From 34780032471c560e2ad6cc204bd0be803b4e2e78 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Aug 12 2016 13:08:46 +0000 Subject: * Fri Aug 12 2016 Lukas Vrabec 3.13.1-208 - Allow cups_config_t domain also manage sock_files. BZ(1361299) - Add wake_alarm capability to fprintd domain BZ(1362430) - Allow firewalld_t to relabel net_conf_t files. BZ(1365178) - Allow nut_upsmon_t domain to chat with logind via dbus about scheduling a shutdown when UPS battery is low. BZ(1361802) - Allow virtual machines to use dri devices. This allows using OpenCL GPU calculations. BZ(1337333) - Allow crond and cronjob domains to create mail_home_rw_t objects in admin_home_t BZ(1366173) - Dontaudit mock to write to generic certs. - Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t - Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" - Merge pull request #144 from rhatdan/modemmanager - Allow modemmanager to write to systemd inhibit pipes - Label corosync-qnetd and corosync-qdevice as corosync_t domain - Allow ipa_helper to read network state - Label oddjob_request as oddjob_exec_t - Add interface oddjob_run() - Allow modemmanager chat with systemd_logind via dbus - Allow NetworkManager chat with puppetagent via dbus - Allow NetworkManager chat with kdumpctl via dbus - Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. - Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t - Allow rasdaemon to use tracefs filesystem - Fix typo bug in dirsrv policy - Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. - Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t - Allow dirsrv to read dirsrv_share_t content - Allow virtlogd_t to append svirt_image_t files. - Allow hypervkvp domain to read hugetlbfs dir/files.
- Allow mdadm daemon to read nvme_device_t blk files - Allow systemd_resolved to connect on system bus. BZ(1366334) - Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344) - Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625) - label tcp/udp port 853 as dns_port_t. BZ(1365609) - Merge pull request #145 from rhatdan/init - systemd is doing a gettattr on blk and chr devices in /run - Allow selinuxusers and unconfineduser to run oddjob_request - Allow sshd server to acces to Crypto Express 4 (CEX4) devices. - Fix typo in device interfaces - Add interfaces for managing ipmi devices - Add interfaces to allow mounting/umounting tracefs filesystem - Add interfaces to allow rw tracefs filesystem - Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base - Merge pull request #138 from rhatdan/userns - Allow iptables to creating netlink generic sockets. - Fix filecontext for systemd shared lib. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 3a576e9..3ecf0a8 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index a462cc0..87793fe 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5945,7 +5945,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..6c3e760 100644 +index b191055..25a5cfe 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -6082,7 +6082,7 @@ index b191055..6c3e760 100644 network_port(distccd, tcp,3632,s0) -network_port(dns, tcp,53,s0, udp,53,s0) +network_port(dogtag, tcp,7390,s0) -+network_port(dns, udp,53,s0, tcp,53,s0) ++network_port(dns, udp,53,s0, tcp,53,s0, tcp,853,s0, udp,853,s0) +network_port(dnssec, tcp,8955,s0) +network_port(echo, tcp,7,s0, udp,7,s0) network_port(efs, tcp,520,s0) @@ -6595,7 +6595,7 @@ index b31c054..891ace5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..0aef35e 100644 +index 76f285e..4e020f3 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7096,7 +7096,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2043,7 +2285,137 @@ interface(`dev_getattr_framebuffer_dev',` +@@ -2043,7 +2285,180 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # @@ -7129,6 +7129,49 @@ index 76f285e..0aef35e 100644 + +######################################## +## ++## Manage ipmi devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_ipmi_dev',` ++ gen_require(` ++ type device_t, ipmi_device_t; ++ ') ++ ++ manage_chr_files_pattern($1, device_t, ipmi_device_t) ++') ++ ++######################################## ++## ++## Automatic type transition to the type ++## for PCMCIA card manager device nodes when ++## created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`dev_filetrans_ipmi',` ++ gen_require(` ++ type device_t, ipmi_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2) ++') ++ ++######################################## ++## +## Read infiniband devices. +## +## 
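Review bot: The summary block added for `dev_filetrans_ipmi` in the `@@ -7129,6 +7129,49 @@` hunk describes a type transition for "PCMCIA card manager device nodes", which looks copied from a neighbouring interface; the rule it wraps is `filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)`, so the summary should read `## Automatic type transition to the type for IPMI device nodes when created in /dev.` The `dev_manage_ipmi_dev` summary on the same hunk is consistent with its `manage_chr_files_pattern` body and needs no change. Both interfaces sit inside an inner hunk (`@@ -2043,7 +2285,180 @@`) whose remaining lines are outside this hunk.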
@@ -7235,7 +7278,7 @@ index 76f285e..0aef35e 100644 gen_require(` type device_t, framebuf_device_t; ') -@@ -2402,7 +2774,97 @@ interface(`dev_filetrans_lirc',` +@@ -2402,7 +2817,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -7334,7 +7377,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2532,6 +2994,24 @@ interface(`dev_read_raw_memory',` +@@ -2532,6 +3037,24 @@ interface(`dev_read_raw_memory',` ######################################## ## @@ -7359,7 +7402,7 @@ index 76f285e..0aef35e 100644 ## Do not audit attempts to read raw memory devices ## (e.g. /dev/mem). ## -@@ -2573,6 +3053,24 @@ interface(`dev_write_raw_memory',` +@@ -2573,6 +3096,24 @@ interface(`dev_write_raw_memory',` ######################################## ## @@ -7384,7 +7427,7 @@ index 76f285e..0aef35e 100644 ## Read and execute raw memory devices (e.g. /dev/mem). ## ## -@@ -2725,7 +3223,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3266,7 @@ interface(`dev_write_misc',` ## ## ## @@ -7393,7 +7436,7 @@ index 76f285e..0aef35e 100644 ## ## # -@@ -2811,7 +3309,7 @@ interface(`dev_rw_modem',` +@@ -2811,7 +3352,7 @@ interface(`dev_rw_modem',` ######################################## ## @@ -7402,7 +7445,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2819,17 +3317,17 @@ interface(`dev_rw_modem',` +@@ -2819,17 +3360,17 @@ interface(`dev_rw_modem',` ## ## # @@ -7424,7 +7467,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2837,17 +3335,17 @@ interface(`dev_getattr_mouse_dev',` +@@ -2837,17 +3378,17 @@ interface(`dev_getattr_mouse_dev',` ## ## # @@ -7446,7 +7489,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2855,17 +3353,17 @@ interface(`dev_setattr_mouse_dev',` +@@ -2855,12 +3396,84 @@ interface(`dev_setattr_mouse_dev',` ## ## # 
@@ -7459,94 +7502,29 @@ index 76f285e..0aef35e 100644 - read_chr_files_pattern($1, device_t, mouse_device_t) + read_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Read and write to mouse devices. ++') ++ ++######################################## ++## +## Read and write to monitor devices. - ## - ## - ## -@@ -2873,18 +3371,17 @@ interface(`dev_read_mouse',` - ## - ## - # --interface(`dev_rw_mouse',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_rw_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; -+ type device_t, monitor_device_t; - ') - -- rw_chr_files_pattern($1, device_t, mouse_device_t) -+ rw_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Get the attributes of the memory type range --## registers (MTRR) device. -+## Get the attributes of the mouse devices. - ## - ## - ## -@@ -2892,47 +3389,91 @@ interface(`dev_rw_mouse',` - ## - ## - # --interface(`dev_getattr_mtrr_dev',` -+interface(`dev_getattr_mouse_dev',` - gen_require(` -- type device_t, mtrr_device_t; -+ type device_t, mouse_device_t; - ') - -- getattr_files_pattern($1, device_t, mtrr_device_t) -- getattr_chr_files_pattern($1, device_t, mtrr_device_t) -+ getattr_chr_files_pattern($1, device_t, mouse_device_t) - ') - - ######################################## - ## --## Read the memory type range --## registers (MTRR). (Deprecated) -+## Set the attributes of the mouse devices. - ## --## --##

--## Read the memory type range --## registers (MTRR). This interface has --## been deprecated, dev_rw_mtrr() should be --## used instead. --##

--##

--## The MTRR device ioctls can be used for --## reading and writing; thus, read access to the --## device cannot be separated from write access. --##

--##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`dev_read_mtrr',` -- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') -- dev_rw_mtrr($1) -+interface(`dev_setattr_mouse_dev',` + gen_require(` -+ type device_t, mouse_device_t; ++ type device_t, monitor_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, mouse_device_t) - ') - - ######################################## - ## --## Write the memory type range -+## Read the mouse devices. ++ rw_chr_files_pattern($1, device_t, monitor_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the mouse devices. +## +## +## @@ -7554,17 +7532,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_read_mouse',` ++interface(`dev_getattr_mouse_dev',` + gen_require(` + type device_t, mouse_device_t; + ') + -+ read_chr_files_pattern($1, device_t, mouse_device_t) ++ getattr_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## -+## Read and write to mouse devices. ++## Set the attributes of the mouse devices. +## +## +## @@ -7572,18 +7550,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_rw_mouse',` ++interface(`dev_setattr_mouse_dev',` + gen_require(` + type device_t, mouse_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, mouse_device_t) ++ setattr_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## -+## Get the attributes of the memory type range -+## registers (MTRR) device. ++## Read the mouse devices. +## +## +## 
@@ -7591,47 +7568,108 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_getattr_mtrr_dev',` ++interface(`dev_read_mouse',` + gen_require(` -+ type device_t, mtrr_device_t; ++ type device_t, mouse_device_t; + ') + -+ getattr_files_pattern($1, device_t, mtrr_device_t) -+ getattr_chr_files_pattern($1, device_t, mtrr_device_t) -+') -+ -+######################################## -+## ++ read_chr_files_pattern($1, device_t, mouse_device_t) + ') + + ######################################## +@@ -2903,20 +3516,20 @@ interface(`dev_getattr_mtrr_dev',` + + ######################################## + ## +-## Read the memory type range +## Write the memory type range ## registers (MTRR). (Deprecated) ## ## -@@ -2975,8 +3516,47 @@ interface(`dev_dontaudit_write_mtrr',` - type mtrr_device_t; - ') + ##

+-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). This interface has + ## been deprecated, dev_rw_mtrr() should be + ## used instead. + ##

+ ##

+ ## The MTRR device ioctls can be used for +-## reading and writing; thus, read access to the +-## device cannot be separated from write access. ++## reading and writing; thus, write access to the ++## device cannot be separated from read access. + ##

+ ##
+ ## +@@ -2925,43 +3538,34 @@ interface(`dev_getattr_mtrr_dev',` + ##
+ ## + # +-interface(`dev_read_mtrr',` ++interface(`dev_write_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) + ') -- dontaudit $1 mtrr_device_t:file write; -- dontaudit $1 mtrr_device_t:chr_file write; -+ dontaudit $1 mtrr_device_t:file write_file_perms; -+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read the memory type + ######################################## + ## +-## Write the memory type range +-## registers (MTRR). (Deprecated) ++## Do not audit attempts to write the memory type +## range registers (MTRR). -+## -+## -+## + ## +-## +-##

+-## Write the memory type range +-## registers (MTRR). This interface has +-## been deprecated, dev_rw_mtrr() should be +-## used instead. +-##

+-##

+-## The MTRR device ioctls can be used for +-## reading and writing; thus, write access to the +-## device cannot be separated from read access. +-##

+-##
+ ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_read_mtrr',` + ##
+ ## + # +-interface(`dev_write_mtrr',` +- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') +- dev_rw_mtrr($1) ++interface(`dev_dontaudit_write_mtrr',` + gen_require(` + type mtrr_device_t; + ') + ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write the memory type ++## Do not audit attempts to read the memory type + ## range registers (MTRR). + ## + ## +@@ -2970,13 +3574,32 @@ interface(`dev_write_mtrr',` + ##
+ ## + # +-interface(`dev_dontaudit_write_mtrr',` ++interface(`dev_dontaudit_read_mtrr',` + gen_require(` + type mtrr_device_t; + ') + +- dontaudit $1 mtrr_device_t:file write; +- dontaudit $1 mtrr_device_t:chr_file write; + dontaudit $1 mtrr_device_t:file { open read }; + dontaudit $1 mtrr_device_t:chr_file { open read }; +') @@ -7656,7 +7694,7 @@ index 76f285e..0aef35e 100644 ') ######################################## -@@ -3144,6 +3724,61 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3767,61 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -7718,7 +7756,7 @@ index 76f285e..0aef35e 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3798,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3841,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7743,7 +7781,7 @@ index 76f285e..0aef35e 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3907,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3950,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7770,7 +7808,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -3262,12 +3933,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3976,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7787,7 +7825,7 @@ index 76f285e..0aef35e 100644 ') ######################################## -@@ -3399,7 +4071,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4114,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7796,7 +7834,7 @@ index 76f285e..0aef35e 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4085,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4128,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
@@ -7805,7 +7843,7 @@ index 76f285e..0aef35e 100644 ') ######################################## -@@ -3855,7 +4527,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4570,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7814,7 +7852,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -3863,91 +4535,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4578,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7925,7 +7963,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -3955,68 +4625,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4668,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8004,7 +8042,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -4024,53 +4679,279 @@ interface(`dev_rw_sysfs',` +@@ -4024,17 +4722,243 @@ interface(`dev_rw_sysfs',` ## ## # @@ -8024,45 +8062,19 @@ index 76f285e..0aef35e 100644 ## -## Read from pseudo random number generator devices (e.g., /dev/urandom). +## Write in a sysfs directories. - ## --## --##

--## Allow the specified domain to read from pseudo random number --## generator devices (e.g., /dev/urandom). Typically this is --## used in situations when a cryptographically secure random --## number is not necessarily needed. One example is the Stack --## Smashing Protector (SSP, formerly known as ProPolice) support --## that may be compiled into programs. --##

--##

--## Related interface: --##

--##
    --##
  • dev_read_rand()
  • --##
--##

--## Related tunable: --##

--##
    --##
  • global_ssp
  • --##
--##
- ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`dev_read_urand',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` - gen_require(` -- type device_t, urandom_device_t; ++ gen_require(` + type sysfs_t; - ') - -- read_chr_files_pattern($1, device_t, urandom_device_t) ++ ') ++ + allow $1 sysfs_t:dir write; +') + @@ -8275,46 +8287,10 @@ index 76f285e..0aef35e 100644 +######################################## +## +## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## -+## -+##

-+## Allow the specified domain to read from pseudo random number -+## generator devices (e.g., /dev/urandom). Typically this is -+## used in situations when a cryptographically secure random -+## number is not necessarily needed. One example is the Stack -+## Smashing Protector (SSP, formerly known as ProPolice) support -+## that may be compiled into programs. -+##

-+##

-+## Related interface: -+##

-+##
    -+##
  • dev_read_rand()
  • -+##
-+##

-+## Related tunable: -+##

-+##
    -+##
  • global_ssp
  • -+##
-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_urand',` -+ gen_require(` -+ type device_t, urandom_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, urandom_device_t) - ') - - ######################################## -@@ -4113,6 +4994,25 @@ interface(`dev_write_urand',` + ## + ## + ##

+@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',` ######################################## ##

@@ -8340,7 +8316,7 @@ index 76f285e..0aef35e 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5023,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` 
@@ -8349,33 +8325,149 @@ index 76f285e..0aef35e 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4330,28 +5230,180 @@ interface(`dev_search_usbfs',` +@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',` + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + ') + +-######################################## ++###################################### + ## +-## Get the attributes of video4linux devices. ++## Read and write userio device. + ## + ## + ## +@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_userio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, userio_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, userio_device_t) + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Get the attributes of video4linux devices. + ## + ## + ## +@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_getattr_video_dev',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, v4l_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## +@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',` + + ######################################## + ## +-## Allow read/write the vhost net device ++## Get the attributes of vfio devices. 
+ ## + ## + ## +@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',` + ## + ## + # +-interface(`dev_rw_vhost',` ++interface(`dev_getattr_vfio_dev',` + gen_require(` +- type device_t, vhost_device_t; ++ type device_t, vfio_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vhost_device_t) ++ getattr_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Read and write VMWare devices. ++## Do not audit attempts to get the attributes ++## of vfio device nodes. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_rw_vmware',` ++interface(`dev_dontaudit_getattr_vfio_dev',` + gen_require(` +- type device_t, vmware_device_t; ++ type vfio_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vmware_device_t) ++ dontaudit $1 vfio_device_t:chr_file getattr; + ') ######################################## ## --## Allow caller to get a list of usb hardware. -+## Allow caller to get a list of usb hardware. +-## Read, write, and mmap VMWare devices. ++## Set the attributes of vfio device nodes. + ## + ## + ## +@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',` + ## + ## + # +-interface(`dev_rwx_vmware',` ++interface(`dev_setattr_vfio_dev',` + gen_require(` +- type device_t, vmware_device_t; ++ type device_t, vfio_device_t; + ') + +- dev_rw_vmware($1) ++ setattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of vfio device nodes. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`dev_list_usbfs',` ++interface(`dev_dontaudit_setattr_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type vfio_device_t; + ') + -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ getattr_files_pattern($1, usbfs_t, usbfs_t) -+ -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ dontaudit $1 vfio_device_t:chr_file setattr; +') + +######################################## +## -+## Set the attributes of usbfs filesystem. ++## Read the vfio devices. +## +## +## @@ -8383,19 +8475,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_setattr_usbfs_files',` ++interface(`dev_read_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ setattr_files_pattern($1, usbfs_t, usbfs_t) -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ read_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Read USB hardware information using -+## the usbfs filesystem interface. ++## Write the vfio devices. +## +## +## @@ -8403,19 +8493,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_read_usbfs',` ++interface(`dev_write_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ read_files_pattern($1, usbfs_t, usbfs_t) -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ write_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Allow caller to modify usb hardware configuration files. ++## Read and write the VFIO devices. +## +## +## 
@@ -8423,19 +8511,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_rw_usbfs',` ++interface(`dev_rw_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ list_dirs_pattern($1, usbfs_t, usbfs_t) -+ rw_files_pattern($1, usbfs_t, usbfs_t) -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ rw_chr_files_pattern($1, device_t, vfio_device_t) +') + -+###################################### ++######################################## +## -+## Read and write userio device. ++## Allow read/write the vhost net device +## +## +## @@ -8443,17 +8529,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_rw_userio_dev',` ++interface(`dev_rw_vhost',` + gen_require(` -+ type device_t, userio_device_t; ++ type device_t, vhost_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, userio_device_t) ++ rw_chr_files_pattern($1, device_t, vhost_device_t) +') + +######################################## +## -+## Get the attributes of video4linux devices. ++## Allow read/write inheretid the vhost net device +## +## +## 
@@ -8461,36 +8547,35 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_getattr_video_dev',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` -+ type device_t, v4l_device_t; ++ type device_t, vhost_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## -+## Do not audit attempts to get the attributes -+## of video4linux device nodes. ++## Read and write VMWare devices. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_getattr_video_dev',` ++interface(`dev_rw_vmware',` + gen_require(` -+ type v4l_device_t; ++ type device_t, vmware_device_t; + ') + -+ dontaudit $1 v4l_device_t:chr_file getattr; ++ rw_chr_files_pattern($1, device_t, vmware_device_t) +') + +######################################## +## -+## Set the attributes of video4linux device nodes. ++## Read, write, and mmap VMWare devices. +## +## +## 
@@ -8498,296 +8583,16 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_setattr_video_dev',` ++interface(`dev_rwx_vmware',` + gen_require(` -+ type device_t, v4l_device_t; ++ type device_t, vmware_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, v4l_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to set the attributes -+## of video4linux device nodes. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_list_usbfs',` -+interface(`dev_dontaudit_setattr_video_dev',` - gen_require(` -- type usbfs_t; -+ type v4l_device_t; - ') - -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -- getattr_files_pattern($1, usbfs_t, usbfs_t) -- -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ dontaudit $1 v4l_device_t:chr_file setattr; ++ dev_rw_vmware($1) + allow $1 vmware_device_t:chr_file execute; ') - ######################################## - ## --## Set the attributes of usbfs filesystem. -+## Read the video4linux devices. - ## - ## - ## -@@ -4359,19 +5411,17 @@ interface(`dev_list_usbfs',` - ## - ## - # --interface(`dev_setattr_usbfs_files',` -+interface(`dev_read_video_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, v4l_device_t; - ') - -- setattr_files_pattern($1, usbfs_t, usbfs_t) -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ read_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## - ## --## Read USB hardware information using --## the usbfs filesystem interface. -+## Write the video4linux devices. 
- ## - ## - ## -@@ -4379,19 +5429,17 @@ interface(`dev_setattr_usbfs_files',` - ## - ## - # --interface(`dev_read_usbfs',` -+interface(`dev_write_video_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, v4l_device_t; - ') - -- read_files_pattern($1, usbfs_t, usbfs_t) -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ write_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## - ## --## Allow caller to modify usb hardware configuration files. -+## Get the attributes of vfio devices. - ## - ## - ## -@@ -4399,37 +5447,36 @@ interface(`dev_read_usbfs',` - ## - ## - # --interface(`dev_rw_usbfs',` -+interface(`dev_getattr_vfio_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, vfio_device_t; - ') - -- list_dirs_pattern($1, usbfs_t, usbfs_t) -- rw_files_pattern($1, usbfs_t, usbfs_t) -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ getattr_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Get the attributes of video4linux devices. -+## Do not audit attempts to get the attributes -+## of vfio device nodes. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_getattr_video_dev',` -+interface(`dev_dontaudit_getattr_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type vfio_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ dontaudit $1 vfio_device_t:chr_file getattr; - ') - --###################################### -+######################################## - ## --## Read and write userio device. -+## Set the attributes of vfio device nodes. 
- ## - ## - ## -@@ -4437,18 +5484,18 @@ interface(`dev_getattr_video_dev',` - ## - ## - # --interface(`dev_rw_userio_dev',` -+interface(`dev_setattr_vfio_dev',` - gen_require(` -- type device_t, userio_device_t; -+ type device_t, vfio_device_t; - ') - -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ setattr_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of video4linux device nodes. -+## Do not audit attempts to set the attributes -+## of vfio device nodes. - ## - ## - ## -@@ -4456,17 +5503,17 @@ interface(`dev_rw_userio_dev',` - ## - ## - # --interface(`dev_dontaudit_getattr_video_dev',` -+interface(`dev_dontaudit_setattr_vfio_dev',` - gen_require(` -- type v4l_device_t; -+ type vfio_device_t; - ') - -- dontaudit $1 v4l_device_t:chr_file getattr; -+ dontaudit $1 vfio_device_t:chr_file setattr; - ') - - ######################################## - ## --## Set the attributes of video4linux device nodes. -+## Read the vfio devices. - ## - ## - ## -@@ -4474,36 +5521,35 @@ interface(`dev_dontaudit_getattr_video_dev',` - ## - ## - # --interface(`dev_setattr_video_dev',` -+interface(`dev_read_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- setattr_chr_files_pattern($1, device_t, v4l_device_t) -+ read_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Do not audit attempts to set the attributes --## of video4linux device nodes. -+## Write the vfio devices. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`dev_dontaudit_setattr_video_dev',` -+interface(`dev_write_vfio_dev',` - gen_require(` -- type v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- dontaudit $1 v4l_device_t:chr_file setattr; -+ write_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Read the video4linux devices. -+## Read and write the VFIO devices. - ## - ## - ## -@@ -4511,17 +5557,17 @@ interface(`dev_dontaudit_setattr_video_dev',` - ## - ## - # --interface(`dev_read_video_dev',` -+interface(`dev_rw_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- read_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Write the video4linux devices. -+## Allow read/write the vhost net device - ## - ## - ## -@@ -4529,17 +5575,17 @@ interface(`dev_read_video_dev',` - ## - ## - # --interface(`dev_write_video_dev',` -+interface(`dev_rw_vhost',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vhost_device_t; - ') - -- write_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, vhost_device_t) - ') - - ######################################## - ## --## Allow read/write the vhost net device -+## Allow read/write inheretid the vhost net device - ## - ## - ## -@@ -4547,12 +5593,12 @@ interface(`dev_write_video_dev',` - ## - ## - # --interface(`dev_rw_vhost',` -+interface(`dev_rw_inherited_vhost',` - gen_require(` - type device_t, vhost_device_t; - ') - -- rw_chr_files_pattern($1, device_t, vhost_device_t) -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## -@@ -4630,6 +5676,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',` ######################################## ## 
@@ -8812,7 +8617,7 @@ index 76f285e..0aef35e 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5826,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8857,7 +8662,7 @@ index 76f285e..0aef35e 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5953,1020 @@ interface(`dev_unconfined',` +@@ -4851,3 +5996,1020 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -10364,7 +10169,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..b5fe8e5 100644 +index cf04cb5..0715228 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10497,8 +10302,11 @@ index cf04cb5..b5fe8e5 100644 ') ######################################## -@@ -147,12 +217,18 @@ optional_policy(` +@@ -145,14 +215,21 @@ optional_policy(` + # be used on an attribute. + # Use/sendto/connectto sockets created by any domain. ++allow unconfined_domain_type self:cap_userns all_cap_userns_perms; allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +allow unconfined_domain_type domain:system all_system_perms; @@ -10517,7 +10325,7 @@ index cf04cb5..b5fe8e5 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +236,379 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +237,379 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -18093,7 +17901,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..440c63f 100644 +index 8416beb..20099cd 100644 
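Review bot: The added `allow unconfined_domain_type self:cap_userns all_cap_userns_perms;` in domain.te carries no comment, while the neighbouring rules in this block each say what they grant (`# Use/sendto/connectto sockets created by any domain.`, `# Create/access any System V IPC objects.`). Since this one line hands every user-namespace capability to every domain carrying the unconfined_domain_type attribute, a one-line rationale in the same style would help the next reader; suggested: `# Unconfined domains may use any capability inside non-init user namespaces.`. The block of unconfined_domain_type rules continues outside the hunk.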
--- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18592,7 +18400,7 @@ index 8416beb..440c63f 100644 ## ## ## -@@ -1878,96 +2122,759 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2122,151 @@ interface(`fs_search_fusefs',` ## ## # @@ -18698,6 +18506,7 @@ index 8416beb..440c63f 100644 -# -interface(`fs_exec_fusefs_files',` - gen_require(` +- type fusefs_t; +## +##

+## Execute a file on a FUSE filesystem @@ -18731,88 +18540,110 @@ index 8416beb..440c63f 100644 +interface(`fs_ecryptfs_domtrans',` + gen_require(` + type ecryptfs_t; -+ ') -+ + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $1 ecryptfs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, ecryptfs_t, $2) -+') -+ -+######################################## -+##

+ ') + + ######################################## + ## +-## Create, read, write, and delete files +-## on a FUSEFS filesystem. +## Mount a FUSE filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_manage_fusefs_files',` +interface(`fs_mount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- manage_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:filesystem mount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. +## Unmount a FUSE filesystem. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_unmount_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; + allow $1 fusefs_t:filesystem unmount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. +## Mounton a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2014,145 +2274,194 @@ interface(`fs_dontaudit_manage_fusefs_files',` + ## + ## + # +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_mounton_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:dir mounton; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of an hugetlbfs +-## filesystem. +## Search directories +## on a FUSEFS filesystem. 
-+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_search_fusefs',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem getattr; + allow $1 fusefs_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List hugetlbfs. +## Do not audit attempts to list the contents +## of directories on a FUSEFS filesystem. +## @@ -18834,24 +18665,28 @@ index 8416beb..440c63f 100644 +## +## Create, read, write, and delete directories +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_list_hugetlbfs',` +interface(`fs_manage_fusefs_dirs',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; + allow $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Manage hugetlbfs dirs. +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. 
@@ -18873,129 +18708,157 @@ index 8416beb..440c63f 100644 +######################################## +## +## Read, a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_read_fusefs_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + read_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write hugetlbfs files. +## Execute files on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_rw_hugetlbfs_files',` +interface(`fs_exec_fusefs_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + exec_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. -+## + ## +-## +## -+## + ## +-## The type of the object to be associated. +## The domain for which fusefs_t is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`fs_associate_hugetlbfs',` +interface(`fs_fusefs_entry_type',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem associate; + domain_entry_file($1, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search inotifyfs filesystem. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. 
-+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## The domain for which fusefs_t is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`fs_search_inotifyfs',` +interface(`fs_fusefs_entrypoint',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; + allow $1 fusefs_t:file entrypoint; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List inotifyfs filesystem. +## Create, read, write, and delete files +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_list_inotifyfs',` +interface(`fs_manage_fusefs_files',` -+ gen_require(` - type fusefs_t; + gen_require(` +- type inotifyfs_t; ++ type fusefs_t; ') -- exec_files_pattern($1, fusefs_t, fusefs_t) +- allow $1 inotifyfs_t:dir list_dir_perms; + manage_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -2160,73 +2469,118 @@ interface(`fs_list_inotifyfs',` + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_dontaudit_manage_fusefs_files',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + dontaudit $1 fusefs_t:file manage_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## Read symbolic links on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. 
-+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`fs_read_fusefs_symlinks',` + gen_require(` @@ -19011,10 +18874,12 @@ index 8416beb..440c63f 100644 +## Manage symbolic links on a FUSEFS filesystem. +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` @@ -19049,78 +18914,101 @@ index 8416beb..440c63f 100644 +##

+##
+## -+## + ## +-## The object class of the object being created. +## Domain allowed to transition. -+## -+## + ## + ## +-## +## -+## + ## +-## The name of the object being created. +## The type of the new process. -+## -+## -+# + ## + ## + # +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_fusefs_domtrans',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + allow $1 fusefs_t:dir search_dir_perms; + domain_auto_transition_pattern($1, fusefs_t, $2) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Get the attributes of a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_mount_iso9660_fs',` +interface(`fs_getattr_fusefs',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem mount; + allow $1 fusefs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. +## Get the attributes of an hugetlbfs +## filesystem. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -2234,18 +2588,17 @@ interface(`fs_mount_iso9660_fs',` + ## + ## + # +-interface(`fs_remount_iso9660_fs',` +interface(`fs_getattr_hugetlbfs',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type hugetlbfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem remount; + allow $1 hugetlbfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. +## List hugetlbfs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2253,38 +2606,611 @@ interface(`fs_remount_iso9660_fs',` + ## + ## + # +-interface(`fs_unmount_iso9660_fs',` +interface(`fs_list_hugetlbfs',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type hugetlbfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem unmount; + allow $1 hugetlbfs_t:dir list_dir_perms; +') + 
@@ -19379,244 +19267,197 @@ index 8416beb..440c63f 100644 + ') + + allow $1 iso9660_t:filesystem unmount; - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. - ## - ## - ## -@@ -1976,37 +2883,38 @@ interface(`fs_exec_fusefs_files',` - ## - ## - # --interface(`fs_manage_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# +interface(`fs_getattr_iso9660_fs',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type iso9660_t; - ') - -- manage_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $1 iso9660_t:filesystem getattr; - ') - - ######################################## - ## --## Do not audit attempts to create, --## read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Read files on an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_manage_fusefs_files',` ++## ++## ++# +interface(`fs_getattr_iso9660_files',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type iso9660_t; - ') - -- dontaudit $1 fusefs_t:file manage_file_perms; ++ ') ++ + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; - ') - - ######################################## - ## --## Read symbolic links on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Read files on an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## -@@ -2014,19 +2922,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` - ## - ## - # --interface(`fs_read_fusefs_symlinks',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`fs_read_iso9660_files',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type iso9660_t; - ') - -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) - ') - ++') + - ######################################## - ## --## Get the attributes of an hugetlbfs --## filesystem. ++ ++######################################## ++## +## Mount kdbus filesystems. - ## - ## - ## -@@ -2034,17 +2943,17 @@ interface(`fs_read_fusefs_symlinks',` - ## - ## - # --interface(`fs_getattr_hugetlbfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_kdbus', ` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; ++ ') ++ + allow $1 kdbusfs_t:filesystem mount; - ') - - ######################################## - ## --## List hugetlbfs. ++') ++ ++######################################## ++## +## Remount kdbus filesystems. - ## - ## - ## -@@ -2052,17 +2961,17 @@ interface(`fs_getattr_hugetlbfs',` - ## - ## - # --interface(`fs_list_hugetlbfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_remount_kdbus', ` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 hugetlbfs_t:dir list_dir_perms; ++ ') ++ + allow $1 kdbusfs_t:filesystem remount; - ') - - ######################################## - ## --## Manage hugetlbfs dirs. ++') ++ ++######################################## ++## +## Unmount kdbus filesystems. - ## - ## - ## -@@ -2070,17 +2979,17 @@ interface(`fs_list_hugetlbfs',` - ## - ## - # --interface(`fs_manage_hugetlbfs_dirs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`fs_unmount_kdbus', ` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ ') ++ + allow $1 kdbusfs_t:filesystem unmount; - ') - - ######################################## - ## --## Read and write hugetlbfs files. ++') ++ ++######################################## ++## +## Get attributes of kdbus filesystems. - ## - ## - ## -@@ -2088,35 +2997,38 @@ interface(`fs_manage_hugetlbfs_dirs',` - ## - ## - # --interface(`fs_rw_hugetlbfs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_kdbus',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ ') ++ + allow $1 kdbusfs_t:filesystem getattr; - ') - - ######################################## - ## --## Allow the type to associate to hugetlbfs filesystems. ++') ++ ++######################################## ++## +## Search kdbusfs directories. - ## --## ++## +## - ## --## The type of the object to be associated. ++## +## Domain allowed access. - ## - ## - # --interface(`fs_associate_hugetlbfs',` ++## ++## ++# +interface(`fs_search_kdbus_dirs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type kdbusfs_t; + - ') - -- allow $1 hugetlbfs_t:filesystem associate; ++ ') ++ + search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Search inotifyfs filesystem. ++') ++ ++######################################## ++## +## Relabel kdbusfs directories. - ## - ## - ## -@@ -2124,17 +3036,18 @@ interface(`fs_associate_hugetlbfs',` - ## - ## - # --interface(`fs_search_inotifyfs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`fs_relabel_kdbus_dirs',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type cgroup_t; + - ') - -- allow $1 inotifyfs_t:dir search_dir_perms; ++ ') ++ + relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) - ') - - ######################################## - ## --## List inotifyfs filesystem. ++') ++ ++######################################## ++## +## List kdbusfs directories. - ## - ## - ## -@@ -2142,71 +3055,78 @@ interface(`fs_search_inotifyfs',` - ## - ## - # --interface(`fs_list_inotifyfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_list_kdbus_dirs',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 inotifyfs_t:dir list_dir_perms; ++ ') ++ + list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) 
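Review bot: `fs_relabel_kdbus_dirs` requires `type cgroup_t;` in its gen_require block while its only rule is `relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t)`, so the type the interface actually uses is never required and an unrelated one is; the same mismatch appears in `fs_read_kdbus_files` in the next hunk, which also requires cgroup_t and then uses kdbusfs_t. A policy module that calls either interface would likely fail to build because kdbusfs_t is not brought into scope, and the stray cgroup_t requirement adds a dependency the interface does not need. Both require lines should read `type kdbusfs_t;`. The rest of this hunk appears to be re-ordered context rather than new logic.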
@@ -19639,149 +19480,106 @@ index 8416beb..440c63f 100644 + + dontaudit $1 kdbusfs_t:dir search_dir_perms; + dev_dontaudit_search_sysfs($1) - ') - - ######################################## - ## --## Dontaudit List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Delete kdbusfs directories. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_list_inotifyfs',` ++## ++## ++# +interface(`fs_delete_kdbus_dirs', ` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- dontaudit $1 inotifyfs_t:dir list_dir_perms; ++ ') ++ + delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. ++') ++ ++######################################## ++## +## Manage kdbusfs directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. --## --## - # --interface(`fs_hugetlbfs_filetrans',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_manage_kdbus_dirs',` - gen_require(` -- type hugetlbfs_t; -- ') ++ gen_require(` + type kdbusfs_t; - -- allow $2 hugetlbfs_t:filesystem associate; -- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++ + ') + manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Mount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Read kdbusfs files. 
- ## - ## - ## -@@ -2214,19 +3134,21 @@ interface(`fs_hugetlbfs_filetrans',` - ## - ## - # --interface(`fs_mount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_read_kdbus_files',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type cgroup_t; + - ') - -- allow $1 iso9660_t:filesystem mount; ++ ') ++ + read_files_pattern($1, kdbusfs_t, kdbusfs_t) + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Remount an iso9660 filesystem, which --## is usually used on CDs. This allows --## some mount options to be changed. ++') ++ ++######################################## ++## +## Write kdbusfs files. - ## - ## - ## -@@ -2234,18 +3156,19 @@ interface(`fs_mount_iso9660_fs',` - ## - ## - # --interface(`fs_remount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_write_kdbus_files', ` - gen_require(` -- type iso9660_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 iso9660_t:filesystem remount; ++ ') ++ + write_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Unmount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Read and write kdbusfs files. - ## - ## - ## -@@ -2253,38 +3176,41 @@ interface(`fs_remount_iso9660_fs',` - ## - ## - # --interface(`fs_unmount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_rw_kdbus_files',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type kdbusfs_t; + - ') - -- allow $1 iso9660_t:filesystem unmount; ++ ') ++ + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + rw_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) 
@@ -19897,272 +19695,119 @@ index 8416beb..440c63f 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2439,152 +3384,228 @@ interface(`fs_list_nfs',` - ## - ## - ## --## Domain to not audit. -+## Domain to not audit. +@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + read_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',` + type nfs_t; + ') + ++ fs_search_auto_mountpoints($1) + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',` + + ######################################## + ## ++## Make general progams in nfs an entrypoint for ++## the specified domain. ++## ++## ++## ++## The domain for which nfs_t is an entrypoint. +## +## +# -+interface(`fs_dontaudit_list_nfs',` ++interface(`fs_nfs_entry_type',` + gen_require(` + type nfs_t; + ') + -+ dontaudit $1 nfs_t:dir list_dir_perms; ++ domain_entry_file($1, nfs_t) +') + +######################################## +## -+## Mounton a NFS filesystem. ++## Make general progams in NFS an entrypoint for ++## the specified domain. +## +## +## -+## Domain allowed access. ++## The domain for which nfs_t is an entrypoint. +## +## +# -+interface(`fs_mounton_nfs',` ++interface(`fs_nfs_entrypoint',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:dir mounton; ++ allow $1 nfs_t:file entrypoint; +') + +######################################## +## -+## Read files on a NFS filesystem. + ## Append files + ## on a NFS filesystem. + ## +@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',` + + ######################################## + ## +-## dontaudit Append files ++## Do not audit attempts to append files + ## on a NFS filesystem. 
+ ## + ## +@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',` + + ######################################## + ## ++## Read inherited files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`fs_read_nfs_files',` ++interface(`fs_read_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ fs_search_auto_mountpoints($1) -+ allow $1 nfs_t:dir list_dir_perms; -+ read_files_pattern($1, nfs_t, nfs_t) ++ allow $1 nfs_t:file read_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to read -+## files on a NFS filesystem. ++## Read/write inherited files on a NFS filesystem. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`fs_dontaudit_read_nfs_files',` ++interface(`fs_rw_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ dontaudit $1 nfs_t:file read_file_perms; ++ allow $1 nfs_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Read files on a NFS filesystem. -+## -+## -+## -+## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_list_nfs',` -+interface(`fs_write_nfs_files',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:dir list_dir_perms; -+ fs_search_auto_mountpoints($1) -+ allow $1 nfs_t:dir list_dir_perms; -+ write_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Mounton a NFS filesystem. -+## Execute files on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_mounton_nfs',` -+interface(`fs_exec_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir mounton; -+ allow $1 nfs_t:dir list_dir_perms; -+ exec_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Read files on a NFS filesystem. -+## Make general progams in nfs an entrypoint for -+## the specified domain. - ## - ## - ## --## Domain allowed access. 
-+## The domain for which nfs_t is an entrypoint. - ## - ## --## - # --interface(`fs_read_nfs_files',` -+interface(`fs_nfs_entry_type',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- read_files_pattern($1, nfs_t, nfs_t) -+ domain_entry_file($1, nfs_t) - ') - - ######################################## - ## --## Do not audit attempts to read --## files on a NFS filesystem. -+## Make general progams in NFS an entrypoint for -+## the specified domain. - ## - ## - ## --## Domain to not audit. -+## The domain for which nfs_t is an entrypoint. - ## - ## - # --interface(`fs_dontaudit_read_nfs_files',` -+interface(`fs_nfs_entrypoint',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:file read_file_perms; -+ allow $1 nfs_t:file entrypoint; - ') - - ######################################## - ## --## Read files on a NFS filesystem. -+## Append files -+## on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_write_nfs_files',` -+interface(`fs_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- write_files_pattern($1, nfs_t, nfs_t) -+ append_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Execute files on a NFS filesystem. -+## Do not audit attempts to append files -+## on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - ## - # --interface(`fs_exec_nfs_files',` -+interface(`fs_dontaudit_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- exec_files_pattern($1, nfs_t, nfs_t) -+ dontaudit $1 nfs_t:file append_file_perms; - ') - - ######################################## - ## --## Append files --## on a NFS filesystem. -+## Read inherited files on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. 
- ## - ## --## - # --interface(`fs_append_nfs_files',` -+interface(`fs_read_inherited_nfs_files',` - gen_require(` - type nfs_t; - ') - -- append_files_pattern($1, nfs_t, nfs_t) -+ allow $1 nfs_t:file read_inherited_file_perms; - ') - - ######################################## - ## --## dontaudit Append files --## on a NFS filesystem. -+## Read/write inherited files on a NFS filesystem. + ## Do not audit attempts to read or + ## write files on a NFS filesystem. ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## --## - # --interface(`fs_dontaudit_append_nfs_files',` -+interface(`fs_rw_inherited_nfs_files',` - gen_require(` - type nfs_t; - ') - -- dontaudit $1 nfs_t:file append_file_perms; -+ allow $1 nfs_t:file rw_inherited_file_perms; - ') - - ######################################## @@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') 
@@ -20314,38 +19959,26 @@ index 8416beb..440c63f 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,7 +4364,25 @@ interface(`fs_getattr_nfsd_files',` - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') - --######################################## -+####################################### -+## -+## read files on an nfsd filesystem -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_read_nfsd_files',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') +@@ -3182,18 +4283,108 @@ interface(`fs_remount_nfsd_fs',` + ## + ## + # +-interface(`fs_unmount_nfsd_fs',` +- gen_require(` +- type nfsd_fs_t; +- ') ++interface(`fs_unmount_nfsd_fs',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') + -+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ allow $1 nfsd_fs_t:filesystem unmount; +') + -+####################################### - ## - ## Read and write NFS server files. - ## -@@ -3283,6 +4402,78 @@ interface(`fs_rw_nfsd_fs',` - - ######################################## - ## -+## Getattr files on an nsfs filesystem ++######################################## ++## ++## Get the attributes of a NFS server ++## pseudo filesystem. +## +## +## 
@@ -20353,35 +19986,35 @@ index 8416beb..440c63f 100644 +## +## +# -+interface(`fs_getattr_nsfs_files',` ++interface(`fs_getattr_nfsd_fs',` + gen_require(` -+ type nsfs_t; ++ type nfsd_fs_t; + ') + -+ getattr_files_pattern($1, nsfs_t, nsfs_t) ++ allow $1 nfsd_fs_t:filesystem getattr; +') + -+####################################### ++######################################## +## -+## Read nsfs inodes (e.g. /proc/pid/ns/uts) ++## Search NFS server directories. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`fs_read_nsfs_files',` ++interface(`fs_search_nfsd_fs',` + gen_require(` -+ type nsfs_t; -+ ') ++ type nfsd_fs_t; ++ ') + -+ allow $1 nsfs_t:file read_file_perms; ++ allow $1 nfsd_fs_t:dir search_dir_perms; +') + -+####################################### ++######################################## +## -+## Read and write nsfs inodes (e.g. /proc/pid/ns/uts) ++## List NFS server directories. +## +## +## @@ -20389,17 +20022,17 @@ index 8416beb..440c63f 100644 +## +## +# -+interface(`fs_rw_nsfs_files',` ++interface(`fs_list_nfsd_fs',` + gen_require(` -+ type nsfs_t; ++ type nfsd_fs_t; + ') + -+ rw_files_pattern($1, nsfs_t, nsfs_t) ++ allow $1 nfsd_fs_t:dir list_dir_perms; +') + +######################################## +## -+## Manage NFS server files. ++## Getattr files on an nfsd filesystem +## +## +## 
@@ -20407,19 +20040,150 @@ index 8416beb..440c63f 100644 +## +## +# -+interface(`fs_manage_nfsd_fs',` ++interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + -+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + -+######################################## ++####################################### +## - ## Allow the type to associate to ramfs filesystems. ++## read files on an nfsd filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') + +- allow $1 nfsd_fs_t:filesystem unmount; ++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + +-######################################## ++####################################### + ## +-## Get the attributes of a NFS server +-## pseudo filesystem. ++## Read and write NFS server files. ## - ## + ## + ## +@@ -3201,17 +4392,17 @@ interface(`fs_unmount_nfsd_fs',` + ## + ## + # +-interface(`fs_getattr_nfsd_fs',` ++interface(`fs_rw_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + +- allow $1 nfsd_fs_t:filesystem getattr; ++ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + + ######################################## + ## +-## Search NFS server directories. ++## Getattr files on an nsfs filesystem + ## + ## + ## +@@ -3219,35 +4410,35 @@ interface(`fs_getattr_nfsd_fs',` + ## + ## + # +-interface(`fs_search_nfsd_fs',` ++interface(`fs_getattr_nsfs_files',` + gen_require(` +- type nfsd_fs_t; ++ type nsfs_t; + ') + +- allow $1 nfsd_fs_t:dir search_dir_perms; ++ getattr_files_pattern($1, nsfs_t, nsfs_t) + ') + +-######################################## ++####################################### + ## +-## List NFS server directories. ++## Read nsfs inodes (e.g. /proc/pid/ns/uts) + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. 
++## + ## + # +-interface(`fs_list_nfsd_fs',` ++interface(`fs_read_nsfs_files',` + gen_require(` +- type nfsd_fs_t; +- ') ++ type nsfs_t; ++ ') + +- allow $1 nfsd_fs_t:dir list_dir_perms; ++ allow $1 nsfs_t:file read_file_perms; + ') + +-######################################## ++####################################### + ## +-## Getattr files on an nfsd filesystem ++## Read and write nsfs inodes (e.g. /proc/pid/ns/uts) + ## + ## + ## +@@ -3255,17 +4446,17 @@ interface(`fs_list_nfsd_fs',` + ## + ## + # +-interface(`fs_getattr_nfsd_files',` ++interface(`fs_rw_nsfs_files',` + gen_require(` +- type nfsd_fs_t; ++ type nsfs_t; + ') + +- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ rw_files_pattern($1, nsfs_t, nsfs_t) + ') + + ######################################## + ## +-## Read and write NFS server files. ++## Manage NFS server files. + ## + ## + ## +@@ -3273,12 +4464,12 @@ interface(`fs_getattr_nfsd_files',` + ## + ## + # +-interface(`fs_rw_nfsd_fs',` ++interface(`fs_manage_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + +- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + + ######################################## @@ -3392,7 +4583,7 @@ interface(`fs_search_ramfs',` ######################################## 
@@ -20497,186 +20261,116 @@ index 8416beb..440c63f 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3866,12 +5093,49 @@ interface(`fs_relabelfrom_tmpfs',` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem relabelfrom; -+ allow $1 tmpfs_t:filesystem relabelfrom; -+') -+ -+######################################## -+## -+## Get the attributes of tmpfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_getattr_tmpfs_dirs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:dir getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of tmpfs directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_getattr_tmpfs_dirs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ dontaudit $1 tmpfs_t:dir getattr; - ') +@@ -3908,7 +5135,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## --## Get the attributes of tmpfs directories. +-## Mount on tmpfs directories. +## Set the attributes of tmpfs directories. ## ## ## -@@ -3879,36 +5143,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3916,17 +5143,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # --interface(`fs_getattr_tmpfs_dirs',` +-interface(`fs_mounton_tmpfs',` +interface(`fs_setattr_tmpfs_dirs',` gen_require(` type tmpfs_t; ') -- allow $1 tmpfs_t:dir getattr; +- allow $1 tmpfs_t:dir mounton; + allow $1 tmpfs_t:dir setattr; ') ######################################## ## --## Do not audit attempts to get the attributes --## of tmpfs directories. +-## Set the attributes of tmpfs directories. +## Search tmpfs directories. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -3934,17 +5161,17 @@ interface(`fs_mounton_tmpfs',` ## ## # --interface(`fs_dontaudit_getattr_tmpfs_dirs',` +-interface(`fs_setattr_tmpfs_dirs',` +interface(`fs_search_tmpfs',` gen_require(` type tmpfs_t; ') -- dontaudit $1 tmpfs_t:dir getattr; +- allow $1 tmpfs_t:dir setattr; + allow $1 tmpfs_t:dir search_dir_perms; ') ######################################## ## --## Mount on tmpfs directories. +-## Search tmpfs directories. +## List the contents of generic tmpfs directories. ## ## ## -@@ -3916,35 +5179,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3952,17 +5179,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # --interface(`fs_mounton_tmpfs',` +-interface(`fs_search_tmpfs',` +interface(`fs_list_tmpfs',` gen_require(` type tmpfs_t; ') -- allow $1 tmpfs_t:dir mounton; +- allow $1 tmpfs_t:dir search_dir_perms; + allow $1 tmpfs_t:dir list_dir_perms; ') ######################################## ## --## Set the attributes of tmpfs directories. +-## List the contents of generic tmpfs directories. +## Do not audit attempts to list the +## contents of generic tmpfs directories. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`fs_setattr_tmpfs_dirs',` ++## ++## ++# +interface(`fs_dontaudit_list_tmpfs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:dir setattr; ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + dontaudit $1 tmpfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Search tmpfs directories. ++') ++ ++######################################## ++## +## Relabel directory on tmpfs filesystems. 
## ## ## -@@ -3952,17 +5216,17 @@ interface(`fs_setattr_tmpfs_dirs',` - ## - ## - # --interface(`fs_search_tmpfs',` -+interface(`fs_relabel_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) - ') - - ######################################## - ## --## List the contents of generic tmpfs directories. -+## Relabel fifo_file on tmpfs filesystems. - ## - ## - ## -@@ -3970,31 +5234,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5216,48 @@ interface(`fs_search_tmpfs',` ## ## # -interface(`fs_list_tmpfs',` -+interface(`fs_relabel_tmpfs_fifo_files',` ++interface(`fs_relabel_tmpfs_dirs',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir list_dir_perms; -+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) ++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Do not audit attempts to list the -## contents of generic tmpfs directories. -+## Relabel files on tmpfs filesystems. ++## Relabel fifo_file on tmpfs filesystems. ## ## ## 
@@ -20686,64 +20380,67 @@ index 8416beb..440c63f 100644 ## # -interface(`fs_dontaudit_list_tmpfs',` -+interface(`fs_relabel_tmpfs_files',` ++interface(`fs_relabel_tmpfs_fifo_files',` gen_require(` type tmpfs_t; ') - dontaudit $1 tmpfs_t:dir list_dir_perms; ++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## ++## Relabel files on tmpfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + relabel_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## -@@ -4105,7 +5368,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4066,33 +5329,161 @@ interface(`fs_tmpfs_filetrans',` type tmpfs_t; ') -- dontaudit $1 tmpfs_t:file rw_file_perms; -+ dontaudit $1 tmpfs_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -4165,6 +5428,24 @@ interface(`fs_rw_tmpfs_files',` - - ######################################## - ## -+## Read and write generic tmpfs files. +- allow $2 tmpfs_t:filesystem associate; +- filetrans_pattern($1, tmpfs_t, $2, $3, $4) ++ allow $2 tmpfs_t:filesystem associate; ++ filetrans_pattern($1, tmpfs_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Do not audit attempts to getattr ++## generic tmpfs files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`fs_rw_inherited_tmpfs_files',` ++interface(`fs_dontaudit_getattr_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:file { read write }; ++ dontaudit $1 tmpfs_t:file getattr; +') + +######################################## +## - ## Read tmpfs link files. - ## - ## -@@ -4202,7 +5483,7 @@ interface(`fs_rw_tmpfs_chr_files',` - - ######################################## - ## --## dontaudit Read and write character nodes on tmpfs filesystems. 
-+## Do not audit attempts to read and write character nodes on tmpfs filesystems. - ## - ## - ## -@@ -4221,6 +5502,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` - - ######################################## - ## -+## Do not audit attempts to create character nodes on tmpfs filesystems. ++## Do not audit attempts to read or write ++## generic tmpfs files. +## +## +## @@ -20751,60 +20448,54 @@ index 8416beb..440c63f 100644 +## +## +# -+interface(`fs_dontaudit_create_tmpfs_chr_dev',` ++interface(`fs_dontaudit_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ dontaudit $1 tmpfs_t:chr_file create; ++ dontaudit $1 tmpfs_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. ++## Create, read, write, and delete ++## auto moutpoints. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`fs_dontaudit_read_tmpfs_blk_dev',` ++interface(`fs_manage_auto_mountpoints',` + gen_require(` -+ type tmpfs_t; ++ type autofs_t; + ') + -+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; ++ allow $1 autofs_t:dir manage_dir_perms; +') + +######################################## +## -+## Do not audit attempts to read files on tmpfs filesystems. ++## Read generic tmpfs files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`fs_dontaudit_read_tmpfs_files',` ++interface(`fs_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ dontaudit $1 tmpfs_t:blk_file read; ++ read_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## - ## Relabel character nodes on tmpfs filesystems. - ## - ## -@@ -4278,6 +5613,44 @@ interface(`fs_relabel_tmpfs_blk_file',` - - ######################################## - ## -+## Relabel sock nodes on tmpfs filesystems. ++## Read and write generic tmpfs files. +## +## +## 
@@ -20812,18 +20503,17 @@ index 8416beb..440c63f 100644 +## +## +# -+interface(`fs_relabel_tmpfs_sock_file',` ++interface(`fs_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:dir list_dir_perms; -+ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) ++ rw_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## -+## Delete generic files in tmpfs directory. ++## Read and write generic tmpfs files. +## +## +## 
@@ -20831,46 +20521,307 @@ index 8416beb..440c63f 100644 +## +## +# -+interface(`fs_delete_tmpfs_files',` ++interface(`fs_rw_inherited_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:dir del_entry_dir_perms; -+ allow $1 tmpfs_t:file_class_set delete_file_perms; ++ allow $1 tmpfs_t:file { read write }; +') + +######################################## +## - ## Read and write, create and delete generic - ## files on tmpfs filesystems. - ## -@@ -4297,6 +5670,25 @@ interface(`fs_manage_tmpfs_files',` - - ######################################## - ## -+## Execute files on a tmpfs filesystem. ++## Read tmpfs link files. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`fs_exec_tmpfs_files',` ++interface(`fs_read_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + -+ exec_files_pattern($1, tmpfs_t, tmpfs_t) -+') -+ -+######################################## -+## - ## Read and write, create and delete symbolic - ## links on tmpfs filesystems. ++ read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to getattr +-## generic tmpfs files. ++## Read and write character nodes on tmpfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_getattr_tmpfs_files',` ++interface(`fs_rw_tmpfs_chr_files',` + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:file getattr; ++ allow $1 tmpfs_t:dir list_dir_perms; ++ rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to read or write +-## generic tmpfs files. ++## Do not audit attempts to read and write character nodes on tmpfs filesystems. 
+ ## + ## + ## +@@ -4100,72 +5491,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` + ## + ## + # +-interface(`fs_dontaudit_rw_tmpfs_files',` ++interface(`fs_dontaudit_use_tmpfs_chr_dev',` + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:file rw_file_perms; ++ dontaudit $1 tmpfs_t:dir list_dir_perms; ++ dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## auto moutpoints. ++## Do not audit attempts to create character nodes on tmpfs filesystems. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_manage_auto_mountpoints',` ++interface(`fs_dontaudit_create_tmpfs_chr_dev',` + gen_require(` +- type autofs_t; ++ type tmpfs_t; + ') + +- allow $1 autofs_t:dir manage_dir_perms; ++ dontaudit $1 tmpfs_t:chr_file create; + ') + + ######################################## + ## +-## Read generic tmpfs files. ++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_read_tmpfs_files',` ++interface(`fs_dontaudit_read_tmpfs_blk_dev',` + gen_require(` + type tmpfs_t; + ') + +- read_files_pattern($1, tmpfs_t, tmpfs_t) ++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; + ') + + ######################################## + ## +-## Read and write generic tmpfs files. ++## Do not audit attempts to read files on tmpfs filesystems. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_rw_tmpfs_files',` ++interface(`fs_dontaudit_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- rw_files_pattern($1, tmpfs_t, tmpfs_t) ++ dontaudit $1 tmpfs_t:blk_file read; + ') + + ######################################## + ## +-## Read tmpfs link files. ++## Relabel character nodes on tmpfs filesystems. 
+ ## + ## + ## +@@ -4173,17 +5564,18 @@ interface(`fs_rw_tmpfs_files',` + ## + ## + # +-interface(`fs_read_tmpfs_symlinks',` ++interface(`fs_relabel_tmpfs_chr_file',` + gen_require(` + type tmpfs_t; + ') + +- read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) ++ allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Read and write character nodes on tmpfs filesystems. ++## Read and write block nodes on tmpfs filesystems. + ## + ## + ## +@@ -4191,37 +5583,37 @@ interface(`fs_read_tmpfs_symlinks',` + ## + ## + # +-interface(`fs_rw_tmpfs_chr_files',` ++interface(`fs_rw_tmpfs_blk_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; +- rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ++ rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## dontaudit Read and write character nodes on tmpfs filesystems. ++## Relabel block nodes on tmpfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_use_tmpfs_chr_dev',` ++interface(`fs_relabel_tmpfs_blk_file',` + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:dir list_dir_perms; +- dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; ++ allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Relabel character nodes on tmpfs filesystems. ++## Relabel sock nodes on tmpfs filesystems. 
+ ## + ## + ## +@@ -4229,18 +5621,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` + ## + ## + # +-interface(`fs_relabel_tmpfs_chr_file',` ++interface(`fs_relabel_tmpfs_sock_file',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; +- relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Read and write block nodes on tmpfs filesystems. ++## Delete generic files in tmpfs directory. + ## + ## + ## +@@ -4248,18 +5640,19 @@ interface(`fs_relabel_tmpfs_chr_file',` + ## + ## + # +-interface(`fs_rw_tmpfs_blk_files',` ++interface(`fs_delete_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir list_dir_perms; +- rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) ++ allow $1 tmpfs_t:dir del_entry_dir_perms; ++ allow $1 tmpfs_t:file_class_set delete_file_perms; + ') + + ######################################## + ## +-## Relabel block nodes on tmpfs filesystems. ++## Read and write, create and delete generic ++## files on tmpfs filesystems. + ## + ## + ## +@@ -4267,32 +5660,31 @@ interface(`fs_rw_tmpfs_blk_files',` + ## + ## + # +-interface(`fs_relabel_tmpfs_blk_file',` ++interface(`fs_manage_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir list_dir_perms; +- relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) ++ manage_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Read and write, create and delete generic +-## files on tmpfs filesystems. ++## Execute files on a tmpfs filesystem. ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_manage_tmpfs_files',` ++interface(`fs_exec_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- manage_files_pattern($1, tmpfs_t, tmpfs_t) ++ exec_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## 
@@ -4407,6 +5799,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20968,7 +20919,7 @@ index 8416beb..440c63f 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6364,82 @@ interface(`fs_unconfined',` +@@ -4912,3 +6364,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -21051,6 +21002,97 @@ index 8416beb..440c63f 100644 + rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) +') + ++######################################## ++## ++## Read and write tracefs_t files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_tracefs_files',` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ rw_files_pattern($1, tracefs_t, tracefs_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete dirs ++## labeled as tracefs_t. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_manage_tracefs_dirs',` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ manage_dirs_pattern($1, tracefs_t, tracefs_t) ++') ++ ++######################################## ++## ++## Mount tracefs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mount_tracefs', ` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ allow $1 tracefs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Remount tracefs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_remount_tracefs', ` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ allow $1 tracefs_t:filesystem remount; ++') ++ ++######################################## ++## ++## Unmount tracefs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_tracefs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ allow $1 tracefs_t:filesystem unmount; ++') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index e7d1738..59c1cb8 100644 
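Review bot: The new-side body of `fs_dontaudit_read_tmpfs_files` silences `tmpfs_t:blk_file read`, which matches neither its name nor its header ("Do not audit attempts to read files on tmpfs filesystems"); a caller using it to quiet file-read denials will still see them, and block-device reads get hidden instead. This appears to be carried over from the old side rather than introduced by the reorder, but it is the text under review, so the rule should become `dontaudit $1 tmpfs_t:file read_file_perms;` (or the interface should be renamed to say blk_file). The header of the neighbouring `fs_dontaudit_read_tmpfs_blk_dev`, "Do not audit attempts to dontaudit read block nodes", has a doubled verb and should read "Do not audit attempts to read block nodes on tmpfs filesystems". The file's interface list continues past the end of this hunk.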
--- a/policy/modules/kernel/filesystem.te @@ -27069,10 +27111,10 @@ index 0000000..15b42ae + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..bca9f3c +index 0000000..270e9a8 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,349 @@ +@@ -0,0 +1,350 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27381,6 +27423,7 @@ index 0000000..bca9f3c + +optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) ++ oddjob_run(unconfined_t, unconfined_r) +') + +optional_policy(` @@ -28285,7 +28328,7 @@ index 76d9f66..7528851 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..0ac21a6 100644 +index fe0c682..d55811f 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -28459,15 +28502,18 @@ index fe0c682..0ac21a6 100644 auth_rw_login_records($1_t) auth_rw_faillog($1_t) -@@ -234,6 +264,7 @@ template(`ssh_server_template', ` +@@ -233,7 +263,10 @@ template(`ssh_server_template', ` + # for sshd subsystems, such as sftp-server. corecmd_getattr_bin_files($1_t) ++ dev_rw_crypto($1_t) ++ domain_interactive_fd($1_t) + domain_dyntrans_type($1_t) files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -241,35 +272,33 @@ template(`ssh_server_template', ` +@@ -241,35 +274,33 @@ template(`ssh_server_template', ` logging_search_logs($1_t) @@ -28514,7 +28560,7 @@ index fe0c682..0ac21a6 100644 ') ######################################## -@@ -292,14 +321,15 @@ template(`ssh_server_template', ` +@@ -292,14 +323,15 @@ template(`ssh_server_template', ` ## User domain for the role ## ## 
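Review bot: `fs_unmount_tracefs` declares `type cgroup_t;` in its `gen_require` while the rule it emits is `allow $1 tracefs_t:filesystem unmount;`, so the interface requires the wrong type; a module that calls it without otherwise requiring `tracefs_t` would be expected to fail at build or load time, and the `cgroup_t` requirement is an unused copy-paste leftover. The require should read `type tracefs_t;`, matching the sibling `fs_mount_tracefs` and `fs_remount_tracefs` right above it. Separately, `fs_rw_tracefs_files` and `fs_manage_tracefs_dirs` hand out write access to the kernel tracing filesystem, which exposes kernel-internal data and lets a writer enable tracepoints, so a one-line comment on each such as `## Intended for tracing/diagnostic daemons only; grants write to the kernel trace interface` would help keep later grants narrow. The `fs_manage_tracefs_dirs` header also appears to carry a stray extra `##` line after its param block compared with its neighbours.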
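Review bot: `dev_rw_crypto($1_t)` is added unconditionally inside `ssh_server_template`, so every server domain instantiated from the template — not only the sshd domain — gains read/write on the crypto device nodes, and `domain_interactive_fd($1_t)` widens the template in the same way. If the motivation is presumably hardware crypto offload for the ssh daemon alone, the grant belongs in the sshd-specific policy or behind an `optional_policy`/tunable with a comment naming the reason, e.g. `# hardware crypto accelerator access for the ssh daemon`. As written there is no comment, so the next reader cannot tell whether the template-wide scope was intended. `ssh_server_template` starts before this hunk and its body continues after it.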
@@ -28531,7 +28577,7 @@ index fe0c682..0ac21a6 100644 ') ############################## -@@ -328,103 +358,56 @@ template(`ssh_role_template',` +@@ -328,103 +360,56 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -28631,12 +28677,12 @@ index fe0c682..0ac21a6 100644 - # transition back to normal privs upon exec - fs_cifs_domtrans($1_ssh_agent_t, $3) - ') -+ userdom_home_manager($1_ssh_agent_t) - +- - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) - ') -- ++ userdom_home_manager($1_ssh_agent_t) + - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) @@ -28645,7 +28691,7 @@ index fe0c682..0ac21a6 100644 ') ######################################## -@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',` +@@ -496,8 +481,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -28674,7 +28720,7 @@ index fe0c682..0ac21a6 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',` +@@ -513,7 +517,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -28683,7 +28729,7 @@ index fe0c682..0ac21a6 100644 ') ######################################## -@@ -605,6 +607,24 @@ interface(`ssh_domtrans',` +@@ -605,6 +609,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -28708,7 +28754,7 @@ index fe0c682..0ac21a6 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',` +@@ -637,7 +659,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -28717,7 +28763,7 @@ index fe0c682..0ac21a6 100644 files_search_pids($1) ') -@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',` +@@ -662,6 +684,42 @@ interface(`ssh_agent_exec',` ######################################## ## 
@@ -28760,7 +28806,7 @@ index fe0c682..0ac21a6 100644 ## Read ssh home directory content ## ## -@@ -701,6 +757,68 @@ interface(`ssh_domtrans_keygen',` +@@ -701,6 +759,68 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -28829,7 +28875,7 @@ index fe0c682..0ac21a6 100644 ## Read ssh server keys ## ## -@@ -714,7 +832,26 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -714,7 +834,26 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -28857,7 +28903,7 @@ index fe0c682..0ac21a6 100644 ') ###################################### -@@ -754,3 +891,151 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +893,151 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -37274,7 +37320,7 @@ index 79a45f6..9926eaf 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..4616101 100644 +index 17eda24..5bee7df 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37385,20 +37431,21 @@ index 17eda24..4616101 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -98,7 +146,11 @@ ifdef(`enable_mls',` +@@ -98,7 +146,12 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; +allow init_t self:capability2 ~{ mac_admin mac_override }; ++allow init_t self:cap_userns all_cap_userns_perms; +allow init_t self:tcp_socket { listen accept }; +allow init_t self:packet_socket create_socket_perms; +allow init_t self:key manage_key_perms; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +160,43 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +161,45 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; 
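Review bot: `allow init_t self:cap_userns all_cap_userns_perms;` grants init_t every user-namespace capability, whereas the two lines immediately above it deliberately withhold `audit_control audit_write sys_module` from `capability` and `mac_admin mac_override` from `capability2`; the new userns rule mirrors neither exclusion. Unless systemd has been observed needing `sys_module` or the audit capabilities inside a user namespace, the narrower `allow init_t self:cap_userns ~{ audit_control audit_write sys_module };` keeps the two rule sets consistent, and the `capability2` exclusions should get the same treatment in the corresponding user-namespace class. A short comment saying which systemd feature triggers the userns capability use would also help, since nothing in the hunk explains it. The init_t self-permission block continues past the end of this hunk.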
@@ -37440,6 +37487,8 @@ index 17eda24..4616101 100644 +files_pid_filetrans(init_t, init_var_run_t, { dir file }) +allow init_t init_var_run_t:dir mounton; +allow init_t init_var_run_t:sock_file relabelto; ++allow init_t init_var_run_t:blk_file getattr; ++allow init_t init_var_run_t:chr_file getattr; + +allow init_t machineid_t:file manage_file_perms; +files_pid_filetrans(init_t, machineid_t, file, "machine-id") @@ -37448,7 +37497,7 @@ index 17eda24..4616101 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +206,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +209,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -37473,7 +37522,7 @@ index 17eda24..4616101 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +230,24 @@ domain_signal_all_domains(init_t) +@@ -139,14 +233,24 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -37499,7 +37548,7 @@ index 17eda24..4616101 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +256,68 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +259,68 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37573,7 +37622,7 @@ index 17eda24..4616101 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +326,264 @@ ifdef(`distro_gentoo',` +@@ -186,29 +329,264 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37847,7 +37896,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -216,7 +591,30 @@ optional_policy(` +@@ -216,7 +594,30 @@ optional_policy(` ') optional_policy(` 
@@ -37879,7 +37928,7 @@ index 17eda24..4616101 100644 ') ######################################## -@@ -225,9 +623,9 @@ optional_policy(` +@@ -225,9 +626,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37891,7 +37940,7 @@ index 17eda24..4616101 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +656,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +659,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37908,7 +37957,7 @@ index 17eda24..4616101 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +681,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +684,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37951,7 +38000,7 @@ index 17eda24..4616101 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +718,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +721,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37963,7 +38012,7 @@ index 17eda24..4616101 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +730,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +733,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -37974,7 +38023,7 @@ index 17eda24..4616101 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +741,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +744,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37984,7 +38033,7 @@ index 17eda24..4616101 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +750,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +753,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37992,7 +38041,7 @@ index 17eda24..4616101 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +757,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +760,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38000,7 +38049,7 @@ index 17eda24..4616101 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +765,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +768,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38018,7 +38067,7 @@ index 17eda24..4616101 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +783,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +786,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -38032,7 +38081,7 @@ index 17eda24..4616101 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +798,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +801,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38046,7 +38095,7 @@ index 17eda24..4616101 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +811,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +814,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38057,7 +38106,7 @@ index 17eda24..4616101 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +824,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +827,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38065,7 +38114,7 @@ index 17eda24..4616101 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +843,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +846,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38089,7 +38138,7 @@ index 17eda24..4616101 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +876,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +879,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38097,7 +38146,7 @@ index 17eda24..4616101 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +910,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +913,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -38108,7 +38157,7 @@ index 17eda24..4616101 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +934,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +937,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38117,7 +38166,7 @@ index 17eda24..4616101 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +949,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +952,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38125,7 +38174,7 @@ index 17eda24..4616101 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +970,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +973,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38133,7 +38182,7 @@ index 17eda24..4616101 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +980,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +983,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38178,7 +38227,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -559,14 +1025,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1028,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38210,7 +38259,7 @@ index 17eda24..4616101 100644 ') ') -@@ -577,6 +1060,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1063,39 @@ ifdef(`distro_suse',` ') ') @@ -38250,7 +38299,7 @@ index 17eda24..4616101 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1105,8 @@ optional_policy(` +@@ -589,6 +1108,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -38259,7 +38308,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -610,6 +1128,7 @@ optional_policy(` +@@ -610,6 +1131,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38267,7 +38316,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -626,6 +1145,17 @@ optional_policy(` +@@ -626,6 +1148,17 @@ optional_policy(` ') optional_policy(` @@ -38285,7 +38334,7 @@ index 17eda24..4616101 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1172,13 @@ optional_policy(` +@@ -642,9 +1175,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38299,7 +38348,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -657,15 +1191,11 @@ optional_policy(` +@@ -657,15 +1194,11 @@ optional_policy(` ') optional_policy(` @@ -38317,7 +38366,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -686,6 +1216,15 @@ optional_policy(` +@@ -686,6 +1219,15 @@ optional_policy(` ') optional_policy(` @@ -38333,7 +38382,7 @@ index 17eda24..4616101 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1265,7 @@ optional_policy(` +@@ -726,6 +1268,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38341,7 +38390,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -743,7 +1283,13 @@ optional_policy(` +@@ -743,7 +1286,13 @@ optional_policy(` ') optional_policy(` @@ -38356,7 +38405,7 @@ index 17eda24..4616101 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1312,10 @@ optional_policy(` +@@ -766,6 +1315,10 @@ optional_policy(` ') optional_policy(` @@ -38367,7 +38416,7 @@ index 17eda24..4616101 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1325,20 @@ optional_policy(` +@@ -775,10 +1328,20 @@ optional_policy(` ') optional_policy(` 
@@ -38388,7 +38437,7 @@ index 17eda24..4616101 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1347,10 @@ optional_policy(` +@@ -787,6 +1350,10 @@ optional_policy(` ') optional_policy(` @@ -38399,7 +38448,7 @@ index 17eda24..4616101 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1372,6 @@ optional_policy(` +@@ -808,8 +1375,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38408,7 +38457,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -818,6 +1380,10 @@ optional_policy(` +@@ -818,6 +1383,10 @@ optional_policy(` ') optional_policy(` @@ -38419,7 +38468,7 @@ index 17eda24..4616101 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1393,12 @@ optional_policy(` +@@ -827,10 +1396,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38432,7 +38481,7 @@ index 17eda24..4616101 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1425,62 @@ optional_policy(` +@@ -857,21 +1428,62 @@ optional_policy(` ') optional_policy(` @@ -38496,7 +38545,7 @@ index 17eda24..4616101 100644 ') optional_policy(` -@@ -887,6 +1496,10 @@ optional_policy(` +@@ -887,6 +1499,10 @@ optional_policy(` ') optional_policy(` @@ -38507,7 +38556,7 @@ index 17eda24..4616101 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1510,218 @@ optional_policy(` +@@ -897,3 +1513,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -39504,7 +39553,7 @@ index c42fbc3..bf211db 100644 + files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock") +') diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index be8ed1e..e336bc1 100644 +index be8ed1e..fa11d0f 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,18 @@ role iptables_roles types iptables_t; 
@@ -39529,10 +39578,11 @@ index be8ed1e..e336bc1 100644 ######################################## # # Iptables local policy -@@ -35,25 +38,32 @@ dontaudit iptables_t self:capability sys_tty_config; +@@ -35,25 +38,33 @@ dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; ++allow iptables_t self:netlink_generic_socket create_socket_perms; +allow iptables_t self:netlink_netfilter_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; @@ -39565,7 +39615,7 @@ index be8ed1e..e336bc1 100644 kernel_use_fds(iptables_t) # needed by ipvsadm -@@ -64,19 +74,23 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,19 +75,23 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -39591,7 +39641,7 @@ index be8ed1e..e336bc1 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +99,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +100,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -39609,7 +39659,7 @@ index be8ed1e..e336bc1 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +115,9 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +116,9 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -39619,7 +39669,7 @@ index be8ed1e..e336bc1 100644 ') optional_policy(` -@@ -110,6 +126,13 @@ optional_policy(` +@@ -110,6 +127,13 @@ optional_policy(` ') optional_policy(` @@ -39633,7 +39683,7 @@ index be8ed1e..e336bc1 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +147,16 @@ optional_policy(` +@@ -124,6 +148,16 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) 
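Review bot: The new `allow iptables_t self:netlink_generic_socket create_socket_perms;` line carries no comment naming which tool in the iptables_t domain opens a generic-netlink socket, while this file does annotate its non-obvious grants (`# needed by ipvsadm` a few lines below). A one-line why-comment above it, e.g. `# <tool that opens a generic netlink socket> (see the AVC this fixes)`, would let the next maintainer retire the rule when that tool changes. The iptables local policy block continues outside this hunk.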
@@ -39650,7 +39700,7 @@ index be8ed1e..e336bc1 100644 ') optional_policy(` -@@ -135,9 +168,9 @@ optional_policy(` +@@ -135,9 +169,9 @@ optional_policy(` ') optional_policy(` @@ -39697,7 +39747,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..8cf7041 100644 +index 73bb3c0..549c41b 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -39798,7 +39848,7 @@ index 73bb3c0..8cf7041 100644 -/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/systemd/libsystemd-shared-231\.so.* -- gen_context(system_u:object_r:lib_t,s0) ++/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.* -- gen_context(system_u:object_r:lib_t,s0) + +/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -48855,10 +48905,10 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a111f4d +index 0000000..8654fdf --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,960 @@ +@@ -0,0 +1,965 @@ +policy_module(systemd, 1.0.0) + +####################################### 
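Review bot: The rewritten file context `/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.*` ends in `\.so.*`, whereas every neighbouring `.so` entry in this file uses `\.so(\.[^/]*)*`; a bare `.*` also crosses `/`, so the pattern would match any path below a directory whose name starts with `libsystemd-shared-N.so`. Suggest `/usr/lib/systemd/libsystemd-shared-[0-9]+\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)`. The generic `/usr/.*\.so(\.[^/]*)*` rule two lines below already yields lib_t, so if this specific entry exists only to win over a more specific `/usr/lib/systemd/...` pattern elsewhere, a short comment saying so would save the next reader the search.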
@@ -49226,6 +49276,8 @@ index 0000000..a111f4d +allow systemd_networkd_t self:udp_socket create_socket_perms; +allow systemd_networkd_t self:rawip_socket create_socket_perms; + ++allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms; ++ +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) @@ -49693,6 +49745,7 @@ index 0000000..a111f4d +# +# systemd_coredump domains +# ++allow systemd_coredump_t self:cap_userns sys_ptrace; + +manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t) +fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file ) @@ -49812,6 +49865,8 @@ index 0000000..a111f4d +# systemd_modules_load domain +# + ++allow systemd_modules_load_t self:capability sys_module; ++ +kernel_dgram_send(systemd_modules_load_t) + +dev_read_sysfs(systemd_modules_load_t) @@ -51234,7 +51289,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..236692c 100644 +index 9dc60c6..420907f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -52240,7 +52295,7 @@ index 9dc60c6..236692c 100644 userdom_change_password_template($1) -@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', ` +@@ -761,82 +1012,113 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -52376,6 +52431,7 @@ index 9dc60c6..236692c 100644 optional_policy(` - quota_dontaudit_getattr_db($1_t) + oddjob_run_mkhomedir($1_t, $1_r) ++ oddjob_run($1_t, $1_r) ') + optional_policy(` 
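Review bot: `allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;` names init_t as the subject but sits in the systemd_networkd_t local-policy section, so anyone auditing what init_t may do will not find it under the init rules. Refpolicy convention is to express such cross-domain access through an interface owned by the target's module (a systemd_networkd interface in systemd.if, called from init.te). Since a socket normally carries the type of the domain that created it, init_t creating a socket labelled systemd_networkd_t is presumably only reachable through an inherited or label-overridden socket; confirming the actual denial would let the permission set be narrowed from `create_netlink_socket_perms` to what is observed. The enclosing networkd policy block continues outside this hunk.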
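Review bot: `allow systemd_coredump_t self:cap_userns sys_ptrace;` is added directly under the section banner with no comment on why a coredump handler needs ptrace capability inside user namespaces (presumably to read /proc state of a crashing process that lives in a container; confirm against the denial that motivated it). Once confirmed, a one-liner such as `# read process state of crashing processes inside user namespaces` above the rule would document the intent. The systemd_coredump policy block continues outside this hunk.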
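Review bot: `allow systemd_modules_load_t self:capability sys_module;` grants the capability to load kernel code as a raw self rule. Refpolicy exposes module loading through `kernel_load_module()`, which carries the related kernel-side permission alongside the capability; if that interface is available in this tree, prefer it so the grant is centralized and recognizable to policy tooling. A comment citing the early-boot need (BZ(1322625) in the changelog) would document why this domain, rather than the insmod domain, needs it.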
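Review bot: `oddjob_run($1_t, $1_r)` is added inside userdom_login_user_template, which every login-capable user domain is built on — including the restricted template that appears further down this file, assuming it still inherits from the login template as in refpolicy — so the grant is wider than the changelog's "selinuxusers and unconfineduser". If oddjob_run() performs a domain transition with role authorization, confirm that guest-style users are meant to receive it; otherwise move the call into the unprivileged and admin templates the bug actually concerns. The template body continues outside this hunk.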
@@ -52389,7 +52445,7 @@ index 9dc60c6..236692c 100644 ') ') -@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1150,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -52402,7 +52458,7 @@ index 9dc60c6..236692c 100644 ############################## # # Local policy -@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1195,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -52554,7 +52610,7 @@ index 9dc60c6..236692c 100644 ') ####################################### -@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1359,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -52592,7 +52648,7 @@ index 9dc60c6..236692c 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1396,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -52666,7 +52722,7 @@ index 9dc60c6..236692c 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1461,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -52677,7 +52733,7 @@ index 9dc60c6..236692c 100644 ') ') -@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1499,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -52688,7 +52744,7 @@ index 9dc60c6..236692c 100644 ') ############################## -@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1517,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; 
@@ -52696,7 +52752,7 @@ index 9dc60c6..236692c 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1528,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -52713,7 +52769,7 @@ index 9dc60c6..236692c 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1545,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -52722,7 +52778,7 @@ index 9dc60c6..236692c 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1564,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -52738,7 +52794,7 @@ index 9dc60c6..236692c 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1583,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -52783,7 +52839,7 @@ index 9dc60c6..236692c 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1626,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -52792,7 +52848,7 @@ index 9dc60c6..236692c 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1635,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -52815,7 +52871,7 @@ index 9dc60c6..236692c 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1685,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -52824,7 +52880,7 @@ index 9dc60c6..236692c 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1695,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -52833,7 +52889,7 @@ index 9dc60c6..236692c 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1709,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -52845,7 +52901,7 @@ index 9dc60c6..236692c 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1723,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -52888,7 +52944,7 @@ index 9dc60c6..236692c 100644 ') optional_policy(` -@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1808,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; 
@@ -52907,7 +52963,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1851,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -52961,7 +53017,7 @@ index 9dc60c6..236692c 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2003,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -52993,7 +53049,7 @@ index 9dc60c6..236692c 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2069,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -53008,7 +53064,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2092,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -53020,7 +53076,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2137,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -53045,7 +53101,7 @@ index 9dc60c6..236692c 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2173,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## 
@@ -53105,7 +53161,7 @@ index 9dc60c6..236692c 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2299,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -53120,7 +53176,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2338,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -53135,7 +53191,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2368,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -53144,7 +53200,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2376,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -53168,7 +53224,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2394,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -53239,7 +53295,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2450,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -53267,7 +53323,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,18 +2470,71 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # 
@@ -53347,7 +53403,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',` +@@ -1891,13 +2542,113 @@ interface(`userdom_read_user_home_content_files',` ## ## # @@ -53464,7 +53520,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2689,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -53473,7 +53529,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2697,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -53486,7 +53542,7 @@ index 9dc60c6..236692c 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2708,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -53495,7 +53551,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2716,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -53564,7 +53620,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2811,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -53574,7 +53630,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2827,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -53599,7 +53655,7 @@ index 9dc60c6..236692c 100644 ######################################## ## -@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2917,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -53608,7 +53664,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2925,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -53632,7 +53688,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2943,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -53648,7 +53704,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3183,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -53706,7 +53762,7 @@ index 9dc60c6..236692c 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3245,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -53715,7 +53771,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3286,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -53741,7 +53797,7 @@ index 9dc60c6..236692c 100644 ######################################## ## -@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3388,27 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user 
@@ -53770,7 +53826,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,6 +3436,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -53798,7 +53854,7 @@ index 9dc60c6..236692c 100644 interface(`userdom_manage_user_tmp_pipes',` gen_require(` type user_tmp_t; -@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3552,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -53820,7 +53876,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3578,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -53842,7 +53898,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3593,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -53865,7 +53921,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3608,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -53926,7 +53982,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3752,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -53951,7 +54007,7 @@ index 9dc60c6..236692c 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3788,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## 
@@ -53994,7 +54050,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3824,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -54032,7 +54088,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3869,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -54062,7 +54118,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3961,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54105,7 +54161,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4020,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54130,7 +54186,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4038,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -54142,7 +54198,7 @@ index 9dc60c6..236692c 100644 ## memory segments. ## ## -@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4049,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -54163,7 +54219,7 @@ index 9dc60c6..236692c 100644 ## memory segments. ## ## -@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4068,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # 
@@ -54178,7 +54234,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4118,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -54187,7 +54243,7 @@ index 9dc60c6..236692c 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4134,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -54221,7 +54277,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4222,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -54248,7 +54304,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4295,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -54264,7 +54320,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4309,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -54336,7 +54392,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',` +@@ -3337,17 +4366,91 @@ interface(`userdom_getattr_all_users',` ## ## # @@ -54431,7 +54487,7 @@ index 9dc60c6..236692c 100644 ## descriptors from any user domains. ## ## -@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4485,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') 
@@ -54474,7 +54530,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4541,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -54535,7 +54591,7 @@ index 9dc60c6..236692c 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4628,1781 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 7869f93..40b3d80 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -19101,7 +19101,7 @@ index 1303b30..f13c532 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..1444c2f 100644 +index 7de3859..e8010ba 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -19454,7 +19454,7 @@ index 7de3859..1444c2f 100644 auth_use_nsswitch(crond_t) logging_send_audit_msgs(crond_t) -@@ -312,41 +264,46 @@ logging_set_loginuid(crond_t) +@@ -312,41 +264,49 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -19476,9 +19476,11 @@ index 7de3859..1444c2f 100644 - allow crond_t cronjob_t:process transition; - allow crond_t cronjob_t:fd use; - allow crond_t cronjob_t:key manage_key_perms; --') -+mta_send_mail(crond_t) -+mta_system_content(cron_spool_t) ++optional_policy(` ++ mta_send_mail(crond_t) ++ mta_filetrans_admin_home_content(crond_t) ++ mta_system_content(cron_spool_t) + ') ifdef(`distro_debian',` + # pam_limits is used @@ -19517,7 +19519,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -354,103 +311,141 @@ optional_policy(` +@@ -354,103 +314,141 @@ optional_policy(` ') optional_policy(` 
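Review bot: `mta_filetrans_admin_home_content(crond_t)` grants the cron daemon itself a name-based transition into admin_home_t; the same call is added for system_cronjob_t in the `-@@ -591,6 +606,7 @@` hunk further down this diff, and the changelog says "crond and cronjob domains", but the cronjob_t hunk is cut off at the end of this chunk so its counterpart cannot be checked here. Since mail for job output is normally written by the MTA the job spawns rather than by crond_t, it is worth confirming from the denial which domain actually creates the file and dropping the grant from any domain that never does. Wrapping the mta calls in `optional_policy(`` is the right correction for the previously unconditional calls.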
@@ -19690,7 +19692,7 @@ index 7de3859..1444c2f 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -19703,7 +19705,7 @@ index 7de3859..1444c2f 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -19711,7 +19713,7 @@ index 7de3859..1444c2f 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t) +@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -19736,7 +19738,7 @@ index 7de3859..1444c2f 100644 auth_use_nsswitch(system_cronjob_t) -@@ -516,20 +517,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -19766,7 +19768,7 @@ index 7de3859..1444c2f 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +546,18 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
@@ -19785,7 +19787,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -551,10 +566,6 @@ optional_policy(` +@@ -551,10 +569,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -19796,7 +19798,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -567,6 +578,10 @@ optional_policy(` +@@ -567,6 +581,10 @@ optional_policy(` ') optional_policy(` @@ -19807,15 +19809,16 @@ index 7de3859..1444c2f 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +606,7 @@ optional_policy(` +@@ -591,6 +609,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) ++ mta_filetrans_admin_home_content(system_cronjob_t) + mta_system_content(system_cron_spool_t) ') optional_policy(` -@@ -598,7 +614,23 @@ optional_policy(` +@@ -598,7 +618,23 @@ optional_policy(` ') optional_policy(` @@ -19839,7 +19842,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -607,7 +639,12 @@ optional_policy(` +@@ -607,7 +643,12 @@ optional_policy(` ') optional_policy(` @@ -19852,7 +19855,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -615,12 +652,27 @@ optional_policy(` +@@ -615,12 +656,27 @@ optional_policy(` ') optional_policy(` @@ -19882,7 +19885,7 @@ index 7de3859..1444c2f 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +680,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
@@ -19916,7 +19919,7 @@ index 7de3859..1444c2f 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +713,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -20794,7 +20797,7 @@ index 3023be7..4f0fe46 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..65e9a4d 100644 +index c91813c..8aececf 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) @@ -21196,8 +21199,11 @@ index c91813c..65e9a4d 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -370,20 +434,19 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms; + + manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) ++manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) -read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) @@ -21217,7 +21223,7 @@ index c91813c..65e9a4d 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +455,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) 
@@ -21238,7 +21244,7 @@ index c91813c..65e9a4d 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +472,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -21250,7 +21256,7 @@ index c91813c..65e9a4d 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +498,12 @@ optional_policy(` +@@ -449,9 +499,12 @@ optional_policy(` ') optional_policy(` @@ -21264,7 +21270,7 @@ index c91813c..65e9a4d 100644 ') optional_policy(` -@@ -467,6 +519,10 @@ optional_policy(` +@@ -467,6 +520,10 @@ optional_policy(` ') optional_policy(` @@ -21275,7 +21281,7 @@ index c91813c..65e9a4d 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +543,6 @@ optional_policy(` +@@ -487,10 +544,6 @@ optional_policy(` # Lpd local policy # @@ -21286,7 +21292,7 @@ index c91813c..65e9a4d 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +561,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -21304,7 +21310,7 @@ index c91813c..65e9a4d 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +590,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) 
@@ -21314,7 +21320,7 @@ index c91813c..65e9a4d 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +599,6 @@ optional_policy(` +@@ -550,7 +600,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -21322,7 +21328,7 @@ index c91813c..65e9a4d 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +615,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21474,7 +21480,7 @@ index c91813c..65e9a4d 100644 ######################################## # -@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +659,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -21482,7 +21488,7 @@ index c91813c..65e9a4d 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +668,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21496,7 +21502,7 @@ index c91813c..65e9a4d 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +680,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21505,7 +21511,7 @@ index c91813c..65e9a4d 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +691,4 @@ optional_policy(` +@@ -773,3 +692,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -25181,10 +25187,10 @@ index 0000000..b3784d8 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..aa290b1 +index 0000000..89f1271 --- /dev/null 
+++ b/dirsrv.te -@@ -0,0 +1,200 @@ +@@ -0,0 +1,203 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25278,6 +25284,9 @@ index 0000000..aa290b1 +files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) +allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; + ++read_files_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t) ++list_dirs_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t) ++ +kernel_read_network_state(dirsrv_t) +kernel_read_system_state(dirsrv_t) +kernel_read_kernel_sysctls(dirsrv_t) @@ -28854,7 +28863,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..73c5573 100644 +index 98072a3..9670e41 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28898,7 +28907,7 @@ index 98072a3..73c5573 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,21 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,23 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28924,10 +28933,12 @@ index 98072a3..73c5573 100644 +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) +sysnet_manage_config(firewalld_t) ++sysnet_relabelfrom_net_conf(firewalld_t) ++sysnet_relabelto_net_conf(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +110,10 @@ optional_policy(` +@@ -95,6 +112,10 @@ optional_policy(` ') optional_policy(` @@ -29256,11 +29267,14 @@ index 5010f04..3b73741 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..addf8a6 100644 +index 92a6479..59a65a4 100644 --- a/fprintd.te 
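Review bot: The pair `sysnet_relabelfrom_net_conf(firewalld_t)` / `sysnet_relabelto_net_conf(firewalld_t)` added after `sysnet_manage_config` lets firewalld change the label of net_conf_t files, and relabelfrom in particular lets it strip net_conf_t from network configuration it did not create and apply any other type it holds relabelto for. If the underlying need is only to restore net_conf_t on files firewalld itself writes, relabelto alone (or a file transition at creation time) would be the narrower grant. Either way a why-comment above the two lines naming which files firewalld relabels would record the intent; the firewalld_t rule block continues outside the hunk.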
+++ b/fprintd.te -@@ -20,23 +20,26 @@ files_type(fprintd_var_lib_t) +@@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t) + # + allow fprintd_t self:capability sys_nice; ++allow fprintd_t self:capability2 wake_alarm; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -29289,7 +29303,7 @@ index 92a6479..addf8a6 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +57,17 @@ optional_policy(` +@@ -54,8 +58,17 @@ optional_policy(` ') ') @@ -37486,10 +37500,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..d750c5c 100644 +index 4eb7041..572b64b 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,150 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,152 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -37577,6 +37591,8 @@ index 4eb7041..d750c5c 100644 +files_dontaudit_search_home(hypervkvp_t) + +fs_getattr_all_fs(hypervkvp_t) ++fs_read_hugetlbfs_files(hypervkvp_t) ++fs_list_hugetlbfs(hypervkvp_t) + +auth_use_nsswitch(hypervkvp_t) + @@ -38616,10 +38632,10 @@ index 0000000..1a30961 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..e3b22a3 +index 0000000..81f38fe --- /dev/null +++ b/ipa.te -@@ -0,0 +1,201 @@ +@@ -0,0 +1,202 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38713,6 +38729,7 @@ index 0000000..e3b22a3 +logging_log_filetrans(ipa_helper_t, ipa_log_t, file) + +kernel_read_system_state(ipa_helper_t) ++kernel_read_network_state(ipa_helper_t) + +corenet_tcp_connect_ldap_port(ipa_helper_t) +corenet_tcp_connect_smbd_port(ipa_helper_t) @@ -38823,14 +38840,16 @@ index 0000000..e3b22a3 +') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 -index 0000000..caf1fe5 +index 0000000..afe4e83 --- /dev/null 
+++ b/ipmievd.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0) + +/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0) + ++/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0) ++ +/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0) diff --git a/ipmievd.if b/ipmievd.if new file mode 100644 @@ -38960,10 +38979,10 @@ index 0000000..e86db54 +') diff --git a/ipmievd.te b/ipmievd.te new file mode 100644 -index 0000000..f8428ca +index 0000000..32d7f6c --- /dev/null +++ b/ipmievd.te -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ +policy_module(ipmievd, 1.0.0) + +######################################## @@ -38992,7 +39011,8 @@ index 0000000..f8428ca +manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t) +files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file }) + -+dev_rw_ipmi_dev(ipmievd_t) ++dev_manage_ipmi_dev(ipmievd_t) ++dev_filetrans_ipmi(ipmievd_t) + +logging_send_syslog_msg(ipmievd_t) + @@ -41394,7 +41414,7 @@ index 3a00b3a..92f125f 100644 +') + diff --git a/kdump.te b/kdump.te -index 715fc21..3cac629 100644 +index 715fc21..9852a07 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -41435,10 +41455,10 @@ index 715fc21..3cac629 100644 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash") ++ ++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -allow kdump_t kdump_etc_t:file read_file_perms; -+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -+ +manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) 
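Review bot: Replacing `dev_rw_ipmi_dev` with `dev_manage_ipmi_dev(ipmievd_t)` plus `dev_filetrans_ipmi(ipmievd_t)` allows create/unlink of the ipmi chr device nodes, but creating a device node also needs the `mknod` capability, and no capability rule for ipmievd_t is visible in this hunk. Confirm the file carries `allow ipmievd_t self:capability mknod;` (or add it), otherwise the new create permission is dead and mknod() will still be denied. If `/usr/libexec/openipmi-helper`, labeled ipmievd_exec_t in the same commit, also loads the ipmi kernel modules before recreating the nodes, a module-loading transition would presumably be needed as well; that is inferred from the helper's name and should be checked against the script. The ipmievd_t block starts and ends outside this hunk.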
@@ -41501,7 +41521,7 @@ index 715fc21..3cac629 100644 kernel_read_system_state(kdumpctl_t) -@@ -71,46 +107,56 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +107,60 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) @@ -41538,6 +41558,10 @@ index 715fc21..3cac629 100644 -miscfiles_read_localization(kdumpctl_t) +optional_policy(` ++ networkmanager_dbus_chat(kdumpctl_t) ++') ++ ++optional_policy(` + gpg_exec(kdumpctl_t) +') @@ -45925,7 +45949,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..9059174 100644 +index be0ab84..6f39336 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -46058,12 +46082,13 @@ index be0ab84..9059174 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +134,55 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) +application_exec_all(logrotate_t) + ++auth_domtrans_chk_passwd(logrotate_t) auth_manage_login_records(logrotate_t) auth_use_nsswitch(logrotate_t) @@ -46120,7 +46145,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -135,16 +197,17 @@ optional_policy(` +@@ -135,16 +198,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -46140,7 +46165,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -170,6 +233,11 @@ optional_policy(` +@@ -170,6 +234,11 @@ optional_policy(` ') optional_policy(` @@ -46152,7 +46177,7 @@ index be0ab84..9059174 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +246,7 @@ optional_policy(` +@@ -178,7 +247,7 @@ optional_policy(` ') optional_policy(` @@ -46161,7 +46186,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -198,17 +266,18 @@ optional_policy(` +@@ -198,17 +267,18 @@ optional_policy(` ') optional_policy(` 
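Review bot: `auth_domtrans_chk_passwd(logrotate_t)` lets any logrotate postrotate script reach the unix_chkpwd helper (and through it the shadow database), and nothing in the hunk records why that is acceptable. The justification rests on the `application_exec_all(logrotate_t)` line just above it: su runs inside logrotate_t with no transition, so su's own chkpwd access does not apply and logrotate_t must carry it. Add a comment so the dependency is visible, e.g. `# scripts run su in logrotate_t (no su_t transition), so unix_chkpwd must be reachable from here`. The logrotate_t rule block continues on both sides of this hunk.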
@@ -46183,7 +46208,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -216,6 +285,14 @@ optional_policy(` +@@ -216,6 +286,14 @@ optional_policy(` ') optional_policy(` @@ -46198,7 +46223,7 @@ index be0ab84..9059174 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +305,50 @@ optional_policy(` +@@ -228,26 +306,50 @@ optional_policy(` ') optional_policy(` @@ -49894,10 +49919,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..0dcf221 +index 0000000..c3fda0f --- /dev/null +++ b/mock.te -@@ -0,0 +1,286 @@ +@@ -0,0 +1,288 @@ +policy_module(mock,1.0.0) + +## @@ -50050,6 +50075,8 @@ index 0000000..0dcf221 +lvm_read_metadata(mock_t) +lvm_getattr_exec_files(mock_t) + ++miscfiles_dontaudit_write_generic_cert_files(mock_t) ++ +userdom_use_user_ptys(mock_t) +userdom_use_user_ttys(mock_t) + @@ -50264,7 +50291,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..7f3c31d 100644 +index d15eb5b..2055876 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -50306,14 +50333,18 @@ index d15eb5b..7f3c31d 100644 logging_send_syslog_msg(modemmanager_t) -@@ -56,3 +63,7 @@ optional_policy(` - udev_read_db(modemmanager_t) - udev_manage_pid_files(modemmanager_t) - ') +@@ -50,6 +57,11 @@ optional_policy(` + optional_policy(` + policykit_dbus_chat(modemmanager_t) + ') + -+optional_policy(` -+ systemd_dbus_chat_logind(modemmanager_t) -+') ++ optional_policy(` ++ systemd_dbus_chat_logind(modemmanager_t) ++ systemd_write_inhibit_pipes(modemmanager_t) ++ ') + ') + + optional_policy(` diff --git a/mojomojo.fc b/mojomojo.fc index 7b827ca..5ee8a0f 100644 --- a/mojomojo.fc @@ -63065,10 +63096,10 @@ index 57c0161..c554eb6 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..7655e0b 100644 +index 5b2cb0d..1ac5cf5 100644 --- a/nut.te 
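Review bot: `miscfiles_dontaudit_write_generic_cert_files(mock_t)` silences every write attempt by mock builds against cert_t, the system CA trust store, and the hunk gives no hint of which benign path produces the noise. The writes stay denied, but a build scriptlet probing or tampering with the trust anchors would now leave no AVC record, which is exactly the event an operator of a shared build host wants logged. Record the triggering path above the line, e.g. `# <tool> opens cert_t files O_RDWR during chroot setup; writes are denied and harmless`, and consider keeping the audit if that path cannot be named. The mock_t block continues outside the hunk.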
+++ b/nut.te -@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0) +@@ -7,154 +7,153 @@ policy_module(nut, 1.3.0) attribute nut_domain; @@ -63182,9 +63213,9 @@ index 5b2cb0d..7655e0b 100644 +allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; -+ -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) ++ +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) @@ -63229,6 +63260,11 @@ index 5b2cb0d..7655e0b 100644 shutdown_domtrans(nut_upsmon_t) ') ++optional_policy(` ++ dbus_system_bus_client(nut_upsmon_t) ++ systemd_dbus_chat_logind(nut_upsmon_t) ++') ++ ######################################## # -# Upsdrvctl local policy @@ -63586,10 +63622,10 @@ index cd29ea8..d01d2c8 100644 ') ') diff --git a/oddjob.fc b/oddjob.fc -index dd1d9ef..fbbe3ff 100644 +index dd1d9ef..c48733a 100644 --- a/oddjob.fc +++ b/oddjob.fc -@@ -1,10 +1,10 @@ +@@ -1,10 +1,12 @@ -/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) @@ -63600,13 +63636,15 @@ index dd1d9ef..fbbe3ff 100644 -/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/bin/oddjob_request -- gen_context(system_u:object_r:oddjob_exec_t,s0) ++ +/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if -index c87bd2a..4c17c99 100644 +index c87bd2a..284e4de 100644 --- a/oddjob.if 
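Review bot: The new optional block gives nut_upsmon_t `dbus_system_bus_client` and `systemd_dbus_chat_logind` with no comment, and a D-Bus `send_msg` grant cannot be narrowed to a single logind method by SELinux, so the policy now permits any logind call from the UPS monitor. That is defensible for a daemon that must request a shutdown when battery runs low, but the intent should be written next to the grant, e.g. `# upsmon talks to logind over the system bus to schedule a shutdown on low battery`. The earlier `shutdown_domtrans(nut_upsmon_t)` block stays as the non-logind path and is worth a word too. The nut_upsmon_t section continues outside this hunk.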
+++ b/oddjob.if @@ -1,4 +1,8 @@ @@ -63718,7 +63756,7 @@ index c87bd2a..4c17c99 100644 ## ## ## -@@ -105,46 +141,71 @@ interface(`oddjob_domtrans_mkhomedir',` +@@ -105,46 +141,96 @@ interface(`oddjob_domtrans_mkhomedir',` # interface(`oddjob_run_mkhomedir',` gen_require(` @@ -63732,25 +63770,48 @@ index c87bd2a..4c17c99 100644 ') -##################################### -+####################################### ++######################################## ## -## Do not audit attempts to read and write -## oddjob fifo files. -+## Execute oddjob in the oddjob domain. ++## Execute the oddjob program in the oddjob domain. ## ## --## + ## -## Domain to not audit. --## -+## -+## Domain allowed to transition. -+## ++## Domain allowed to transition. + ## ## ++## ++## ++## Role allowed access. ++## ++## ++## # -interface(`oddjob_dontaudit_rw_fifo_files',` -- gen_require(` -- type oddjob_t; -- ') ++interface(`oddjob_run',` + gen_require(` + type oddjob_t; + ') + +- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; ++ oddjob_domtrans($1) ++ role $2 types oddjob_t; + ') + +-###################################### ++####################################### + ## +-## Send child terminated signals to oddjob. ++## Execute oddjob in the oddjob domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# +interface(`oddjob_systemctl',` + gen_require(` + type oddjob_unit_file_t; @@ -63761,15 +63822,12 @@ index c87bd2a..4c17c99 100644 + init_reload_services($1) + allow $1 oddjob_unit_file_t:file read_file_perms; + allow $1 oddjob_unit_file_t:service manage_service_perms; - -- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; ++ + ps_process_pattern($1, oddjob_t) - ') - --###################################### ++') ++ +######################################## - ## --## Send child terminated signals to oddjob. ++## +## Create a domain which can be started by init, +## with a range transition. ## 
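Review bot: The new `oddjob_run()` interface puts a user-invoked client into oddjob_t via `oddjob_domtrans($1)` and `role $2 types oddjob_t;`, and the matching .fc hunk labels `/usr/bin/oddjob_request` with the daemon's type oddjob_exec_t, so anyone granted the interface runs the request client with every permission the oddjobd daemon holds. A D-Bus client does not need the daemon's domain; the narrower design is a separate client exec type and domain (or simply letting the caller execute the client in its own domain and `oddjob_dbus_chat` with the daemon), so the daemon's privileges stay with the daemon. If a shared domain is intentional, the interface description should say so rather than reading as a plain "execute oddjob".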
@@ -79207,7 +79265,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..8e08251 100644 +index 618dcfe..9f36ed5 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) @@ -79269,7 +79327,7 @@ index 618dcfe..8e08251 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,174 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # @@ -79504,6 +79562,10 @@ index 618dcfe..8e08251 100644 optional_policy(` - files_rw_var_files(puppet_t) ++ networkmanager_dbus_chat(puppetagent_t) ++') ++ ++optional_policy(` + firewalld_dbus_chat(puppetagent_t) +') @@ -79514,28 +79576,28 @@ index 618dcfe..8e08251 100644 + portage_domtrans(puppetagent_t) + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) - ') - - optional_policy(` -- unconfined_domain(puppet_t) ++') ++ ++optional_policy(` + files_rw_var_files(puppetagent_t) + + rpm_domtrans(puppetagent_t) + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) ++') ++ ++optional_policy(` ++ shorewall_domtrans(puppetagent_t) + ') + + optional_policy(` +- unconfined_domain(puppet_t) ++ unconfined_domain_noaudit(puppetagent_t) ') optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -+ shorewall_domtrans(puppetagent_t) -+') -+ -+optional_policy(` -+ unconfined_domain_noaudit(puppetagent_t) -+') -+ -+optional_policy(` + shorewall_domtrans(puppet_t) ') 
@@ -79556,7 +79618,7 @@ index 618dcfe..8e08251 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +240,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) @@ -79564,7 +79626,7 @@ index 618dcfe..8e08251 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +249,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) @@ -79580,7 +79642,7 @@ index 618dcfe..8e08251 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +259,48 @@ optional_policy(` +@@ -246,38 +263,48 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -79645,7 +79707,7 @@ index 618dcfe..8e08251 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +312,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +316,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -79676,7 +79738,7 @@ index 618dcfe..8e08251 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +338,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +342,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -79713,7 +79775,7 @@ index 618dcfe..8e08251 100644 ') optional_policy(` -@@ -342,3 +371,9 @@ optional_policy(` +@@ -342,3 +375,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -83706,10 +83768,10 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') 
diff --git a/raid.te b/raid.te -index c99753f..c7b77bc 100644 +index c99753f..357db0b 100644 --- a/raid.te +++ b/raid.te -@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t; +@@ -15,54 +15,103 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -83798,6 +83860,7 @@ index c99753f..c7b77bc 100644 +dev_read_kvm(mdadm_t) +dev_read_mei(mdadm_t) +dev_read_nvram(mdadm_t) ++dev_read_nvme(mdadm_t) +dev_read_generic_files(mdadm_t) +dev_read_generic_usb_dev(mdadm_t) +dev_read_urand(mdadm_t) @@ -83821,7 +83884,7 @@ index c99753f..c7b77bc 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -71,15 +120,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -83848,7 +83911,7 @@ index c99753f..c7b77bc 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +148,38 @@ optional_policy(` +@@ -90,17 +149,38 @@ optional_policy(` ') optional_policy(` @@ -84067,10 +84130,10 @@ index 0000000..d57006d +') diff --git a/rasdaemon.te b/rasdaemon.te new file mode 100644 -index 0000000..6731d5c +index 0000000..dcdca44 --- /dev/null +++ b/rasdaemon.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,51 @@ +policy_module(rasdaemon, 1.0.0) + +######################################## @@ -84107,6 +84170,11 @@ index 0000000..6731d5c +dev_read_urand(rasdaemon_t) +dev_rw_cpu_microcode(rasdaemon_t) + ++fs_rw_tracefs_files(rasdaemon_t) ++fs_manage_tracefs_dirs(rasdaemon_t) ++fs_mount_tracefs(rasdaemon_t) ++fs_unmount_tracefs(rasdaemon_t) ++ +modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 + +auth_use_nsswitch(rasdaemon_t) @@ -86176,10 +86244,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..bc62d96 100644 +index 47de2d6..aa2272c 100644 
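Review bot: `fs_mount_tracefs(rasdaemon_t)` and `fs_unmount_tracefs(rasdaemon_t)` only work if the domain also holds the `sys_admin` capability that mount(2) requires, and no capability rule is visible in this hunk. If rasdaemon_t does not already have it, either add `allow rasdaemon_t self:capability sys_admin;` or drop the two mount interfaces and keep only `fs_rw_tracefs_files` / `fs_manage_tracefs_dirs`, relying on tracefs being mounted by the system; the narrower option is preferable for a daemon that only consumes trace events. The rasdaemon_t block continues outside the hunk.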
--- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,96 @@ +@@ -1,31 +1,101 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -86253,12 +86321,16 @@ index 47de2d6..bc62d96 100644 +/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) + +/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++/usr/lib/systemd/system/corosync-qnetd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++/usr/lib/systemd/system/corosync-qdevice.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++ +/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) +/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) + +/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/bin/corosync-qnetd -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) @@ -86268,6 +86340,7 @@ index 47de2d6..bc62d96 100644 +/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/share/corosync/corosync-qdevice -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0) 
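Review bot: `/usr/bin/corosync-qnetd` is now labeled cluster_exec_t, so qnetd, presumably the network-facing side of the qdevice arrangement (the qdevice entry below being the node side), runs in the same cluster_t domain as corosync, pacemaker and the fencing helpers and inherits whatever that shared domain can do; its rules are outside this hunk, so the breadth is inferred from the number of binaries already sharing it. A process that takes input from other hosts is the one to isolate; a dedicated qnetd domain would keep a fault in the listener away from cluster-management privileges. At minimum a comment beside the line should record that sharing cluster_t with a network-facing service was deliberate.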
@@ -97572,10 +97645,10 @@ index 0000000..7a058a8 +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 0000000..8666aec +index 0000000..f6e5b0f --- /dev/null +++ b/sbd.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,52 @@ +policy_module(sbd, 1.0.0) + +######################################## @@ -97601,6 +97674,7 @@ index 0000000..8666aec +allow sbd_t self:process { fork setsched signal_perms }; +allow sbd_t self:fifo_file rw_fifo_file_perms; +allow sbd_t self:unix_stream_socket create_stream_socket_perms; ++allow sbd_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) +manage_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) @@ -97608,6 +97682,8 @@ index 0000000..8666aec +files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file }) + +kernel_read_system_state(sbd_t) ++kernel_dgram_send(sbd_t) ++kernel_rw_kernel_sysctl(sbd_t) + +dev_read_rand(sbd_t) +dev_write_watchdog(sbd_t) @@ -97618,6 +97694,8 @@ index 0000000..8666aec + +miscfiles_read_localization(sbd_t) + ++logging_send_syslog_msg(sbd_t) ++ +optional_policy(` + rhcs_rw_cluster_tmpfs(sbd_t) + rhcs_stream_connect_cluster(sbd_t) @@ -104403,7 +104481,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..864ea2f 100644 +index 2d8db1f..a28dfe7 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) 
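Review bot: `kernel_rw_kernel_sysctl(sbd_t)` grants write access to the whole sysctl_kernel_t type, i.e. everything under /proc/sys/kernel without a more specific label, which in the base policy's genfs labeling covers entries like core_pattern whose write is root-equivalent (worth confirming against kernel.te), not just whatever value sbd actually tunes. If sbd writes a single knob, the narrower course is `kernel_read_kernel_sysctls(sbd_t)` plus a targeted rule for that file; if the broad grant is unavoidable, the line should at least carry `# sbd writes /proc/sys/kernel/<knob>` so the next reviewer can check it. The sbd_t block continues outside the hunk.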
@@ -104425,7 +104503,7 @@ index 2d8db1f..864ea2f 100644 # -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; ++allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:capability2 block_suspend; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; allow sssd_t self:fifo_file rw_fifo_file_perms; @@ -104449,7 +104527,7 @@ index 2d8db1f..864ea2f 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +69,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +69,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -104468,10 +104546,11 @@ index 2d8db1f..864ea2f 100644 +corenet_tcp_connect_kerberos_password_port(sssd_t) +corenet_tcp_connect_smbd_port(sssd_t) +corenet_tcp_connect_http_port(sssd_t) ++corenet_tcp_connect_http_cache_port(sssd_t) corecmd_exec_bin(sssd_t) -@@ -83,28 +86,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +87,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -104512,7 +104591,7 @@ index 2d8db1f..864ea2f 100644 init_read_utmp(sssd_t) -@@ -112,18 +123,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +124,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -113203,7 +113282,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..cd95400 100644 +index f03dcf5..25d26d4 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ 
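Review bot: `ipc_lock` is added to the sssd_t capability set with no comment, as is `corenet_tcp_connect_http_cache_port(sssd_t)` further down, and neither line says what the daemon does with it. If ipc_lock is for mlock()ing buffers that hold credentials it is a hardening gain that deserves saying, e.g. `# ipc_lock: sssd locks credential buffers so they are not swapped out`; if it is for something else, that reason belongs there instead. The capability line is the first place a reviewer looks to judge a domain's reach, so undocumented additions accumulate. The sssd_t block continues outside the hunk.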
@@ -114215,7 +114294,7 @@ index f03dcf5..cd95400 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +707,332 @@ optional_policy(` +@@ -746,44 +707,335 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -114279,6 +114358,8 @@ index f03dcf5..cd95400 100644 + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) + ++append_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t) ++ + +# Allow virtlogd to look at /proc/$PID/status +# to authenticate the connecting libvirtd @@ -114387,9 +114468,10 @@ index f03dcf5..cd95400 100644 +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) ++dev_rw_dri(virt_domain) + +domain_use_interactive_fds(virt_domain) -+ + +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) @@ -114445,7 +114527,7 @@ index f03dcf5..cd95400 100644 + sssd_dontaudit_read_lib(virt_domain) + sssd_dontaudit_read_public_files(virt_domain) +') - ++ +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) @@ -114570,7 +114652,7 @@ index f03dcf5..cd95400 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1043,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1046,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -114597,7 +114679,7 @@ index f03dcf5..cd95400 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1063,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1066,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -114631,7 +114713,7 @@ index f03dcf5..cd95400 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1100,20 @@ optional_policy(` +@@ -856,14 +1103,20 @@ optional_policy(` ') optional_policy(` 
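Review bot: `append_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t)` in the second hunk gives the log daemon append access to every file labelled svirt_image_t, and the hunk does not say which files virtlogd actually needs to write. As far as I know svirt_image_t is the label carried by guest disk images as well as other per-guest files qemu creates, so a daemon whose job is collecting console output would now also be able to append to VM images; if its real target is a console or log file, giving that file its own type (virt_log_t, which the `manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)` rule two lines above already covers, or a new one) would keep disk images out of reach. At minimum a comment such as `# virtlogd appends to <WHICH_FILES> labelled svirt_image_t — confirm` would record the intent.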
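Review bot: `dev_rw_dri(virt_domain)` in the third hunk is unconditional: every domain carrying the virt_domain attribute, i.e. every confined guest, gets read/write access to the host's DRI device nodes, which hands the DRM driver's ioctl surface to guests that were never meant to do GPU work. The changelog motivates it with openCL calculations (BZ(1337333)), which is a per-deployment choice, and this file already wraps such optional access in booleans — see the virt_use_nfs tunable_policy block later in this patch — so the same shape fits here and lets administrators who do not run GPU workloads in guests leave the access off. I would declare a new boolean with gen_tunable and move the rule into a tunable_policy block keyed on it, e.g. `tunable_policy(<NEW_BOOLEAN>, dev_rw_dri(virt_domain))` in the file's m4 quoting style, with the boolean's purpose documented in its gen_tunable comment header.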
@@ -114653,7 +114735,7 @@ index f03dcf5..cd95400 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1138,66 @@ optional_policy(` +@@ -888,49 +1141,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -114738,7 +114820,7 @@ index f03dcf5..cd95400 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1209,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1212,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -114758,7 +114840,7 @@ index f03dcf5..cd95400 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1230,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1233,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -114782,7 +114864,7 @@ index f03dcf5..cd95400 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1255,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1258,355 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115279,7 +115361,7 @@ index f03dcf5..cd95400 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1616,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1619,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115294,7 +115376,7 @@ index f03dcf5..cd95400 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1634,7 @@ optional_policy(` +@@ -1192,7 +1637,7 @@ optional_policy(` ######################################## # 
@@ -115303,7 +115385,7 @@ index f03dcf5..cd95400 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1643,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1646,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 313bdb5..a7a4b7a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 207%{?dist} +Release: 208%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -648,6 +648,52 @@ exit 0 %endif %changelog +* Fri Aug 12 2016 Lukas Vrabec 3.13.1-208 +- Allow cups_config_t domain also mange sock_files. BZ(1361299) +- Add wake_alarm capability to fprintd domain BZ(1362430) +- Allow firewalld_t to relabel net_conf_t files. BZ(1365178) +- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802) +- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333) +- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173) +- Dontaudit mock to write to generic certs. +- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t +- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" +- Merge pull request #144 from rhatdan/modemmanager +- Allow modemmanager to write to systemd inhibit pipes +- Label corosync-qnetd and corosync-qdevice as corosync_t domain +- Allow ipa_helper to read network state +- Label oddjob_reqiest as oddjob_exec_t +- Add interface oddjob_run() +- Allow modemmanager chat with systemd_logind via dbus +- Allow NetworkManager chat with puppetagent via dbus +- Allow NetworkManager chat with kdumpctl via dbus +- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. +- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t +- Allow rasdaemon to use tracefs filesystem +- Fix typo bug in dirsrv policy +- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. +- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t +- Allow dirsrv to read dirsrv_share_t content +- Allow virtlogd_t to append svirt_image_t files. +- Allow hypervkvp domain to read hugetlbfs dir/files. 
+- Allow mdadm daemon to read nvme_device_t blk files +- Allow systemd_resolved to connect on system bus. BZ(1366334) +- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344) +- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625) +- label tcp/udp port 853 as dns_port_t. BZ(1365609) +- Merge pull request #145 from rhatdan/init +- systemd is doing a gettattr on blk and chr devices in /run +- Allow selinuxusers and unconfineduser to run oddjob_request +- Allow sshd server to acces to Crypto Express 4 (CEX4) devices. +- Fix typo in device interfaces +- Add interfaces for managing ipmi devices +- Add interfaces to allow mounting/umounting tracefs filesystem +- Add interfaces to allow rw tracefs filesystem +- Merge branch 'rawhide-base' of github.com:fedora-selinux/selinux-policy into rawhide-base +- Merge pull request #138 from rhatdan/userns +- Allow iptables to creating netlink generic sockets. +- Fix filecontext for systemd shared lib. + * Thu Aug 04 2016 Lukas Vrabec 3.13.1-207 - Fix filesystem inteface file, we don't have nsfs_fs_t type, just nsfs_t