From 30ab254413fe99527434f2170e4a4b8aba052c81 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Feb 03 2012 09:57:34 +0000 Subject: - Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory - lxdm startup scripts should be labeled bin_t, so confined users will work - mcstransd now creates a pid, needs back port to F16 - qpidd should be allowed to connect to the amqp port - Label devices 010-029 as usb devices - ypserv packager says ypserv does not use tmp_t so removing selinux policy types - Remove all ptrace commands that I believe are caused by the kernel/ps avcs - Add initial Obex policy - Add logging_syslogd_use_tty boolean - Add polipo_connect_all_unreserved bolean - Allow zabbix to connect to ftp port - Allow systemd-logind to be able to switch VTs - Allow apache to communicate with memcached through a sock_file --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 3930c6f..078c411 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2451,3 +2451,10 @@ rabbitmq = module # cloudform daemons # cloudform = module + +# Layer: services +# Module: obex +# +# policy for obex-data-server +# +obex = module diff --git a/policy-F16.patch b/policy-F16.patch index 98113bd..c5aacca 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -2148,10 +2148,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..35ae1db +index 0000000..14d8b32 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,36 @@ +@@ -0,0 +1,44 @@ +policy_module(permissivedomains,17) + + @@ -2188,6 +2188,14 @@ index 0000000..35ae1db + permissive dnssec_trigger_t; +') + ++ ++optional_policy(` ++ gen_require(` ++ type obex_t; ++ ') ++ ++ permissive obex_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc 
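Review bot: The `permissive obex_t` block appended to permissivedomains.te in the last hunk on this line carries no comment marking it as a bring-up measure, and nothing in the description says when it is meant to go away. A permissive domain has its denials logged but never enforced, so the new obex policy this commit introduces provides no containment until that line is dropped. A comment above the new `optional_policy` block such as `# obex is new in this release; remove once AVCs have been collected` would record that intent for whoever next touches the file. The matching `obex = module` entry in modules-targeted.conf is consistent with the neighbouring entries.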
@@ -2948,7 +2956,7 @@ index d33daa8..8ba0f86 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..a485d76 100644 +index 47a8f7d..8bc5a27 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ @@ -3023,7 +3031,15 @@ index 47a8f7d..a485d76 100644 auth_dontaudit_read_shadow(rpm_t) auth_use_nsswitch(rpm_t) -@@ -173,11 +193,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) +@@ -164,7 +184,6 @@ rpm_domtrans_script(rpm_t) + + domain_read_all_domains_state(rpm_t) + domain_getattr_all_domains(rpm_t) +-domain_dontaudit_ptrace_all_domains(rpm_t) + domain_use_interactive_fds(rpm_t) + domain_dontaudit_getattr_all_pipes(rpm_t) + domain_dontaudit_getattr_all_tcp_sockets(rpm_t) +@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) domain_dontaudit_getattr_all_raw_sockets(rpm_t) domain_dontaudit_getattr_all_stream_sockets(rpm_t) domain_dontaudit_getattr_all_dgram_sockets(rpm_t) @@ -3037,7 +3053,7 @@ index 47a8f7d..a485d76 100644 libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -185,11 +207,13 @@ libs_domtrans_ldconfig(rpm_t) +@@ -185,11 +206,13 @@ libs_domtrans_ldconfig(rpm_t) logging_send_syslog_msg(rpm_t) @@ -3052,7 +3068,7 @@ index 47a8f7d..a485d76 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -207,6 +231,7 @@ optional_policy(` +@@ -207,6 +230,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -3060,7 +3076,7 @@ index 47a8f7d..a485d76 100644 ') optional_policy(` -@@ -214,7 +239,7 @@ optional_policy(` +@@ -214,7 +238,7 @@ optional_policy(` ') optional_policy(` @@ -3069,7 +3085,7 @@ index 47a8f7d..a485d76 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -225,7 +250,8 @@ optional_policy(` +@@ -225,7 +249,8 @@ optional_policy(` # rpm-script Local policy # 
@@ -3079,7 +3095,7 @@ index 47a8f7d..a485d76 100644 allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap }; allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; -@@ -257,12 +283,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) +@@ -257,12 +282,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) can_exec(rpm_script_t, rpm_script_tmpfs_t) @@ -3098,7 +3114,15 @@ index 47a8f7d..a485d76 100644 dev_list_sysfs(rpm_script_t) # ideally we would not need this -@@ -299,15 +331,17 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -282,7 +313,6 @@ fs_unmount_xattr_fs(rpm_script_t) + fs_search_auto_mountpoints(rpm_script_t) + + mcs_killall(rpm_script_t) +-mcs_ptrace_all(rpm_script_t) + + mls_file_read_all_levels(rpm_script_t) + mls_file_write_all_levels(rpm_script_t) +@@ -299,19 +329,20 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -3119,7 +3143,11 @@ index 47a8f7d..a485d76 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -331,23 +365,24 @@ libs_domtrans_ldconfig(rpm_script_t) +-domain_dontaudit_ptrace_all_domains(rpm_script_t) + domain_use_interactive_fds(rpm_script_t) + domain_signal_all_domains(rpm_script_t) + domain_signull_all_domains(rpm_script_t) +@@ -331,23 +362,24 @@ libs_domtrans_ldconfig(rpm_script_t) logging_send_syslog_msg(rpm_script_t) miscfiles_read_localization(rpm_script_t) @@ -3148,7 +3176,7 @@ index 47a8f7d..a485d76 100644 allow rpm_script_t self:process execmem; ') -@@ -368,6 +403,11 @@ optional_policy(` +@@ -368,6 +400,11 @@ optional_policy(` ') optional_policy(` 
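Review bot: Dropping `mcs_ptrace_all(rpm_script_t)` in the inner `@@ -282,7 +313,6 @@` hunk removes an allow rule, whereas the `domain_dontaudit_ptrace_all_domains` removals for rpm_t (previous line) and rpm_script_t (this line) only stop suppressing audit records; all three are bundled under the description's "caused by the kernel/ps avcs" rationale, but only the dontaudit removals are pure audit-noise fixes. If any package scriptlet legitimately ptraces a process at another MCS level, that will now be denied in enforcing mode rather than silently permitted, which is a behavioural change worth stating. A one-line comment at the removal site, e.g. `# mcs ptrace is not needed by scriptlets; re-add behind a tunable if a package requires it`, would record the decision. The rpm_script_t policy continues outside this hunk.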
@@ -3160,7 +3188,7 @@ index 47a8f7d..a485d76 100644 tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -377,7 +417,7 @@ optional_policy(` +@@ -377,7 +414,7 @@ optional_policy(` ') optional_policy(` @@ -4941,10 +4969,10 @@ index 0000000..1553356 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..bd1abf4 +index 0000000..8b8f735 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,186 @@ +@@ -0,0 +1,182 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4976,10 +5004,6 @@ index 0000000..bd1abf4 +# chrome_sandbox local policy +# +allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot }; -+tunable_policy(`deny_ptrace',`',` -+ allow chrome_sandbox_t self:capability sys_ptrace; -+') -+ +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; +allow chrome_sandbox_t self:process setsched; +allow chrome_sandbox_t self:fifo_file manage_file_perms; @@ -5089,7 +5113,7 @@ index 0000000..bd1abf4 +# chrome_sandbox_nacl local policy +# + -+allow chrome_sandbox_nacl_t self:process execmem; ++allow chrome_sandbox_nacl_t self:process { execmem setsched }; +allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms; +allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_nacl_t self:shm create_shm_perms; @@ -5099,7 +5123,7 @@ index 0000000..bd1abf4 + +allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms; +allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms; -+allow chrome_sandbox_t chrome_sandbox_nacl_t:process share; ++allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share }; + +manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t) +fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file) 
@@ -7261,7 +7285,7 @@ index 40e0a2a..46cc164 100644 ## ## Send generic signals to user gpg processes. diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 9050e8c..80f8c31 100644 +index 9050e8c..9cbbfd4 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0) @@ -7319,7 +7343,15 @@ index 9050e8c..80f8c31 100644 manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) -@@ -123,22 +139,26 @@ logging_send_syslog_msg(gpg_t) +@@ -84,6 +100,7 @@ domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + + allow gpg_t gpg_secret_t:dir create_dir_perms; ++manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) + manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) + manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t) + userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir) +@@ -123,22 +140,26 @@ logging_send_syslog_msg(gpg_t) miscfiles_read_localization(gpg_t) @@ -7354,7 +7386,7 @@ index 9050e8c..80f8c31 100644 ') optional_policy(` -@@ -147,15 +167,19 @@ optional_policy(` +@@ -147,15 +168,19 @@ optional_policy(` ') optional_policy(` @@ -7378,7 +7410,7 @@ index 9050e8c..80f8c31 100644 ######################################## # # GPG helper local policy -@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t) +@@ -191,7 +216,7 @@ files_read_etc_files(gpg_helper_t) auth_use_nsswitch(gpg_helper_t) @@ -7387,7 +7419,7 @@ index 9050e8c..80f8c31 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -205,15 +230,17 @@ tunable_policy(`use_samba_home_dirs',` # # GPG agent local policy # 
@@ -7401,7 +7433,12 @@ index 9050e8c..80f8c31 100644 allow gpg_agent_t self:fifo_file rw_fifo_file_perms; # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) -@@ -239,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) + manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) ++manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t) + +@@ -239,34 +266,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t) miscfiles_read_localization(gpg_agent_t) # Write to the user domain tty. @@ -7440,7 +7477,15 @@ index 9050e8c..80f8c31 100644 optional_policy(` mozilla_dontaudit_rw_user_home_files(gpg_agent_t) -@@ -332,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -301,6 +319,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) + # read /proc/meminfo + kernel_read_system_state(gpg_pinentry_t) + ++corecmd_exec_shell(gpg_pinentry_t) + corecmd_exec_bin(gpg_pinentry_t) + + corenet_all_recvfrom_netlabel(gpg_pinentry_t) +@@ -332,13 +351,15 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) @@ -7461,7 +7506,7 @@ index 9050e8c..80f8c31 100644 ') optional_policy(` -@@ -347,6 +365,12 @@ optional_policy(` +@@ -347,6 +368,12 @@ optional_policy(` ') optional_policy(` @@ -7474,7 +7519,7 @@ index 9050e8c..80f8c31 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +380,28 @@ optional_policy(` +@@ -356,4 +383,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) @@ -7866,18 +7911,14 @@ index b2e27ec..c324f94 100644 ## ## 
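Review bot: `corecmd_exec_shell(gpg_pinentry_t)` in the inner `@@ -301,6 +319,7 @@` hunk lets the passphrase-entry domain execute shell_exec_t, a notable widening for the component that handles the secret passphrase, and neither the hunk nor the description says why. Presumably the pinentry front-end is dispatched through a shell wrapper; if so, a comment next to the rule such as `# pinentry front-end is chosen by a shell wrapper script` would let a later reviewer distinguish an intended grant from an AVC chased without analysis. The pre-existing `corecmd_exec_bin(gpg_pinentry_t)` on the next context line already covers ordinary binaries, so the new rule adds only shells. The `manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)` addition earlier in this hunk mirrors the gpg_t rule added on the previous line.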
diff --git a/policy/modules/apps/livecd.te b/policy/modules/apps/livecd.te -index a0be4ef..a3d8afd 100644 +index a0be4ef..2c088f5 100644 --- a/policy/modules/apps/livecd.te +++ b/policy/modules/apps/livecd.te -@@ -20,16 +20,36 @@ files_tmp_file(livecd_tmp_t) +@@ -20,16 +20,32 @@ files_tmp_file(livecd_tmp_t) dontaudit livecd_t self:capability2 mac_admin; -domain_ptrace_all_domains(livecd_t) -+tunable_policy(`deny_ptrace',`',` -+ domain_ptrace_all_domains(livecd_t) -+') -+ +domain_interactive_fd(livecd_t) manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) @@ -7976,6 +8017,19 @@ index 0bac996..ca2388d 100644 -userdom_use_user_terminals(lockdev_t) +userdom_use_inherited_user_terminals(lockdev_t) +diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te +index dff0f12..ecab36d 100644 +--- a/policy/modules/apps/mono.te ++++ b/policy/modules/apps/mono.te +@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t) + # Local policy + # + +-allow mono_t self:process { ptrace signal getsched execheap execmem execstack }; ++allow mono_t self:process { signal getsched execheap execmem execstack }; + + init_dbus_chat_script(mono_t) + diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc index 93ac529..4c0895e 100644 --- a/policy/modules/apps/mozilla.fc @@ -12881,7 +12935,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..68b6a44 100644 +index 3fae11a..c2ef1eb 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,7 +1,7 @@ 
@@ -12893,7 +12947,19 @@ index 3fae11a..68b6a44 100644 /bin/.* gen_context(system_u:object_r:bin_t,s0) /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -97,8 +97,6 @@ ifdef(`distro_redhat',` +@@ -71,6 +71,11 @@ ifdef(`distro_redhat',` + /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/etc/lxdm/LoginReady -- gen_context(system_u:object_r:bin_t,s0) ++/etc/lxdm/Post.* -- gen_context(system_u:object_r:bin_t,s0) ++/etc/lxdm/Pre.* -- gen_context(system_u:object_r:bin_t,s0) ++/etc/lxdm/Xsession -- gen_context(system_u:object_r:bin_t,s0) ++ + /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) + /etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0) + /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -97,8 +102,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -12902,7 +12968,7 @@ index 3fae11a..68b6a44 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -130,18 +128,14 @@ ifdef(`distro_debian',` +@@ -130,18 +133,14 @@ ifdef(`distro_debian',` /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -12923,7 +12989,7 @@ index 3fae11a..68b6a44 100644 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -152,7 +146,7 @@ ifdef(`distro_gentoo',` +@@ -152,7 +151,7 @@ ifdef(`distro_gentoo',` # # /sbin # 
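Review bot: The patterns `/etc/lxdm/Post.*` and `/etc/lxdm/Pre.*` added in the inner `@@ -71,6 +71,11 @@` hunk use an unrestricted `.*`, which in file-context regexes also matches `/`, so any regular file under a subdirectory whose name starts with Post or Pre (a hypothetical `/etc/lxdm/PostLogin.d/foo`, say) would be labelled bin_t as well. If only the top-level lxdm hook scripts are meant, `/etc/lxdm/Post[^/]* -- gen_context(system_u:object_r:bin_t,s0)` and `/etc/lxdm/Pre[^/]* -- gen_context(system_u:object_r:bin_t,s0)` restrict the match to a single path component, as the `/etc/gdm/[^/]+` entries further down in this file do. The `/etc/lxdm/LoginReady` and `/etc/lxdm/Xsession` entries are exact names and need no change.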
@@ -12932,7 +12998,7 @@ index 3fae11a..68b6a44 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +162,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +167,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -12940,7 +13006,7 @@ index 3fae11a..68b6a44 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,67 +174,92 @@ ifdef(`distro_gentoo',` +@@ -179,67 +179,92 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -13078,7 +13144,7 @@ index 3fae11a..68b6a44 100644 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -247,11 +267,18 @@ ifdef(`distro_gentoo',` +@@ -247,11 +272,18 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -13098,7 +13164,7 @@ index 3fae11a..68b6a44 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -267,6 +294,10 @@ ifdef(`distro_gentoo',` +@@ -267,6 +299,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -13109,7 +13175,7 @@ index 3fae11a..68b6a44 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -286,15 +317,19 @@ ifdef(`distro_gentoo',` +@@ -286,15 +322,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -13130,7 +13196,7 @@ index 3fae11a..68b6a44 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +341,11 @@ ifdef(`distro_redhat', ` +@@ -306,10 +346,11 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -13144,7 +13210,7 @@ index 3fae11a..68b6a44 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +355,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +360,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -13156,7 +13222,7 @@ index 3fae11a..68b6a44 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,7 +401,7 @@ ifdef(`distro_redhat', ` +@@ -363,7 +406,7 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -13165,7 +13231,7 @@ index 3fae11a..68b6a44 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +413,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +418,9 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -13177,7 +13243,7 @@ index 3fae11a..68b6a44 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +424,12 @@ ifdef(`distro_suse', ` +@@ -385,3 +429,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -13189,7 +13255,7 @@ index 3fae11a..68b6a44 100644 +/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 9e9263a..650e796 100644 --- a/policy/modules/kernel/corecommands.if @@ -14949,7 +15015,7 @@ index 6cf8784..2354089 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..85b04c0 100644 +index f820f3b..f27e256 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -15687,7 +15753,7 @@ index f820f3b..85b04c0 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5216,822 @@ interface(`dev_unconfined',` +@@ -4784,3 +5216,842 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -15939,6 +16005,26 @@ index f820f3b..85b04c0 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "007") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "008") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "009") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "010") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "011") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "012") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "013") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "014") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "015") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "016") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "017") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "018") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "019") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "020") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "021") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "022") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "023") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "024") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "025") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "026") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "027") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "028") ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, "029") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1") + filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2") @@ -16657,7 +16743,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') 
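Review bot: The twenty new `filetrans_pattern($1, device_t, usb_device_t, chr_file, "0NN")` lines for `010` through `029` key the transition on a bare numeric basename created in any device_t directory, and nothing in the hunk says which device nodes those names stand for; the description says "usb devices", presumably the numeric entries under /dev/bus/usb, but that is not visible here. A comment above the first numeric entry, e.g. `# USB device nodes are created with three-digit numeric names (verify path)`, would make the intent auditable and would also explain why the list stops at 029, since later device numbers will keep the default label. The enclosing interface begins before this hunk.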
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..b3fbad5 100644 +index fae1ab1..6a2f06f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -16758,7 +16844,7 @@ index fae1ab1..b3fbad5 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -158,5 +199,223 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +199,222 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -16981,7 +17067,6 @@ index fae1ab1..b3fbad5 100644 +') + +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; -+dontaudit domain self:capability sys_ptrace; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c19518a..04ef731 100644 --- a/policy/modules/kernel/files.fc @@ -17105,7 +17190,7 @@ index c19518a..04ef731 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..6af09db 100644 +index ff006ea..3a7eb38 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ 
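Review bot: Removing `dontaudit domain self:capability sys_ptrace;` in the inner `@@ -16981,7 +17067,6 @@` hunk withdraws a blanket suppression, so every confined domain that trips the kernel's sys_ptrace capability check will again produce AVC records, and no narrower replacement appears in this hunk. If the intent is that those checks no longer fire after a kernel-side change (the "kernel/ps avcs" the description mentions), a comment beside the surviving `dontaudit domain domain:process { noatsecure siginh rlimitinh } ;` line, e.g. `# sys_ptrace denials are handled per domain, not dontaudited globally`, would stop the next maintainer from re-adding the rule. The added domain.te body extends beyond this hunk in both directions.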
@@ -17855,7 +17940,33 @@ index ff006ea..6af09db 100644 ') ######################################## -@@ -5304,6 +5702,25 @@ interface(`files_manage_mounttab',` +@@ -5259,6 +5657,25 @@ interface(`files_read_var_lib_symlinks',` + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') + ++######################################## ++## ++## manage generic symbolic links ++## in the /var/lib directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_var_lib_symlinks',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ++') ++ + # cjp: the next two interfaces really need to be fixed + # in some way. They really neeed their own types. + +@@ -5304,6 +5721,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -17881,7 +17992,7 @@ index ff006ea..6af09db 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5734,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5753,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -17890,7 +18001,7 @@ index ff006ea..6af09db 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5755,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5774,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -17906,7 +18017,7 @@ index ff006ea..6af09db 100644 ## ## ## -@@ -5349,12 +5770,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5789,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -17939,7 +18050,7 @@ index ff006ea..6af09db 100644 ') ######################################## -@@ -5373,6 +5812,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5831,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
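Review bot: The new `files_manage_var_lib_symlinks` interface in the inner `@@ -5259,6 +5657,25 @@` hunk grants access only inside var_lib_t, whereas the sibling `files_read_var_lib_symlinks` on the context line above passes `{ var_t var_lib_t }` so the caller can traverse /var to reach /var/lib; a caller of the new interface that has not separately been given search on var_t will be denied at the parent directory. Adding `allow $1 var_t:dir search_dir_perms;` before the pattern call, as `files_pid_filetrans` does for var_run_t later in this file, closes that gap, and the call itself should read `manage_lnk_files_pattern($1, var_lib_t, var_lib_t)` with the spacing the rest of the file uses. The summary `## manage generic symbolic links` could also be capitalised to match the neighbouring interface descriptions.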
@@ -17947,7 +18058,7 @@ index ff006ea..6af09db 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5825,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5844,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -17955,7 +18066,7 @@ index ff006ea..6af09db 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5851,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5870,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -17964,7 +18075,7 @@ index ff006ea..6af09db 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5867,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5886,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -17981,7 +18092,7 @@ index ff006ea..6af09db 100644 ') ######################################## -@@ -5452,7 +5891,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5910,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -17990,7 +18101,7 @@ index ff006ea..6af09db 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5932,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5951,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -17999,7 +18110,7 @@ index ff006ea..6af09db 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5954,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5973,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -18008,7 +18119,7 @@ index ff006ea..6af09db 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5986,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +6005,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -18019,7 +18130,7 @@ index ff006ea..6af09db 100644 ') ######################################## -@@ -5608,6 +6047,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6066,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -18063,7 +18174,7 @@ index ff006ea..6af09db 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,6 +6105,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,6 +6124,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -18089,7 +18200,7 @@ index ff006ea..6af09db 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -5736,7 +6231,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6250,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -18098,7 +18209,7 @@ index ff006ea..6af09db 100644 ') ######################################## -@@ -5815,29 +6310,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,29 +6329,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -18132,7 +18243,7 @@ index ff006ea..6af09db 100644 ## ## ## -@@ -5845,42 +6336,35 @@ interface(`files_read_all_pids',` +@@ -5845,42 +6355,35 @@ interface(`files_read_all_pids',` ## ## # @@ -18182,7 +18293,7 @@ index ff006ea..6af09db 100644 ## ## ## -@@ -5888,20 +6372,17 @@ interface(`files_delete_all_pids',` +@@ -5888,20 +6391,17 @@ interface(`files_delete_all_pids',` ## ## # 
@@ -18206,7 +18317,7 @@ index ff006ea..6af09db 100644 ## ## ## -@@ -5909,56 +6390,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -5909,56 +6409,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -18282,7 +18393,7 @@ index ff006ea..6af09db 100644 ## ## ## -@@ -5966,18 +6450,17 @@ interface(`files_list_spool',` +@@ -5966,18 +6469,17 @@ interface(`files_list_spool',` ## ## # @@ -18305,7 +18416,7 @@ index ff006ea..6af09db 100644 ## ## ## -@@ -5985,19 +6468,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -5985,19 +6487,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -18330,7 +18441,7 @@ index ff006ea..6af09db 100644 ## ## ## -@@ -6005,70 +6487,333 @@ interface(`files_read_generic_spool',` +@@ -6005,50 +6506,313 @@ interface(`files_read_generic_spool',` ## ## # @@ -18387,30 +18498,20 @@ index ff006ea..6af09db 100644 -## Allow access to manage all polyinstantiated -## directories on the system. +## Delete all process IDs. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_polyinstantiate_all',` ++# +interface(`files_delete_all_pids',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated ++ ') ++ + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; 
@@ -18674,30 +18775,10 @@ index ff006ea..6af09db 100644 +## +## Allow access to manage all polyinstantiated +## directories on the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_polyinstantiate_all',` -+ gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; -+ ') -+ -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated - allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; - - # Need to give access to the polyinstantiated subdirectories -@@ -6117,3 +6862,284 @@ interface(`files_unconfined',` + ## + ## + ## +@@ -6117,3 +6881,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -23392,7 +23473,7 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..c42d440 +index 0000000..c21c9a4 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,383 @@ @@ -23420,7 +23501,7 @@ index 0000000..c42d440 + +## +##

-+## Allow vidio playing tools to run unconfined ++## Allow video playing tools to run unconfined +##

+##
+gen_tunable(unconfined_mplayer, false) @@ -26204,10 +26285,10 @@ index 6480167..2ad693a 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..1aa2421 100644 +index 3136c6a..d6944c1 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,136 +18,226 @@ policy_module(apache, 2.2.1) +@@ -18,136 +18,233 @@ policy_module(apache, 2.2.1) # Declarations # @@ -26256,6 +26337,13 @@ index 3136c6a..1aa2421 100644 + +## +##

++## Allow httpd processes to manage IPA content ++##

++##
++gen_tunable(httpd_manage_ipa, false) ++ ++## ++##

+## Allow httpd daemon to change system limits +##

+##
@@ -26330,17 +26418,17 @@ index 3136c6a..1aa2421 100644 +## +gen_tunable(httpd_can_connect_zabbix, false) + -+## + ## +-##

+-## Allow Apache to communicate with avahi service via dbus +-##

+##

+## Allow http daemon to check spam +##

+##
+gen_tunable(httpd_can_check_spam, false) + - ## --##

--## Allow Apache to communicate with avahi service via dbus --##

++## +##

+## Allow Apache to communicate with avahi service via dbus +##

@@ -26490,7 +26578,7 @@ index 3136c6a..1aa2421 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +256,7 @@ files_type(httpd_cache_t) +@@ -166,7 +263,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -26499,7 +26587,7 @@ index 3136c6a..1aa2421 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +267,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +274,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -26509,7 +26597,7 @@ index 3136c6a..1aa2421 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +309,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +316,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -26532,7 +26620,7 @@ index 3136c6a..1aa2421 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +333,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +340,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -26543,7 +26631,7 @@ index 3136c6a..1aa2421 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +344,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +351,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -26551,7 +26639,7 @@ index 3136c6a..1aa2421 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +366,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +373,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -26575,7 +26663,7 @@ index 3136c6a..1aa2421 100644 ######################################## # # Apache server local policy -@@ -281,11 +402,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +409,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -26589,7 +26677,7 @@ index 3136c6a..1aa2421 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +452,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +459,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -26600,7 +26688,7 @@ index 3136c6a..1aa2421 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +479,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +486,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -26610,7 +26698,7 @@ index 3136c6a..1aa2421 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +492,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +499,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -26627,7 +26715,7 @@ index 3136c6a..1aa2421 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +509,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +516,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -26643,7 +26731,7 @@ index 3136c6a..1aa2421 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +522,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +529,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -26651,7 +26739,7 @@ index 3136c6a..1aa2421 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +534,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +541,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -26755,7 +26843,7 @@ index 3136c6a..1aa2421 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +641,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +648,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
@@ -26813,7 +26901,7 @@ index 3136c6a..1aa2421 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +699,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +706,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -26830,7 +26918,7 @@ index 3136c6a..1aa2421 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +723,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +730,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -26851,7 +26939,7 @@ index 3136c6a..1aa2421 100644 ') optional_policy(` -@@ -513,7 +747,13 @@ optional_policy(` +@@ -513,7 +754,13 @@ optional_policy(` ') optional_policy(` @@ -26866,7 +26954,7 @@ index 3136c6a..1aa2421 100644 ') optional_policy(` -@@ -528,7 +768,19 @@ optional_policy(` +@@ -528,7 +775,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -26887,7 +26975,7 @@ index 3136c6a..1aa2421 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +789,13 @@ optional_policy(` +@@ -537,8 +796,13 @@ optional_policy(` ') optional_policy(` @@ -26902,7 +26990,7 @@ index 3136c6a..1aa2421 100644 ') ') -@@ -556,7 +813,13 @@ optional_policy(` +@@ -556,7 +820,21 @@ optional_policy(` ') optional_policy(` @@ -26911,12 +26999,20 @@ index 3136c6a..1aa2421 100644 +') + +optional_policy(` ++ memcached_stream_connect(httpd_t) ++ ++ tunable_policy(`httpd_manage_ipa',` ++ memcached_manage_pid_files(httpd_t) ++ ') ++') ++ ++optional_policy(` # Allow httpd to work with mysql + mysql_read_config(httpd_t) mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +830,7 @@ optional_policy(` +@@ -567,6 +845,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) 
@@ -26924,7 +27020,7 @@ index 3136c6a..1aa2421 100644 ') optional_policy(` -@@ -577,6 +841,20 @@ optional_policy(` +@@ -577,6 +856,20 @@ optional_policy(` ') optional_policy(` @@ -26945,7 +27041,7 @@ index 3136c6a..1aa2421 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +869,11 @@ optional_policy(` +@@ -591,6 +884,11 @@ optional_policy(` ') optional_policy(` @@ -26957,7 +27053,7 @@ index 3136c6a..1aa2421 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +886,12 @@ optional_policy(` +@@ -603,6 +901,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -26970,7 +27066,7 @@ index 3136c6a..1aa2421 100644 ######################################## # # Apache helper local policy -@@ -616,7 +905,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +920,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -26983,7 +27079,7 @@ index 3136c6a..1aa2421 100644 ######################################## # -@@ -654,28 +947,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +962,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -27027,7 +27123,7 @@ index 3136c6a..1aa2421 100644 ') ######################################## -@@ -685,6 +980,8 @@ optional_policy(` +@@ -685,6 +995,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; 
@@ -27036,7 +27132,7 @@ index 3136c6a..1aa2421 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +996,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1011,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -27062,7 +27158,7 @@ index 3136c6a..1aa2421 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1042,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1057,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -27095,7 +27191,7 @@ index 3136c6a..1aa2421 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1089,25 @@ optional_policy(` +@@ -769,6 +1104,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -27121,7 +27217,7 @@ index 3136c6a..1aa2421 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1128,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1143,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -27139,7 +27235,7 @@ index 3136c6a..1aa2421 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1147,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1162,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -27196,7 +27292,7 @@ index 3136c6a..1aa2421 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1198,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1213,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -27227,7 +27323,7 @@ index 3136c6a..1aa2421 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1233,20 @@ optional_policy(` +@@ -842,10 +1248,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -27248,7 +27344,7 @@ index 3136c6a..1aa2421 100644 ') ######################################## -@@ -891,11 +1292,135 @@ optional_policy(` +@@ -891,11 +1307,135 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -27493,7 +27589,7 @@ index 1ea99b2..3582863 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..01d69d4 100644 +index 1c8c27e..29bb904 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) 
@@ -27534,7 +27630,15 @@ index 1c8c27e..01d69d4 100644 dev_read_realtime_clock(apmd_t) dev_read_urand(apmd_t) dev_rw_apm_bios(apmd_t) -@@ -114,6 +118,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? +@@ -101,7 +105,6 @@ selinux_search_fs(apmd_t) + corecmd_exec_all_executables(apmd_t) + + domain_read_all_domains_state(apmd_t) +-domain_dontaudit_ptrace_all_domains(apmd_t) + domain_use_interactive_fds(apmd_t) + domain_dontaudit_getattr_all_sockets(apmd_t) + domain_dontaudit_getattr_all_key_sockets(apmd_t) # Excessive? +@@ -114,6 +117,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive? files_dontaudit_getattr_all_pipes(apmd_t) # Excessive? files_dontaudit_getattr_all_sockets(apmd_t) # Excessive? @@ -27543,7 +27647,7 @@ index 1c8c27e..01d69d4 100644 init_domtrans_script(apmd_t) init_rw_utmp(apmd_t) init_telinit(apmd_t) -@@ -127,10 +133,8 @@ logging_send_audit_msgs(apmd_t) +@@ -127,10 +132,8 @@ logging_send_audit_msgs(apmd_t) miscfiles_read_localization(apmd_t) miscfiles_read_hwdata(apmd_t) @@ -27555,7 +27659,7 @@ index 1c8c27e..01d69d4 100644 userdom_dontaudit_use_unpriv_user_fds(apmd_t) userdom_dontaudit_search_user_home_dirs(apmd_t) -@@ -142,9 +146,8 @@ ifdef(`distro_redhat',` +@@ -142,9 +145,8 @@ ifdef(`distro_redhat',` can_exec(apmd_t, apmd_var_run_t) @@ -27566,7 +27670,7 @@ index 1c8c27e..01d69d4 100644 ') optional_policy(` -@@ -155,6 +158,15 @@ ifdef(`distro_redhat',` +@@ -155,6 +157,15 @@ ifdef(`distro_redhat',` netutils_domtrans(apmd_t) ') @@ -27582,7 +27686,7 @@ index 1c8c27e..01d69d4 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -@@ -181,6 +193,12 @@ optional_policy(` +@@ -181,6 +192,12 @@ optional_policy(` ') optional_policy(` @@ -27595,7 +27699,7 @@ index 1c8c27e..01d69d4 100644 dbus_system_bus_client(apmd_t) optional_policy(` -@@ -201,7 +219,8 @@ optional_policy(` +@@ -201,7 +218,8 @@ optional_policy(` ') optional_policy(` 
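Review bot: Removing `domain_dontaudit_ptrace_all_domains(apmd_t)` grants or revokes nothing; it only stops suppressing the ptrace access checks that reading other domains' /proc entries can raise, and `domain_read_all_domains_state(apmd_t)` is kept right above it. If the target kernel still performs those checks, the formerly silenced AVCs will reappear in the audit log, so the description should name the kernel/ps change that the commit message only "believes" makes these dontaudits obsolete. The same applies to `dontaudit ccs_t self:process ptrace` (ccs.te), `domain_dontaudit_ptrace_all_domains(consolekit_t)` (consolekit.te), the `{ ptrace setrlimit }` → `setrlimit` narrowing for session_bus_type (dbus.te) and `domain_dontaudit_ptrace_all_domains(hald_t)` (hal.te) later in this patch; the consolekit section additionally removes real allow rules and is reviewed there.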
@@ -27605,7 +27709,7 @@ index 1c8c27e..01d69d4 100644 ') optional_policy(` -@@ -209,8 +228,9 @@ optional_policy(` +@@ -209,8 +227,9 @@ optional_policy(` pcmcia_domtrans_cardctl(apmd_t) ') @@ -27616,7 +27720,7 @@ index 1c8c27e..01d69d4 100644 ') optional_policy(` -@@ -219,10 +239,6 @@ optional_policy(` +@@ -219,10 +238,6 @@ optional_policy(` ') optional_policy(` @@ -28926,10 +29030,10 @@ index 0000000..9fe3f9e +') diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te new file mode 100644 -index 0000000..040aa2e +index 0000000..dac00da --- /dev/null +++ b/policy/modules/services/boinc.te -@@ -0,0 +1,171 @@ +@@ -0,0 +1,167 @@ +policy_module(boinc, 1.0.0) + +######################################## @@ -29068,10 +29172,6 @@ index 0000000..040aa2e +allow boinc_project_t self:process { setpgid setsched signal signull sigkill sigstop }; +allow boinc_project_t self:process { execmem execstack }; + -+tunable_policy(`deny_ptrace',`',` -+ allow boinc_project_t self:process ptrace; -+') -+ +manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) +manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t) +files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file }) @@ -29944,7 +30044,7 @@ index 6ee2cc8..b509c40 100644 ## ## diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te -index 4c90b57..418eb6b 100644 +index 4c90b57..2e3fb03 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -10,7 +10,7 @@ type ccs_exec_t; 
@@ -29956,7 +30056,15 @@ index 4c90b57..418eb6b 100644 type ccs_tmp_t; files_tmp_file(ccs_tmp_t) -@@ -61,7 +61,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) +@@ -34,7 +34,6 @@ files_pid_file(ccs_var_run_t) + + allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin }; + allow ccs_t self:process { signal setrlimit setsched }; +-dontaudit ccs_t self:process ptrace; + allow ccs_t self:fifo_file rw_fifo_file_perms; + allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms }; + allow ccs_t self:unix_dgram_socket create_socket_perms; +@@ -61,7 +60,7 @@ manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t) files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir }) @@ -29965,7 +30073,7 @@ index 4c90b57..418eb6b 100644 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) -@@ -97,6 +97,7 @@ files_read_etc_files(ccs_t) +@@ -97,6 +96,7 @@ files_read_etc_files(ccs_t) files_read_etc_runtime_files(ccs_t) init_rw_script_tmp_files(ccs_t) @@ -29973,7 +30081,7 @@ index 4c90b57..418eb6b 100644 logging_send_syslog_msg(ccs_t) -@@ -107,7 +108,7 @@ sysnet_dns_name_resolve(ccs_t) +@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t) userdom_manage_unpriv_user_shared_mem(ccs_t) userdom_manage_unpriv_user_semaphores(ccs_t) @@ -29982,7 +30090,7 @@ index 4c90b57..418eb6b 100644 corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) ') -@@ -118,5 +119,10 @@ optional_policy(` +@@ -118,5 +118,10 @@ optional_policy(` ') optional_policy(` @@ -32485,10 +32593,10 @@ index fd15dfe..d33cc41 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te -index e67a003..8bd4751 100644 +index e67a003..f5b76dd 100644 
--- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te -@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t) +@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t) type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) 
@@ -32502,43 +32610,53 @@ index e67a003..8bd4751 100644 -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice }; -+tunable_policy(`deny_ptrace',`',` -+ allow consolekit_t self:capability sys_ptrace; -+') + allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -69,17 +76,23 @@ logging_send_audit_msgs(consolekit_t) +@@ -43,7 +47,6 @@ dev_read_sysfs(consolekit_t) + + domain_read_all_domains_state(consolekit_t) + domain_use_interactive_fds(consolekit_t) +-domain_dontaudit_ptrace_all_domains(consolekit_t) + + files_read_etc_files(consolekit_t) + files_read_usr_files(consolekit_t) +@@ -53,8 +56,6 @@ files_search_all_mountpoints(consolekit_t) + + fs_list_inotifyfs(consolekit_t) + +-mcs_ptrace_all(consolekit_t) +- + term_use_all_terms(consolekit_t) + + auth_use_nsswitch(consolekit_t) +@@ -69,17 +70,17 @@ logging_send_audit_msgs(consolekit_t) miscfiles_read_localization(consolekit_t) +systemd_exec_systemctl(consolekit_t) + -+# consolekit needs to be able to ptrace all logged in users +userdom_read_all_users_state(consolekit_t) -+userdom_ptrace_all_users(consolekit_t) userdom_dontaudit_read_user_home_content_files(consolekit_t) +userdom_dontaudit_getattr_admin_home_files(consolekit_t) userdom_read_user_tmp_files(consolekit_t) -hal_ptrace(consolekit_t) -+userdom_home_reader(consolekit_t) - +- -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(consolekit_t) -+optional_policy(` -+ cron_read_system_job_lib_files(consolekit_t) - ') +-') ++userdom_home_reader(consolekit_t) -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(consolekit_t) +optional_policy(` -+ hal_ptrace(consolekit_t) ++ cron_read_system_job_lib_files(consolekit_t) ') optional_policy(` -@@ -99,6 +112,10 @@ optional_policy(` 
+@@ -99,6 +100,10 @@ optional_policy(` ') optional_policy(` @@ -32549,7 +32667,7 @@ index e67a003..8bd4751 100644 policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) -@@ -106,9 +123,10 @@ optional_policy(` +@@ -106,9 +111,10 @@ optional_policy(` ') optional_policy(` @@ -32562,13 +32680,11 @@ index e67a003..8bd4751 100644 xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) -@@ -125,5 +143,8 @@ optional_policy(` +@@ -124,6 +130,5 @@ optional_policy(` + ') optional_policy(` - #reading .Xauthity -+ tunable_policy(`deny_ptrace',`',` -+ unconfined_ptrace(consolekit_t) -+ ') +- #reading .Xauthity unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc @@ -34495,7 +34611,7 @@ index 305ddf4..c9de648 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..f4f2dc5 100644 +index 0f28095..03f22e6 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -34676,7 +34792,15 @@ index 0f28095..f4f2dc5 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,23 +616,22 @@ auth_use_nsswitch(cups_pdf_t) +@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t) + corenet_tcp_bind_generic_node(cupsd_lpd_t) + corenet_udp_bind_generic_node(cupsd_lpd_t) + corenet_tcp_connect_ipp_port(cupsd_lpd_t) ++corenet_tcp_connect_printer_port(cupsd_lpd_t) + + dev_read_urand(cupsd_lpd_t) + dev_read_rand(cupsd_lpd_t) +@@ -587,23 +617,22 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) 
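Review bot: This hunk goes beyond the dontaudit cleanups elsewhere in the patch: it drops real grants from consolekit_t — the `sys_ptrace` capability (until now still available whenever `deny_ptrace` was off), `mcs_ptrace_all(consolekit_t)`, `userdom_ptrace_all_users(consolekit_t)` and the re-added `hal_ptrace(consolekit_t)` — unconditionally. That is a privilege reduction rather than log-noise removal, so the commit message should say ConsoleKit loses ptrace outright and that it is expected to get by with the retained `domain_read_all_domains_state(consolekit_t)` and the new `userdom_read_all_users_state(consolekit_t)`. The deleted comment `# consolekit needs to be able to ptrace all logged in users` should be replaced by one stating the new intent, e.g. `# session tracking reads /proc state only; no ptrace` next to `userdom_read_all_users_state`.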
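Review bot: Besides dropping the `deny_ptrace`-gated `unconfined_ptrace(consolekit_t)`, the new inner hunk (`@@ -124,6 +130,5 @@`) also deletes the upstream comment `#reading .Xauthity` that documented `unconfined_stream_connect(consolekit_t)`, so that rule is now left unexplained although it is unrelated to the ptrace cleanup. Keep the comment, with the spelling fixed: `# reading .Xauthority`.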
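Review bot: `corenet_tcp_connect_printer_port(cupsd_lpd_t)` adds an unconditional outbound connect for what is presumably the LPD mini-server, which as far as this hunk shows previously only had `corenet_tcp_connect_ipp_port(cupsd_lpd_t)`; a process that accepts LPD jobs originating connections to the printer (lpd) port is not obvious, so a one-line comment naming the operation or AVC that needs it would help, e.g. `# <reason cups-lpd connects to the printer port>` with the placeholder filled in. If only one code path triggers it, consider putting it behind a tunable rather than granting it to every cups-lpd invocation.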
@@ -34709,7 +34833,7 @@ index 0f28095..f4f2dc5 100644 ') ######################################## -@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -34718,7 +34842,7 @@ index 0f28095..f4f2dc5 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -34726,7 +34850,7 @@ index 0f28095..f4f2dc5 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -35304,7 +35428,7 @@ index 1a1becd..115133d 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 1bff6ee..c9396db 100644 +index 1bff6ee..4327f89 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -35455,7 +35579,7 @@ index 1bff6ee..c9396db 100644 # +dontaudit session_bus_type self:capability sys_resource; +allow session_bus_type self:process { getattr sigkill signal }; -+dontaudit session_bus_type self:process { ptrace setrlimit }; ++dontaudit session_bus_type self:process setrlimit; +allow session_bus_type self:file { getattr read write }; +allow session_bus_type self:fifo_file rw_fifo_file_perms; +allow session_bus_type self:dbus { send_msg acquire_svc }; 
@@ -35756,20 +35880,29 @@ index 567865f..3a57eb9 100644 admin_pattern($1, denyhosts_var_lock_t) ') diff --git a/policy/modules/services/denyhosts.te b/policy/modules/services/denyhosts.te -index 8ba9425..555058a 100644 +index 8ba9425..ca29d0a 100644 --- a/policy/modules/services/denyhosts.te +++ b/policy/modules/services/denyhosts.te -@@ -25,7 +25,8 @@ logging_log_file(denyhosts_var_log_t) +@@ -25,7 +25,9 @@ logging_log_file(denyhosts_var_log_t) # # DenyHosts personal policy. # - +# Bug #588563 +allow denyhosts_t self:capability sys_tty_config; ++allow denyhosts_t self:fifo_file rw_fifo_file_perms; allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms; allow denyhosts_t self:tcp_socket create_socket_perms; allow denyhosts_t self:udp_socket create_socket_perms; -@@ -53,20 +54,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) +@@ -45,6 +47,7 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file) + + kernel_read_system_state(denyhosts_t) + ++corecmd_exec_shell(denyhosts_t) + corecmd_exec_bin(denyhosts_t) + + corenet_all_recvfrom_unlabeled(denyhosts_t) +@@ -53,20 +56,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t) corenet_tcp_sendrecv_generic_node(denyhosts_t) corenet_tcp_bind_generic_node(denyhosts_t) corenet_tcp_connect_smtp_port(denyhosts_t) @@ -39265,7 +39398,7 @@ index f590a1f..eb6f870 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..c7a0911 100644 +index 2a69e5e..afb6deb 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) @@ -39329,7 +39462,7 @@ index 2a69e5e..c7a0911 100644 optional_policy(` apache_read_log(fail2ban_t) ') -@@ -94,5 +110,38 @@ optional_policy(` +@@ -94,5 +110,43 @@ optional_policy(` ') optional_policy(` 
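Review bot: `corecmd_exec_shell(denyhosts_t)` is a broad grant for a log-scanning daemon that already has `corecmd_exec_bin(denyhosts_t)`, and unlike the neighbouring `allow denyhosts_t self:capability sys_tty_config;` with its `# Bug #588563` reference, neither it nor the new `allow denyhosts_t self:fifo_file rw_fifo_file_perms;` records why it is needed. Add a one-line comment above the shell rule naming the DenyHosts operation that runs through a shell (or the bug it fixes), e.g. `# <operation> is run via a shell, bug <id>` with the placeholders filled in.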
@@ -39368,6 +39501,11 @@ index 2a69e5e..c7a0911 100644 +files_search_pids(fail2ban_client_t) + +miscfiles_read_localization(fail2ban_client_t) ++ ++optional_policy(` ++ gnome_dontaudit_search_config(fail2ban_client_t) ++') ++ diff --git a/policy/modules/services/fcoemon.fc b/policy/modules/services/fcoemon.fc new file mode 100644 index 0000000..83279fb @@ -41914,7 +42052,7 @@ index 7cf6763..4a7bc56 100644 + dontaudit $1 hald_var_run_t:file read_inherited_file_perms; +') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te -index 24c6253..6fdb0cd 100644 +index 24c6253..c31f21c 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t) @@ -41953,7 +42091,11 @@ index 24c6253..6fdb0cd 100644 dev_rw_generic_usb_dev(hald_t) dev_setattr_generic_usb_dev(hald_t) dev_setattr_usbfs_files(hald_t) -@@ -140,6 +144,7 @@ domain_dontaudit_ptrace_all_domains(hald_t) +@@ -136,10 +140,10 @@ dev_read_video_dev(hald_t) + + domain_use_interactive_fds(hald_t) + domain_read_all_domains_state(hald_t) +-domain_dontaudit_ptrace_all_domains(hald_t) files_exec_etc_files(hald_t) files_read_etc_files(hald_t) @@ -41961,7 +42103,7 @@ index 24c6253..6fdb0cd 100644 files_rw_etc_runtime_files(hald_t) files_manage_mnt_dirs(hald_t) files_manage_mnt_files(hald_t) -@@ -165,6 +170,7 @@ fs_manage_fusefs_dirs(hald_t) +@@ -165,6 +169,7 @@ fs_manage_fusefs_dirs(hald_t) fs_rw_removable_blk_files(hald_t) files_getattr_all_mountpoints(hald_t) @@ -41969,7 +42111,7 @@ index 24c6253..6fdb0cd 100644 mls_file_read_all_levels(hald_t) -@@ -186,8 +192,6 @@ term_use_unallocated_ttys(hald_t) +@@ -186,8 +191,6 @@ term_use_unallocated_ttys(hald_t) auth_use_nsswitch(hald_t) 
@@ -41978,7 +42120,7 @@ index 24c6253..6fdb0cd 100644 init_domtrans_script(hald_t) init_read_utmp(hald_t) #hal runs shutdown, probably need a shutdown domain -@@ -204,20 +208,25 @@ logging_search_logs(hald_t) +@@ -204,20 +207,25 @@ logging_search_logs(hald_t) miscfiles_read_localization(hald_t) miscfiles_read_hwdata(hald_t) @@ -42008,7 +42150,7 @@ index 24c6253..6fdb0cd 100644 optional_policy(` alsa_domtrans(hald_t) -@@ -252,8 +261,7 @@ optional_policy(` +@@ -252,8 +260,7 @@ optional_policy(` ') optional_policy(` @@ -42018,7 +42160,7 @@ index 24c6253..6fdb0cd 100644 init_dbus_chat_script(hald_t) -@@ -263,15 +271,28 @@ optional_policy(` +@@ -263,15 +270,28 @@ optional_policy(` ') optional_policy(` @@ -42047,7 +42189,7 @@ index 24c6253..6fdb0cd 100644 hotplug_read_config(hald_t) ') -@@ -280,6 +301,11 @@ optional_policy(` +@@ -280,6 +300,11 @@ optional_policy(` ') optional_policy(` @@ -42059,7 +42201,7 @@ index 24c6253..6fdb0cd 100644 mount_domtrans(hald_t) ') -@@ -302,7 +328,7 @@ optional_policy(` +@@ -302,7 +327,7 @@ optional_policy(` ') optional_policy(` @@ -42068,7 +42210,7 @@ index 24c6253..6fdb0cd 100644 policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) -@@ -318,6 +344,10 @@ optional_policy(` +@@ -318,6 +343,10 @@ optional_policy(` ') optional_policy(` @@ -42079,7 +42221,7 @@ index 24c6253..6fdb0cd 100644 udev_domtrans(hald_t) udev_read_db(hald_t) ') -@@ -338,6 +368,10 @@ optional_policy(` +@@ -338,6 +367,10 @@ optional_policy(` virt_manage_images(hald_t) ') @@ -42090,7 +42232,7 @@ index 24c6253..6fdb0cd 100644 ######################################## # # Hal acl local policy -@@ -358,6 +392,7 @@ files_search_var_lib(hald_acl_t) +@@ -358,6 +391,7 @@ files_search_var_lib(hald_acl_t) manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) 
@@ -42098,7 +42240,7 @@ index 24c6253..6fdb0cd 100644 corecmd_exec_bin(hald_acl_t) -@@ -388,7 +423,7 @@ logging_send_syslog_msg(hald_acl_t) +@@ -388,7 +422,7 @@ logging_send_syslog_msg(hald_acl_t) miscfiles_read_localization(hald_acl_t) optional_policy(` @@ -42107,7 +42249,7 @@ index 24c6253..6fdb0cd 100644 policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) -@@ -470,6 +505,12 @@ files_read_usr_files(hald_keymap_t) +@@ -470,6 +504,12 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) @@ -42120,7 +42262,7 @@ index 24c6253..6fdb0cd 100644 ######################################## # # Local hald dccm policy -@@ -524,7 +565,9 @@ files_read_usr_files(hald_dccm_t) +@@ -524,7 +564,9 @@ files_read_usr_files(hald_dccm_t) miscfiles_read_localization(hald_dccm_t) @@ -44120,6 +44262,20 @@ index 64fd1ff..0f5d0b7 100644 logging_send_syslog_msg(slapd_t) +diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc +index 057a4e4..57491fc 100644 +--- a/policy/modules/services/likewise.fc ++++ b/policy/modules/services/likewise.fc +@@ -20,7 +20,8 @@ + /usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) + /usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) + +-/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) ++/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) ++/var/lib/likewise(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0) + /var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) + /var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) + /var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if index 771e04b..81d98b3 100644 --- a/policy/modules/services/likewise.if 
@@ -45463,7 +45619,7 @@ index 4d69477..d3b4f39 100644 +/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if -index db4fd6f..ce07b3f 100644 +index db4fd6f..a32c2f3 100644 --- a/policy/modules/services/memcached.if +++ b/policy/modules/services/memcached.if @@ -5,15 +5,14 @@ @@ -45485,7 +45641,52 @@ index db4fd6f..ce07b3f 100644 ') domtrans_pattern($1, memcached_exec_t, memcached_t) -@@ -57,17 +56,20 @@ interface(`memcached_read_pid_files',` +@@ -40,6 +39,44 @@ interface(`memcached_read_pid_files',` + + ######################################## + ## ++## Manage memcached PID files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`memcached_manage_pid_files',` ++ gen_require(` ++ type memcached_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t) ++') ++ ++######################################## ++## ++## Connect to memcached over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`memcached_stream_connect',` ++ gen_require(` ++ type memcached_t, memcached_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t) ++') ++ ++######################################## ++## + ## All of the rules required to administrate + ## an memcached environment + ## +@@ -57,17 +94,20 @@ interface(`memcached_read_pid_files',` # interface(`memcached_admin',` gen_require(` @@ -48804,7 +49005,7 @@ index 15448d5..62284bf 100644 +/usr/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0) 
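Review bot: `memcached_manage_pid_files` in the new memcached.if passes a fourth argument to `manage_files_pattern`, which takes three (domain, directory type, file type); m4 discards the extra `memcached_t` silently, so this compiles but the call reads like a copy of the `stream_connect_pattern` line in the interface below it. Change it to `manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)`. The trailing `memcached_t` is only meaningful for `memcached_stream_connect`, whose gen_require correctly lists that type.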
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if -index abe3f7f..7c7f939 100644 +index abe3f7f..4b891ee 100644 --- a/policy/modules/services/nis.if +++ b/policy/modules/services/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` @@ -48925,7 +49126,7 @@ index abe3f7f..7c7f939 100644 - type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; - type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t; + type ypbind_t, yppasswdd_t, ypserv_t; -+ type ypserv_tmp_t, ypserv_conf_t; ++ type ypserv_conf_t; type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; - type ypbind_initrc_exec_t, nis_initrc_exec_t; + type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; @@ -48954,7 +49155,7 @@ index abe3f7f..7c7f939 100644 ps_process_pattern($1, ypxfr_t) nis_initrc_domtrans($1) -@@ -379,18 +416,18 @@ interface(`nis_admin',` +@@ -379,18 +416,15 @@ interface(`nis_admin',` role_transition $2 ypbind_initrc_exec_t system_r; allow $2 system_r; @@ -48970,14 +49171,13 @@ index abe3f7f..7c7f939 100644 files_list_etc($1) admin_pattern($1, ypserv_conf_t) -+ files_list_tmp($1) - admin_pattern($1, ypserv_tmp_t) - +- admin_pattern($1, ypserv_tmp_t) +- admin_pattern($1, ypserv_var_run_t) + nis_systemctl($1) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..de34d17 100644 +index 4876cae..e29f5d6 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -18,12 +18,12 @@ init_daemon_domain(ypbind_t, ypbind_exec_t) 
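Review bot: The nis_admin hunk removes `admin_pattern($1, ypserv_var_run_t)` together with the ypserv_tmp_t line, yet ypserv_var_run_t is still declared in nis.te (the `type ypserv_var_run_t; files_pid_file(ypserv_var_run_t)` context lines survive in the nis.te hunk) and is still listed in nis_admin's gen_require on this hunk. The commit message only announces dropping the tmp type, so as written administrators lose the ability to manage ypserv's PID file and the interface requires a type it no longer uses. If that is unintended, restore `admin_pattern($1, ypserv_var_run_t)` next to `admin_pattern($1, ypserv_conf_t)`; if it is intended, drop `ypserv_var_run_t` from the gen_require as well and say so in the description.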
@@ -48996,16 +49196,19 @@ index 4876cae..de34d17 100644 type yppasswdd_t; type yppasswdd_exec_t; init_daemon_domain(yppasswdd_t, yppasswdd_exec_t) -@@ -37,7 +37,7 @@ type ypserv_exec_t; +@@ -37,10 +37,7 @@ type ypserv_exec_t; init_daemon_domain(ypserv_t, ypserv_exec_t) type ypserv_conf_t; -files_type(ypserv_conf_t) +- +-type ypserv_tmp_t; +-files_tmp_file(ypserv_tmp_t) +files_config_file(ypserv_conf_t) - type ypserv_tmp_t; - files_tmp_file(ypserv_tmp_t) -@@ -52,22 +52,22 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) + type ypserv_var_run_t; + files_pid_file(ypserv_var_run_t) +@@ -52,22 +49,22 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t) type ypxfr_var_run_t; files_pid_file(ypxfr_var_run_t) @@ -49033,7 +49236,7 @@ index 4876cae..de34d17 100644 manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t) files_pid_filetrans(ypbind_t, ypbind_var_run_t, file) -@@ -142,8 +142,8 @@ optional_policy(` +@@ -142,8 +139,8 @@ optional_policy(` allow yppasswdd_t self:capability dac_override; dontaudit yppasswdd_t self:capability sys_tty_config; @@ -49043,7 +49246,7 @@ index 4876cae..de34d17 100644 allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -@@ -211,6 +211,10 @@ optional_policy(` +@@ -211,6 +208,10 @@ optional_policy(` ') optional_policy(` @@ -49054,7 +49257,7 @@ index 4876cae..de34d17 100644 seutil_sigchld_newrole(yppasswdd_t) ') -@@ -224,8 +228,8 @@ optional_policy(` +@@ -224,8 +225,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; 
@@ -49064,6 +49267,17 @@ index 4876cae..de34d17 100644 allow ypserv_t self:unix_dgram_socket create_socket_perms; allow ypserv_t self:unix_stream_socket create_stream_socket_perms; allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; +@@ -236,10 +237,6 @@ manage_files_pattern(ypserv_t, var_yp_t, var_yp_t) + + allow ypserv_t ypserv_conf_t:file read_file_perms; + +-manage_dirs_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) +-manage_files_pattern(ypserv_t, ypserv_tmp_t, ypserv_tmp_t) +-files_tmp_filetrans(ypserv_t, ypserv_tmp_t, { file dir }) +- + manage_files_pattern(ypserv_t, ypserv_var_run_t, ypserv_var_run_t) + files_pid_filetrans(ypserv_t, ypserv_var_run_t, file) + diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc new file mode 100644 index 0000000..4af11e2 
@@ -50176,6 +50390,97 @@ index b4c5f86..0f1549d 100644 optional_policy(` cron_system_entry(oav_update_t, oav_update_exec_t) +diff --git a/policy/modules/services/obex.fc b/policy/modules/services/obex.fc +new file mode 100644 +index 0000000..eebfda8 +--- /dev/null ++++ b/policy/modules/services/obex.fc +@@ -0,0 +1,4 @@ ++ ++ ++/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) ++ +diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if +new file mode 100644 +index 0000000..2d78f06 +--- /dev/null ++++ b/policy/modules/services/obex.if +@@ -0,0 +1,43 @@ ++## SELinux policy for obex-data-server ++ ++ ++ ++######################################## ++## ++## Transition to obex. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`obex_domtrans',` ++ gen_require(` ++ type obex_t, obex_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, obex_exec_t, obex_t) ++') ++ ++######################################## ++## ++## Send and receive messages from ++## obex over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`obex_dbus_chat',` ++ gen_require(` ++ type obex_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 obex_t:dbus send_msg; ++ allow obex_t $1:dbus send_msg; ++') +diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te +new file mode 100644 +index 0000000..4a6f24c +--- /dev/null ++++ b/policy/modules/services/obex.te +@@ -0,0 +1,26 @@ ++policy_module(obex,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type obex_t; ++type obex_exec_t; ++dbus_system_domain(obex_t, obex_exec_t) ++ ++######################################## ++# ++# obex local policy ++# ++ ++allow obex_t self:fifo_file rw_fifo_file_perms; ++ ++dev_read_urand(obex_t) ++ ++files_read_etc_files(obex_t) ++ ++logging_send_syslog_msg(obex_t) ++ ++miscfiles_read_localization(obex_t) ++ 
diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc index bdf8c89..0132b08 100644 --- a/policy/modules/services/oddjob.fc @@ -51181,10 +51486,10 @@ index 0000000..548d0a2 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..1c69a1a +index 0000000..ad76682 --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,304 @@ +@@ -0,0 +1,300 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -51253,9 +51558,6 @@ index 0000000..1c69a1a + +allow piranha_web_t self:capability { setuid sys_nice kill setgid }; +allow piranha_web_t self:process { getsched setsched signal signull }; -+tunable_policy(`deny_ptrace',`',` -+ allow piranha_web_t self:process ptrace; -+') + +allow piranha_web_t self:rawip_socket create_socket_perms; +allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms; @@ -51384,7 +51686,6 @@ index 0000000..1c69a1a + +domain_read_all_domains_state(piranha_pulse_t) +domain_getattr_all_domains(piranha_pulse_t) -+#domain_dontaudit_ptrace_all_domains(piranha_pulse_t) + +fs_getattr_all_fs(piranha_pulse_t) + @@ -51971,10 +52272,10 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..a8b2f63 100644 +index 1e7169d..9438cc4 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te -@@ -5,47 +5,73 @@ policy_module(policykit, 1.1.0) +@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0) # Declarations # 
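Review bot: The new obex.te grants obex_t only the generic D-Bus system domain plus urandom, /etc, syslog and locale access, with no optional_policy block for any peer service; given the daemon's purpose, obex-data-server presumably exchanges D-Bus messages with bluetoothd, so an `optional_policy` wrapping `bluetooth_dbus_chat(obex_t)` is likely needed before this domain is run enforcing — confirm against AVC denials. A short header comment stating the intended scope would help the next maintainer, e.g. `# obex-data-server: minimal first cut, extend from audit logs`. Separately, obex.fc carries two leading and one trailing blank line, which is unusual for refpolicy .fc files.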
@@ -52041,10 +52342,6 @@ index 1e7169d..a8b2f63 100644 -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; +allow policykit_t self:capability { dac_override dac_read_search setgid setuid }; -+tunable_policy(`deny_ptrace',`',` -+ allow policykit_t self:capability sys_ptrace; -+') -+ +allow policykit_t self:process { getsched signal }; allow policykit_t self:unix_dgram_socket create_socket_perms; -allow policykit_t self:unix_stream_socket create_stream_socket_perms; @@ -52060,7 +52357,7 @@ index 1e7169d..a8b2f63 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +82,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +78,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -52180,7 +52477,7 @@ index 1e7169d..a8b2f63 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +195,21 @@ optional_policy(` +@@ -118,14 +191,21 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -52204,7 +52501,7 @@ index 1e7169d..a8b2f63 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -145,19 +229,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t +@@ -145,19 +225,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t files_read_etc_files(policykit_grant_t) files_read_usr_files(policykit_grant_t) @@ -52229,7 +52526,7 @@ index 1e7169d..a8b2f63 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +250,8 @@ optional_policy(` +@@ -167,9 +246,8 @@ optional_policy(` # polkit_resolve local policy # 
@@ -52241,7 +52538,7 @@ index 1e7169d..a8b2f63 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -185,13 +267,9 @@ corecmd_search_bin(policykit_resolve_t) +@@ -185,14 +263,8 @@ corecmd_search_bin(policykit_resolve_t) files_read_etc_files(policykit_resolve_t) files_read_usr_files(policykit_resolve_t) @@ -52252,11 +52549,11 @@ index 1e7169d..a8b2f63 100644 -logging_send_syslog_msg(policykit_resolve_t) - -miscfiles_read_localization(policykit_resolve_t) -+mcs_ptrace_all(policykit_resolve_t) - +- userdom_read_all_users_state(policykit_resolve_t) -@@ -207,4 +285,3 @@ optional_policy(` + optional_policy(` +@@ -207,4 +279,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -52480,10 +52777,10 @@ index 0000000..7dc2c0c +') diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te new file mode 100644 -index 0000000..d958b53 +index 0000000..87e8372 --- /dev/null +++ b/policy/modules/services/polipo.te -@@ -0,0 +1,149 @@ +@@ -0,0 +1,160 @@ +policy_module(polipo, 1.0.0) + +######################################## @@ -52532,6 +52829,13 @@ index 0000000..d958b53 +## +gen_tunable(polipo_session_send_syslog_msg, false) + ++## ++##

++## Allow polipo to connect to all ports > 1023 ++##

++##
++gen_tunable(polipo_connect_all_unreserved, false) ++ +attribute polipo_daemon; + +type polipo_t, polipo_daemon; @@ -52603,6 +52907,10 @@ index 0000000..d958b53 + +logging_send_syslog_msg(polipo_t) + ++tunable_policy(`polipo_connect_all_unreserved',` ++ corenet_tcp_connect_all_unreserved_ports(polipo_t) ++') ++ +tunable_policy(`polipo_use_cifs',` + fs_manage_cifs_files(polipo_t) +') @@ -56276,7 +56584,7 @@ index 5a9630c..bedca3a 100644 + manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t) ') diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te -index cb7ecb5..08d19e6 100644 +index cb7ecb5..2b3f6f9 100644 --- a/policy/modules/services/qpid.te +++ b/policy/modules/services/qpid.te @@ -12,12 +12,15 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -56297,7 +56605,7 @@ index cb7ecb5..08d19e6 100644 ######################################## # # qpidd local policy -@@ -30,27 +33,34 @@ allow qpidd_t self:shm create_shm_perms; +@@ -30,27 +33,35 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket create_stream_socket_perms; allow qpidd_t self:unix_stream_socket create_stream_socket_perms; @@ -56328,6 +56636,7 @@ index cb7ecb5..08d19e6 100644 -corenet_tcp_bind_generic_node(qpidd_t) corenet_tcp_bind_amqp_port(qpidd_t) +corenet_tcp_bind_matahari_port(qpidd_t) ++corenet_tcp_connect_amqp_port(qpidd_t) +dev_read_sysfs(qpidd_t) dev_read_urand(qpidd_t) @@ -56337,7 +56646,7 @@ index cb7ecb5..08d19e6 100644 logging_send_syslog_msg(qpidd_t) -@@ -61,3 +71,8 @@ sysnet_dns_name_resolve(qpidd_t) +@@ -61,3 +72,8 @@ sysnet_dns_name_resolve(qpidd_t) optional_policy(` corosync_stream_connect(qpidd_t) ') @@ -57096,7 +57405,7 @@ index 7dc38d1..808f9c6 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..d3d5f2b 100644 +index 00fa514..4a9758b 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te 
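Review bot: The summary of the new `polipo_connect_all_unreserved` boolean says "all ports > 1023", but `corenet_tcp_connect_all_unreserved_ports` only covers unreserved_port_t, i.e. high ports that carry no dedicated port type; ports above 1023 that have their own label remain denied. Reword the summary to `## Allow polipo to connect to any port above 1023 that has no dedicated port type` so administrators do not enable it expecting labelled high ports to work. The tunable_policy block applies to polipo_t only; if the file also declares a session domain (the polipo_session_send_syslog_msg tunable suggests one) that proxies client traffic, it presumably needs the same rule — confirm.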
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -57123,18 +57432,17 @@ index 00fa514..d3d5f2b 100644 type rgmanager_tmp_t; files_tmp_file(rgmanager_tmp_t) -@@ -35,9 +37,8 @@ files_pid_file(rgmanager_var_run_t) +@@ -35,9 +37,7 @@ files_pid_file(rgmanager_var_run_t) # allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock }; -dontaudit rgmanager_t self:capability { sys_ptrace }; allow rgmanager_t self:process { setsched signal }; -dontaudit rgmanager_t self:process { ptrace }; -+dontaudit rgmanager_t self:process ptrace; allow rgmanager_t self:fifo_file rw_fifo_file_perms; allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms }; -@@ -55,11 +56,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) +@@ -55,11 +55,14 @@ fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file }) manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) @@ -57150,7 +57458,7 @@ index 00fa514..d3d5f2b 100644 kernel_read_system_state(rgmanager_t) kernel_rw_rpc_sysctls(rgmanager_t) kernel_search_debugfs(rgmanager_t) -@@ -67,7 +71,6 @@ kernel_search_network_state(rgmanager_t) +@@ -67,7 +70,6 @@ kernel_search_network_state(rgmanager_t) corecmd_exec_bin(rgmanager_t) corecmd_exec_shell(rgmanager_t) @@ -57158,9 +57466,11 @@ index 00fa514..d3d5f2b 100644 # need to write to /dev/misc/dlm-control dev_rw_dlm_control(rgmanager_t) -@@ -78,29 +81,35 @@ domain_read_all_domains_state(rgmanager_t) +@@ -76,31 +78,36 @@ dev_search_sysfs(rgmanager_t) + + domain_read_all_domains_state(rgmanager_t) domain_getattr_all_domains(rgmanager_t) - domain_dontaudit_ptrace_all_domains(rgmanager_t) +-domain_dontaudit_ptrace_all_domains(rgmanager_t) -files_list_all(rgmanager_t) +files_create_var_run_dirs(rgmanager_t) 
@@ -57198,7 +57508,7 @@ index 00fa514..d3d5f2b 100644 tunable_policy(`rgmanager_can_network_connect',` corenet_tcp_connect_all_ports(rgmanager_t) -@@ -118,6 +127,14 @@ optional_policy(` +@@ -118,6 +125,14 @@ optional_policy(` ') optional_policy(` @@ -57213,7 +57523,7 @@ index 00fa514..d3d5f2b 100644 fstools_domtrans(rgmanager_t) ') -@@ -140,6 +157,16 @@ optional_policy(` +@@ -140,6 +155,16 @@ optional_policy(` ') optional_policy(` @@ -57230,7 +57540,7 @@ index 00fa514..d3d5f2b 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -165,6 +192,8 @@ optional_policy(` +@@ -165,6 +190,8 @@ optional_policy(` optional_policy(` rpc_initrc_domtrans_nfsd(rgmanager_t) rpc_initrc_domtrans_rpcd(rgmanager_t) @@ -58611,7 +58921,7 @@ index f7826f9..23d579c 100644 + admin_pattern($1, ricci_var_run_t) +') diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te -index 33e72e8..7582159 100644 +index 33e72e8..8e98863 100644 --- a/policy/modules/services/ricci.te +++ b/policy/modules/services/ricci.te @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0) @@ -58783,7 +59093,15 @@ index 33e72e8..7582159 100644 nscd_dontaudit_search_pid(ricci_modservice_t) ') -@@ -444,22 +470,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) +@@ -418,7 +444,6 @@ optional_policy(` + # + + allow ricci_modstorage_t self:process { setsched signal }; +-dontaudit ricci_modstorage_t self:process ptrace; + allow ricci_modstorage_t self:capability { mknod sys_nice }; + allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms; + allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms; +@@ -444,22 +469,22 @@ files_read_etc_runtime_files(ricci_modstorage_t) files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) 
@@ -58813,7 +59131,7 @@ index 33e72e8..7582159 100644 optional_policy(` aisexec_stream_connect(ricci_modstorage_t) corosync_stream_connect(ricci_modstorage_t) -@@ -471,12 +497,24 @@ optional_policy(` +@@ -471,12 +496,24 @@ optional_policy(` ') optional_policy(` @@ -61724,7 +62042,7 @@ index 275f9fb..f1343b7 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..73fdfdc 100644 +index 3d8d1b3..035a27f 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -61776,7 +62094,15 @@ index 3d8d1b3..73fdfdc 100644 corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) -@@ -94,15 +98,19 @@ files_search_home(snmpd_t) +@@ -83,7 +87,6 @@ dev_getattr_usbfs_dirs(snmpd_t) + domain_use_interactive_fds(snmpd_t) + domain_signull_all_domains(snmpd_t) + domain_read_all_domains_state(snmpd_t) +-domain_dontaudit_ptrace_all_domains(snmpd_t) + domain_exec_all_entry_files(snmpd_t) + + files_read_etc_files(snmpd_t) +@@ -94,15 +97,19 @@ files_search_home(snmpd_t) fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) fs_search_auto_mountpoints(snmpd_t) @@ -61797,7 +62123,7 @@ index 3d8d1b3..73fdfdc 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +123,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -63330,10 +63656,10 @@ index 22adaca..6ec295a 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..cf94c2b 100644 +index 2dad3c8..4a63fae 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) +@@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0) # ## 
@@ -63354,13 +63680,6 @@ index 2dad3c8..cf94c2b 100644 +gen_tunable(ssh_sysadm_login, false) + +## -+##

-+## allow sshd to forward port connections -+##

-+##
-+gen_tunable(sshd_forward_ports, false) -+ -+## ##

-## Allow ssh logins as sysadm_r:sysadm_t +## Allow ssh with chroot env to read and write files @@ -63384,7 +63703,7 @@ index 2dad3c8..cf94c2b 100644 type sshd_exec_t; corecmd_executable_file(sshd_exec_t) -@@ -33,17 +51,12 @@ corecmd_executable_file(sshd_exec_t) +@@ -33,17 +44,12 @@ corecmd_executable_file(sshd_exec_t) ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -63405,7 +63724,7 @@ index 2dad3c8..cf94c2b 100644 type ssh_t; type ssh_exec_t; typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; -@@ -76,8 +89,12 @@ ubac_constrained(ssh_tmpfs_t) +@@ -76,8 +82,12 @@ ubac_constrained(ssh_tmpfs_t) type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; @@ -63419,7 +63738,7 @@ index 2dad3c8..cf94c2b 100644 ############################## # -@@ -88,6 +105,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -88,6 +98,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -63427,7 +63746,7 @@ index 2dad3c8..cf94c2b 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -95,15 +113,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -95,15 +106,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; 
@@ -63444,7 +63763,7 @@ index 2dad3c8..cf94c2b 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,20 +127,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -113,20 +120,26 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) @@ -63474,7 +63793,7 @@ index 2dad3c8..cf94c2b 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,7 +158,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,7 +151,11 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -63486,7 +63805,7 @@ index 2dad3c8..cf94c2b 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -162,31 +186,24 @@ logging_read_generic_logs(ssh_t) +@@ -162,31 +179,24 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -63527,7 +63846,7 @@ index 2dad3c8..cf94c2b 100644 ') # for port forwarding -@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',` +@@ -196,10 +206,15 @@ tunable_policy(`user_tcp_server',` ') optional_policy(` @@ -63543,7 +63862,7 @@ index 2dad3c8..cf94c2b 100644 ############################## # # ssh_keysign_t local policy -@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,19 +224,14 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; 
@@ -63565,7 +63884,7 @@ index 2dad3c8..cf94c2b 100644 ################################# # # sshd local policy -@@ -232,33 +249,44 @@ optional_policy(` +@@ -232,33 +242,39 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -63596,11 +63915,6 @@ index 2dad3c8..cf94c2b 100644 +userdom_signal_unpriv_users(sshd_t) +userdom_dyntransition_unpriv_users(sshd_t) + -+tunable_policy(`sshd_forward_ports',` -+ corenet_tcp_bind_all_unreserved_ports(sshd_t) -+ corenet_tcp_connect_all_ports(sshd_t) -+') -+ tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to @@ -63619,7 +63933,7 @@ index 2dad3c8..cf94c2b 100644 ') optional_policy(` -@@ -266,11 +294,24 @@ optional_policy(` +@@ -266,11 +282,24 @@ optional_policy(` ') optional_policy(` @@ -63645,7 +63959,7 @@ index 2dad3c8..cf94c2b 100644 ') optional_policy(` -@@ -284,6 +325,15 @@ optional_policy(` +@@ -284,6 +313,15 @@ optional_policy(` ') optional_policy(` @@ -63661,7 +63975,7 @@ index 2dad3c8..cf94c2b 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +342,26 @@ optional_policy(` +@@ -292,26 +330,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -63707,7 +64021,7 @@ index 2dad3c8..cf94c2b 100644 ') dnl endif TODO ######################################## -@@ -322,19 +372,26 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +360,26 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -63735,7 +64049,7 @@ index 2dad3c8..cf94c2b 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,9 +408,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,9 +396,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) 
@@ -63749,7 +64063,7 @@ index 2dad3c8..cf94c2b 100644 ') optional_policy(` -@@ -363,3 +422,77 @@ optional_policy(` +@@ -363,3 +410,77 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -64599,7 +64913,7 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te -index db9d2a5..1aebd23 100644 +index db9d2a5..7f1a022 100644 --- a/policy/modules/services/tuned.te +++ b/policy/modules/services/tuned.te @@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t) @@ -64619,7 +64933,16 @@ index db9d2a5..1aebd23 100644 # to allow cpu tuning dev_rw_netcontrol(tuned_t) -@@ -58,6 +59,10 @@ optional_policy(` +@@ -47,6 +48,8 @@ files_read_etc_files(tuned_t) + files_read_usr_files(tuned_t) + files_dontaudit_search_home(tuned_t) + ++auth_use_nsswitch(tuned_t) ++ + logging_send_syslog_msg(tuned_t) + + miscfiles_read_localization(tuned_t) +@@ -58,6 +61,10 @@ optional_policy(` fstools_domtrans(tuned_t) ') @@ -68682,7 +69005,7 @@ index 130ced9..51e7627 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..a3e787d 100644 +index 143c893..163158e 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
@@ -68996,17 +69319,13 @@ index 143c893..a3e787d 100644 ') optional_policy(` -@@ -305,19 +396,40 @@ optional_policy(` +@@ -305,19 +396,36 @@ optional_policy(` # allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; + +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; -+tunable_policy(`deny_ptrace',`',` -+ allow xdm_t self:process ptrace; -+') -+ allow xdm_t self:fifo_file rw_fifo_file_perms; allow xdm_t self:shm create_shm_perms; allow xdm_t self:sem create_sem_perms; @@ -69040,7 +69359,7 @@ index 143c893..a3e787d 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +437,63 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +433,63 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -69110,7 +69429,7 @@ index 143c893..a3e787d 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +502,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +498,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -69138,7 +69457,7 @@ index 143c893..a3e787d 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +533,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +529,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) 
@@ -69186,13 +69505,12 @@ index 143c893..a3e787d 100644 domain_use_interactive_fds(xdm_t) # Do not audit denied probes of /proc. domain_dontaudit_read_all_domains_state(xdm_t) -+domain_dontaudit_ptrace_all_domains(xdm_t) +domain_dontaudit_signal_all_domains(xdm_t) +domain_dontaudit_getattr_all_entry_files(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +586,25 @@ files_list_mnt(xdm_t) +@@ -435,9 +581,25 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -69218,7 +69536,7 @@ index 143c893..a3e787d 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +613,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +608,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -69258,7 +69576,7 @@ index 143c893..a3e787d 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,24 +652,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,24 +647,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -69308,7 +69626,7 @@ index 143c893..a3e787d 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +702,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +697,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -69330,7 +69648,7 @@ index 143c893..a3e787d 100644 ') optional_policy(` -@@ -519,12 +724,63 @@ optional_policy(` +@@ -519,12 +719,63 @@ optional_policy(` ') optional_policy(` 
@@ -69394,7 +69712,7 @@ index 143c893..a3e787d 100644 hostname_exec(xdm_t) ') -@@ -542,28 +798,69 @@ optional_policy(` +@@ -542,28 +793,69 @@ optional_policy(` ') optional_policy(` @@ -69473,7 +69791,7 @@ index 143c893..a3e787d 100644 ') optional_policy(` -@@ -575,6 +872,14 @@ optional_policy(` +@@ -575,6 +867,14 @@ optional_policy(` ') optional_policy(` @@ -69488,7 +69806,7 @@ index 143c893..a3e787d 100644 xfs_stream_connect(xdm_t) ') -@@ -600,6 +905,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -600,6 +900,7 @@ allow xserver_t input_xevent_t:x_event send; # NVIDIA Needs execstack allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; @@ -69496,7 +69814,7 @@ index 143c893..a3e787d 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -69512,7 +69830,7 @@ index 143c893..a3e787d 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -69534,7 +69852,7 @@ index 143c893..a3e787d 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -69542,7 +69860,7 @@ index 143c893..a3e787d 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,21 +993,28 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +988,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -69573,7 +69891,7 @@ index 143c893..a3e787d 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1020,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -69587,7 +69905,7 @@ index 143c893..a3e787d 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1044,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1039,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -69596,7 +69914,7 @@ index 143c893..a3e787d 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1051,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1046,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -69611,7 +69929,7 @@ index 143c893..a3e787d 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1110,40 @@ optional_policy(` +@@ -778,16 +1105,40 @@ optional_policy(` ') optional_policy(` @@ -69653,7 +69971,7 @@ index 143c893..a3e787d 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1152,10 @@ optional_policy(` +@@ -796,6 +1147,10 @@ optional_policy(` ') optional_policy(` 
@@ -69664,7 +69982,7 @@ index 143c893..a3e787d 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1166,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -69678,7 +69996,7 @@ index 143c893..a3e787d 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1177,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -69687,7 +70005,7 @@ index 143c893..a3e787d 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,26 +1195,21 @@ init_use_fds(xserver_t) +@@ -835,26 +1190,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -69722,7 +70040,7 @@ index 143c893..a3e787d 100644 ') optional_policy(` -@@ -862,6 +1217,10 @@ optional_policy(` +@@ -862,6 +1212,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -69733,7 +70051,7 @@ index 143c893..a3e787d 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1259,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -69742,7 +70060,7 @@ index 143c893..a3e787d 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1318,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1313,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -69774,7 +70092,7 @@ index 143c893..a3e787d 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1364,31 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1359,31 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -69914,7 +70232,7 @@ index c9981d1..75a7d17 100644 init_labeled_script_domtrans($1, zabbix_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te -index 7f88f5f..4d704e8 100644 +index 7f88f5f..7d8a06e 100644 --- a/policy/modules/services/zabbix.te +++ b/policy/modules/services/zabbix.te @@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1) @@ -69972,7 +70290,7 @@ index 7f88f5f..4d704e8 100644 # shared memory rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file) -@@ -58,25 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) 
@@ -69984,8 +70302,10 @@ index 7f88f5f..4d704e8 100644 + corenet_tcp_bind_generic_node(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) -+#needed by zabbix-server-mysql ++# needed by zabbix-server-mysql +corenet_tcp_connect_http_port(zabbix_t) ++# to monitor ftp urls ++corenet_tcp_connect_ftp_port(zabbix_t) + +dev_read_urand(zabbix_t) @@ -70001,8 +70321,8 @@ index 7f88f5f..4d704e8 100644 zabbix_agent_tcp_connect(zabbix_t) +tunable_policy(`zabbix_can_network',` -+ corenet_tcp_connect_all_unreserved_ports(zabbix_t) -+ corenet_tcp_connect_all_ephemeral_ports(zabbix_t) ++ corenet_tcp_connect_all_unreserved_ports(zabbix_t) ++ corenet_tcp_connect_all_ephemeral_ports(zabbix_t) +') + optional_policy(` @@ -70028,7 +70348,7 @@ index 7f88f5f..4d704e8 100644 ######################################## # # zabbix agent local policy -@@ -134,3 +179,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) +@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t) # Network access to zabbix server zabbix_tcp_connect(zabbix_agent_t) @@ -73194,7 +73514,7 @@ index 94fd8dd..5a52670 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..2a26b46 100644 +index 29a9565..26fe806 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -73634,7 +73954,7 @@ index 29a9565..2a26b46 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +520,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,17 +520,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
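Review bot: `corenet_tcp_connect_ftp_port(zabbix_t)` is granted unconditionally, while the broader outbound connect rights a few lines further down stay behind the `zabbix_can_network` tunable, so the default profile now always allows the server to reach port 21. If FTP URL monitoring is an optional feature it should sit inside the `tunable_policy(`zabbix_can_network',`` block; if it is meant to be always-on, the new comment should say so, e.g. `# to monitor ftp urls (unconditional, not covered by zabbix_can_network)`. The enclosing zabbix_t section continues outside this hunk.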
@@ -73650,7 +73970,11 @@ index 29a9565..2a26b46 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +538,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +-domain_dontaudit_ptrace_all_domains(initrc_t) + domain_getsession_all_domains(initrc_t) + domain_use_interactive_fds(initrc_t) + # for lsof which is used by alsa shutdown: +@@ -316,6 +537,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -73658,7 +73982,7 @@ index 29a9565..2a26b46 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +546,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +545,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -73670,7 +73994,7 @@ index 29a9565..2a26b46 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +565,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +564,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -73684,7 +74008,7 @@ index 29a9565..2a26b46 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,8 +580,12 @@ fs_mount_all_fs(initrc_t) +@@ -351,9 +579,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -73692,12 +74016,13 @@ index 29a9565..2a26b46 100644 +fs_getattr_nfsd_files(initrc_t) # initrc_t needs to do a pidof which requires ptrace +-mcs_ptrace_all(initrc_t) +mcs_file_read_all(initrc_t) +mcs_file_write_all(initrc_t) - mcs_ptrace_all(initrc_t) mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -363,6 +596,7 @@ mls_process_read_up(initrc_t) + +@@ -363,6 +594,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -73705,7 +74030,7 @@ index 29a9565..2a26b46 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +608,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +606,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -73713,7 +74038,7 @@ index 29a9565..2a26b46 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +629,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +627,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -73735,7 +74060,7 @@ index 29a9565..2a26b46 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +692,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +690,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -73746,7 +74071,7 @@ index 29a9565..2a26b46 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +716,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +714,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -73755,7 +74080,7 @@ index 29a9565..2a26b46 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +731,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +729,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
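Review bot: The comment `# initrc_t needs to do a pidof which requires ptrace` is now stale: this hunk drops `mcs_ptrace_all(initrc_t)` but keeps the comment, so it ends up heading `mcs_file_read_all(initrc_t)` / `mcs_file_write_all(initrc_t)`, which have nothing to do with ptrace. Either remove the comment together with the rule or reword it to describe what the remaining lines grant, e.g. `# initrc_t reads/writes files at all MCS categories`. The commit message says the ptrace rules are believed to stem from kernel/ps AVCs, so a one-line pointer to that reasoning here would also help the next reader understand why pidof no longer needs the override.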
@@ -73763,7 +74088,7 @@ index 29a9565..2a26b46 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +761,35 @@ ifdef(`distro_redhat',` +@@ -522,8 +759,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -73799,7 +74124,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -531,10 +797,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +795,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -73822,7 +74147,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -549,6 +827,39 @@ ifdef(`distro_suse',` +@@ -549,6 +825,39 @@ ifdef(`distro_suse',` ') ') @@ -73862,7 +74187,7 @@ index 29a9565..2a26b46 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +872,8 @@ optional_policy(` +@@ -561,6 +870,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -73871,7 +74196,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -577,6 +890,7 @@ optional_policy(` +@@ -577,6 +888,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -73879,7 +74204,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -589,6 +903,17 @@ optional_policy(` +@@ -589,6 +901,17 @@ optional_policy(` ') optional_policy(` @@ -73897,7 +74222,7 @@ index 29a9565..2a26b46 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +930,13 @@ optional_policy(` +@@ -605,9 +928,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -73911,7 +74236,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -632,6 +961,10 @@ optional_policy(` +@@ -632,6 +959,10 @@ optional_policy(` ') optional_policy(` @@ -73922,7 +74247,7 @@ index 29a9565..2a26b46 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +982,11 @@ optional_policy(` +@@ -649,6 +980,11 @@ optional_policy(` ') optional_policy(` 
@@ -73934,7 +74259,7 @@ index 29a9565..2a26b46 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1027,7 @@ optional_policy(` +@@ -689,6 +1025,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -73942,7 +74267,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -706,7 +1045,13 @@ optional_policy(` +@@ -706,7 +1043,13 @@ optional_policy(` ') optional_policy(` @@ -73956,7 +74281,7 @@ index 29a9565..2a26b46 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1074,10 @@ optional_policy(` +@@ -729,6 +1072,10 @@ optional_policy(` ') optional_policy(` @@ -73967,7 +74292,7 @@ index 29a9565..2a26b46 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1087,20 @@ optional_policy(` +@@ -738,10 +1085,20 @@ optional_policy(` ') optional_policy(` @@ -73988,7 +74313,7 @@ index 29a9565..2a26b46 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1109,10 @@ optional_policy(` +@@ -750,6 +1107,10 @@ optional_policy(` ') optional_policy(` @@ -73999,7 +74324,7 @@ index 29a9565..2a26b46 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1134,6 @@ optional_policy(` +@@ -771,8 +1132,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -74008,7 +74333,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -781,6 +1142,10 @@ optional_policy(` +@@ -781,6 +1140,10 @@ optional_policy(` ') optional_policy(` @@ -74019,7 +74344,7 @@ index 29a9565..2a26b46 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -790,10 +1155,12 @@ optional_policy(` +@@ -790,10 +1153,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -74032,7 +74357,7 @@ index 29a9565..2a26b46 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1172,6 @@ optional_policy(` +@@ -805,7 +1170,6 @@ optional_policy(` ') optional_policy(` 
@@ -74040,7 +74365,7 @@ index 29a9565..2a26b46 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1181,26 @@ optional_policy(` +@@ -815,11 +1179,25 @@ optional_policy(` ') optional_policy(` @@ -74062,13 +74387,12 @@ index 29a9565..2a26b46 100644 + mcs_file_write_all(initrc_t) + mcs_socket_write_all_levels(initrc_t) + mcs_killall(initrc_t) -+ mcs_ptrace_all(initrc_t) + + files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1210,18 @@ optional_policy(` +@@ -829,6 +1207,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -74087,7 +74411,7 @@ index 29a9565..2a26b46 100644 ') optional_policy(` -@@ -844,6 +1237,10 @@ optional_policy(` +@@ -844,6 +1234,10 @@ optional_policy(` ') optional_policy(` @@ -74098,7 +74422,7 @@ index 29a9565..2a26b46 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1251,161 @@ optional_policy(` +@@ -854,3 +1248,161 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -75316,7 +75640,7 @@ index 808ba93..4ff705d 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index e5836d3..eae9427 100644 +index e5836d3..cc8dabb 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; 
@@ -75328,7 +75652,14 @@ index e5836d3..eae9427 100644 files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -79,6 +79,7 @@ corecmd_search_bin(ldconfig_t) +@@ -75,10 +75,14 @@ kernel_read_system_state(ldconfig_t) + + fs_getattr_xattr_fs(ldconfig_t) + ++files_list_var_lib(ldconfig_t) ++files_manage_var_lib_symlinks(ldconfig_t) ++ + corecmd_search_bin(ldconfig_t) domain_use_interactive_fds(ldconfig_t) @@ -75336,7 +75667,7 @@ index e5836d3..eae9427 100644 files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) -@@ -94,7 +95,8 @@ miscfiles_read_localization(ldconfig_t) +@@ -94,7 +98,8 @@ miscfiles_read_localization(ldconfig_t) logging_send_syslog_msg(ldconfig_t) @@ -75346,7 +75677,7 @@ index e5836d3..eae9427 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +105,12 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +108,12 @@ ifdef(`distro_ubuntu',` ') ') @@ -75359,7 +75690,7 @@ index e5836d3..eae9427 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +122,9 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +125,9 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -75369,7 +75700,7 @@ index e5836d3..eae9427 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +142,10 @@ optional_policy(` +@@ -131,6 +145,10 @@ optional_policy(` ') optional_policy(` @@ -75380,7 +75711,7 @@ index e5836d3..eae9427 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +156,3 @@ optional_policy(` +@@ -141,6 +159,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -75944,10 +76275,10 @@ index 831b909..118f708 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..dc551f4 100644 +index b6ec597..709fc74 100644 --- a/policy/modules/system/logging.te 
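Review bot: `files_manage_var_lib_symlinks(ldconfig_t)` lets ldconfig create, delete and rename every symlink labeled var_lib_t, not only the ones it owns, and the hunk carries no comment saying which path or package needs it. A why-comment above the new pair would make the scope reviewable later, e.g. `# ldconfig manages symlinks under /var/lib (TODO: name the package/path that requires this)`. The neighbouring `files_search_var_lib(ldconfig_t)` context line also becomes redundant once `files_list_var_lib(ldconfig_t)` is granted, since listing implies search.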
+++ b/policy/modules/system/logging.te -@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2) +@@ -5,6 +5,20 @@ policy_module(logging, 1.17.2) # Declarations # @@ -75958,10 +76289,17 @@ index b6ec597..dc551f4 100644 +## +gen_tunable(logging_syslogd_can_sendmail, false) + ++## ++##

++## Allow syslogd the ability to read/write terminals ++##

++##
++gen_tunable(logging_syslogd_use_tty, false) ++ attribute logfile; type auditctl_t; -@@ -20,6 +27,7 @@ files_security_file(auditd_log_t) +@@ -20,6 +34,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; @@ -75969,7 +76307,7 @@ index b6ec597..dc551f4 100644 files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) -@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t) +@@ -64,6 +79,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -75977,7 +76315,7 @@ index b6ec597..dc551f4 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +127,7 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -75986,7 +76324,7 @@ index b6ec597..dc551f4 100644 init_dontaudit_use_fds(auditctl_t) -@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +199,19 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -76007,7 +76345,7 @@ index b6ec597..dc551f4 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t) +@@ -237,10 +256,17 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -76025,7 +76363,7 @@ index b6ec597..dc551f4 100644 logging_send_syslog_msg(audisp_t) -@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t) +@@ -250,6 +276,10 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -76036,7 +76374,7 @@ index b6ec597..dc551f4 100644 ') ######################################## -@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,11 +310,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) 
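Review bot: The description for the new `logging_syslogd_use_tty` tunable says only "read/write terminals", but the `tunable_policy` block in the `@@ -76096,10 +76434,15 @@` hunk backs it with `term_use_all_ttys(syslogd_t)` / `term_use_all_ptys(syslogd_t)`, which grant read as well as write on every tty and pty node, i.e. on every interactive session's terminal. The description should state the use case and that scope so an administrator knows what enabling it really does, e.g. `## Allow syslogd to read and write all ttys and ptys (e.g. to deliver messages to logged-in users). Off by default: it also lets syslogd read from every session's terminal.` If only writing messages is required, the write-only terminal interfaces — the file already uses `term_write_unallocated_ttys(syslogd_t)` for that — would be the narrower choice for the tunable body.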
@@ -76057,7 +76395,7 @@ index b6ec597..dc551f4 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -354,11 +386,12 @@ optional_policy(` +@@ -354,11 +393,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -76072,7 +76410,7 @@ index b6ec597..dc551f4 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -376,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -76080,7 +76418,7 @@ index b6ec597..dc551f4 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -385,9 +426,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -76096,10 +76434,15 @@ index b6ec597..dc551f4 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -426,10 +466,22 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -426,10 +473,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) ++tunable_policy(`logging_syslogd_use_tty',` ++ term_use_all_ttys(syslogd_t) ++ term_use_all_ptys(syslogd_t) ++') ++ +tunable_policy(`logging_syslogd_can_sendmail',` + # support for ommail module to send logs via mail + corenet_tcp_connect_smtp_port(syslogd_t) 
@@ -76119,7 +76462,7 @@ index b6ec597..dc551f4 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -447,7 +499,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and +@@ -447,7 +511,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -76129,7 +76472,7 @@ index b6ec597..dc551f4 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -459,6 +513,7 @@ init_use_fds(syslogd_t) +@@ -459,6 +525,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -76137,7 +76480,7 @@ index b6ec597..dc551f4 100644 miscfiles_read_localization(syslogd_t) -@@ -496,11 +551,20 @@ optional_policy(` +@@ -496,11 +563,20 @@ optional_policy(` ') optional_policy(` @@ -76365,7 +76708,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..653277a 100644 +index a0a0ebf..c5c9312 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) 
@@ -76387,7 +76730,14 @@ index a0a0ebf..653277a 100644 type lvm_lock_t; files_lock_file(lvm_lock_t) -@@ -56,6 +59,10 @@ allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; +@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t) + allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; + dontaudit clvmd_t self:capability sys_tty_config; + allow clvmd_t self:process { signal_perms setsched }; +-dontaudit clvmd_t self:process ptrace; + allow clvmd_t self:socket create_socket_perms; + allow clvmd_t self:fifo_file rw_fifo_file_perms; + allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; @@ -76398,7 +76748,7 @@ index a0a0ebf..653277a 100644 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) -@@ -141,6 +148,11 @@ ifdef(`distro_redhat',` +@@ -141,6 +147,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -76410,7 +76760,7 @@ index a0a0ebf..653277a 100644 ccs_stream_connect(clvmd_t) ') -@@ -167,9 +179,10 @@ optional_policy(` +@@ -167,9 +178,10 @@ optional_policy(` # net_admin for multipath allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; dontaudit lvm_t self:capability sys_tty_config; @@ -76422,7 +76772,7 @@ index a0a0ebf..653277a 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -191,8 +204,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files 
@@ -76433,7 +76783,7 @@ index a0a0ebf..653277a 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -200,8 +214,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -200,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -76444,7 +76794,7 @@ index a0a0ebf..653277a 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -213,11 +228,13 @@ files_search_mnt(lvm_t) +@@ -213,11 +227,13 @@ files_search_mnt(lvm_t) kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) @@ -76458,7 +76808,7 @@ index a0a0ebf..653277a 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -228,11 +245,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -228,11 +244,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -76473,7 +76823,7 @@ index a0a0ebf..653277a 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -244,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -76481,7 +76831,7 @@ index a0a0ebf..653277a 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,17 +273,21 @@ files_read_etc_files(lvm_t) +@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) 
@@ -76504,7 +76854,7 @@ index a0a0ebf..653277a 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -283,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -76513,7 +76863,7 @@ index a0a0ebf..653277a 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -292,6 +316,8 @@ init_read_script_state(lvm_t) +@@ -292,6 +315,8 @@ init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -76522,7 +76872,7 @@ index a0a0ebf..653277a 100644 miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) -@@ -299,7 +325,10 @@ seutil_read_file_contexts(lvm_t) +@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -76533,7 +76883,7 @@ index a0a0ebf..653277a 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -311,6 +340,11 @@ ifdef(`distro_redhat',` +@@ -311,6 +339,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -76545,7 +76895,7 @@ index a0a0ebf..653277a 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -331,14 +365,27 @@ optional_policy(` +@@ -331,14 +364,27 @@ optional_policy(` ') optional_policy(` @@ -77310,7 +77660,7 @@ index 8b5c196..da41726 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..aa18423 100644 +index 15832c7..5c5ecf6 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,17 +17,29 @@ type mount_exec_t; 
@@ -77348,24 +77698,20 @@ index 15832c7..aa18423 100644 ######################################## # -@@ -35,7 +47,15 @@ application_domain(unconfined_mount_t, mount_exec_t) +@@ -35,7 +47,11 @@ application_domain(unconfined_mount_t, mount_exec_t) # # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; +allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; +allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; -+tunable_policy(`deny_ptrace',`',` -+ allow mount_t self:process ptrace; -+') -+ +allow mount_t self:fifo_file rw_fifo_file_perms; +allow mount_t self:unix_stream_socket create_stream_socket_perms; +allow mount_t self:unix_dgram_socket create_socket_perms; allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,9 +66,24 @@ can_exec(mount_t, mount_exec_t) +@@ -46,9 +62,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -77391,7 +77737,7 @@ index 15832c7..aa18423 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,65 +92,94 @@ kernel_request_load_module(mount_t) +@@ -57,65 +88,94 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -77495,7 +77841,7 @@ index 15832c7..aa18423 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +190,8 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +186,8 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -77504,7 +77850,7 @@ index 15832c7..aa18423 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +207,28 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +203,28 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -77543,7 +77889,7 @@ index 15832c7..aa18423 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +242,8 @@ optional_policy(` +@@ -174,6 +238,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -77552,7 +77898,7 @@ index 15832c7..aa18423 100644 ') optional_policy(` -@@ -181,6 +251,28 @@ optional_policy(` +@@ -181,6 +247,28 @@ optional_policy(` ') optional_policy(` @@ -77581,7 +77927,7 @@ index 15832c7..aa18423 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,21 +280,88 @@ optional_policy(` +@@ -188,21 +276,88 @@ optional_policy(` ') ') @@ -77625,20 +77971,20 @@ index 15832c7..aa18423 100644 +optional_policy(` + ssh_exec(mount_t) +') -+ -+optional_policy(` + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) + usbmuxd_stream_connect(mount_t) -+') + ') + +optional_policy(` + userhelper_exec_console(mount_t) +') - - optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) ++ ++optional_policy(` + virt_read_blk_images(mount_t) - ') ++') + +optional_policy(` + vmware_exec_host(mount_t) @@ -77716,10 +78062,10 @@ index 9cf0e56..2b5260a 100644 /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0) diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te -index 4d06ae3..e81b7ac 100644 +index 4d06ae3..3f7c716 100644 --- a/policy/modules/system/pcmcia.te +++ b/policy/modules/system/pcmcia.te -@@ -62,9 +62,8 @@ dev_read_urand(cardmgr_t) +@@ -62,9 +62,7 @@ dev_read_urand(cardmgr_t) domain_use_interactive_fds(cardmgr_t) # Read /proc/PID directories for all domains (for fuser). 
@@ -77727,11 +78073,10 @@ index 4d06ae3..e81b7ac 100644 -domain_getattr_confined_domains(cardmgr_t) -domain_dontaudit_ptrace_confined_domains(cardmgr_t) +domain_read_all_domains_state(cardmgr_t) -+domain_dontaudit_ptrace_all_domains(cardmgr_t) # cjp: these look excessive: domain_dontaudit_getattr_all_pipes(cardmgr_t) domain_dontaudit_getattr_all_sockets(cardmgr_t) -@@ -98,18 +97,20 @@ logging_send_syslog_msg(cardmgr_t) +@@ -98,18 +96,20 @@ logging_send_syslog_msg(cardmgr_t) miscfiles_read_localization(cardmgr_t) @@ -78849,16 +79194,17 @@ index 7ed9819..ac8b214 100644 + unconfined_domain(setfiles_mac_t) ') diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc -index bea4629..427e5f6 100644 +index bea4629..06e2834 100644 --- a/policy/modules/system/setrans.fc +++ b/policy/modules/system/setrans.fc -@@ -2,4 +2,6 @@ +@@ -2,4 +2,7 @@ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) +/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0) + /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) ++/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 1447687..cdc0223 100644 --- a/policy/modules/system/setrans.te @@ -79190,7 +79536,7 @@ index ff80d0a..22c9f0d 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..58f8e6e 100644 +index 34d0ec5..9291d3a 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) 
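Review bot: The new `/var/run/mcstransd\.pid` entry in setrans.fc carries no file-type qualifier, while the `/sbin/mcstransd --` lines just above it do; a pid file is a regular file, so `--` would stop a directory or symlink of the same name from picking up the label: `/var/run/mcstransd\.pid -- gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)`. The mls_systemhigh level matches the existing `/var/run/setrans(/.*)?` entry, so the label itself is consistent. The setrans.te diff that follows keeps its index line unchanged in this commit, so presumably the pid-file creation and transition into setrans_var_run_t were already there; that is outside this hunk and worth confirming before calling the F16 back port complete.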
@@ -79217,7 +79563,7 @@ index 34d0ec5..58f8e6e 100644 type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -34,17 +44,20 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) +@@ -34,18 +44,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; @@ -79234,14 +79580,12 @@ index 34d0ec5..58f8e6e 100644 # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms }; +- +allow dhcpc_t self:process { getsched getcap setcap setfscreate signal_perms }; -+tunable_policy(`deny_ptrace',`',` -+ allow dhcpc_t self:process ptrace; -+') - allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -57,8 +70,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) + allow dhcpc_t self:udp_socket create_socket_perms; +@@ -57,8 +66,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -79253,7 +79597,7 @@ index 34d0ec5..58f8e6e 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -66,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) +@@ -66,6 +78,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. @@ -79262,7 +79606,7 @@ index 34d0ec5..58f8e6e 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -91,25 +109,28 @@ corecmd_exec_shell(dhcpc_t) +@@ -91,25 +105,28 @@ corecmd_exec_shell(dhcpc_t) corenet_all_recvfrom_unlabeled(dhcpc_t) corenet_all_recvfrom_netlabel(dhcpc_t) 
@@ -79299,7 +79643,7 @@ index 34d0ec5..58f8e6e 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -129,14 +150,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -129,14 +146,17 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -79319,7 +79663,7 @@ index 34d0ec5..58f8e6e 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -151,7 +175,18 @@ ifdef(`distro_ubuntu',` +@@ -151,7 +171,18 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -79339,7 +79683,7 @@ index 34d0ec5..58f8e6e 100644 ') optional_policy(` -@@ -171,6 +206,8 @@ optional_policy(` +@@ -171,6 +202,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -79348,7 +79692,7 @@ index 34d0ec5..58f8e6e 100644 ') optional_policy(` -@@ -192,17 +229,31 @@ optional_policy(` +@@ -192,17 +225,31 @@ optional_policy(` ') optional_policy(` @@ -79380,7 +79724,7 @@ index 34d0ec5..58f8e6e 100644 ') optional_policy(` -@@ -213,6 +264,11 @@ optional_policy(` +@@ -213,6 +260,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -79392,7 +79736,7 @@ index 34d0ec5..58f8e6e 100644 ') optional_policy(` -@@ -255,6 +311,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +307,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -79400,7 +79744,7 @@ index 34d0ec5..58f8e6e 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +333,12 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +329,12 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) 
@@ -79413,7 +79757,7 @@ index 34d0ec5..58f8e6e 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -290,7 +351,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -290,7 +347,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -79422,7 +79766,7 @@ index 34d0ec5..58f8e6e 100644 init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) -@@ -301,11 +362,11 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +358,11 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -79437,7 +79781,7 @@ index 34d0ec5..58f8e6e 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +375,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +371,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -79456,7 +79800,7 @@ index 34d0ec5..58f8e6e 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +397,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +393,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -79471,7 +79815,7 @@ index 34d0ec5..58f8e6e 100644 ') optional_policy(` -@@ -335,7 +413,15 @@ optional_policy(` +@@ -335,7 +409,15 @@ optional_policy(` ') optional_policy(` @@ -79488,7 +79832,7 @@ index 34d0ec5..58f8e6e 100644 ') optional_policy(` -@@ -356,3 +442,9 @@ optional_policy(` +@@ -356,3 +438,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -80086,7 +80430,7 @@ index 0000000..19ba4e1 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..6677509 +index 0000000..40e1dcc --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,393 @@ 
@@ -80150,7 +80494,7 @@ index 0000000..6677509 +# + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) -+allow systemd_logind_t self:capability { chown dac_override fowner }; ++allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config }; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; @@ -80728,7 +81072,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..fb3d00c 100644 +index d88f7c3..7983cfa 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -80747,7 +81091,7 @@ index d88f7c3..fb3d00c 100644 ifdef(`enable_mcs',` kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) -@@ -36,9 +34,19 @@ ifdef(`enable_mcs',` +@@ -36,9 +34,15 @@ ifdef(`enable_mcs',` # Local policy # @@ -80762,14 +81106,10 @@ index d88f7c3..fb3d00c 100644 +') + +allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; -+tunable_policy(`deny_ptrace',`',` -+ allow udev_t self:process ptrace; -+') -+ allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; allow udev_t self:fifo_file rw_fifo_file_perms; -@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; 
@@ -80777,7 +81117,7 @@ index d88f7c3..fb3d00c 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,31 +71,34 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -62,31 +67,34 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -80819,7 +81159,7 @@ index d88f7c3..fb3d00c 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -97,6 +109,7 @@ corecmd_exec_all_executables(udev_t) +@@ -97,6 +105,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -80827,14 +81167,14 @@ index d88f7c3..fb3d00c 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +118,31 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,23 +114,30 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) +dev_filetrans_all_named_dev(udev_t) domain_read_all_domains_state(udev_t) - domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +-domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) @@ -80855,12 +81195,14 @@ index d88f7c3..fb3d00c 100644 fs_getattr_all_fs(udev_t) fs_list_inotifyfs(udev_t) fs_rw_anon_inodefs_files(udev_t) +- +-mcs_ptrace_all(udev_t) +fs_list_auto_mountpoints(udev_t) +fs_list_hugetlbfs(udev_t) - mcs_ptrace_all(udev_t) - -@@ -143,6 +166,7 @@ auth_use_nsswitch(udev_t) + mls_file_read_all_levels(udev_t) + mls_file_write_all_levels(udev_t) +@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) 
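Review bot: Dropping `mcs_ptrace_all(udev_t)` is not a dontaudit removal like the rest of this commit: it relaxed the MCS constraint on ptrace, so if an allow of `process ptrace` toward other domains still exists for udev_t elsewhere in udev.te (outside this hunk), ptracing a target with a different category set is now refused by the constraint rather than merely logged. Nothing visible grants such a ptrace — the new side keeps `allow udev_t self:process ~{ ptrace ... }`, which excludes even self ptrace — so the rule was presumably dead, but the commit message's own "I believe" wording suggests checking rather than assuming. The `#pidof triggers these` comment leaves with the dontaudit; if pidof's /proc reads really do provoke ptrace access checks in the kernel, those AVCs will now be audited, which is the intended effect and should be watched for in denial reports after the update.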
@@ -80868,7 +81210,7 @@ index d88f7c3..fb3d00c 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -154,6 +178,8 @@ miscfiles_read_hwdata(udev_t) +@@ -154,6 +171,8 @@ miscfiles_read_hwdata(udev_t) modutils_domtrans_insmod(udev_t) # read modules.inputmap: modutils_read_module_deps(udev_t) @@ -80877,7 +81219,7 @@ index d88f7c3..fb3d00c 100644 seutil_read_config(udev_t) seutil_read_default_contexts(udev_t) -@@ -169,6 +195,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +188,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -80886,7 +81228,7 @@ index d88f7c3..fb3d00c 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,8 +214,9 @@ ifdef(`distro_redhat',` +@@ -186,8 +207,9 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -80897,7 +81239,7 @@ index d88f7c3..fb3d00c 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +245,16 @@ optional_policy(` +@@ -216,11 +238,16 @@ optional_policy(` ') optional_policy(` @@ -80914,7 +81256,7 @@ index d88f7c3..fb3d00c 100644 ') optional_policy(` -@@ -230,10 +264,20 @@ optional_policy(` +@@ -230,10 +257,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -80935,7 +81277,7 @@ index d88f7c3..fb3d00c 100644 ') optional_policy(` -@@ -259,6 +303,10 @@ optional_policy(` +@@ -259,6 +296,10 @@ optional_policy(` ') optional_policy(` @@ -80946,7 +81288,7 @@ index d88f7c3..fb3d00c 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +321,11 @@ optional_policy(` +@@ -273,6 +314,11 @@ optional_policy(` ') optional_policy(` 
@@ -80958,7 +81300,7 @@ index d88f7c3..fb3d00c 100644 unconfined_signal(udev_t) ') -@@ -285,6 +338,7 @@ optional_policy(` +@@ -285,6 +331,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -85659,7 +86001,7 @@ index 77d41b6..138efd8 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index 4350ba0..9ab107b 100644 +index 4350ba0..29cee30 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) @@ -85701,7 +86043,7 @@ index 4350ba0..9ab107b 100644 # Do we need to allow execution of qemu-dm? tunable_policy(`xend_run_qemu',` allow qemu_dm_t self:capability sys_resource; -@@ -208,9 +209,13 @@ tunable_policy(`xend_run_qemu',` +@@ -208,10 +209,13 @@ tunable_policy(`xend_run_qemu',` # xend local policy # @@ -85709,15 +86051,24 @@ index 4350ba0..9ab107b 100644 -dontaudit xend_t self:capability { sys_ptrace }; +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; allow xend_t self:process { signal sigkill }; +-dontaudit xend_t self:process ptrace; + +# needed by qemu_dm +allow xend_t self:capability sys_resource; +allow xend_t self:process setrlimit; + - dontaudit xend_t self:process ptrace; # internal communication is often done using fifo and unix sockets. allow xend_t self:fifo_file rw_fifo_file_perms; -@@ -320,13 +325,9 @@ locallogin_dontaudit_use_fds(xend_t) + allow xend_t self:unix_stream_socket create_stream_socket_perms; +@@ -299,7 +303,6 @@ dev_rw_sysfs(xend_t) + dev_rw_xen(xend_t) + + domain_dontaudit_read_all_domains_state(xend_t) +-domain_dontaudit_ptrace_all_domains(xend_t) + + files_read_etc_files(xend_t) + files_read_kernel_symbol_table(xend_t) +@@ -320,13 +323,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) 
@@ -85731,7 +86082,7 @@ index 4350ba0..9ab107b 100644 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) sysnet_domtrans_ifconfig(xend_t) -@@ -339,8 +340,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -339,8 +338,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -85740,7 +86091,7 @@ index 4350ba0..9ab107b 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +348,22 @@ optional_policy(` +@@ -349,6 +346,22 @@ optional_policy(` consoletype_exec(xend_t) ') @@ -85763,7 +86114,16 @@ index 4350ba0..9ab107b 100644 ######################################## # # Xen console local policy -@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -374,8 +387,6 @@ dev_rw_xen(xenconsoled_t) + dev_filetrans_xen(xenconsoled_t) + dev_rw_sysfs(xenconsoled_t) + +-domain_dontaudit_ptrace_all_domains(xenconsoled_t) +- + files_read_etc_files(xenconsoled_t) + files_read_usr_files(xenconsoled_t) + +@@ -413,9 +424,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -85775,7 +86135,7 @@ index 4350ba0..9ab107b 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +454,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -85787,7 +86147,7 @@ index 4350ba0..9ab107b 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +475,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +471,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -85884,7 +86244,7 @@ index 4350ba0..9ab107b 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +490,4 @@ optional_policy(` +@@ -559,8 +486,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 4827ad9..414b53b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 81.2%{?dist} +Release: 82%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,21 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Feb 3 2012 Miroslav Grepl 3.10.0-82 +- Allow gpg and gpg_agent to store sock_file in gpg_secret_t directory +- lxdm startup scripts should be labeled bin_t, so confined users will work +- mcstransd now creates a pid, needs back port to F16 +- qpidd should be allowed to connect to the amqp port +- Label devices 010-029 as usb devices +- ypserv packager says ypserv does not use tmp_t so removing selinux policy types +- Remove all ptrace commands that I believe are caused by the kernel/ps avcs +- Add initial Obex policy +- Add logging_syslogd_use_tty boolean +- Add polipo_connect_all_unreserved bolean +- Allow zabbix to connect to ftp port +- Allow systemd-logind to be able to switch VTs +- Allow apache to communicate with memcached through a sock_file + * Tue Jan 31 2012 Dan Walsh 3.10.0-81.2 - Fix file_context.subs_dist for now to work with pre usrmove