket_perms +- Allow glance domains to connect to apache ports +- Allow apcupsd_t to manage its log files +- Allow chrome objects to rw_inherited unix_stream_socket from callers +- Allow staff_t to execute virtd_exec_t for running vms +- nfsd_t needs to bind mountd port to make nfs-mountd.service working +- Allow unbound net_admin capability because of setsockopt syscall +- Fix fs_list_cgroup_dirs() +- Label /usr/lib/nagios/plugins/utils.pm as bin_t +- Remove uplicate definition of fs_read_cgroup_files() +- Remove duplicate definition of fs_read_cgroup_files() +- Add files_mountpoint_filetrans interface to be used by quotadb_t and snapperd +- Additional interfaces needed to list and read cgroups config +- Add port definition for collectd port +- Add labels for /dev/ptp* +- Allow staff_t to execute virtd_exec_t for running vms + +* Mon May 6 2013 Miroslav Grepl 3.12.1-42 +- Allow samba-net to also read realmd tmp files +- Allow NUT to use serial ports +- realmd can be started by systemctl now + * Mon May 6 2013 Miroslav Grepl 3.12.1-41 - Remove userdom_home_manager for xdm_t and move all rules to xserver.te directly - Add new xdm_write_home boolean to allow xdm_t to create files in HOME dirs with xdm_home_t