From 2885bf8a6eccb03e955b6c44f93676d499195b88 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 27 2011 06:43:05 +0000 Subject: - More fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git --- diff --git a/policy-F16.patch b/policy-F16.patch index 221fa48..1b5e1ca 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -2873,7 +2873,7 @@ index d5aaf0e..689b2fd 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..1ef8f1c 100644 +index 6a5004b..de58aeb 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -2901,7 +2901,7 @@ index 6a5004b..1ef8f1c 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -38,12 +44,15 @@ logging_send_syslog_msg(tmpreaper_t) +@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t) miscfiles_read_localization(tmpreaper_t) miscfiles_delete_man_pages(tmpreaper_t) @@ -2912,13 +2912,18 @@ index 6a5004b..1ef8f1c 100644 ifdef(`distro_redhat',` userdom_list_user_home_content(tmpreaper_t) - userdom_delete_user_home_content_dirs(tmpreaper_t) - userdom_delete_user_home_content_files(tmpreaper_t) -+ userdom_delete_user_home_content_sock_files(tmpreaper_t) - userdom_delete_user_home_content_symlinks(tmpreaper_t) +- userdom_delete_user_home_content_dirs(tmpreaper_t) +- userdom_delete_user_home_content_files(tmpreaper_t) +- userdom_delete_user_home_content_symlinks(tmpreaper_t) ++ userdom_delete_all_user_home_content_dirs(tmpreaper_t) ++ userdom_delete_all_user_home_content_files(tmpreaper_t) ++ userdom_delete_all_user_home_content_sock_files(tmpreaper_t) ++ userdom_delete_all_user_home_content_symlinks(tmpreaper_t) ++ userdom_setattr_all_user_home_content_dirs(tmpreaper_t) ') -@@ -52,7 +61,9 @@ optional_policy(` + optional_policy(` +@@ -52,7 +62,9 @@ optional_policy(` ') optional_policy(` @@ -2928,7 +2933,7 @@ index 6a5004b..1ef8f1c 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +77,17 @@ optional_policy(` +@@ -66,9 +78,17 @@ optional_policy(` ') optional_policy(` @@ -3543,10 +3548,10 @@ index 0000000..7b1047f +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..41336ff +index 0000000..0fbe8cc --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,111 @@ +@@ -0,0 +1,115 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -3645,13 +3650,17 @@ index 0000000..41336ff + +tunable_policy(`use_nfs_home_dirs',` + fs_search_nfs(chrome_sandbox_t) -+ fs_read_inherited_nfs_files(chrome_sandbox_t) ++ fs_exec_nfs_files(chrome_sandbox_t) ++ fs_read_nfs_files(chrome_sandbox_t) + fs_read_nfs_symlinks(chrome_sandbox_t) ++ fs_dontaudit_append_nfs_files(chrome_sandbox_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_search_cifs(chrome_sandbox_t) -+ fs_read_inherited_cifs_files(chrome_sandbox_t) ++ fs_exec_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_files(chrome_sandbox_t) ++ fs_read_cifs_symlinks(chrome_sandbox_t) + fs_dontaudit_append_cifs_files(chrome_sandbox_t) +') + @@ -6564,14 +6573,14 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..5298652 100644 +index 9a6d67d..319aac2 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` allow mozilla_t $2:process { sigchld signull }; allow mozilla_t $2:unix_stream_socket connectto; -+ mozilla_run_plugin(mozilla_t, $2) ++ mozilla_run_plugin(mozilla_t, $1) + # Allow the user domain to signal/ps. ps_process_pattern($2, mozilla_t) @@ -6717,7 +6726,7 @@ index 9a6d67d..5298652 100644 + +######################################## +## -+## Delete mozilla_plugin tmpf files ++## Delete mozilla_plugin tmpfs files +## +## +## @@ -6730,7 +6739,7 @@ index 9a6d67d..5298652 100644 + type mozilla_plugin_tmpfs_t; + ') + -+ allow $1 mozilla_plugin_tmpfs_t:file unlink; ++ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; +') + +######################################## @@ -6769,7 +6778,7 @@ index 9a6d67d..5298652 100644 + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..b231fab 100644 +index 2a91fa8..50e279c 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -6857,7 +6866,7 @@ index 2a91fa8..b231fab 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +288,198 @@ optional_policy(` +@@ -266,3 +288,214 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -6878,6 +6887,7 @@ index 2a91fa8..b231fab 100644 +allow mozilla_plugin_t self:sem create_sem_perms; +allow mozilla_plugin_t self:shm create_shm_perms; +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; ++allow mozilla_plugin_t self:unix_dgram_socket sendto; +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +can_exec(mozilla_plugin_t, mozilla_home_t) @@ -6886,8 +6896,9 @@ index 2a91fa8..b231fab 100644 +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) ++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) + +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) @@ -6991,6 +7002,11 @@ index 2a91fa8..b231fab 100644 +') + +optional_policy(` ++ consolekit_dbus_chat(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ dbus_connect_session_bus(mozilla_plugin_t) + dbus_system_bus_client(mozilla_plugin_t) + dbus_session_bus_client(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) @@ -7030,6 +7046,7 @@ index 2a91fa8..b231fab 100644 + pulseaudio_stream_connect(mozilla_plugin_t) + pulseaudio_setattr_home_dir(mozilla_plugin_t) + pulseaudio_manage_home_files(mozilla_plugin_t) ++ pulseaudio_manage_home_symlinks(mozilla_plugin_t) +') + +optional_policy(` @@ -7037,6 +7054,14 @@ index 2a91fa8..b231fab 100644 +') + +optional_policy(` ++ rtkit_scheduled(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ udev_read_db(mozilla_plugin_t) ++') ++ ++optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) + xserver_stream_connect(mozilla_plugin_t) + xserver_use_user_fonts(mozilla_plugin_t) @@ -8309,7 +8334,7 @@ index 84f23dc..af5b87d 100644 /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if -index 2ba7787..fe1284b 100644 +index 2ba7787..9a5e99c 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -17,7 +17,7 @@ @@ -8348,13 +8373,33 @@ index 2ba7787..fe1284b 100644 userdom_search_user_home_dirs($1) ') -@@ -256,3 +262,43 @@ interface(`pulseaudio_manage_home_files',` +@@ -256,3 +262,63 @@ interface(`pulseaudio_manage_home_files',` manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') + +######################################## +## ++## Create, read, write, and delete pulseaudio ++## home directory symlinks. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pulseaudio_manage_home_symlinks',` ++ gen_require(` ++ type pulseaudio_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ++') ++ ++######################################## ++## +## Create pulseaudio content in the user home directory +## with an correct label. +## @@ -8393,7 +8438,7 @@ index 2ba7787..fe1284b 100644 + userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie") +') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index c2d20a2..e5d85d1 100644 +index c2d20a2..8610868 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -8438,7 +8483,7 @@ index c2d20a2..e5d85d1 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -127,10 +127,23 @@ optional_policy(` +@@ -127,10 +127,24 @@ optional_policy(` ') optional_policy(` @@ -8451,6 +8496,7 @@ index c2d20a2..e5d85d1 100644 ') optional_policy(` ++ mozilla_plugin_delete_tmpfs_files(pulseaudio_t) + mozilla_plugin_read_tmpfs_files(pulseaudio_t) +') + @@ -8462,7 +8508,7 @@ index c2d20a2..e5d85d1 100644 policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -148,3 +161,7 @@ optional_policy(` +@@ -148,3 +162,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -14242,7 +14288,7 @@ index aad8c52..53b0624 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index bc534c1..6190297 100644 +index bc534c1..0ffb0e4 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.0) @@ -14335,7 +14381,7 @@ index bc534c1..6190297 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,88 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -14367,7 +14413,6 @@ index bc534c1..6190297 100644 + abrt_read_pid_files(domain) + abrt_read_state(domain) + abrt_signull(domain) -+ abrt_stream_connect(domain) +') + +optional_policy(` @@ -14568,7 +14613,7 @@ index 16108f6..d993f7e 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..473eacc 100644 +index 958ca84..62352ec 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -15635,7 +15680,7 @@ index 958ca84..473eacc 100644 ') ######################################## -@@ -5542,6 +6166,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6166,80 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -15665,7 +15710,7 @@ index 958ca84..473eacc 100644 +## +## +# -+interface(`files_unlink_all_pid_sockets',` ++interface(`files_delete_all_pid_sockets',` + gen_require(` + attribute pidfile; + ') @@ -15675,6 +15720,24 @@ index 958ca84..473eacc 100644 + +######################################## +## ++## Delete all pid named pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_pipes',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ allow $1 pidfile:fifo_file delete_fifo_file_perms; ++') ++ ++######################################## ++## +## manage all pidfile directories +## in the /var/run directory. +## @@ -15698,7 +15761,7 @@ index 958ca84..473eacc 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6239,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6257,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -15743,7 +15806,7 @@ index 958ca84..473eacc 100644 ') ######################################## -@@ -5769,7 +6487,7 @@ interface(`files_spool_filetrans',` +@@ -5769,7 +6505,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -15752,7 +15815,7 @@ index 958ca84..473eacc 100644 ') ######################################## -@@ -5844,3 +6562,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6580,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -17364,7 +17427,7 @@ index 0e5b661..3168d72 100644 +attribute mcsuntrustedproc; +attribute mcsnetwrite; diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 786449a..15368b1 100644 +index 786449a..23a065c 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` @@ -17416,16 +17479,15 @@ index 786449a..15368b1 100644 allow $1 security_t:filesystem unmount; ') -@@ -220,6 +225,8 @@ interface(`selinux_search_fs',` +@@ -220,6 +225,7 @@ interface(`selinux_search_fs',` type security_t; ') -+ fs_getattr_xattr_fs($1) + dev_search_sysfs($1) allow $1 security_t:dir search_dir_perms; ') -@@ -243,6 +250,26 @@ interface(`selinux_dontaudit_search_fs',` +@@ -243,6 +249,26 @@ interface(`selinux_dontaudit_search_fs',` ######################################## ## @@ -17452,7 +17514,7 @@ index 786449a..15368b1 100644 ## Do not audit attempts to read ## generic selinuxfs entries ## -@@ -257,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',` +@@ -257,6 +283,7 @@ interface(`selinux_dontaudit_read_fs',` type security_t; ') @@ -17460,7 +17522,7 @@ index 786449a..15368b1 100644 dontaudit $1 security_t:dir search_dir_perms; dontaudit $1 security_t:file read_file_perms; ') -@@ -278,6 +306,7 @@ interface(`selinux_get_enforce_mode',` +@@ -278,6 +305,7 @@ interface(`selinux_get_enforce_mode',` type security_t; ') @@ -17468,7 +17530,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') -@@ -311,6 +340,7 @@ interface(`selinux_set_enforce_mode',` +@@ -311,6 +339,7 @@ interface(`selinux_set_enforce_mode',` bool secure_mode_policyload; ') @@ -17476,7 +17538,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_setenforce; -@@ -342,6 +372,7 @@ interface(`selinux_load_policy',` +@@ -342,6 +371,7 @@ interface(`selinux_load_policy',` bool secure_mode_policyload; ') @@ -17484,7 +17546,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; typeattribute $1 can_load_policy; -@@ -358,6 +389,27 @@ interface(`selinux_load_policy',` +@@ -358,6 +388,27 @@ interface(`selinux_load_policy',` ######################################## ## @@ -17512,7 +17574,7 @@ index 786449a..15368b1 100644 ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. (Deprecated) ## -@@ -416,6 +468,7 @@ interface(`selinux_set_generic_booleans',` +@@ -416,6 +467,7 @@ interface(`selinux_set_generic_booleans',` bool secure_mode_policyload; ') @@ -17520,7 +17582,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; -@@ -458,7 +511,9 @@ interface(`selinux_set_all_booleans',` +@@ -458,7 +510,9 @@ interface(`selinux_set_all_booleans',` bool secure_mode_policyload; ') @@ -17530,7 +17592,7 @@ index 786449a..15368b1 100644 allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { -@@ -499,6 +554,7 @@ interface(`selinux_set_parameters',` +@@ -499,6 +553,7 @@ interface(`selinux_set_parameters',` attribute can_setsecparam; ') @@ -17538,7 +17600,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; -@@ -522,6 +578,7 @@ interface(`selinux_validate_context',` +@@ -522,6 +577,7 @@ interface(`selinux_validate_context',` type security_t; ') @@ -17546,7 +17608,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security check_context; -@@ -564,6 +621,7 @@ interface(`selinux_compute_access_vector',` +@@ -564,6 +620,7 @@ interface(`selinux_compute_access_vector',` type security_t; ') @@ -17554,7 +17616,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; -@@ -585,6 +643,7 @@ interface(`selinux_compute_create_context',` +@@ -585,6 +642,7 @@ interface(`selinux_compute_create_context',` type security_t; ') @@ -17562,7 +17624,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; -@@ -606,6 +665,7 @@ interface(`selinux_compute_member',` +@@ -606,6 +664,7 @@ interface(`selinux_compute_member',` type security_t; ') @@ -17570,7 +17632,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_member; -@@ -635,6 +695,7 @@ interface(`selinux_compute_relabel_context',` +@@ -635,6 +694,7 @@ interface(`selinux_compute_relabel_context',` type security_t; ') @@ -17578,7 +17640,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_relabel; -@@ -655,6 +716,7 @@ interface(`selinux_compute_user_contexts',` +@@ -655,6 +715,7 @@ interface(`selinux_compute_user_contexts',` type security_t; ') @@ -17586,7 +17648,7 @@ index 786449a..15368b1 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_user; -@@ -677,3 +739,24 @@ interface(`selinux_unconfined',` +@@ -677,3 +738,24 @@ interface(`selinux_unconfined',` typeattribute $1 selinux_unconfined_type; ') @@ -18040,7 +18102,7 @@ index 3994e57..a1923fe 100644 + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f3acfee..70c384c 100644 +index f3acfee..590c2c0 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` @@ -18079,7 +18141,7 @@ index f3acfee..70c384c 100644 # interface(`term_use_console',` gen_require(` -@@ -299,9 +319,11 @@ interface(`term_use_console',` +@@ -299,9 +319,12 @@ interface(`term_use_console',` interface(`term_dontaudit_use_console',` gen_require(` type console_device_t; @@ -18087,12 +18149,13 @@ index f3acfee..70c384c 100644 ') - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ init_dontaudit_use_fds($1) + dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms; + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## -@@ -341,7 +363,7 @@ interface(`term_relabel_console',` +@@ -341,7 +364,7 @@ interface(`term_relabel_console',` ') dev_list_all_dev_nodes($1) @@ -18101,7 +18164,7 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -462,6 +484,24 @@ interface(`term_list_ptys',` +@@ -462,6 +485,24 @@ interface(`term_list_ptys',` ######################################## ## @@ -18126,7 +18189,15 @@ index f3acfee..70c384c 100644 ## Do not audit attempts to read the ## /dev/pts directory. ## -@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',` +@@ -616,6 +657,7 @@ interface(`term_dontaudit_use_generic_ptys',` + type devpts_t; + ') + ++ init_dontaudit_use_fds($1) + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; + ') + +@@ -658,6 +700,25 @@ interface(`term_use_controlling_term',` allow $1 devtty_t:chr_file { rw_term_perms lock append }; ') @@ -18152,7 +18223,7 @@ index f3acfee..70c384c 100644 ######################################## ## ## Do not audit attempts to get attributes -@@ -842,6 +901,26 @@ interface(`term_use_all_ptys',` +@@ -842,6 +903,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -18179,7 +18250,7 @@ index f3acfee..70c384c 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -855,7 +934,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -855,7 +936,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -18188,7 +18259,7 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -903,7 +982,7 @@ interface(`term_getattr_all_user_ptys',` +@@ -903,7 +984,7 @@ interface(`term_getattr_all_user_ptys',` ## ## ## @@ -18197,7 +18268,7 @@ index f3acfee..70c384c 100644 ## ## # -@@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',` +@@ -1123,7 +1204,7 @@ interface(`term_relabel_unallocated_ttys',` ') dev_list_all_dev_nodes($1) @@ -18206,16 +18277,17 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -1222,7 +1301,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1222,7 +1303,8 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') - dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ++ init_dontaudit_use_fds($1) + dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## -@@ -1238,11 +1317,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1238,11 +1320,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -18229,7 +18301,7 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -1259,10 +1340,12 @@ interface(`term_getattr_all_ttys',` +@@ -1259,10 +1343,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -18242,7 +18314,7 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -1301,7 +1384,7 @@ interface(`term_relabel_all_ttys',` +@@ -1301,7 +1387,7 @@ interface(`term_relabel_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -18251,7 +18323,7 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -1340,7 +1423,27 @@ interface(`term_use_all_ttys',` +@@ -1340,7 +1426,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -18280,7 +18352,7 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -1359,7 +1462,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1359,7 +1465,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -18289,7 +18361,7 @@ index f3acfee..70c384c 100644 ') ######################################## -@@ -1467,7 +1570,7 @@ interface(`term_use_all_user_ttys',` +@@ -1467,7 +1573,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -18298,7 +18370,7 @@ index f3acfee..70c384c 100644 ## ## # -@@ -1475,3 +1578,392 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1475,3 +1581,393 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -18628,6 +18700,7 @@ index f3acfee..70c384c 100644 + dev_filetrans($1, tty_device_t, chr_file, "isdn7") + dev_filetrans($1, tty_device_t, chr_file, "isdn8") + dev_filetrans($1, tty_device_t, chr_file, "isdn9") ++ #filetrans_pattern($1, devpts_t, chr_file, "ptmx") + dev_filetrans($1, ptmx_t, chr_file, "ptmx") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm0") + dev_filetrans($1, tty_device_t, chr_file, "rfcomm1") @@ -21055,10 +21128,21 @@ index e88b95f..4b5f106 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..b4d006a 100644 +index 1bd5812..7112560 100644 --- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc -@@ -15,6 +15,21 @@ +@@ -3,8 +3,9 @@ + + /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + +-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + /usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) + + /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) + +@@ -15,6 +16,21 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -21280,7 +21364,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..2f6627b 100644 +index 30861ec..28604d3 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -21331,7 +21415,7 @@ index 30861ec..2f6627b 100644 # -allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; -+allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override }; ++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { signal signull setsched getsched }; +allow abrt_t self:process { sigkill signal signull setsched getsched }; @@ -21363,7 +21447,15 @@ index 30861ec..2f6627b 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -113,7 +146,8 @@ domain_read_all_domains_state(abrt_t) +@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t) + corenet_sendrecv_http_client_packets(abrt_t) + + dev_getattr_all_chr_files(abrt_t) ++dev_read_rand(abrt_t) + dev_read_urand(abrt_t) + dev_rw_sysfs(abrt_t) + dev_dontaudit_read_raw_memory(abrt_t) +@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -21373,7 +21465,7 @@ index 30861ec..2f6627b 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +155,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -21382,7 +21474,7 @@ index 30861ec..2f6627b 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +167,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -21391,7 +21483,7 @@ index 30861ec..2f6627b 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +176,15 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -21402,12 +21494,13 @@ index 30861ec..2f6627b 100644 +') + +optional_policy(` ++ apache_list_modules(abrt_t) + apache_read_modules(abrt_t) +') optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +195,11 @@ optional_policy(` +@@ -150,6 +197,11 @@ optional_policy(` ') optional_policy(` @@ -21419,7 +21512,7 @@ index 30861ec..2f6627b 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +217,7 @@ optional_policy(` +@@ -167,6 +219,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -21427,7 +21520,7 @@ index 30861ec..2f6627b 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +229,18 @@ optional_policy(` +@@ -178,12 +231,18 @@ optional_policy(` ') optional_policy(` @@ -21447,7 +21540,7 @@ index 30861ec..2f6627b 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -203,6 +260,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) +@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) domain_read_all_domains_state(abrt_helper_t) files_read_etc_files(abrt_helper_t) @@ -21455,7 +21548,7 @@ index 30861ec..2f6627b 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +274,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -21465,7 +21558,7 @@ index 30861ec..2f6627b 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +283,100 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -24443,10 +24536,10 @@ index 44a1e3d..7e9d2fb 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..256bd70 100644 +index 4deca04..be16209 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te -@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0) +@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0) # ## @@ -24468,7 +24561,14 @@ index 4deca04..256bd70 100644 ## gen_tunable(named_write_master_zones, false) -@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t) + # for DNSSEC key files + type dnssec_t; + files_security_file(dnssec_t) ++files_mountpoint(dnssec_t) + + type named_t; + type named_exec_t; +@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t) # A type for configuration files of named. type named_conf_t; @@ -24477,7 +24577,7 @@ index 4deca04..256bd70 100644 files_mountpoint(named_conf_t) # for secondary zone files -@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) manage_files_pattern(named_t, named_tmp_t, named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) @@ -24489,7 +24589,7 @@ index 4deca04..256bd70 100644 # read zone files allow named_t named_zone_t:dir list_dir_perms; -@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t) +@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) @@ -24500,7 +24600,7 @@ index 4deca04..256bd70 100644 tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms; +@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms; allow ndc_t self:netlink_route_socket r_netlink_socket_perms; allow ndc_t dnssec_t:file read_file_perms; @@ -24515,7 +24615,7 @@ index 4deca04..256bd70 100644 allow ndc_t named_zone_t:dir search_dir_perms; -@@ -238,13 +250,13 @@ miscfiles_read_localization(ndc_t) +@@ -238,13 +251,13 @@ miscfiles_read_localization(ndc_t) sysnet_read_config(ndc_t) sysnet_dns_name_resolve(ndc_t) @@ -27575,10 +27675,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..760d092 +index 0000000..08d2de0 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,111 @@ +@@ -0,0 +1,115 @@ +policy_module(colord,1.0.0) + +######################################## @@ -27681,6 +27781,10 @@ index 0000000..760d092 +') + +optional_policy(` ++ gnome_read_home_icc_data_content(colord_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(colord_t) + policykit_domtrans_auth(colord_t) + policykit_read_lib(colord_t) @@ -29323,7 +29427,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..6e35cb2 100644 +index 0d5711c..5a0ca9f 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -29503,7 +29607,7 @@ index 0d5711c..6e35cb2 100644 ') ######################################## -@@ -431,14 +473,29 @@ interface(`dbus_system_domain',` +@@ -431,14 +473,33 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -29523,6 +29627,10 @@ index 0d5711c..6e35cb2 100644 - ifdef(`hide_broken_symptoms', ` + optional_policy(` ++ abrt_stream_connect($1) ++ ') ++ ++ optional_policy(` + rpm_script_dbus_chat($1) + ') + @@ -29534,7 +29642,7 @@ index 0d5711c..6e35cb2 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -463,26 +520,25 @@ interface(`dbus_use_system_bus_fds',` +@@ -463,26 +524,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -29567,7 +29675,7 @@ index 0d5711c..6e35cb2 100644 ## ## ## -@@ -490,10 +546,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -490,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -34525,10 +34633,21 @@ index 978c32f..3b96342 100644 type ifplugd_initrc_exec_t; init_script_file(ifplugd_initrc_exec_t) diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if -index df48e5e..6985546 100644 +index df48e5e..878d9df 100644 --- a/policy/modules/services/inetd.if +++ b/policy/modules/services/inetd.if -@@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',` +@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',` + + domtrans_pattern(inetd_t, $2, $1) + allow inetd_t $1:process { siginh sigkill }; ++ ++ optional_policy(` ++ abrt_stream_connect($1) ++ ') + ') + + ######################################## +@@ -55,7 +59,6 @@ interface(`inetd_core_service_domain',` ## # interface(`inetd_tcp_service_domain',` @@ -35155,7 +35274,7 @@ index 3525d24..923e979 100644 /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..b80c8f0 100644 +index 604f67b..be8a805 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -35318,7 +35437,7 @@ index 604f67b..b80c8f0 100644 +## +## +# -+template(`kerberos_read_home_content',` ++interface(`kerberos_read_home_content',` + gen_require(` + type krb5_home_t; + ') @@ -36226,7 +36345,7 @@ index 0000000..6463cee + diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te new file mode 100644 -index 0000000..a91120c +index 0000000..e231877 --- /dev/null +++ b/policy/modules/services/lldpad.te @@ -0,0 +1,64 @@ @@ -36262,7 +36381,7 @@ index 0000000..a91120c + +allow lldpad_t self:capability { net_admin net_raw }; + -+allow lldpad_t self:shm rw_shm_perms; ++allow lldpad_t self:shm create_shm_perms; +allow lldpad_t self:fifo_file rw_fifo_file_perms; + +allow lldpad_t self:unix_stream_socket create_stream_socket_perms; @@ -38331,7 +38450,7 @@ index 256166a..6321a93 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..0c22d93 100644 +index 343cee3..5e792cc 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -38439,12 +38558,13 @@ index 343cee3..0c22d93 100644 ') ######################################## -@@ -391,12 +408,15 @@ interface(`mta_send_mail',` +@@ -391,12 +408,17 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` - type sendmail_exec_t; + attribute mta_exec_type; ++ attribute mta_user_agent; ') files_search_usr($1) @@ -38454,10 +38574,11 @@ index 343cee3..0c22d93 100644 + + allow $2 mta_exec_type:file entrypoint; + domtrans_pattern($1, mta_exec_type, $2) ++ allow mta_user_agent $1:fifo_file { read write }; ') ######################################## -@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +431,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -38465,7 +38586,7 @@ index 343cee3..0c22d93 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +441,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -38490,7 +38611,7 @@ index 343cee3..0c22d93 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +475,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +477,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -38517,7 +38638,7 @@ index 343cee3..0c22d93 100644 ## Read mail server configuration. ## ## -@@ -474,7 +531,8 @@ interface(`mta_write_config',` +@@ -474,7 +533,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -38527,7 +38648,7 @@ index 343cee3..0c22d93 100644 ') ######################################## -@@ -494,6 +552,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +554,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -38535,7 +38656,7 @@ index 343cee3..0c22d93 100644 ') ######################################## -@@ -532,7 +591,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +593,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -38544,7 +38665,7 @@ index 343cee3..0c22d93 100644 ') ######################################## -@@ -552,7 +611,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +613,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -38553,7 +38674,7 @@ index 343cee3..0c22d93 100644 ') ####################################### -@@ -646,8 +705,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +707,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -38564,7 +38685,7 @@ index 343cee3..0c22d93 100644 ') ####################################### -@@ -697,8 +756,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +758,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -38575,7 +38696,7 @@ index 343cee3..0c22d93 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +897,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +899,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -38584,7 +38705,7 @@ index 343cee3..0c22d93 100644 ') ######################################## -@@ -899,3 +958,112 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +960,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -42844,7 +42965,7 @@ index 55e62d2..f2674e8 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..398a32d 100644 +index 46bee12..c22af86 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -42880,7 +43001,7 @@ index 46bee12..398a32d 100644 files_tmp_file(postfix_$1_tmp_t) - allow postfix_$1_t self:capability { setuid setgid dac_override }; -+ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override }; ++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override }; allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; allow postfix_$1_t self:tcp_socket create_socket_perms; allow postfix_$1_t self:udp_socket create_socket_perms; @@ -43185,7 +43306,7 @@ index 46bee12..398a32d 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..fda5e3f 100644 +index 06e37d4..ea5feb2 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -43469,16 +43590,20 @@ index 06e37d4..fda5e3f 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +579,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +579,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read }; +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; ++ ++allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms; ++allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms; ++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +599,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +603,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -43489,7 +43614,7 @@ index 06e37d4..fda5e3f 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +627,10 @@ optional_policy(` +@@ -565,6 +631,10 @@ optional_policy(` ') optional_policy(` @@ -43500,7 +43625,7 @@ index 06e37d4..fda5e3f 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +654,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -43517,7 +43642,7 @@ index 06e37d4..fda5e3f 100644 ') optional_policy(` -@@ -611,8 +683,8 @@ optional_policy(` +@@ -611,8 +687,8 @@ optional_policy(` # Postfix virtual local policy # @@ -43527,7 +43652,7 @@ index 06e37d4..fda5e3f 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +702,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -44161,7 +44286,7 @@ index b1bc02c..8f0b07e 100644 dev_read_rand(prelude_lml_t) diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te -index 2dbf4d4..3625895 100644 +index 2dbf4d4..28d7fe5 100644 --- a/policy/modules/services/privoxy.te +++ b/policy/modules/services/privoxy.te @@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0) @@ -44179,7 +44304,18 @@ index 2dbf4d4..3625895 100644 ## gen_tunable(privoxy_connect_any, false) -@@ -87,7 +87,7 @@ miscfiles_read_localization(privoxy_t) +@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file) + manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t) + files_pid_filetrans(privoxy_t, privoxy_var_run_t, file) + +-kernel_read_system_state(privoxy_t) + kernel_read_kernel_sysctls(privoxy_t) ++kernel_read_network_state(privoxy_t) ++kernel_read_system_state(privoxy_t) + + corenet_all_recvfrom_unlabeled(privoxy_t) + corenet_all_recvfrom_netlabel(privoxy_t) +@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t) userdom_dontaudit_use_unpriv_user_fds(privoxy_t) userdom_dontaudit_search_user_home_dirs(privoxy_t) # cjp: this should really not be needed @@ -46677,10 +46813,10 @@ index 0000000..88f6a9e +') diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te new file mode 100644 -index 0000000..988f82c +index 0000000..bc97a21 --- /dev/null +++ b/policy/modules/services/rhev.te -@@ -0,0 +1,81 @@ +@@ -0,0 +1,84 @@ +policy_module(rhev,1.0) + +######################################## @@ -46758,9 +46894,12 @@ index 0000000..988f82c +') + +optional_policy(` -+ xserver_dbus_chat_xdm(rhev_agentd_t) ++ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t) +') + ++optional_policy(` ++ xserver_dbus_chat_xdm(rhev_agentd_t) ++') + diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if index 96efae7..793a29f 100644 @@ -47003,7 +47142,7 @@ index f7826f9..3128dd8 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..b71d193 100644 +index 33e72e8..a61bb94 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -47060,16 +47199,17 @@ index 33e72e8..b71d193 100644 unconfined_use_fds(ricci_t) ') -@@ -193,7 +202,7 @@ corecmd_exec_shell(ricci_modcluster_t) +@@ -193,7 +202,8 @@ corecmd_exec_shell(ricci_modcluster_t) corecmd_exec_bin(ricci_modcluster_t) corenet_tcp_bind_cluster_port(ricci_modclusterd_t) -corenet_tcp_bind_reserved_port(ricci_modclusterd_t) +corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t) ++corenet_tcp_connect_cluster_port(ricci_modclusterd_t) domain_read_all_domains_state(ricci_modcluster_t) -@@ -209,13 +218,9 @@ logging_send_syslog_msg(ricci_modcluster_t) +@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t) miscfiles_read_localization(ricci_modcluster_t) @@ -47086,7 +47226,7 @@ index 33e72e8..b71d193 100644 optional_policy(` aisexec_stream_connect(ricci_modcluster_t) -@@ -233,6 +238,18 @@ optional_policy(` +@@ -233,6 +239,18 @@ optional_policy(` ') optional_policy(` @@ -47105,7 +47245,7 @@ index 33e72e8..b71d193 100644 nscd_socket_use(ricci_modcluster_t) ') -@@ -241,8 +258,7 @@ optional_policy(` +@@ -241,8 +259,7 @@ optional_policy(` ') optional_policy(` @@ -47115,7 +47255,7 @@ index 33e72e8..b71d193 100644 ') ######################################## -@@ -261,6 +277,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; +@@ -261,6 +278,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; @@ -47126,7 +47266,7 @@ index 33e72e8..b71d193 100644 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +292,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock +@@ -272,6 +293,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -47134,7 +47274,7 @@ index 33e72e8..b71d193 100644 corecmd_exec_bin(ricci_modclusterd_t) -@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t) +@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t) # Needed for running chkconfig files_manage_etc_symlinks(ricci_modservice_t) @@ -47143,7 +47283,7 @@ index 33e72e8..b71d193 100644 init_domtrans_script(ricci_modservice_t) miscfiles_read_localization(ricci_modservice_t) -@@ -405,6 +424,10 @@ optional_policy(` +@@ -405,6 +425,10 @@ optional_policy(` ') optional_policy(` @@ -47154,7 +47294,7 @@ index 33e72e8..b71d193 100644 nscd_dontaudit_search_pid(ricci_modservice_t) ') -@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -444,22 +468,20 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -47183,7 +47323,7 @@ index 33e72e8..b71d193 100644 optional_policy(` aisexec_stream_connect(ricci_modstorage_t) corosync_stream_connect(ricci_modstorage_t) -@@ -471,11 +492,27 @@ optional_policy(` +@@ -471,11 +493,27 @@ optional_policy(` ') optional_policy(` @@ -48471,15 +48611,17 @@ index 150c85d..71e9315 100644 # diff --git a/policy/modules/services/sanlock.fc b/policy/modules/services/sanlock.fc new file mode 100644 -index 0000000..19d7347 +index 0000000..630960e --- /dev/null +++ b/policy/modules/services/sanlock.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,8 @@ + +/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0) + +/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0) + ++/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0) ++ +/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if new file mode 100644 @@ -48599,10 +48741,10 @@ index 0000000..486d53d +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..f7cfc54 +index 0000000..f050bc5 --- /dev/null +++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,55 @@ +@@ -0,0 +1,61 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -48619,6 +48761,9 @@ index 0000000..f7cfc54 +type sanlock_var_run_t; +files_pid_file(sanlock_var_run_t) + ++type sanlock_log_t; ++logging_log_file(sanlock_log_t) ++ +type sanlock_initrc_exec_t; +init_script_file(sanlock_initrc_exec_t) + @@ -48632,6 +48777,9 @@ index 0000000..f7cfc54 +allow sanlock_t self:fifo_file rw_fifo_file_perms; +allow sanlock_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t) ++logging_log_filetrans(sanlock_t, sanlock_log_t, file) ++ +manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) @@ -53748,7 +53896,7 @@ index 6f1e3c7..ade9046 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..cb751f8 100644 +index 130ced9..ea8077d 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -53833,12 +53981,14 @@ index 130ced9..cb751f8 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -106,12 +116,25 @@ interface(`xserver_restricted_role',` +@@ -106,12 +116,27 @@ interface(`xserver_restricted_role',` xserver_create_xdm_tmp_sockets($2) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + xserver_read_xdm_etc_files($2) + ++ modutils_run_insmod(xserver_t, $1) ++ + ifdef(`hide_broken_symptoms',` + dontaudit iceauth_t $2:socket_class_set { read write }; + ') @@ -53859,7 +54009,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -143,13 +166,15 @@ interface(`xserver_role',` +@@ -143,13 +168,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -53877,7 +54027,7 @@ index 130ced9..cb751f8 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +187,6 @@ interface(`xserver_role',` +@@ -162,7 +189,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -53885,7 +54035,7 @@ index 130ced9..cb751f8 100644 ') ####################################### -@@ -197,7 +221,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +223,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -53894,7 +54044,7 @@ index 130ced9..cb751f8 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +251,7 @@ interface(`xserver_rw_session',` +@@ -227,7 +253,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') @@ -53903,7 +54053,7 @@ index 130ced9..cb751f8 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -255,7 +279,7 @@ interface(`xserver_non_drawing_client',` +@@ -255,7 +281,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; @@ -53912,7 +54062,7 @@ index 130ced9..cb751f8 100644 allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; -@@ -291,13 +315,13 @@ interface(`xserver_user_client',` +@@ -291,13 +317,13 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -53930,7 +54080,7 @@ index 130ced9..cb751f8 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -342,19 +366,23 @@ interface(`xserver_user_client',` +@@ -342,19 +368,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` @@ -53957,7 +54107,7 @@ index 130ced9..cb751f8 100644 ') ############################## -@@ -386,6 +414,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +416,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -53973,7 +54123,7 @@ index 130ced9..cb751f8 100644 ') ####################################### -@@ -444,8 +481,9 @@ template(`xserver_object_types_template',` +@@ -444,8 +483,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` @@ -53985,7 +54135,7 @@ index 130ced9..cb751f8 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +494,18 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +496,18 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; @@ -54006,7 +54156,7 @@ index 130ced9..cb751f8 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +517,25 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +519,25 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -54034,7 +54184,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -54042,7 +54192,7 @@ index 130ced9..cb751f8 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -545,6 +596,28 @@ interface(`xserver_domtrans_xauth',` +@@ -545,6 +598,28 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -54071,7 +54221,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -54079,7 +54229,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -54088,7 +54238,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -651,7 +725,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +727,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -54097,7 +54247,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -670,7 +744,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +746,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -54106,7 +54256,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -688,7 +762,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +764,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -54115,7 +54265,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -703,12 +777,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +779,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -54129,7 +54279,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -724,11 +797,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +799,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -54163,7 +54313,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -765,7 +858,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +860,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -54172,7 +54322,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -805,7 +898,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +900,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -54200,7 +54350,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -897,7 +1009,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1011,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -54209,7 +54359,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -916,7 +1028,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1030,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -54218,7 +54368,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -963,6 +1075,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1077,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -54264,7 +54414,7 @@ index 130ced9..cb751f8 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1127,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1129,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -54273,7 +54423,7 @@ index 130ced9..cb751f8 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1189,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1191,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -54316,7 +54466,7 @@ index 130ced9..cb751f8 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1239,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1241,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -54325,7 +54475,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -1070,8 +1257,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1259,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -54337,7 +54487,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -1185,6 +1374,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1376,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -54364,7 +54514,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -1210,7 +1419,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1421,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -54373,7 +54523,7 @@ index 130ced9..cb751f8 100644 ## ## ## -@@ -1220,13 +1429,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1431,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -54398,7 +54548,7 @@ index 130ced9..cb751f8 100644 ') ######################################## -@@ -1243,10 +1462,458 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1464,458 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -57695,7 +57845,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..7947c80 100644 +index cc83689..6569096 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -57854,7 +58004,7 @@ index cc83689..7947c80 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +432,37 @@ interface(`init_system_domain',` +@@ -353,6 +432,41 @@ interface(`init_system_domain',` kernel_dontaudit_use_fds($1) ') ') @@ -57875,6 +58025,10 @@ index cc83689..7947c80 100644 + logging_inherit_append_all_logs($1) + + optional_policy(` ++ abrt_stream_connect($1) ++ ') ++ ++ optional_policy(` + cron_rw_pipes($1) + ') + @@ -57892,7 +58046,7 @@ index cc83689..7947c80 100644 ') ######################################## -@@ -401,16 +511,19 @@ interface(`init_system_domain',` +@@ -401,16 +515,19 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -57912,7 +58066,7 @@ index cc83689..7947c80 100644 mls_rangetrans_target($1) ') ') -@@ -451,6 +564,10 @@ interface(`init_exec',` +@@ -451,6 +568,10 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -57923,7 +58077,7 @@ index cc83689..7947c80 100644 ') ######################################## -@@ -509,6 +626,24 @@ interface(`init_sigchld',` +@@ -509,6 +630,24 @@ interface(`init_sigchld',` ######################################## ## @@ -57948,7 +58102,7 @@ index cc83689..7947c80 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +654,29 @@ interface(`init_sigchld',` +@@ -519,10 +658,29 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -57980,7 +58134,7 @@ index cc83689..7947c80 100644 ') ######################################## -@@ -688,19 +842,25 @@ interface(`init_telinit',` +@@ -688,19 +846,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -58007,7 +58161,7 @@ index cc83689..7947c80 100644 ') ') -@@ -730,7 +890,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +894,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -58016,7 +58170,7 @@ index cc83689..7947c80 100644 ## ## # -@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +937,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -58040,7 +58194,7 @@ index cc83689..7947c80 100644 ') ') -@@ -800,19 +961,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +965,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -58086,7 +58240,7 @@ index cc83689..7947c80 100644 ') ######################################## -@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1055,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -58101,7 +58255,7 @@ index cc83689..7947c80 100644 files_search_etc($1) ') -@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1271,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -58126,7 +58280,7 @@ index cc83689..7947c80 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1340,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -58140,7 +58294,7 @@ index cc83689..7947c80 100644 ') ######################################## -@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1580,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -58168,7 +58322,7 @@ index cc83689..7947c80 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1687,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -58194,7 +58348,7 @@ index cc83689..7947c80 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1764,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -58219,7 +58373,7 @@ index cc83689..7947c80 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1937,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -58228,7 +58382,7 @@ index cc83689..7947c80 100644 ') ######################################## -@@ -1715,6 +1974,92 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1978,92 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -58321,7 +58475,7 @@ index cc83689..7947c80 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2094,156 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2098,156 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -58479,7 +58633,7 @@ index cc83689..7947c80 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..822d7a0 100644 +index ea29513..34ac96c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -58654,7 +58808,7 @@ index ea29513..822d7a0 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,121 @@ tunable_policy(`init_upstart',` +@@ -186,12 +244,122 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -58705,7 +58859,7 @@ index ea29513..822d7a0 100644 + files_manage_all_pid_dirs(init_t) + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) -+ files_unlink_all_pid_sockets(init_t) ++ files_delete_all_pid_sockets(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) + files_create_lock_dirs(init_t) @@ -58718,7 +58872,8 @@ index ea29513..822d7a0 100644 + fs_relabel_tmpfs_dirs(init_t) + fs_relabel_tmpfs_files(init_t) + fs_mount_all_fs(init_t) -+ fs_remount_autofs(init_t) ++ fs_unmount_all_fs(init_t) ++ fs_remount_all_fs(init_t) + fs_list_auto_mountpoints(init_t) + fs_relabel_cgroup_dirs(init_t) + fs_search_cgroup_dirs(daemon) @@ -58776,7 +58931,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -199,10 +366,26 @@ optional_policy(` +@@ -199,10 +367,26 @@ optional_policy(` ') optional_policy(` @@ -58803,7 +58958,7 @@ index ea29513..822d7a0 100644 unconfined_domain(init_t) ') -@@ -212,7 +395,7 @@ optional_policy(` +@@ -212,7 +396,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -58812,7 +58967,7 @@ index ea29513..822d7a0 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +424,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +425,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -58828,7 +58983,7 @@ index ea29513..822d7a0 100644 init_write_initctl(initrc_t) -@@ -258,20 +444,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +445,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -58865,7 +59020,7 @@ index ea29513..822d7a0 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +477,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +478,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -58873,7 +59028,7 @@ index ea29513..822d7a0 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +488,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +489,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -58884,7 +59039,7 @@ index ea29513..822d7a0 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +499,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +500,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -58901,7 +59056,7 @@ index ea29513..822d7a0 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +518,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +519,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -58909,7 +59064,7 @@ index ea29513..822d7a0 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +526,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +527,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -58921,7 +59076,7 @@ index ea29513..822d7a0 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +545,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +546,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -58935,7 +59090,7 @@ index ea29513..822d7a0 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +560,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +561,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -58944,7 +59099,7 @@ index ea29513..822d7a0 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +574,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +575,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -58952,7 +59107,7 @@ index ea29513..822d7a0 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +586,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +587,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -58960,7 +59115,7 @@ index ea29513..822d7a0 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +607,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +608,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -58982,7 +59137,7 @@ index ea29513..822d7a0 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +670,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +671,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -58993,7 +59148,7 @@ index ea29513..822d7a0 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +694,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +695,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -59002,7 +59157,7 @@ index ea29513..822d7a0 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +709,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +710,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -59010,12 +59165,12 @@ index ea29513..822d7a0 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +739,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +740,33 @@ ifdef(`distro_redhat',` ') optional_policy(` -+ abrt_manage_pid_files(initrc_t) -+ ') ++ abrt_manage_pid_files(initrc_t) ++ ') + + optional_policy(` bind_manage_config_dirs(initrc_t) @@ -59044,7 +59199,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -531,10 +773,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +774,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -59067,7 +59222,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -549,6 +803,39 @@ ifdef(`distro_suse',` +@@ -549,6 +804,39 @@ ifdef(`distro_suse',` ') ') @@ -59107,7 +59262,7 @@ index ea29513..822d7a0 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +848,8 @@ optional_policy(` +@@ -561,6 +849,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -59116,7 +59271,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -577,6 +866,7 @@ optional_policy(` +@@ -577,6 +867,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -59124,7 +59279,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -589,6 +879,11 @@ optional_policy(` +@@ -589,6 +880,11 @@ optional_policy(` ') optional_policy(` @@ -59136,7 +59291,7 @@ index ea29513..822d7a0 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +900,13 @@ optional_policy(` +@@ -605,9 +901,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -59150,7 +59305,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -649,6 +948,11 @@ optional_policy(` +@@ -649,6 +949,11 @@ optional_policy(` ') optional_policy(` @@ -59162,7 +59317,7 @@ index ea29513..822d7a0 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +1010,13 @@ optional_policy(` +@@ -706,7 +1011,13 @@ optional_policy(` ') optional_policy(` @@ -59176,7 +59331,7 @@ index ea29513..822d7a0 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1039,10 @@ optional_policy(` +@@ -729,6 +1040,10 @@ optional_policy(` ') optional_policy(` @@ -59187,7 +59342,7 @@ index ea29513..822d7a0 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1052,20 @@ optional_policy(` +@@ -738,10 +1053,20 @@ optional_policy(` ') optional_policy(` @@ -59208,7 +59363,7 @@ index ea29513..822d7a0 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1074,10 @@ optional_policy(` +@@ -750,6 +1075,10 @@ optional_policy(` ') optional_policy(` @@ -59219,7 +59374,7 @@ index ea29513..822d7a0 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1099,6 @@ optional_policy(` +@@ -771,8 +1100,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -59228,7 +59383,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -781,14 +1107,21 @@ optional_policy(` +@@ -781,14 +1108,21 @@ optional_policy(` ') optional_policy(` @@ -59250,7 +59405,7 @@ index ea29513..822d7a0 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1133,6 @@ optional_policy(` +@@ -800,7 +1134,6 @@ optional_policy(` ') optional_policy(` @@ -59258,7 +59413,7 @@ index ea29513..822d7a0 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1142,24 @@ optional_policy(` +@@ -810,11 +1143,24 @@ optional_policy(` ') optional_policy(` @@ -59284,7 +59439,7 @@ index ea29513..822d7a0 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1169,25 @@ optional_policy(` +@@ -824,6 +1170,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -59310,7 +59465,7 @@ index ea29513..822d7a0 100644 ') optional_policy(` -@@ -839,6 +1203,10 @@ optional_policy(` +@@ -839,6 +1204,10 @@ optional_policy(` ') optional_policy(` @@ -59321,7 +59476,7 @@ index ea29513..822d7a0 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -849,3 +1217,42 @@ optional_policy(` +@@ -849,3 +1218,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -59351,6 +59506,10 @@ index ea29513..822d7a0 100644 +init_rw_script_stream_sockets(daemon) + +optional_policy(` ++ abrt_stream_connect(daemon) ++') ++ ++optional_policy(` + fail2ban_read_lib_files(daemon) +') + @@ -59363,7 +59522,6 @@ index ea29513..822d7a0 100644 +allow init_t var_run_t:dir relabelto; + +init_stream_connect(initrc_t) -+ diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 07eba2b..a75297a 100644 --- a/policy/modules/system/ipsec.fc @@ -60941,7 +61099,7 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..e3f0566 100644 +index 9b5a9ed..41ee997 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -19,6 +19,11 @@ type auditd_log_t; @@ -61085,7 +61243,7 @@ index 9b5a9ed..e3f0566 100644 # setpgid for metalog # setrlimit for syslog-ng -allow syslogd_t self:process { signal_perms setpgid setrlimit }; -+allow syslogd_t self:process { signal_perms setpgid setsched setrlimit }; ++allow syslogd_t self:process { signal_perms setpgid setsched setrlimit setcap getcap }; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; @@ -64350,10 +64508,10 @@ index 0000000..c59c37c +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c777159 +index 0000000..747aa58 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,190 @@ +@@ -0,0 +1,191 @@ + +policy_module(systemd, 1.0.0) + @@ -64459,7 +64617,8 @@ index 0000000..c777159 +files_manage_all_pid_dirs(systemd_tmpfiles_t) +files_manage_all_locks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) -+files_unlink_all_pid_sockets(systemd_tmpfiles_t) ++files_delete_all_pid_sockets(systemd_tmpfiles_t) ++files_delete_all_pid_pipes(systemd_tmpfiles_t) +files_delete_boot_flag(systemd_tmpfiles_t) +files_purge_tmp(systemd_tmpfiles_t) +files_manage_generic_tmp_files(systemd_tmpfiles_t) @@ -65735,7 +65894,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..35793ae 100644 +index 28b88de..240fa6c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -65902,12 +66061,16 @@ index 28b88de..35793ae 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +151,16 @@ template(`userdom_base_user_template',` +@@ -116,6 +151,20 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + optional_policy(` ++ abrt_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + fs_list_cgroup_dirs($1_usertype) + ') + @@ -65919,7 +66082,7 @@ index 28b88de..35793ae 100644 ') ####################################### -@@ -149,6 +194,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +198,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -65928,7 +66091,7 @@ index 28b88de..35793ae 100644 ############################## # # Domain access to home dir -@@ -166,27 +213,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +217,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -65956,7 +66119,7 @@ index 28b88de..35793ae 100644 ') ####################################### -@@ -218,8 +244,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +248,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -65968,7 +66131,7 @@ index 28b88de..35793ae 100644 ############################## # # Domain access to home dir -@@ -228,17 +257,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +261,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -66000,7 +66163,7 @@ index 28b88de..35793ae 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +279,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +283,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -66030,7 +66193,7 @@ index 28b88de..35793ae 100644 ') ') -@@ -286,17 +317,63 @@ interface(`userdom_manage_home_role',` +@@ -286,17 +321,63 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -66099,7 +66262,7 @@ index 28b88de..35793ae 100644 ') ####################################### -@@ -316,6 +393,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +397,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -66107,7 +66270,7 @@ index 28b88de..35793ae 100644 files_search_tmp($1) ') -@@ -347,59 +425,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,59 +429,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -66202,7 +66365,7 @@ index 28b88de..35793ae 100644 ') ####################################### -@@ -430,6 +511,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +515,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -66210,7 +66373,7 @@ index 28b88de..35793ae 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +572,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +576,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -66219,7 +66382,7 @@ index 28b88de..35793ae 100644 ############################## # -@@ -500,73 +582,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +586,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -66241,27 +66404,27 @@ index 28b88de..35793ae 100644 + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) -- -- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) +- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -66285,10 +66448,10 @@ index 28b88de..35793ae 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) ++ ++ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) -+ application_getattr_socket($1_usertype) -+ + logging_send_syslog_msg($1_usertype) + logging_send_audit_msgs($1_usertype) + selinux_get_enforce_mode($1_usertype) @@ -66340,7 +66503,7 @@ index 28b88de..35793ae 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +664,123 @@ template(`userdom_common_user_template',` +@@ -574,67 +668,123 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -66358,19 +66521,19 @@ index 28b88de..35793ae 100644 + + optional_policy(` + canna_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) ++ colord_read_lib_files($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) -+ colord_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; @@ -66439,24 +66602,24 @@ index 28b88de..35793ae 100644 - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_session_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ++ ') ++ ++ optional_policy(` + lircd_stream_connect($1_usertype) + ') + @@ -66482,7 +66645,7 @@ index 28b88de..35793ae 100644 ') optional_policy(` -@@ -650,41 +796,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +800,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -66514,48 +66677,50 @@ index 28b88de..35793ae 100644 + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ slrnpull_search_spool($1_usertype) ++ seunshare_role_template($1, $1_r, $1_t) ') + ++ optional_policy(` ++ slrnpull_search_spool($1_usertype) ++ ') ++ ') ####################################### -@@ -712,13 +867,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +871,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -66566,9 +66731,7 @@ index 28b88de..35793ae 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -66576,7 +66739,7 @@ index 28b88de..35793ae 100644 userdom_change_password_template($1) -@@ -736,72 +904,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +908,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -66643,10 +66806,10 @@ index 28b88de..35793ae 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) - seutil_read_config($1_t) ++ seutil_read_config($1_usertype) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -66685,7 +66848,7 @@ index 28b88de..35793ae 100644 ') ') -@@ -833,6 +1000,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1004,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -66695,7 +66858,7 @@ index 28b88de..35793ae 100644 ############################## # # Local policy -@@ -874,45 +1044,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1048,118 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -66774,26 +66937,27 @@ index 28b88de..35793ae 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) - ') ++ ') optional_policy(` -- cups_dbus_chat($1_t) +- consolekit_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ') -+ -+ optional_policy(` + + optional_policy(` +- cups_dbus_chat($1_t) + fprintd_dbus_chat($1_t) -+ ') -+ ') -+ -+ optional_policy(` + ') + ') + + optional_policy(` +- java_role($1_r, $1_t) + openoffice_role_template($1, $1_r, $1_usertype) + ') + @@ -66805,10 +66969,9 @@ index 28b88de..35793ae 100644 + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) + pulseaudio_filetrans_home_content($1_usertype) - ') - - optional_policy(` -- java_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` + rtkit_scheduled($1_usertype) ') @@ -66825,7 +66988,7 @@ index 28b88de..35793ae 100644 ') ') -@@ -947,7 +1190,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1194,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -66834,7 +66997,7 @@ index 28b88de..35793ae 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1199,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1203,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -66920,21 +67083,21 @@ index 28b88de..35793ae 100644 + + optional_policy(` + java_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ mono_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) ++ mono_role_template($1, $1_r, $1_t) ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` + wine_role_template($1, $1_r, $1_t) + ') + @@ -66948,7 +67111,7 @@ index 28b88de..35793ae 100644 ') ') -@@ -1039,7 +1311,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1315,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -66957,7 +67120,7 @@ index 28b88de..35793ae 100644 ') ############################## -@@ -1066,6 +1338,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1342,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -66965,7 +67128,7 @@ index 28b88de..35793ae 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1347,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1351,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -66975,7 +67138,7 @@ index 28b88de..35793ae 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1364,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1368,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -66983,7 +67146,7 @@ index 28b88de..35793ae 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1382,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1386,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -66997,7 +67160,7 @@ index 28b88de..35793ae 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1399,22 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1403,22 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -67021,7 +67184,7 @@ index 28b88de..35793ae 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1426,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1430,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -67033,7 +67196,7 @@ index 28b88de..35793ae 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1498,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1502,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -67042,7 +67205,7 @@ index 28b88de..35793ae 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1512,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1516,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -67050,7 +67213,7 @@ index 28b88de..35793ae 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,11 +1525,22 @@ template(`userdom_security_admin_template',` +@@ -1234,11 +1529,22 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -67073,7 +67236,7 @@ index 28b88de..35793ae 100644 optional_policy(` aide_run($1,$2) ') -@@ -1279,11 +1581,60 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1585,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -67082,59 +67245,129 @@ index 28b88de..35793ae 100644 allow $1 user_home_t:filesystem associate; files_type($1) -+ ubac_constrained($1) +- files_poly_member($1) + ubac_constrained($1) + - files_poly_member($1) ++ files_poly_member($1) + typeattribute $1 user_home_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow domain to attach to TUN devices created by administrative users. +## Make the specified type usable in a +## generic temporary directory. -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## Type to be used as a file in the +## generic temporary directory. -+## -+## -+# + ## + ## + # +-interface(`userdom_attach_admin_tun_iface',` +interface(`userdom_user_tmp_content',` -+ gen_require(` + gen_require(` +- attribute admindomain; + attribute user_tmp_type; -+ ') -+ + ') + +- allow $1 admindomain:tun_socket relabelfrom; +- allow $1 self:tun_socket relabelto; + typeattribute $1 user_tmp_type; + + files_tmp_file($1) + ubac_constrained($1) + ') + + ######################################## + ## +-## Set the attributes of a user pty. ++## Make the specified type usable in a ++## generic tmpfs_t directory. + ## +-## ++## + ## +-## Domain allowed access. ++## Type to be used as a file in the ++## generic temporary directory. + ## + ## + # +-interface(`userdom_setattr_user_ptys',` ++interface(`userdom_user_tmpfs_content',` + gen_require(` +- type user_devpts_t; ++ attribute user_tmpfs_type; + ') + +- allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ++ typeattribute $1 user_tmpfs_type; ++ ++ files_tmpfs_file($1) ++ ubac_constrained($1) + ') + + ######################################## + ## +-## Create a user pty. ++## Allow domain to attach to TUN devices created by administrative users. + ## + ## + ## +@@ -1334,9 +1652,46 @@ interface(`userdom_setattr_user_ptys',` + ## + ## + # +-interface(`userdom_create_user_pty',` ++interface(`userdom_attach_admin_tun_iface',` + gen_require(` +- type user_devpts_t; ++ attribute admindomain; ++ ') ++ ++ allow $1 admindomain:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; +') + +######################################## +## -+## Make the specified type usable in a -+## generic tmpfs_t directory. ++## Set the attributes of a user pty. +## -+## ++## +## -+## Type to be used as a file in the -+## generic temporary directory. ++## Domain allowed access. +## +## +# -+interface(`userdom_user_tmpfs_content',` ++interface(`userdom_setattr_user_ptys',` + gen_require(` -+ attribute user_tmpfs_type; ++ type user_devpts_t; + ') + -+ typeattribute $1 user_tmpfs_type; ++ allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ++') + -+ files_tmpfs_file($1) - ubac_constrained($1) - ') ++######################################## ++## ++## Create a user pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_create_user_pty',` ++ gen_require(` ++ type user_devpts_t; + ') -@@ -1395,6 +1746,7 @@ interface(`userdom_search_user_home_dirs',` + term_create_pty($1, user_devpts_t) +@@ -1395,6 +1750,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -67142,7 +67375,7 @@ index 28b88de..35793ae 100644 files_search_home($1) ') -@@ -1441,6 +1793,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1797,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -67157,7 +67390,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -1456,9 +1816,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1820,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -67169,7 +67402,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -1515,6 +1877,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1881,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -67212,7 +67445,7 @@ index 28b88de..35793ae 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +1987,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1991,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -67221,7 +67454,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -1603,10 +2003,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2007,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -67236,10 +67469,28 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -1649,6 +2051,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2055,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## ++## Delete all directories in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_home_content_dirs',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:dir delete_dir_perms; ++') ++ ++######################################## ++## +## Set the attributes of user home files. +## +## @@ -67262,7 +67513,33 @@ index 28b88de..35793ae 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2121,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1668,6 +2111,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` + + ######################################## + ## ++## Set the attributes of all user home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_setattr_all_user_home_content_dirs',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:dir setattr_dir_perms; ++') ++ ++######################################## ++## + ## Mmap user home files. + ## + ## +@@ -1700,12 +2162,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -67295,7 +67572,7 @@ index 28b88de..35793ae 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2157,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2198,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -67313,10 +67590,28 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -1779,6 +2223,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2264,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## ++## Delete all files in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_home_content_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:file delete_file_perms; ++') ++ ++######################################## ++## +## Delete sock files in a user home subdirectory. +## +## @@ -67335,10 +67630,28 @@ index 28b88de..35793ae 100644 + +######################################## +## ++## Delete all sock files in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_home_content_sock_files',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:sock_file delete_file_perms; ++') ++ ++######################################## ++## ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2272,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2349,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -67348,7 +67661,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -1827,20 +2288,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2365,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -67373,7 +67686,32 @@ index 28b88de..35793ae 100644 ######################################## ## -@@ -2008,7 +2463,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -1941,6 +2473,24 @@ interface(`userdom_delete_user_home_content_symlinks',` + + ######################################## + ## ++## Delete all symbolic links in a user home directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_home_content_symlinks',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:lnk_file delete_lnk_file_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete named pipes + ## in a user home subdirectory. + ## +@@ -2008,7 +2558,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -67382,7 +67720,7 @@ index 28b88de..35793ae 100644 files_search_home($1) ') -@@ -2182,7 +2637,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2732,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -67391,7 +67729,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -2435,13 +2890,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2985,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -67407,7 +67745,7 @@ index 28b88de..35793ae 100644 ## ## ## -@@ -2462,26 +2918,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3013,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -67434,87 +67772,118 @@ index 28b88de..35793ae 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +3008,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3103,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## +-## Read and write a user domain pty. +## Read and write a inherited user domain tty. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2580,70 +3111,138 @@ interface(`userdom_use_user_ttys',` + ## + ## + # +-interface(`userdom_use_user_ptys',` +interface(`userdom_use_inherited_user_ttys',` -+ gen_require(` + gen_require(` +- type user_devpts_t; + type user_tty_device_t; -+ ') -+ + ') + +- allow $1 user_devpts_t:chr_file rw_term_perms; + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; -+') -+ -+######################################## -+## - ## Read and write a user domain pty. - ## - ## -@@ -2590,22 +3044,34 @@ interface(`userdom_use_user_ptys',` + ') ######################################## ## -## Read and write a user TTYs and PTYs. -+## Read and write a inherited user domain pty. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_use_inherited_user_ptys',` -+ gen_require(` -+ type user_devpts_t; -+ ') -+ -+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms; -+') -+ -+######################################## -+## -+## Read and write a inherited user TTYs and PTYs. ++## Read and write a user domain pty. ## - ## - ##

+-## +-##

-## Allow the specified domain to read and write user -+## Allow the specified domain to read and write inherited user - ## TTYs and PTYs. This will allow the domain to - ## interact with the user via the terminal. Typically - ## all interactive applications will require this - ## access. - ##

+-## TTYs and PTYs. This will allow the domain to +-## interact with the user via the terminal. Typically +-## all interactive applications will require this +-## access. +-##

-##

-## However, this also allows the applications to spy -## on user sessions or inject information into the -## user session. Thus, this access should likely -## not be allowed for non-interactive domains. -##

- ##
+-## ## ## -@@ -2614,14 +3080,33 @@ interface(`userdom_use_user_ptys',` + ## Domain allowed access. + ## ## - ## +-## # -interface(`userdom_use_user_terminals',` -+interface(`userdom_use_inherited_user_terminals',` ++interface(`userdom_use_user_ptys',` gen_require(` - type user_tty_device_t, user_devpts_t; +- type user_tty_device_t, user_devpts_t; ++ type user_devpts_t; ') - allow $1 user_tty_device_t:chr_file rw_term_perms; -- allow $1 user_devpts_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; - term_list_ptys($1) + ') + + ######################################## + ## +-## Do not audit attempts to read and write +-## a user domain tty and pty. ++## Read and write a inherited user domain pty. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`userdom_dontaudit_use_user_terminals',` ++interface(`userdom_use_inherited_user_ptys',` + gen_require(` +- type user_tty_device_t, user_devpts_t; ++ type user_devpts_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; ++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++######################################## ++## ++## Read and write a inherited user TTYs and PTYs. ++## ++## ++##

++## Allow the specified domain to read and write inherited user ++## TTYs and PTYs. This will allow the domain to ++## interact with the user via the terminal. Typically ++## all interactive applications will require this ++## access. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_use_inherited_user_terminals',` ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') @@ -67537,10 +67906,25 @@ index 28b88de..35793ae 100644 + + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; - ') - - ######################################## -@@ -2644,6 +3129,25 @@ interface(`userdom_dontaudit_use_user_terminals',` ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write ++## a user domain tty and pty. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_use_user_terminals',` ++ gen_require(` ++ type user_tty_device_t, user_devpts_t; ++ ') ++ ++ dontaudit $1 user_tty_device_t:chr_file rw_term_perms; dontaudit $1 user_devpts_t:chr_file rw_term_perms; ') @@ -67566,7 +67950,7 @@ index 28b88de..35793ae 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2815,7 +3319,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3414,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -67575,7 +67959,7 @@ index 28b88de..35793ae 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3335,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3430,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -67591,7 +67975,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -2917,7 +3423,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3518,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -67600,7 +67984,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -2972,7 +3478,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3573,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -67647,7 +68031,7 @@ index 28b88de..35793ae 100644 ') ######################################## -@@ -3009,6 +3553,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3648,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -67655,7 +68039,7 @@ index 28b88de..35793ae 100644 kernel_search_proc($1) ') -@@ -3087,6 +3632,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3727,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -67680,7 +68064,7 @@ index 28b88de..35793ae 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3702,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3797,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ab91b44..e3ae491 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 29.1%{?dist} +Release: 30%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,10 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jun 27 2011 Miroslav Grepl 3.9.16-30 +- More fixes + * http://git.fedorahosted.org/git/?p=selinux-policy.git + * Thu Jun 16 2011 Dan Walsh 3.9.16-29.1 - Fix spec file to not report Verify errors