From 2ed5289fc9a18884a571a3735b4b74aed98f7d79 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jul 19 2011 15:44:23 +0000 Subject: - Add initial policy for abrt_dump_oops_t - xtables-multi wants to getattr of the proc fs - Smoltclient is connecting to abrt - Dontaudit leaked file descriptors to postdrop - Allow abrt_dump_oops to look at kernel sysctls - Abrt_dump_oops_t reads kernel ring buffer - Allow mysqld to request the kernel to load modules - systemd-login needs fowner - Allow postfix_cleanup_t to searh maildrop --- diff --git a/policy-F16.patch b/policy-F16.patch index e3ba6d4..f6c009f 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1514,7 +1514,7 @@ index 7f1d18e..a68d519 100644 ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..e12af8e 100644 +index af55369..5ede07b 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1556,7 +1556,7 @@ index af55369..e12af8e 100644 selinux_get_enforce_mode(prelink_t) libs_exec_ld_so(prelink_t) -@@ -98,7 +102,11 @@ libs_delete_lib_symlinks(prelink_t) +@@ -98,7 +102,13 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) @@ -1565,11 +1565,13 @@ index af55369..e12af8e 100644 +userdom_manage_user_home_content(prelink_t) +userdom_execmod_user_home_files(prelink_t) + ++systemd_read_unit_files(prelink_t) ++ +term_use_all_inherited_terms(prelink_t) optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,13 +117,22 @@ optional_policy(` +@@ -109,13 +119,22 @@ optional_policy(` ') optional_policy(` @@ -1594,7 +1596,7 @@ index af55369..e12af8e 100644 ######################################## # # Prelink Cron system Policy -@@ -129,6 +146,7 @@ optional_policy(` +@@ -129,6 +148,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; 
@@ -1602,7 +1604,7 @@ index af55369..e12af8e 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +166,28 @@ optional_policy(` +@@ -148,17 +168,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -2554,7 +2556,7 @@ index 8966ec9..8fbe943 100644 + xserver_xdm_append_log(shutdown_t) ') diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te -index bc00875..819a10b 100644 +index bc00875..2efc0d7 100644 --- a/policy/modules/admin/smoltclient.te +++ b/policy/modules/admin/smoltclient.te @@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0) @@ -2573,7 +2575,7 @@ index bc00875..819a10b 100644 fs_getattr_all_fs(smoltclient_t) fs_getattr_all_dirs(smoltclient_t) -@@ -46,15 +46,21 @@ fs_list_auto_mountpoints(smoltclient_t) +@@ -46,15 +46,25 @@ fs_list_auto_mountpoints(smoltclient_t) files_getattr_generic_locks(smoltclient_t) files_read_etc_files(smoltclient_t) @@ -2588,6 +2590,10 @@ index bc00875..819a10b 100644 miscfiles_read_localization(smoltclient_t) optional_policy(` ++ abrt_stream_connect(smoltclient_t) ++') ++ ++optional_policy(` + cron_system_entry(smoltclient_t, smoltclient_exec_t) +') + @@ -13117,10 +13123,18 @@ index c19518a..ba08cfe 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..c0e0b1e 100644 +index ff006ea..d6ca227 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` +@@ -55,6 +55,7 @@ + ##
  • files_pid_file()
  • + ##
  • files_security_file()
  • + ##
  • files_security_mountpoint()
  • ++##
  • files_spool_file()
  • + ##
  • files_tmp_file()
  • + ##
  • files_tmpfs_file()
  • + ##
  • logging_log_file()
  • +@@ -1053,10 +1054,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -13133,7 +13147,7 @@ index ff006ea..c0e0b1e 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1482,6 +1480,42 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1482,6 +1481,42 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -13176,7 +13190,7 @@ index ff006ea..c0e0b1e 100644 ## List the contents of the root directory. ## ## -@@ -1562,7 +1596,7 @@ interface(`files_root_filetrans',` +@@ -1562,7 +1597,7 @@ interface(`files_root_filetrans',` type root_t; ') @@ -13185,7 +13199,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -1848,7 +1882,7 @@ interface(`files_boot_filetrans',` +@@ -1848,7 +1883,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -13194,7 +13208,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -2372,6 +2406,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2407,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -13219,7 +13233,7 @@ index ff006ea..c0e0b1e 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2503,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2504,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -13228,7 +13242,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -2525,6 +2577,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2578,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -13253,7 +13267,7 @@ index ff006ea..c0e0b1e 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2694,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2695,7 @@ interface(`files_etc_filetrans',` type etc_t; ') 
@@ -13262,7 +13276,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -2680,24 +2750,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2751,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -13287,7 +13301,7 @@ index ff006ea..c0e0b1e 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2790,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2791,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -13312,7 +13326,7 @@ index ff006ea..c0e0b1e 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2845,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -13320,7 +13334,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3364,7 +3435,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3436,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -13329,7 +13343,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3502,20 +3573,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3574,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -13373,7 +13387,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -3900,6 +3989,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +3990,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13473,7 +13487,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4127,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## 
@@ -13482,7 +13496,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4017,7 +4199,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4200,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13491,7 +13505,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4029,6 +4211,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13516,7 +13530,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4285,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13549,7 +13563,7 @@ index ff006ea..c0e0b1e 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4139,6 +4365,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4139,6 +4366,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13592,7 +13606,7 @@ index ff006ea..c0e0b1e 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4202,7 +4464,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4202,7 +4465,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13601,7 +13615,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4262,7 +4524,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4525,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -13610,7 +13624,7 @@ index ff006ea..c0e0b1e 100644 ## ## # -@@ -4318,7 +4580,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4581,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -13619,7 +13633,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -4342,6 +4604,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4605,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -13636,7 +13650,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -4681,7 +4953,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +4954,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -13645,7 +13659,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5084,7 +5356,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5357,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -13654,7 +13668,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5219,7 +5491,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5492,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13663,7 +13677,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5304,6 +5576,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5577,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -13689,7 +13703,7 @@ index ff006ea..c0e0b1e 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5608,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5609,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -13698,7 +13712,7 @@ index ff006ea..c0e0b1e 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5629,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5630,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -13714,7 +13728,7 @@ index ff006ea..c0e0b1e 100644 ## ## ## -@@ -5349,12 +5644,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5645,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -13747,7 +13761,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5373,6 +5686,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5687,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -13755,7 +13769,7 @@ index ff006ea..c0e0b1e 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5699,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5700,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -13763,7 +13777,7 @@ index ff006ea..c0e0b1e 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5725,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5726,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -13772,7 +13786,7 @@ index ff006ea..c0e0b1e 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5741,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5742,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -13789,7 +13803,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5452,7 +5765,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5766,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -13798,7 +13812,7 @@ index ff006ea..c0e0b1e 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5806,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5807,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -13807,7 +13821,7 @@ index ff006ea..c0e0b1e 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5828,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5829,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -13816,7 +13830,7 @@ index ff006ea..c0e0b1e 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5860,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5861,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -13827,7 +13841,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5608,6 +5921,43 @@ interface(`files_search_pids',` +@@ -5608,6 +5922,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -13871,7 +13885,7 @@ index ff006ea..c0e0b1e 100644 ######################################## ## ## Do not audit attempts to search -@@ -5736,7 +6086,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6087,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -13880,7 +13894,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -5815,6 +6165,98 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,6 +6166,98 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -13979,7 +13993,7 @@ index ff006ea..c0e0b1e 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6274,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6275,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -14024,7 +14038,98 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -6042,7 +6522,7 @@ interface(`files_spool_filetrans',` +@@ -5900,6 +6381,90 @@ interface(`files_delete_all_pid_dirs',` + + ######################################## + ## ++## Make the specified type a file ++## used for spool files. ++## ++## ++##

    ++## Make the specified type usable for spool files. ++## This will also make the type usable for files, making ++## calls to files_type() redundant. Failure to use this interface ++## for a spool file may result in problems with ++## purging spool files. ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      ++##
    • files_spool_filetrans()
    • ++##
    ++##

    ++## Example usage with a domain that can create and ++## write its spool file in the system spool file ++## directories (/var/spool): ++##

    ++##

    ++## type myspoolfile_t; ++## files_spool_file(myfile_spool_t) ++## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; ++## files_spool_filetrans(mydomain_t, myfile_spool_t, file) ++##

    ++##
    ++## ++## ++## Type of the file to be used as a ++## spool file. ++## ++## ++## ++# ++interface(`files_spool_file',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ files_type($1) ++ typeattribute $1 spoolfile; ++') ++ ++######################################## ++## ++## Create all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Delete all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## + ## Search the contents of generic spool + ## directories (/var/spool). + ## +@@ -6042,7 +6607,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14033,7 +14138,7 @@ index ff006ea..c0e0b1e 100644 ') ######################################## -@@ -6117,3 +6597,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6682,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -14319,18 +14424,20 @@ index ff006ea..c0e0b1e 100644 + dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 22821ff..567322b 100644 +index 22821ff..20251b0 100644 --- a/policy/modules/kernel/files.te 
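Review bot: The example in the `files_spool_file` description mixes two names — `type myspoolfile_t;` is followed by `files_spool_file(myfile_spool_t)` and `allow mydomain_t myfile_spool_t:file ...` — so the snippet never declares the type it uses; use one name throughout (e.g. `myfile_spool_t`). The same description warns that failing to use the interface "may result in problems with purging spool files", yet no purge interface over the spoolfile attribute is added in this hunk; the only consumers are `files_create_all_spool_sockets` and `files_delete_all_spool_sockets`, so that sentence should describe those or be dropped rather than copy the pid-file wording. Those two interfaces grant only sock_file permissions on spoolfile types and nothing on the containing directories, so callers still need search/add_name on the spool directory from another interface — a one-line note in each description would prevent surprise denials.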
+++ b/policy/modules/kernel/files.te -@@ -11,6 +11,7 @@ attribute lockfile; +@@ -10,7 +10,9 @@ attribute files_unconfined_type; + attribute lockfile; attribute mountpoint; attribute pidfile; ++attribute spoolfile; attribute configfile; +attribute etcfile; # For labeling types that are to be polyinstantiated attribute polydir; -@@ -58,12 +59,21 @@ files_type(etc_t) +@@ -58,12 +60,21 @@ files_type(etc_t) typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; @@ -14353,7 +14460,7 @@ index 22821ff..567322b 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -167,6 +177,7 @@ files_mountpoint(var_lib_t) +@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t) # type var_lock_t; files_lock_file(var_lock_t) @@ -14361,6 +14468,14 @@ index 22821ff..567322b 100644 # # var_run_t is the type of /var/run, usually +@@ -181,6 +193,7 @@ files_mountpoint(var_run_t) + # + type var_spool_t; + files_tmp_file(var_spool_t) ++files_spool_file(var_spool_t) + + ######################################## + # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 97fcdac..3babb37 100644 --- a/policy/modules/kernel/filesystem.if @@ -18888,14 +19003,14 @@ index e88b95f..0eb55db 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..f7a7a96 100644 +index 1bd5812..b3631d6 100644 --- a/policy/modules/services/abrt.fc +++ b/policy/modules/services/abrt.fc 
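Review bot: `files_spool_file(var_spool_t)` is added while `files_tmp_file(var_spool_t)` stays, so the generic /var/spool type now carries both the tmpfile and the spoolfile attributes; any domain granted the new `files_create_all_spool_sockets` or `files_delete_all_spool_sockets` can therefore create or unlink sockets labelled var_spool_t, not only those of service-specific spool types. If that breadth is intended, a comment beside the call, e.g. `# var_spool_t is also covered by the *_all_spool_sockets interfaces`, documents it; otherwise keep the generic type out of the attribute and apply files_spool_file only to the service spool types.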
@@ -1,11 +1,9 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) @@ -19124,7 +19239,7 @@ index 0b827c5..7382308 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..ffe6d41 100644 +index 30861ec..b8f91da 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -19142,7 +19257,20 @@ index 30861ec..ffe6d41 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -43,14 +51,37 @@ ifdef(`enable_mcs',` +@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t) + type abrt_var_run_t; + files_pid_file(abrt_var_run_t) + ++type abrt_dump_oops_t; ++type abrt_dump_oops_exec_t; ++init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) ++ ++permissive abrt_dump_oops_t; ++ + # type needed to allow all domains + # to handle /var/cache/abrt + type abrt_helper_t; +@@ -43,14 +57,37 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -19167,7 +19295,7 @@ index 30861ec..ffe6d41 100644 +files_type(abrt_retrace_cache_t) + +type abrt_retrace_spool_t; -+files_type(abrt_retrace_spool_t) ++files_spool_file(abrt_retrace_spool_t) + ######################################## # 
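Review bot: `permissive abrt_dump_oops_t;` means nothing in the new domain's policy is enforced by this commit — denials are logged but allowed — so a bug in abrt-dump-oops while it parses the ring buffer runs effectively unconfined; a comment such as `# permissive while the domain is new; remove before release` next to it would keep the removal from being forgotten. The only entry into the domain defined here is `init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)`, i.e. a transition from init; the .fc change relabels /usr/bin/abrt-dump-oops away from abrt_helper_exec_t, so if abrtd (abrt_t) is what execs it, no abrt_t to abrt_dump_oops_t transition appears in this hunk and the program would stay in abrt_t or be denied exec, depending on rules outside this view — worth confirming against how abrt launches it.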
@@ -19182,7 +19310,7 @@ index 30861ec..ffe6d41 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +90,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -19190,7 +19318,7 @@ index 30861ec..ffe6d41 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +101,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -19198,7 +19326,7 @@ index 30861ec..ffe6d41 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +115,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -19207,7 +19335,7 @@ index 30861ec..ffe6d41 100644 kernel_read_ring_buffer(abrt_t) kernel_read_system_state(abrt_t) -@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -19215,7 +19343,7 @@ index 30861ec..ffe6d41 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
@@ -19225,7 +19353,7 @@ index 30861ec..ffe6d41 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -19234,7 +19362,7 @@ index 30861ec..ffe6d41 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -19243,7 +19371,7 @@ index 30861ec..ffe6d41 100644 logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t) +@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) @@ -19260,7 +19388,7 @@ index 30861ec..ffe6d41 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +197,11 @@ optional_policy(` +@@ -150,6 +203,11 @@ optional_policy(` ') optional_policy(` @@ -19272,7 +19400,7 @@ index 30861ec..ffe6d41 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +219,7 @@ optional_policy(` +@@ -167,6 +225,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -19280,7 +19408,7 @@ index 30861ec..ffe6d41 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +231,18 @@ optional_policy(` +@@ -178,12 +237,18 @@ optional_policy(` ') optional_policy(` 
@@ -19300,7 +19428,7 @@ index 30861ec..ffe6d41 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,9 +259,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -19313,7 +19441,7 @@ index 30861ec..ffe6d41 100644 fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +278,8 @@ miscfiles_read_localization(abrt_helper_t) +@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t) term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -19323,7 +19451,7 @@ index 30861ec..ffe6d41 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +287,100 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +293,130 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -19331,7 +19459,7 @@ index 30861ec..ffe6d41 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') -+') + ') + +ifdef(`hide_broken_symptoms',` + gen_require(` 
@@ -19423,7 +19551,37 @@ index 30861ec..ffe6d41 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) - ') ++') ++ ++######################################## ++# ++# abrt_dump_oops local policy ++# ++ ++allow abrt_dump_oops_t self:capability dac_override; ++allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; ++allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_search_spool(abrt_dump_oops_t) ++manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t) ++files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir }) ++ ++read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t) ++ ++kernel_read_kernel_sysctls(abrt_dump_oops_t) ++kernel_read_ring_buffer(abrt_dump_oops_t) ++ ++domain_use_interactive_fds(abrt_dump_oops_t) ++ ++files_read_etc_files(abrt_dump_oops_t) ++ ++logging_read_generic_logs(abrt_helper_t) ++logging_send_syslog_msg(abrt_dump_oops_t) ++ ++miscfiles_read_localization(abrt_dump_oops_t) diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if index c0f858d..d639ae0 100644 --- a/policy/modules/services/accountsd.if @@ -19802,9 +19960,18 @@ index d96fdfa..e07158f 100644 ifdef(`distro_debian',` /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te -index deca9d3..4556eb2 100644 +index deca9d3..ae8c579 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te +@@ -38,7 +38,7 @@ type amavis_quarantine_t; + files_type(amavis_quarantine_t) + + type amavis_spool_t; +-files_type(amavis_spool_t) ++files_spool_file(amavis_spool_t) + + ######################################## + # 
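Review bot: `logging_read_generic_logs(abrt_helper_t)` inside the new abrt_dump_oops local policy names the wrong domain — every other rule in the block is for abrt_dump_oops_t, and as written it silently widens abrt_helper_t, which this file's comment describes as the type needed for all domains to handle /var/cache/abrt; change it to `logging_read_generic_logs(abrt_dump_oops_t)`. `allow abrt_dump_oops_t self:capability dac_override;` also needs a why-comment: the block only manages abrt_var_cache_t and reads abrt_var_run_t, so if those directories are owned by the user the dumper runs as, the capability can likely be dropped — confirm against the AVCs that prompted it. The `files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })` rule is an unnamed transition on var_t, so anything the domain creates directly under /var becomes abrt_var_cache_t; it mirrors the abrt_helper_t rule above, but a comment saying so would save the next reader a lookup.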
@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t) dev_read_rand(amavis_t) @@ -20575,7 +20742,7 @@ index 6480167..b32b10e 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..a079c51 100644 +index 3136c6a..edeae62 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -20877,7 +21044,7 @@ index 3136c6a..a079c51 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,6 +334,9 @@ files_type(httpd_var_lib_t) +@@ -254,9 +334,13 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -20887,7 +21054,11 @@ index 3136c6a..a079c51 100644 # File Type of squirrelmail attachments type squirrelmail_spool_t; files_tmp_file(squirrelmail_spool_t) -@@ -281,11 +364,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; ++files_spool_file(squirrelmail_spool_t) + + optional_policy(` + prelink_object_file(httpd_modules_t) +@@ -281,11 +365,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; 
@@ -20901,7 +21072,7 @@ index 3136c6a..a079c51 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +414,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +415,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -20912,7 +21083,7 @@ index 3136c6a..a079c51 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +441,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +442,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -20921,7 +21092,7 @@ index 3136c6a..a079c51 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +453,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +454,14 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -20937,7 +21108,7 @@ index 3136c6a..a079c51 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +470,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -20953,7 +21124,7 @@ index 3136c6a..a079c51 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +482,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +483,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) 
@@ -20961,7 +21132,7 @@ index 3136c6a..a079c51 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,6 +494,13 @@ files_read_etc_files(httpd_t) +@@ -402,6 +495,13 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -20975,7 +21146,7 @@ index 3136c6a..a079c51 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +515,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +516,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -21052,7 +21223,7 @@ index 3136c6a..a079c51 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +595,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +596,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -21063,7 +21234,7 @@ index 3136c6a..a079c51 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +609,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +610,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -21093,7 +21264,7 @@ index 3136c6a..a079c51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +639,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +640,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
@@ -21110,7 +21281,7 @@ index 3136c6a..a079c51 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +663,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +664,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -21131,7 +21302,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -513,7 +687,13 @@ optional_policy(` +@@ -513,7 +688,13 @@ optional_policy(` ') optional_policy(` @@ -21146,7 +21317,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -528,7 +708,18 @@ optional_policy(` +@@ -528,7 +709,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -21166,7 +21337,7 @@ index 3136c6a..a079c51 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +728,13 @@ optional_policy(` +@@ -537,8 +729,13 @@ optional_policy(` ') optional_policy(` @@ -21181,7 +21352,7 @@ index 3136c6a..a079c51 100644 ') ') -@@ -556,7 +752,13 @@ optional_policy(` +@@ -556,7 +753,13 @@ optional_policy(` ') optional_policy(` @@ -21195,7 +21366,7 @@ index 3136c6a..a079c51 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +769,7 @@ optional_policy(` +@@ -567,6 +770,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -21203,7 +21374,7 @@ index 3136c6a..a079c51 100644 ') optional_policy(` -@@ -577,6 +780,16 @@ optional_policy(` +@@ -577,6 +781,16 @@ optional_policy(` ') optional_policy(` @@ -21220,7 +21391,7 @@ index 3136c6a..a079c51 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +804,11 @@ optional_policy(` +@@ -591,6 +805,11 @@ optional_policy(` ') optional_policy(` 
@@ -21232,7 +21403,7 @@ index 3136c6a..a079c51 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +821,12 @@ optional_policy(` +@@ -603,6 +822,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -21245,7 +21416,7 @@ index 3136c6a..a079c51 100644 ######################################## # # Apache helper local policy -@@ -616,7 +840,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +841,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -21258,7 +21429,7 @@ index 3136c6a..a079c51 100644 ######################################## # -@@ -654,28 +882,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +883,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -21302,7 +21473,7 @@ index 3136c6a..a079c51 100644 ') ######################################## -@@ -685,6 +915,8 @@ optional_policy(` +@@ -685,6 +916,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -21311,7 +21482,7 @@ index 3136c6a..a079c51 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +931,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +932,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -21337,7 +21508,7 @@ index 3136c6a..a079c51 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +977,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +978,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -21370,7 +21541,7 @@ index 3136c6a..a079c51 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1024,25 @@ optional_policy(` +@@ -769,6 +1025,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -21396,7 +21567,7 @@ index 3136c6a..a079c51 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1063,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1064,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -21414,7 +21585,7 @@ index 3136c6a..a079c51 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1082,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1083,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -21471,7 +21642,7 @@ index 3136c6a..a079c51 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1133,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1134,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -21502,7 +21673,7 @@ index 3136c6a..a079c51 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1168,20 @@ optional_policy(` +@@ -842,10 +1169,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -21523,7 +21694,7 @@ index 3136c6a..a079c51 100644 ') ######################################## -@@ -891,11 +1227,21 @@ optional_policy(` +@@ -891,11 +1228,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -21781,10 +21952,15 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..0e8a352 100644 +index b3b0176..c873197 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te -@@ -23,6 +23,7 @@ files_type(asterisk_spool_t) +@@ -19,10 +19,11 @@ type asterisk_log_t; + logging_log_file(asterisk_log_t) + + type asterisk_spool_t; +-files_type(asterisk_spool_t) ++files_spool_file(asterisk_spool_t) type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) @@ -23381,7 +23557,7 @@ index 0000000..564acbd +') diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te new file mode 100644 -index 0000000..a67f732 +index 0000000..a7c96a5 --- /dev/null +++ b/policy/modules/services/callweaver.te @@ -0,0 +1,79 @@ @@ -23411,7 +23587,7 @@ index 0000000..a67f732 +files_pid_file(callweaver_var_run_t) + +type callweaver_spool_t; -+files_type(callweaver_spool_t) ++files_spool_file(callweaver_spool_t) + +######################################## +# @@ -25244,9 +25420,18 @@ index 9971337..f081899 100644 ') 
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te -index 838dec7..452741c 100644 +index 838dec7..59d0f96 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te +@@ -15,7 +15,7 @@ courier_domain_template(pcp) + courier_domain_template(pop) + + type courier_spool_t; +-files_type(courier_spool_t) ++files_spool_file(courier_spool_t) + + courier_domain_template(tcpd) + @@ -95,7 +95,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; @@ -25688,7 +25873,7 @@ index 35241ed..2976df7 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..1812563 100644 +index f7583ab..894130f 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -25718,7 +25903,15 @@ index f7583ab..1812563 100644 ## gen_tunable(fcron_crond, false) -@@ -38,7 +38,7 @@ type cron_var_lib_t; +@@ -31,14 +31,14 @@ type anacron_exec_t; + application_executable_file(anacron_exec_t) + + type cron_spool_t; +-files_type(cron_spool_t) ++files_spool_file(cron_spool_t) + + # var/lib files + type cron_var_lib_t; files_type(cron_var_lib_t) type cron_var_run_t; 
@@ -25740,15 +25933,17 @@ index f7583ab..1812563 100644 type crontab_exec_t; application_executable_file(crontab_exec_t) -@@ -79,6 +82,7 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; +@@ -79,14 +82,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t }; typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t }; typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t }; typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t }; +allow admin_crontab_t crond_t:process signal; type system_cron_spool_t, cron_spool_type; - files_type(system_cron_spool_t) -@@ -87,6 +91,7 @@ type system_cronjob_t alias system_crond_t; +-files_type(system_cron_spool_t) ++files_spool_file(system_cron_spool_t) + + type system_cronjob_t alias system_crond_t; init_daemon_domain(system_cronjob_t, anacron_exec_t) corecmd_shell_entry_type(system_cronjob_t) role system_r types system_cronjob_t; @@ -25767,9 +25962,12 @@ index f7583ab..1812563 100644 type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) domain_cron_exemption_target(unconfined_cronjob_t) -@@ -108,6 +109,18 @@ typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t uncon +@@ -106,8 +107,20 @@ domain_cron_exemption_target(unconfined_cronjob_t) + type user_cron_spool_t, cron_spool_type; + typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t }; typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t }; - files_type(user_cron_spool_t) +-files_type(user_cron_spool_t) ++files_spool_file(user_cron_spool_t) ubac_constrained(user_cron_spool_t) +mta_system_content(user_cron_spool_t) + @@ -26368,7 +26566,7 @@ index 0000000..3317390 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..8ce09c4 +index 0000000..82ba45e --- /dev/null +++ b/policy/modules/services/ctdbd.te @@ -0,0 +1,90 @@ 
@@ -26392,7 +26590,7 @@ index 0000000..8ce09c4 +logging_log_file(ctdbd_log_t) + +type ctdbd_spool_t; -+files_type(ctdbd_spool_t) ++files_spool_file(ctdbd_spool_t) + +type ctdbd_tmp_t; +files_tmp_file(ctdbd_tmp_t) @@ -29013,7 +29211,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..4bbff24 100644 +index acf6d4f..87949e8 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -29035,6 +29233,15 @@ index acf6d4f..4bbff24 100644 type dovecot_etc_t; files_config_file(dovecot_etc_t) +@@ -36,7 +39,7 @@ type dovecot_passwd_t; + files_type(dovecot_passwd_t) + + type dovecot_spool_t; +-files_type(dovecot_spool_t) ++files_spool_file(dovecot_spool_t) + + type dovecot_tmp_t; + files_tmp_file(dovecot_tmp_t) @@ -56,9 +59,9 @@ files_pid_file(dovecot_var_run_t) # dovecot local policy # @@ -29933,7 +30140,7 @@ index 6bef7f8..464669c 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..0b19f11 100644 +index f28f64b..6419b55 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) @@ -29971,7 +30178,7 @@ index f28f64b..0b19f11 100644 ## gen_tunable(exim_manage_user_files, false) -@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t) +@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t) application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) @@ -29981,6 +30188,12 @@ index f28f64b..0b19f11 100644 type exim_log_t; logging_log_file(exim_log_t) + type exim_spool_t; +-files_type(exim_spool_t) ++files_spool_file(exim_spool_t) + + type exim_tmp_t; + files_tmp_file(exim_tmp_t) @@ -171,6 +174,10 @@ optional_policy(` ') @@ -32397,7 +32610,7 @@ index ebc9e0d..2f3d8dc 100644 allow $1 innd_t:process { ptrace signal_perms }; 
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te -index 9fab1dc..dc7dd01 100644 +index 9fab1dc..2462aa7 100644 --- a/policy/modules/services/inn.te +++ b/policy/modules/services/inn.te @@ -4,6 +4,7 @@ policy_module(inn, 1.9.0) @@ -32408,7 +32621,13 @@ index 9fab1dc..dc7dd01 100644 type innd_t; type innd_exec_t; init_daemon_domain(innd_t, innd_exec_t) -@@ -30,6 +31,7 @@ files_mountpoint(news_spool_t) +@@ -25,11 +26,13 @@ files_pid_file(innd_var_run_t) + + type news_spool_t; + files_mountpoint(news_spool_t) ++files_spool_file(news_spool_t) + + ######################################## # # Local policy # @@ -32416,7 +32635,7 @@ index 9fab1dc..dc7dd01 100644 allow innd_t self:capability { dac_override kill setgid setuid }; dontaudit innd_t self:capability sys_tty_config; allow innd_t self:process { setsched signal_perms }; -@@ -46,7 +48,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) +@@ -46,7 +49,7 @@ read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t) can_exec(innd_t, innd_exec_t) manage_files_pattern(innd_t, innd_log_t, innd_log_t) @@ -32425,7 +32644,7 @@ index 9fab1dc..dc7dd01 100644 logging_log_filetrans(innd_t, innd_log_t, file) manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t) -@@ -56,7 +58,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) +@@ -56,7 +59,7 @@ files_var_lib_filetrans(innd_t, innd_var_lib_t, file) manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t) @@ -32434,7 +32653,7 @@ index 9fab1dc..dc7dd01 100644 manage_dirs_pattern(innd_t, news_spool_t, news_spool_t) manage_files_pattern(innd_t, news_spool_t, news_spool_t) -@@ -105,6 +107,7 @@ sysnet_read_config(innd_t) +@@ -105,6 +108,7 @@ sysnet_read_config(innd_t) userdom_dontaudit_use_unpriv_user_fds(innd_t) userdom_dontaudit_search_user_home_dirs(innd_t) 
@@ -32648,7 +32867,7 @@ index 9878499..81fcd0f 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..0ba2bdc 100644 +index da2127e..6538d66 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -5,90 +5,152 @@ policy_module(jabber, 1.8.0) @@ -32684,7 +32903,7 @@ index da2127e..0ba2bdc 100644 -######################################## +type pyicqt_var_spool_t; -+files_type(pyicqt_var_spool_t) ++files_spool_file(pyicqt_var_spool_t) + +type pyicqt_var_run_t; +files_pid_file(pyicqt_var_run_t) @@ -32861,7 +33080,7 @@ index da2127e..0ba2bdc 100644 + +sysnet_read_config(jabberd_domain) diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index 3525d24..923e979 100644 +index 3525d24..74ec098 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) @@ -32873,9 +33092,13 @@ index 3525d24..923e979 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -@@ -31,3 +31,4 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +@@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) + /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++ ++krb5_host_rcache_t /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) 
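Review bot: The new kerberos.fc entry `+krb5_host_rcache_t` appears to be a bare type name on a line of its own, sitting between the added `/var/cache/krb5rcache(/.*)?` entry and the existing `/var/tmp/host_0` line, and a file-context line needs a path regex (optionally a file type) followed by a context, so a lone type token is unlikely to be accepted by the fc parser. If that break is only an artefact of how this listing was collapsed, disregard; otherwise drop the stray line or complete it into a real `<path> -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` entry. The `/var/cache/krb5rcache(/.*)?` entry itself looks fine, though the dangling blank line added after it should go if the stray token goes.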
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if @@ -34251,7 +34474,7 @@ index a4f32f5..ea7dca0 100644 type lpr_t, lpr_exec_t; ') diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te -index 93c14ca..c08de17 100644 +index 93c14ca..f28acd2 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0) @@ -34267,7 +34490,15 @@ index 93c14ca..c08de17 100644 ## gen_tunable(use_lpd_server, false) -@@ -54,7 +54,7 @@ type printer_t; +@@ -47,14 +47,14 @@ ubac_constrained(lpr_tmp_t) + type print_spool_t; + typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t }; + typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t }; +-files_type(print_spool_t) ++files_spool_file(print_spool_t) + ubac_constrained(print_spool_t) + + type printer_t; files_type(printer_t) type printconf_t; @@ -36275,10 +36506,10 @@ index 343cee3..5e792cc 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..dbddbef 100644 +index 64268e4..3bd4ceb 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te -@@ -20,8 +20,8 @@ files_type(etc_aliases_t) +@@ -20,14 +20,16 @@ files_type(etc_aliases_t) type etc_mail_t; files_config_file(etc_mail_t) @@ -36289,7 +36520,15 @@ index 64268e4..dbddbef 100644 type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t) ++files_spool_file(mqueue_spool_t) + + type mail_spool_t; + files_mountpoint(mail_spool_t) ++files_spool_file(mail_spool_t) + + type sendmail_exec_t; + mta_agent_executable(sendmail_exec_t) +@@ -50,22 +52,11 @@ ubac_constrained(user_mail_tmp_t) # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; 
@@ -36313,7 +36552,7 @@ index 64268e4..dbddbef 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -80,8 +69,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t) +@@ -80,8 +71,14 @@ term_dontaudit_use_unallocated_ttys(system_mail_t) init_use_script_ptys(system_mail_t) @@ -36329,7 +36568,7 @@ index 64268e4..dbddbef 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +87,28 @@ optional_policy(` +@@ -92,17 +89,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -36359,7 +36598,7 @@ index 64268e4..dbddbef 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +117,8 @@ optional_policy(` +@@ -111,6 +119,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -36368,7 +36607,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -124,12 +132,9 @@ optional_policy(` +@@ -124,12 +134,9 @@ optional_policy(` ') optional_policy(` @@ -36383,7 +36622,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -146,6 +151,10 @@ optional_policy(` +@@ -146,6 +153,10 @@ optional_policy(` ') optional_policy(` @@ -36394,7 +36633,7 @@ index 64268e4..dbddbef 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +167,6 @@ optional_policy(` +@@ -158,18 +169,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -36413,7 +36652,7 @@ index 64268e4..dbddbef 100644 ') optional_policy(` -@@ -189,6 +186,10 @@ optional_policy(` +@@ -189,6 +188,10 @@ optional_policy(` ') optional_policy(` 
@@ -36424,7 +36663,7 @@ index 64268e4..dbddbef 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +200,7 @@ optional_policy(` +@@ -199,7 +202,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -36433,7 +36672,7 @@ index 64268e4..dbddbef 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +221,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -36443,7 +36682,7 @@ index 64268e4..dbddbef 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +244,10 @@ optional_policy(` +@@ -242,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -36454,7 +36693,7 @@ index 64268e4..dbddbef 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +255,25 @@ optional_policy(` +@@ -249,16 +257,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -36482,7 +36721,7 @@ index 64268e4..dbddbef 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +307,44 @@ optional_policy(` +@@ -292,3 +309,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -36973,7 +37212,7 @@ index e9c0982..14af30a 100644 + mysql_stream_connect($1) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te -index 0a0d63c..91de41a 100644 +index 0a0d63c..a02ffc9 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0) 
@@ -37003,7 +37242,7 @@ index 0a0d63c..91de41a 100644 allow mysqld_t mysqld_etc_t:dir list_dir_perms; allow mysqld_t mysqld_log_t:file manage_file_perms; -@@ -78,13 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) +@@ -78,12 +79,17 @@ manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) @@ -37015,14 +37254,14 @@ index 0a0d63c..91de41a 100644 kernel_read_system_state(mysqld_t) kernel_read_kernel_sysctls(mysqld_t) - ++kernel_request_load_module(mysqld_t) ++ +corecmd_exec_bin(mysqld_t) +corecmd_exec_shell(mysqld_t) -+ + corenet_all_recvfrom_unlabeled(mysqld_t) corenet_all_recvfrom_netlabel(mysqld_t) - corenet_tcp_sendrecv_generic_if(mysqld_t) -@@ -127,8 +132,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) +@@ -127,8 +133,7 @@ userdom_dontaudit_use_unpriv_user_fds(mysqld_t) userdom_read_user_home_content_files(mysqld_t) ifdef(`distro_redhat',` @@ -37032,7 +37271,7 @@ index 0a0d63c..91de41a 100644 ') tunable_policy(`mysql_connect_any',` -@@ -155,6 +159,7 @@ optional_policy(` +@@ -155,6 +160,7 @@ optional_policy(` allow mysqld_safe_t self:capability { chown dac_override fowner kill }; dontaudit mysqld_safe_t self:capability sys_ptrace; @@ -37040,7 +37279,7 @@ index 0a0d63c..91de41a 100644 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t) -@@ -175,21 +180,27 @@ dev_list_sysfs(mysqld_safe_t) +@@ -175,21 +181,27 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -37302,9 +37541,18 @@ index 8581040..2367841 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..8a9789c 100644 +index bf64a4c..971f741 100644 --- a/policy/modules/services/nagios.te 
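Review bot: `kernel_request_load_module(mysqld_t)` lets the mysqld domain trigger kernel module autoloading, but nothing in the hunk records which operation produced the denial, so a later reader cannot tell whether this is a genuine need or a spurious probe. Add a why-comment above it, e.g. `# mysqld triggers module autoload via <operation from the AVC — TODO record>`, and if the denial turns out to be a harmless probe prefer `kernel_dontaudit_request_load_module(mysqld_t)` so the privilege is not granted at all. The two context lines on either side of the insertion are also reshuffled here; worth confirming the inner hunk still applies cleanly to mysql.te after the `-78,12` renumbering.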
+++ b/policy/modules/services/nagios.te +@@ -25,7 +25,7 @@ type nagios_var_run_t; + files_pid_file(nagios_var_run_t) + + type nagios_spool_t; +-files_type(nagios_spool_t) ++files_spool_file(nagios_spool_t) + + nagios_plugin_template(admin) + nagios_plugin_template(checkdisk) @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file) kernel_read_system_state(nagios_t) @@ -39742,10 +39990,10 @@ index 9759ed8..48a5431 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te -index 06e217d..208ef3a 100644 +index 06e217d..4f9a575 100644 --- a/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te -@@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1) +@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1) type plymouth_t; type plymouth_exec_t; application_domain(plymouth_t, plymouth_exec_t) @@ -39753,7 +40001,12 @@ index 06e217d..208ef3a 100644 type plymouthd_t; type plymouthd_exec_t; -@@ -19,6 +20,9 @@ files_type(plymouthd_spool_t) + init_daemon_domain(plymouthd_t, plymouthd_exec_t) + + type plymouthd_spool_t; +-files_type(plymouthd_spool_t) ++files_spool_file(plymouthd_spool_t) + type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) @@ -40302,7 +40555,7 @@ index a3e85c9..c0e0959 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..c22af86 100644 +index 46bee12..9e2714e 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` 
@@ -40538,7 +40791,7 @@ index 46bee12..c22af86 100644 ') ######################################## -@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +701,107 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -40641,9 +40894,13 @@ index 46bee12..c22af86 100644 + + postfix_domtrans_postdrop($1) + role $2 types postfix_postdrop_t; ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write }; ++ ') +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..701607c 100644 +index a32c4b3..3f5751c 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -40661,15 +40918,17 @@ index a32c4b3..701607c 100644 attribute postfix_user_domains; # domains that transition to the # postfix user domains -@@ -12,7 +20,7 @@ attribute postfix_user_domtrans; +@@ -12,8 +20,8 @@ attribute postfix_user_domtrans; postfix_server_domain_template(bounce) -type postfix_spool_bounce_t; +-files_type(postfix_spool_bounce_t) +type postfix_spool_bounce_t, postfix_spool_type; - files_type(postfix_spool_bounce_t) ++files_spool_file(postfix_spool_bounce_t) postfix_server_domain_template(cleanup) + @@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t; # generation macro work mta_mailserver(postfix_t, postfix_master_exec_t) 
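Review bot: The new `ifdef(`hide_broken_symptoms', `` in the postdrop run interface has a space before the opening quote of the second argument, unlike every other `ifdef(`hide_broken_symptoms',`` in this policy; m4 strips the leading whitespace so it builds, but it should match the file's form. The `dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };` silences a descriptor leaked into postdrop across the domain transition rather than closing it, which is what this build option exists for, but the interface's documentation block sits outside this hunk and should say that callers' leaked sockets are dontaudited under hide_broken_symptoms so the leak is not later mistaken for an intended channel.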
@@ -40688,23 +40947,27 @@ index a32c4b3..701607c 100644 type postfix_private_t; files_type(postfix_private_t) -@@ -65,13 +77,13 @@ mta_mailserver_sender(postfix_smtp_t) +@@ -65,14 +77,14 @@ mta_mailserver_sender(postfix_smtp_t) postfix_server_domain_template(smtpd) -type postfix_spool_t; +-files_type(postfix_spool_t) +type postfix_spool_t, postfix_spool_type; - files_type(postfix_spool_t) ++files_spool_file(postfix_spool_t) -type postfix_spool_maildrop_t; +-files_type(postfix_spool_maildrop_t) +type postfix_spool_maildrop_t, postfix_spool_type; - files_type(postfix_spool_maildrop_t) ++files_spool_file(postfix_spool_maildrop_t) -type postfix_spool_flush_t; +-files_type(postfix_spool_flush_t) +type postfix_spool_flush_t, postfix_spool_type; - files_type(postfix_spool_flush_t) ++files_spool_file(postfix_spool_flush_t) type postfix_public_t; + files_type(postfix_public_t) @@ -94,23 +106,25 @@ mta_mailserver_delivery(postfix_virtual_t) # chown is to set the correct ownership of queue dirs @@ -40774,7 +41037,18 @@ index a32c4b3..701607c 100644 manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) -@@ -264,8 +285,8 @@ optional_policy(` +@@ -249,6 +270,10 @@ manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) + ++allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms; ++allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++ + allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; + + corecmd_exec_bin(postfix_cleanup_t) +@@ -264,8 +289,8 @@ optional_policy(` # Postfix local local policy # 
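Review bot: The three new `allow postfix_cleanup_t postfix_spool_maildrop_t:...` rules grant directory listing plus file and symlink read on the maildrop queue, which is more than the commit message's "search maildrop" describes; if cleanup only needs to traverse the directory, `allow postfix_cleanup_t postfix_spool_maildrop_t:dir search_dir_perms;` is the least-privilege form, and since maildrop is the queue the setgid postdrop helper populates on behalf of local users, read access there deserves to be backed by the actual denial. If the reads are genuinely needed, the neighbouring rules use the pattern macros (`read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)` a few hunks below, `manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)` just above), so `read_files_pattern`/`read_lnk_files_pattern` with `list_dirs_pattern` would keep the block consistent.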
@@ -40784,7 +41058,7 @@ index a32c4b3..701607c 100644 # connect to master process stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t) -@@ -273,6 +294,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post +@@ -273,6 +298,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post # for .forward - maybe we need a new type for it? rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t) @@ -40793,7 +41067,7 @@ index a32c4b3..701607c 100644 allow postfix_local_t postfix_spool_t:file rw_file_perms; corecmd_exec_shell(postfix_local_t) -@@ -286,10 +309,15 @@ mta_read_aliases(postfix_local_t) +@@ -286,10 +313,15 @@ mta_read_aliases(postfix_local_t) mta_delete_spool(postfix_local_t) # For reading spamassasin mta_read_config(postfix_local_t) @@ -40812,7 +41086,7 @@ index a32c4b3..701607c 100644 optional_policy(` clamav_search_lib(postfix_local_t) -@@ -297,6 +325,10 @@ optional_policy(` +@@ -297,6 +329,10 @@ optional_policy(` ') optional_policy(` @@ -40823,7 +41097,7 @@ index a32c4b3..701607c 100644 # for postalias mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) -@@ -304,9 +336,22 @@ optional_policy(` +@@ -304,9 +340,22 @@ optional_policy(` ') optional_policy(` @@ -40846,7 +41120,7 @@ index a32c4b3..701607c 100644 ######################################## # # Postfix map local policy -@@ -372,6 +417,7 @@ optional_policy(` +@@ -372,6 +421,7 @@ optional_policy(` # Postfix pickup local policy # 
@@ -40854,7 +41128,7 @@ index a32c4b3..701607c 100644 allow postfix_pickup_t self:tcp_socket create_socket_perms; stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) -@@ -385,13 +431,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; +@@ -385,13 +435,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -40872,7 +41146,7 @@ index a32c4b3..701607c 100644 write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -401,6 +450,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) +@@ -401,6 +454,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) @@ -40881,7 +41155,7 @@ index a32c4b3..701607c 100644 optional_policy(` dovecot_domtrans_deliver(postfix_pipe_t) ') -@@ -420,6 +471,7 @@ optional_policy(` +@@ -420,6 +475,7 @@ optional_policy(` optional_policy(` spamassassin_domtrans_client(postfix_pipe_t) @@ -40889,7 +41163,7 @@ index a32c4b3..701607c 100644 ') optional_policy(` -@@ -436,11 +488,17 @@ allow postfix_postdrop_t self:capability sys_resource; +@@ -436,11 +492,17 @@ allow postfix_postdrop_t self:capability sys_resource; allow postfix_postdrop_t self:tcp_socket create; allow postfix_postdrop_t self:udp_socket create_socket_perms; 
@@ -40907,7 +41181,7 @@ index a32c4b3..701607c 100644 corenet_udp_sendrecv_generic_if(postfix_postdrop_t) corenet_udp_sendrecv_generic_node(postfix_postdrop_t) -@@ -487,8 +545,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t +@@ -487,8 +549,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t) # to write the mailq output, it really should not need read access! @@ -40918,7 +41192,7 @@ index a32c4b3..701607c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -507,6 +565,8 @@ optional_policy(` +@@ -507,6 +569,8 @@ optional_policy(` # Postfix qmgr local policy # @@ -40927,7 +41201,7 @@ index a32c4b3..701607c 100644 stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) -@@ -519,7 +579,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -519,7 +583,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; @@ -40939,7 +41213,7 @@ index a32c4b3..701607c 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +602,9 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +606,9 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -40950,7 +41224,7 @@ index a32c4b3..701607c 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +630,10 @@ optional_policy(` +@@ -565,6 +634,10 @@ optional_policy(` ') optional_policy(` 
@@ -40961,7 +41235,7 @@ index a32c4b3..701607c 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +657,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +661,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -40978,7 +41252,7 @@ index a32c4b3..701607c 100644 ') optional_policy(` -@@ -611,8 +686,8 @@ optional_policy(` +@@ -611,8 +690,8 @@ optional_policy(` # Postfix virtual local policy # @@ -40988,7 +41262,7 @@ index a32c4b3..701607c 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +705,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +709,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -41278,6 +41552,19 @@ index ad15fde..6f55445 100644 ') allow $1 postgrey_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te +index db843e2..4389e81 100644 +--- a/policy/modules/services/postgrey.te ++++ b/policy/modules/services/postgrey.te +@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; + init_script_file(postgrey_initrc_exec_t) + + type postgrey_spool_t; +-files_type(postgrey_spool_t) ++files_spool_file(postgrey_spool_t) + + type postgrey_var_lib_t; + files_type(postgrey_var_lib_t) diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc index 2d82c6d..352032a 100644 --- a/policy/modules/services/ppp.fc @@ -41586,9 +41873,18 @@ index 2316653..77ef768 100644 + admin_pattern($1, prelude_lml_tmp_t) ') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te -index b1bc02c..8f0b07e 100644 +index b1bc02c..e0c0f70 100644 --- a/policy/modules/services/prelude.te 
+++ b/policy/modules/services/prelude.te +@@ -13,7 +13,7 @@ type prelude_initrc_exec_t; + init_script_file(prelude_initrc_exec_t) + + type prelude_spool_t; +-files_type(prelude_spool_t) ++files_spool_file(prelude_spool_t) + + type prelude_log_t; + logging_log_file(prelude_log_t) @@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t) type prelude_correlator_t; type prelude_correlator_exec_t; @@ -42238,6 +42534,19 @@ index 64c5f95..cb7c5e2 100644 + usermanage_access_check_passwd(puppetmaster_t) + usermanage_access_check_useradd(puppetmaster_t) +') +diff --git a/policy/modules/services/pyicqt.te b/policy/modules/services/pyicqt.te +index a841221..b62a01f 100644 +--- a/policy/modules/services/pyicqt.te ++++ b/policy/modules/services/pyicqt.te +@@ -13,7 +13,7 @@ type pyicqt_conf_t; + files_config_file(pyicqt_conf_t) + + type pyicqt_spool_t; +-files_type(pyicqt_spool_t) ++files_spool_file(pyicqt_spool_t) + + type pyicqt_var_run_t; + files_pid_file(pyicqt_var_run_t) diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index d4a7750..705196e 100644 --- a/policy/modules/services/pyzor.fc @@ -42488,9 +42797,18 @@ index a55bf44..77a25f5 100644 ') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te -index 355b2a2..54329f9 100644 +index 355b2a2..88e6f40 100644 --- a/policy/modules/services/qmail.te +++ b/policy/modules/services/qmail.te +@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t) + qmail_child_domain_template(qmail_splogger, qmail_start_t) + + type qmail_spool_t; +-files_type(qmail_spool_t) ++files_spool_file(qmail_spool_t) + + type qmail_start_t; + type qmail_start_exec_t; @@ -60,7 +60,7 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) ######################################## # @@ -45287,7 +45605,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') 
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..e8ee29b 100644 +index b1468ed..06e637c 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -45393,14 +45711,14 @@ index b1468ed..e8ee29b 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -196,6 +214,7 @@ kernel_signal(gssd_t) - - corecmd_exec_bin(gssd_t) - -+fs_search_nfsd_fs(gssd_t) +@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) ++fs_search_nfsd_fs(gssd_t) + + fs_list_inotifyfs(gssd_t) + files_list_tmp(gssd_t) @@ -210,14 +229,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -45774,9 +46092,18 @@ index 71ea0ea..664e68e 100644 # interface(`rwho_domtrans',` diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te -index a07b2f4..0ba4495 100644 +index a07b2f4..ee39810 100644 --- a/policy/modules/services/rwho.te +++ b/policy/modules/services/rwho.te +@@ -16,7 +16,7 @@ type rwho_log_t; + files_type(rwho_log_t) + + type rwho_spool_t; +-files_type(rwho_spool_t) ++files_spool_file(rwho_spool_t) + + ######################################## + # @@ -55,6 +55,10 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) @@ -46952,6 +47279,19 @@ index 086cd5f..79347e7 100644 optional_policy(` rpm_signull(setroubleshoot_fixit_t) rpm_read_db(setroubleshoot_fixit_t) +diff --git a/policy/modules/services/slrnpull.te b/policy/modules/services/slrnpull.te +index e5e72fd..92eecec 100644 +--- a/policy/modules/services/slrnpull.te ++++ b/policy/modules/services/slrnpull.te +@@ -13,7 +13,7 @@ type slrnpull_var_run_t; + files_pid_file(slrnpull_var_run_t) + + type slrnpull_spool_t; +-files_type(slrnpull_spool_t) ++files_spool_file(slrnpull_spool_t) + + type slrnpull_log_t; + logging_log_file(slrnpull_log_t) 
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if index adea9f9..d5b2d93 100644 --- a/policy/modules/services/smartmon.if @@ -47503,10 +47843,10 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..7573826 100644 +index ec1eb1e..e1f3477 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te -@@ -6,54 +6,93 @@ policy_module(spamassassin, 2.4.0) +@@ -6,56 +6,95 @@ policy_module(spamassassin, 2.4.0) # ## @@ -47634,8 +47974,11 @@ index ec1eb1e..7573826 100644 +logging_log_file(spamd_log_t) + type spamd_spool_t; - files_type(spamd_spool_t) +-files_type(spamd_spool_t) ++files_spool_file(spamd_spool_t) + type spamd_tmp_t; + files_tmp_file(spamd_tmp_t) @@ -108,6 +147,7 @@ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) @@ -49585,9 +49928,18 @@ index 3b953f5..70f687a 100644 # config files read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) diff --git a/policy/modules/services/uptime.te b/policy/modules/services/uptime.te -index c2cf97e..037a1e8 100644 +index c2cf97e..1f8f768 100644 --- a/policy/modules/services/uptime.te +++ b/policy/modules/services/uptime.te +@@ -13,7 +13,7 @@ type uptimed_etc_t alias etc_uptimed_t; + files_config_file(uptimed_etc_t) + + type uptimed_spool_t; +-files_type(uptimed_spool_t) ++files_spool_file(uptimed_spool_t) + + type uptimed_var_run_t; + files_pid_file(uptimed_var_run_t) @@ -25,7 +25,7 @@ files_pid_file(uptimed_var_run_t) dontaudit uptimed_t self:capability sys_tty_config; @@ -49610,9 +49962,18 @@ index 4440aa6..34ffbfd 100644 + virt_dontaudit_read_chr_dev(usbmuxd_t) +') diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index d4349e9..4d112ba 100644 +index d4349e9..5e7be4f 100644 --- a/policy/modules/services/uucp.te 
+++ b/policy/modules/services/uucp.te +@@ -24,7 +24,7 @@ type uucpd_ro_t; + files_type(uucpd_ro_t) + + type uucpd_spool_t; +-files_type(uucpd_spool_t) ++files_spool_file(uucpd_spool_t) + + type uucpd_log_t; + logging_log_file(uucpd_log_t) @@ -125,6 +125,8 @@ optional_policy(` allow uux_t self:capability { setuid setgid }; allow uux_t self:fifo_file write_fifo_file_perms; @@ -52729,7 +53090,7 @@ index 130ced9..10b57e0 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..bc547bf 100644 +index 143c893..0ad8e41 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -52864,7 +53225,7 @@ index 143c893..bc547bf 100644 +files_config_file(xdm_rw_etc_t) + +type xdm_spool_t; -+files_type(xdm_spool_t) ++files_spool_file(xdm_spool_t) type xdm_var_lib_t; files_type(xdm_var_lib_t) @@ -54228,7 +54589,7 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..c2dc2c5 100644 +index 73554ec..dedb917 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -54301,7 +54662,7 @@ index 73554ec..c2dc2c5 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,13 +171,113 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +171,89 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) 
@@ -54349,30 +54710,10 @@ index 73554ec..c2dc2c5 100644 + ') + + optional_policy(` ++ systemd_dbus_chat_logind($1) + systemd_use_fds_logind($1) + systemd_write_inherited_logind_sessions_pipes($1) - ') - ') - - ######################################## - ## -+## Send and receive messages from -+## login program domains over dbus. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`authlogin_dbus_chat',` -+ gen_require(` -+ attribute polydomain; -+ class dbus send_msg; + ') -+ -+ allow $1 polydomain:dbus send_msg; -+ allow polydomain $1:dbus send_msg; +') + +######################################## @@ -54407,17 +54748,13 @@ index 73554ec..c2dc2c5 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; -+ ') + ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## - ## Use the login program as an entry point program. - ## - ## -@@ -368,13 +484,15 @@ interface(`auth_domtrans_chk_passwd',` + ') + + ######################################## +@@ -368,13 +464,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -54434,7 +54771,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -421,6 +539,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +519,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -54460,7 +54797,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -736,7 +873,47 @@ interface(`auth_rw_faillog',` +@@ -736,7 +853,47 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -54509,7 +54846,7 @@ index 73554ec..c2dc2c5 100644 ') ####################################### -@@ -932,9 +1109,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1089,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) 
@@ -54543,7 +54880,7 @@ index 73554ec..c2dc2c5 100644 ') ######################################## -@@ -1387,6 +1585,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1565,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -54569,7 +54906,7 @@ index 73554ec..c2dc2c5 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1541,24 +1758,6 @@ interface(`auth_manage_login_records',` +@@ -1541,24 +1738,6 @@ interface(`auth_manage_login_records',` ######################################## ## @@ -54594,7 +54931,7 @@ index 73554ec..c2dc2c5 100644 ## Use nsswitch to look up user, password, group, or ## host information. ## -@@ -1579,28 +1778,36 @@ interface(`auth_relabel_login_records',` +@@ -1579,28 +1758,36 @@ interface(`auth_relabel_login_records',` # interface(`auth_use_nsswitch',` @@ -54638,7 +54975,7 @@ index 73554ec..c2dc2c5 100644 optional_policy(` kerberos_use($1) ') -@@ -1610,7 +1817,7 @@ interface(`auth_use_nsswitch',` +@@ -1610,7 +1797,7 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -55860,7 +56197,7 @@ index 94fd8dd..0d7aa40 100644 + read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..82cf8ae 100644 +index 29a9565..308297d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -56035,7 +56372,7 @@ index 29a9565..82cf8ae 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +244,126 @@ tunable_policy(`init_upstart',` +@@ -186,12 +244,129 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') 
@@ -56081,6 +56418,7 @@ index 29a9565..82cf8ae 100644 + dev_manage_sysfs_dirs(init_t) + dev_relabel_sysfs_dirs(init_t) + ++ files_search_all(init_t) + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) + files_manage_all_pid_dirs(init_t) @@ -56088,6 +56426,8 @@ index 29a9565..82cf8ae 100644 + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) + files_delete_all_pid_sockets(init_t) ++ files_create_all_spool_sockets(init_t) ++ files_delete_all_spool_sockets(init_t) + files_manage_urandom_seed(init_t) + files_list_locks(init_t) + files_list_spool(init_t) @@ -56162,7 +56502,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -199,10 +371,26 @@ optional_policy(` +@@ -199,10 +374,26 @@ optional_policy(` ') optional_policy(` @@ -56189,7 +56529,7 @@ index 29a9565..82cf8ae 100644 unconfined_domain(init_t) ') -@@ -212,7 +400,7 @@ optional_policy(` +@@ -212,7 +403,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -56198,7 +56538,7 @@ index 29a9565..82cf8ae 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +429,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -56214,7 +56554,7 @@ index 29a9565..82cf8ae 100644 init_write_initctl(initrc_t) -@@ -258,20 +449,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
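Review bot: `files_search_all(init_t)` in the first hunk is a broad grant (search on every file type) with nothing recording which path needed it, while the narrower `files_list_spool(init_t)` and `files_list_locks(init_t)` sit a few lines below; a why-comment such as `# files_search_all: needed for <path — TODO confirm from the denial that motivated this>` keeps the grant auditable and lets it be narrowed later. The `files_create_all_spool_sockets(init_t)` / `files_delete_all_spool_sockets(init_t)` calls in the second hunk depend on those interfaces being defined in files.if; the files.if hunks of this patch are not in this chunk, so I could not confirm they exist. The block these indented lines belong to starts outside the hunk.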
@@ -56251,7 +56591,7 @@ index 29a9565..82cf8ae 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +482,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -56259,7 +56599,7 @@ index 29a9565..82cf8ae 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +493,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -56270,7 +56610,7 @@ index 29a9565..82cf8ae 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +504,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -56287,7 +56627,7 @@ index 29a9565..82cf8ae 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +523,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -56295,7 +56635,7 @@ index 29a9565..82cf8ae 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +531,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -56307,7 +56647,7 @@ index 29a9565..82cf8ae 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +550,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -56321,7 +56661,7 @@ index 29a9565..82cf8ae 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +565,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -56330,7 +56670,7 @@ index 29a9565..82cf8ae 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +579,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -56338,7 +56678,7 @@ index 29a9565..82cf8ae 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +591,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -56346,7 +56686,7 @@ index 29a9565..82cf8ae 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +612,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -56368,7 +56708,7 @@ index 29a9565..82cf8ae 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +675,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -56379,7 +56719,7 @@ index 29a9565..82cf8ae 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +699,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +702,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -56388,7 +56728,7 @@ index 29a9565..82cf8ae 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +714,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +717,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -56396,7 +56736,7 @@ index 29a9565..82cf8ae 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +744,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +747,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -56430,7 +56770,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -531,10 +778,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +781,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -56457,7 +56797,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -549,6 +812,39 @@ ifdef(`distro_suse',` +@@ -549,6 +815,39 @@ ifdef(`distro_suse',` ') ') @@ -56497,7 +56837,7 @@ index 29a9565..82cf8ae 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +857,8 @@ optional_policy(` +@@ -561,6 +860,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -56506,7 +56846,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -577,6 +875,7 @@ optional_policy(` +@@ -577,6 +878,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -56514,7 +56854,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -589,6 +888,11 @@ optional_policy(` +@@ -589,6 +891,11 @@ optional_policy(` ') optional_policy(` 
@@ -56526,7 +56866,7 @@ index 29a9565..82cf8ae 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +909,13 @@ optional_policy(` +@@ -605,9 +912,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -56540,7 +56880,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -649,6 +957,11 @@ optional_policy(` +@@ -649,6 +960,11 @@ optional_policy(` ') optional_policy(` @@ -56552,7 +56892,7 @@ index 29a9565..82cf8ae 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1002,7 @@ optional_policy(` +@@ -689,6 +1005,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -56560,7 +56900,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -706,7 +1020,13 @@ optional_policy(` +@@ -706,7 +1023,13 @@ optional_policy(` ') optional_policy(` @@ -56574,7 +56914,7 @@ index 29a9565..82cf8ae 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1049,10 @@ optional_policy(` +@@ -729,6 +1052,10 @@ optional_policy(` ') optional_policy(` @@ -56585,7 +56925,7 @@ index 29a9565..82cf8ae 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1062,20 @@ optional_policy(` +@@ -738,10 +1065,20 @@ optional_policy(` ') optional_policy(` @@ -56606,7 +56946,7 @@ index 29a9565..82cf8ae 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1084,10 @@ optional_policy(` +@@ -750,6 +1087,10 @@ optional_policy(` ') optional_policy(` @@ -56617,7 +56957,7 @@ index 29a9565..82cf8ae 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1109,6 @@ optional_policy(` +@@ -771,8 +1112,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -56626,7 +56966,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -790,10 +1126,12 @@ optional_policy(` +@@ -790,10 +1129,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') 
@@ -56639,7 +56979,7 @@ index 29a9565..82cf8ae 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1143,6 @@ optional_policy(` +@@ -805,7 +1146,6 @@ optional_policy(` ') optional_policy(` @@ -56647,7 +56987,7 @@ index 29a9565..82cf8ae 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1152,24 @@ optional_policy(` +@@ -815,11 +1155,24 @@ optional_policy(` ') optional_policy(` @@ -56673,7 +57013,7 @@ index 29a9565..82cf8ae 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1179,25 @@ optional_policy(` +@@ -829,6 +1182,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -56699,7 +57039,7 @@ index 29a9565..82cf8ae 100644 ') optional_policy(` -@@ -844,6 +1213,10 @@ optional_policy(` +@@ -844,6 +1216,10 @@ optional_policy(` ') optional_policy(` @@ -56710,7 +57050,7 @@ index 29a9565..82cf8ae 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1227,45 @@ optional_policy(` +@@ -854,3 +1230,45 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -56959,7 +57299,7 @@ index 05fb364..6b895d1 100644 -/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index f3e1b57..a7b2adc 100644 +index f3e1b57..d6a93ac 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -13,9 +13,6 @@ role system_r types iptables_t; 
@@ -56983,7 +57323,15 @@ index f3e1b57..a7b2adc 100644 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -61,6 +58,9 @@ corenet_relabelto_all_packets(iptables_t) +@@ -46,6 +43,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; + allow iptables_t iptables_tmp_t:file manage_file_perms; + files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) + ++kernel_getattr_proc(iptables_t) + kernel_request_load_module(iptables_t) + kernel_read_system_state(iptables_t) + kernel_read_network_state(iptables_t) +@@ -61,6 +59,9 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -56993,7 +57341,7 @@ index f3e1b57..a7b2adc 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -69,11 +69,13 @@ fs_list_inotifyfs(iptables_t) +@@ -69,11 +70,13 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -57008,7 +57356,7 @@ index f3e1b57..a7b2adc 100644 auth_use_nsswitch(iptables_t) -@@ -82,6 +84,7 @@ init_use_script_ptys(iptables_t) +@@ -82,6 +85,7 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -57016,7 +57364,7 @@ index f3e1b57..a7b2adc 100644 logging_send_syslog_msg(iptables_t) -@@ -90,7 +93,7 @@ miscfiles_read_localization(iptables_t) +@@ -90,7 +94,7 @@ miscfiles_read_localization(iptables_t) sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) @@ -57025,7 +57373,7 @@ index f3e1b57..a7b2adc 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -99,6 +102,8 @@ ifdef(`hide_broken_symptoms',` +@@ -99,6 +103,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) 
@@ -57034,7 +57382,7 @@ index f3e1b57..a7b2adc 100644 ') optional_policy(` -@@ -121,6 +126,7 @@ optional_policy(` +@@ -121,6 +127,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -57042,7 +57390,7 @@ index f3e1b57..a7b2adc 100644 ') optional_policy(` -@@ -134,6 +140,7 @@ optional_policy(` +@@ -134,6 +141,7 @@ optional_policy(` optional_policy(` shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) @@ -57946,14 +58294,14 @@ index 831b909..57064ad 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..eedd444 100644 +index b6ec597..fa034d6 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -20,6 +20,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; -+files_type(audit_spool_t) ++files_spool_file(audit_spool_t) files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) @@ -61082,10 +61430,10 @@ index 0000000..3248032 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..9cc3fb6 +index 0000000..16371df --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,325 @@ +@@ -0,0 +1,344 @@ +## SELinux policy for systemd components + +####################################### @@ -61198,6 +61546,25 @@ index 0000000..9cc3fb6 + +###################################### +## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_read_pid_files',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++') ++ ++###################################### ++## +## Use and and inherited systemd +## logind file descriptors. +## 
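Review bot: Switching `audit_spool_t` from `files_type` to `files_spool_file` in logging.te puts the audit dispatcher spool under whatever all-spool interfaces files.if provides, even though the type is marked `files_security_file` / `files_security_mountpoint` on the very next lines; this same patch adds `files_create_all_spool_sockets(init_t)` and `files_delete_all_spool_sockets(init_t)` in init.te, so init_t would presumably now reach the audit spool through them. If that widening is intended, record it above the line: `# files_spool_file: this type is also reachable via files_*_all_spool* callers`; otherwise keep `files_type(audit_spool_t)` for this security-sensitive type. The identical swap is applied to the postgrey, prelude, pyicqt, qmail, rwho, slrnpull, spamd, uptimed, uucpd and xdm spool types, where no security-file attribute is involved.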
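Review bot: The new interface is named `systemd_login_read_pid_files` while the sibling interfaces in systemd.if and the type it requires use the `logind` spelling (`systemd_use_fds_logind`, `systemd_write_inherited_logind_sessions_pipes`, `systemd_logind_var_run_t`), so callers will have to guess between `login` and `logind`. Renaming it to `systemd_read_logind_pid_files`, with the matching call in udev.te updated, keeps the module's naming uniform. The summary line could also name the type it grants access to: `## Read systemd-logind PID files (systemd_logind_var_run_t).`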
@@ -61413,10 +61780,10 @@ index 0000000..9cc3fb6 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..06e5b12 +index 0000000..155a839 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,310 @@ +@@ -0,0 +1,309 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -61484,7 +61851,7 @@ index 0000000..06e5b12 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown dac_override }; ++allow systemd_logind_t self:capability { chown dac_override fowner }; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; @@ -61522,7 +61889,6 @@ index 0000000..06e5b12 +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display) +auth_manage_var_auth(systemd_logind_t) + -+authlogin_dbus_chat(systemd_logind_t) +authlogin_read_state(systemd_logind_t) + +dbus_connect_system_bus(systemd_logind_t) @@ -61949,7 +62315,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..ca207d7 100644 +index d88f7c3..73c1dbc 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) 
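Review bot: The comment above `allow systemd_logind_t self:capability { chown dac_override fowner };` explains only `dac_override` (for /run/user/$USER), so the newly added `fowner`, which lets logind bypass owner checks on files it does not own, is left without a recorded reason. Extend the comment with the operation that triggered it, e.g. `# fowner: <operation/path from the audit denial — TODO confirm>`, so the grant can be re-evaluated later. The capability block itself is fully inside the hunk.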
@@ -62068,7 +62434,16 @@ index d88f7c3..ca207d7 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +200,16 @@ ifdef(`distro_redhat',` +@@ -169,6 +183,8 @@ sysnet_signal_dhcpc(udev_t) + sysnet_manage_config(udev_t) + sysnet_etc_filetrans_config(udev_t) + ++systemd_login_read_pid_files(udev_t) ++ + userdom_dontaudit_search_user_home_content(udev_t) + + ifdef(`distro_gentoo',` +@@ -186,15 +202,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -62089,7 +62464,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -216,11 +231,16 @@ optional_policy(` +@@ -216,11 +233,16 @@ optional_policy(` ') optional_policy(` @@ -62107,7 +62482,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -230,6 +250,15 @@ optional_policy(` +@@ -230,6 +252,15 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -62123,7 +62498,7 @@ index d88f7c3..ca207d7 100644 ') optional_policy(` -@@ -259,6 +288,10 @@ optional_policy(` +@@ -259,6 +290,10 @@ optional_policy(` ') optional_policy(` @@ -62134,7 +62509,7 @@ index d88f7c3..ca207d7 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +306,11 @@ optional_policy(` +@@ -273,6 +308,11 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index b8fbc05..ad718c0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
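Review bot: `systemd_login_read_pid_files(udev_t)` is added as an unconditional call, whereas the other systemd_* calls this patch introduces (the `systemd_dbus_chat_logind($1)` / `systemd_use_fds_logind($1)` group in authlogin.if) are wrapped in `optional_policy(`, as are the neighbouring cross-module calls in udev.te (devicekit_*, openct_*). If systemd is built as a loadable module rather than as part of the base policy, this will break the udev module build whenever systemd is absent; wrapping it as `optional_policy(` / `systemd_login_read_pid_files(udev_t)` / `')` follows the file's convention. The udev_t policy body continues outside the hunk.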
@@ -452,6 +452,17 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jul 19 2011 Miroslav Grepl 3.10.0-6 +- Add initial policy for abrt_dump_oops_t +- xtables-multi wants to getattr of the proc fs +- Smoltclient is connecting to abrt +- Dontaudit leaked file descriptors to postdrop +- Allow abrt_dump_oops to look at kernel sysctls +- Abrt_dump_oops_t reads kernel ring buffer +- Allow mysqld to request the kernel to load modules +- systemd-login needs fowner +- Allow postfix_cleanup_t to searh maildrop + * Mon Jul 18 2011 Miroslav Grepl 3.10.0-5 - Initial systemd_logind policy - Add policy for systemd_logger and additional proivs for systemd_logind