From 397c1e2d5c5d57d53e9fbd72dc74331ca1d69f47 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 04 2011 23:41:02 +0000 Subject: - Add /var/run/lock /var/lock definition to file_contexts.subs - nslcd_t is looking for kerberos cc files - SSH_USE_STRONG_RNG is 1 which requires /dev/random - Fix auth_rw_faillog definition - Allow sysadm_t to set attributes on fixed disks - allow user domains to execute lsof and look at application sockets - prelink_cron job calls telinit -u if init is rewritten - Fixes to run qemu_t from staff_t --- diff --git a/file_contexts.subs b/file_contexts.subs index 7499c75..f8d0cb3 100644 --- a/file_contexts.subs +++ b/file_contexts.subs @@ -1,2 +1,3 @@ /run /var/run /run/lock /var/lock +/var/run/lock /var/lock diff --git a/policy-F16.patch b/policy-F16.patch index 2e87799..ca4da59 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1476,7 +1476,7 @@ index c633aea..d1e56f6 100644 ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..f30119e 100644 +index af55369..2718561 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1561,7 +1561,7 @@ index af55369..f30119e 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,7 +163,7 @@ optional_policy(` +@@ -148,17 +163,26 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) @@ -1570,7 +1570,11 @@ index af55369..f30119e 100644 libs_exec_ld_so(prelink_cron_system_t) -@@ -158,7 +173,14 @@ optional_policy(` + logging_search_logs(prelink_cron_system_t) + ++ init_stream_connect(prelink_cron_system_t) ++ + miscfiles_read_localization(prelink_cron_system_t) cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t) @@ -7600,7 +7604,7 @@ index 2ba7787..9f12b51 100644 ') 
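Review bot: The `init_stream_connect(prelink_cron_system_t)` line added in the prelink.te hunk has no comment saying why a cron job needs to talk to init's socket, and the reason exists only in the commit subject. Connecting to init is a sensitive grant for a job that runs as root on a schedule, so the justification should sit next to the rule. I would add `# prelink cron job runs "telinit -u" after init itself has been prelinked` directly above it. The enclosing prelink_cron_system_t block begins outside the hunk.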
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index c2d20a2..be062b9 100644 +index c2d20a2..ae14a7d 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -7662,10 +7666,10 @@ index c2d20a2..be062b9 100644 ') + +optional_policy(` -+ qemu_manage_tmpfs_files(pulseaudio_t) ++ virt_manage_tmpfs_files(pulseaudio_t) +') diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if -index c1d5f50..9e34fbd 100644 +index c1d5f50..6c7a005 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -76,7 +76,7 @@ template(`qemu_domain_template',` @@ -7760,7 +7764,7 @@ index c1d5f50..9e34fbd 100644 # interface(`qemu_run',` gen_require(` -@@ -177,10 +157,6 @@ interface(`qemu_run',` +@@ -177,10 +157,8 @@ interface(`qemu_run',` qemu_domtrans($1) role $2 types qemu_t; @@ -7768,10 +7772,12 @@ index c1d5f50..9e34fbd 100644 - optional_policy(` - samba_run_smb(qemu_t, $2, $3) - ') ++ allow qemu_t $1:process signull; ++ allow $1 qemu_t:process signull; ') ######################################## -@@ -275,6 +251,67 @@ interface(`qemu_domtrans_unconfined',` +@@ -275,6 +253,67 @@ interface(`qemu_domtrans_unconfined',` ######################################## ## @@ -7839,7 +7845,7 @@ index c1d5f50..9e34fbd 100644 ## Manage qemu temporary dirs. ## ## -@@ -308,3 +345,42 @@ interface(`qemu_manage_tmp_files',` +@@ -308,3 +347,22 @@ interface(`qemu_manage_tmp_files',` manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') 
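Review bot: `virt_manage_tmpfs_files(pulseaudio_t)` in the pulseaudio.te hunk gives the sound daemon manage access to the tmpfs files of every virt domain, where read and write on the shared segment is presumably all the audio path needs. The body of the new interface is not in this part of the diff, but the `qemu_manage_tmpfs_files` it replaces granted `manage_file_perms` on the whole attribute, which includes create, unlink, rename and setattr. If the logged denials show only read and write, a narrower interface over `virt_tmpfs_type` granting `rw_file_perms` would stop a compromised pulseaudio_t from replacing or removing guest shared-memory files. The same call is added for staff_t in staff.te, where manage is easier to justify because staff_t launches qemu.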
@@ -7862,28 +7868,8 @@ index c1d5f50..9e34fbd 100644 + + domain_entry_file($1, qemu_exec_t) +') -+ -+######################################## -+## -+## allow domain to manage -+## qemu tmpfs files -+## -+## -+## -+## Domain allowed access -+## -+## -+# -+interface(`qemu_manage_tmpfs_files',` -+ gen_require(` -+ attribute qemu_tmpfs_type; -+ ') -+ -+ allow $1 qemu_tmpfs_type:file manage_file_perms; -+') -+ diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te -index 5ef2f7d..c01d37c 100644 +index 5ef2f7d..13057b7 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true) @@ -7914,17 +7900,21 @@ index 5ef2f7d..c01d37c 100644 corenet_udp_bind_all_ports(qemu_t) corenet_tcp_bind_all_ports(qemu_t) corenet_tcp_connect_all_ports(qemu_t) -@@ -90,10 +91,18 @@ tunable_policy(`qemu_use_usb',` +@@ -90,10 +91,22 @@ tunable_policy(`qemu_use_usb',` ') optional_policy(` - samba_domtrans_smbd(qemu_t) -+ tunable_policy(`qemu_use_cifs',` -+ samba_domtrans_smbd(qemu_t) -+ ') ++ dbus_read_lib_files(qemu_t) ') optional_policy(` ++ tunable_policy(`qemu_use_cifs',` ++ samba_domtrans_smbd(qemu_t) ++ ') ++') ++ ++optional_policy(` + pulseaudio_manage_home_files(qemu_t) + pulseaudio_stream_connect(qemu_t) +') @@ -7934,7 +7924,7 @@ index 5ef2f7d..c01d37c 100644 virt_manage_images(qemu_t) virt_append_log(qemu_t) ') -@@ -102,6 +111,11 @@ optional_policy(` +@@ -102,6 +115,11 @@ optional_policy(` xen_rw_image_files(qemu_t) ') @@ -7946,7 +7936,7 @@ index 5ef2f7d..c01d37c 100644 ######################################## # # Unconfined qemu local policy -@@ -112,6 +126,8 @@ optional_policy(` +@@ -112,6 +130,8 @@ optional_policy(` typealias unconfined_qemu_t alias qemu_unconfined_t; application_type(unconfined_qemu_t) unconfined_domain(unconfined_qemu_t) @@ -10673,7 +10663,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..c4607c9 100644 +index e9313fb..60437ca 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -10947,10 +10937,28 @@ index e9313fb..c4607c9 100644 ## Read hardware state information. ## ## -@@ -3954,6 +4026,24 @@ interface(`dev_rw_sysfs',` +@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',` ######################################## ## ++## Relabel hardware state directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_sysfs_dirs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Allow caller to modify hardware state information. +## +## @@ -10972,7 +10980,7 @@ index e9313fb..c4607c9 100644 ## Read and write the TPM device. ## ## -@@ -4514,6 +4604,24 @@ interface(`dev_rwx_vmware',` +@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',` ######################################## ## @@ -10997,7 +11005,7 @@ index e9313fb..c4607c9 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +4856,23 @@ interface(`dev_unconfined',` +@@ -4748,3 +4874,23 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -12800,7 +12808,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..5da5ee1 100644 +index dfe361a..be9572b 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` 
@@ -12821,13 +12829,13 @@ index dfe361a..5da5ee1 100644 +## +## +# -+interface(`fs_relabelto_cgroup_dirs',` ++interface(`fs_relabel_cgroup_dirs',` + gen_require(` + type cgroup_t; + + ') + -+ relabelto_dirs_pattern($1, cgroup_t, cgroup_t) ++ relabel_dirs_pattern($1, cgroup_t, cgroup_t) +') + +######################################## @@ -13371,11 +13379,11 @@ index dfe361a..5da5ee1 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3989,6 +4334,78 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3772,6 +4117,24 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## -+## dontaudit Read and write block nodes on tmpfs filesystems. ++## Relabel directory on tmpfs filesystems. +## +## +## @@ -13383,53 +13391,24 @@ index dfe361a..5da5ee1 100644 +## +## +# -+interface(`fs_dontaudit_read_tmpfs_blk_dev',` ++interface(`fs_relabel_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + -+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; -+') -+ -+###################################### -+## -+## Allow setattr on directory on tmpfs filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_setattr_tmpfs_dir',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ setattr_dirs_pattern($1, tmpfs_t, tmpfs_t) -+') -+ -+####################################### -+## -+## Create directory on tmpfs filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_create_tmpfs_dir',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ create_dirs_pattern($1, tmpfs_t, tmpfs_t) ++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## -+## Relabelfrom directory on tmpfs filesystems. + ## Create, read, write, and delete + ## tmpfs directories + ## +@@ -3989,6 +4352,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` + + ######################################## + ## ++## dontaudit Read and write block nodes on tmpfs filesystems. +## +## +## 
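Review bot: Renaming `fs_relabelto_cgroup_dirs` to `fs_relabel_cgroup_dirs` also swaps `relabelto_dirs_pattern` for `relabel_dirs_pattern`, so every caller silently gains relabelfrom on cgroup_t directories as well as relabelto. The tmpfs hunk below goes the other way for existing callers: `fs_setattr_tmpfs_dir`, `fs_create_tmpfs_dir` and `fs_relabelfrom_tmpfs_dir` are dropped in favour of a single `fs_relabel_tmpfs_dirs`, which grants neither setattr nor create. The callers are not visible in these hunks, so check that each one was moved to the new name and still gets the access it needs, and keep the narrower relabelto variant if labelling a freshly mounted directory is the only use. As a style point, the blank line after `type cgroup_t;` inside `gen_require` should go.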
@@ -13437,12 +13416,12 @@ index dfe361a..5da5ee1 100644 +## +## +# -+interface(`fs_relabelfrom_tmpfs_dir',` ++interface(`fs_dontaudit_read_tmpfs_blk_dev',` + gen_require(` + type tmpfs_t; + ') + -+ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t) ++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; +') + +######################################## @@ -13450,7 +13429,7 @@ index dfe361a..5da5ee1 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4688,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -13459,7 +13438,7 @@ index dfe361a..5da5ee1 100644 ') ######################################## -@@ -4681,3 +5100,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -14059,7 +14038,7 @@ index 3994e57..a1923fe 100644 + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f3acfee..eceb42d 100644 +index f3acfee..59ea6ae 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` 
@@ -14120,7 +14099,32 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -658,6 +680,25 @@ interface(`term_use_controlling_term',` +@@ -462,6 +484,24 @@ interface(`term_list_ptys',` + + ######################################## + ## ++## Relabel the /dev/pts directory ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`term_relabel_ptys_dirs',` ++ gen_require(` ++ type devpts_t; ++ ') ++ ++ allow $1 devpts_t:dir relabel_dirs_perms; ++') ++ ++######################################## ++## + ## Do not audit attempts to read the + ## /dev/pts directory. + ## +@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',` allow $1 devtty_t:chr_file { rw_term_perms lock append }; ') @@ -14146,7 +14150,7 @@ index f3acfee..eceb42d 100644 ######################################## ## ## Do not audit attempts to get attributes -@@ -842,6 +883,26 @@ interface(`term_use_all_ptys',` +@@ -842,6 +901,26 @@ interface(`term_use_all_ptys',` ######################################## ## @@ -14173,7 +14177,7 @@ index f3acfee..eceb42d 100644 ## Do not audit attempts to read or write any ptys. ## ## -@@ -855,7 +916,7 @@ interface(`term_dontaudit_use_all_ptys',` +@@ -855,7 +934,7 @@ interface(`term_dontaudit_use_all_ptys',` attribute ptynode; ') @@ -14182,7 +14186,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1123,7 +1184,7 @@ interface(`term_relabel_unallocated_ttys',` +@@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',` ') dev_list_all_dev_nodes($1) @@ -14191,7 +14195,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1222,7 +1283,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1222,7 +1301,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') 
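Review bot: The new `term_relabel_ptys_dirs` interface uses `relabel_dirs_perms`, which does not look like a defined permission set: the directory sets in obj_perm_sets.spt are spelled `*_dir_perms`, and only the pattern macros use the plural `dirs`. If the macro is undefined, m4 passes the word through as a literal permission name, and the policy fails to compile the first time the interface is called. The rule should probably read `allow $1 devpts_t:dir relabel_dir_perms;`. Alternatively use `relabel_dirs_pattern($1, devpts_t, devpts_t)` to match `dev_relabel_sysfs_dirs` and `fs_relabel_tmpfs_dirs` added elsewhere in this patch. Confirm against the support macros in this tree.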
@@ -14200,7 +14204,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1238,11 +1299,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1238,11 +1317,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -14214,7 +14218,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1259,10 +1322,12 @@ interface(`term_getattr_all_ttys',` +@@ -1259,10 +1340,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -14227,7 +14231,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1301,7 +1366,7 @@ interface(`term_relabel_all_ttys',` +@@ -1301,7 +1384,7 @@ interface(`term_relabel_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -14236,7 +14240,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1340,7 +1405,27 @@ interface(`term_use_all_ttys',` +@@ -1340,7 +1423,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -14265,7 +14269,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1359,7 +1444,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1359,7 +1462,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -14274,7 +14278,7 @@ index f3acfee..eceb42d 100644 ') ######################################## -@@ -1475,3 +1560,22 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1475,3 +1578,22 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -14423,7 +14427,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..9440b5f 100644 +index 2be17d2..7ccb554 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te 
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) @@ -14475,7 +14479,7 @@ index 2be17d2..9440b5f 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,138 @@ optional_policy(` +@@ -27,25 +63,139 @@ optional_policy(` ') optional_policy(` @@ -14548,6 +14552,7 @@ index 2be17d2..9440b5f 100644 optional_policy(` + qemu_run(staff_t, staff_r) ++ virt_manage_tmpfs_files(staff_t) +') + +optional_policy(` @@ -14616,7 +14621,7 @@ index 2be17d2..9440b5f 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +238,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +239,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -14627,7 +14632,7 @@ index 2be17d2..9440b5f 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +282,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +283,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -14638,7 +14643,7 @@ index 2be17d2..9440b5f 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +313,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +314,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -14647,10 +14652,10 @@ index 2be17d2..9440b5f 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..d721e34 100644 +index 4a8d146..6b0999e 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -24,20 +24,40 @@ ifndef(`enable_mls',` +@@ -24,20 +24,41 @@ ifndef(`enable_mls',` # # Local policy # @@ -14665,6 +14670,8 @@ index 4a8d146..d721e34 100644 mls_process_read_up(sysadm_t) +mls_file_read_to_clearance(sysadm_t) +mls_process_write_to_clearance(sysadm_t) ++ ++storage_setattr_fixed_disk_dev(sysadm_t) ubac_process_exempt(sysadm_t) ubac_file_exempt(sysadm_t) @@ -14677,7 +14684,6 @@ index 4a8d146..d721e34 100644 +init_dbus_chat(sysadm_t) +init_script_role_transition(sysadm_r) + -+ +miscfiles_read_hwdata(sysadm_t) # Add/remove user home directories 
@@ -14691,7 +14697,7 @@ index 4a8d146..d721e34 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,6 +75,7 @@ ifndef(`enable_mls',` +@@ -55,6 +76,7 @@ ifndef(`enable_mls',` logging_manage_audit_log(sysadm_t) logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t, sysadm_r) @@ -14699,7 +14705,7 @@ index 4a8d146..d721e34 100644 ') tunable_policy(`allow_ptrace',` -@@ -69,7 +90,6 @@ optional_policy(` +@@ -69,7 +91,6 @@ optional_policy(` apache_run_helper(sysadm_t, sysadm_r) #apache_run_all_scripts(sysadm_t, sysadm_r) #apache_domtrans_sys_script(sysadm_t) @@ -14707,7 +14713,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -98,6 +118,10 @@ optional_policy(` +@@ -98,6 +119,10 @@ optional_policy(` ') optional_policy(` @@ -14718,7 +14724,7 @@ index 4a8d146..d721e34 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -114,7 +138,7 @@ optional_policy(` +@@ -114,7 +139,7 @@ optional_policy(` ') optional_policy(` @@ -14727,7 +14733,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -124,6 +148,10 @@ optional_policy(` +@@ -124,6 +149,10 @@ optional_policy(` ') optional_policy(` @@ -14738,7 +14744,7 @@ index 4a8d146..d721e34 100644 ddcprobe_run(sysadm_t, sysadm_r) ') -@@ -163,6 +191,13 @@ optional_policy(` +@@ -163,6 +192,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -14752,7 +14758,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -170,15 +205,15 @@ optional_policy(` +@@ -170,15 +206,15 @@ optional_policy(` ') optional_policy(` @@ -14771,7 +14777,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -198,18 +233,12 @@ optional_policy(` +@@ -198,18 +234,12 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) 
@@ -14792,7 +14798,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -225,6 +254,10 @@ optional_policy(` +@@ -225,6 +255,10 @@ optional_policy(` ') optional_policy(` @@ -14803,7 +14809,7 @@ index 4a8d146..d721e34 100644 netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -253,7 +286,7 @@ optional_policy(` +@@ -253,7 +287,7 @@ optional_policy(` ') optional_policy(` @@ -14812,7 +14818,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -265,20 +298,14 @@ optional_policy(` +@@ -265,20 +299,14 @@ optional_policy(` ') optional_policy(` @@ -14834,7 +14840,7 @@ index 4a8d146..d721e34 100644 optional_policy(` rsync_exec(sysadm_t) -@@ -307,7 +334,7 @@ optional_policy(` +@@ -307,7 +335,7 @@ optional_policy(` ') optional_policy(` @@ -14843,7 +14849,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -332,10 +359,6 @@ optional_policy(` +@@ -332,10 +360,6 @@ optional_policy(` ') optional_policy(` @@ -14854,7 +14860,7 @@ index 4a8d146..d721e34 100644 tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -343,19 +366,15 @@ optional_policy(` +@@ -343,19 +367,15 @@ optional_policy(` ') optional_policy(` @@ -14876,7 +14882,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -367,17 +386,14 @@ optional_policy(` +@@ -367,17 +387,14 @@ optional_policy(` ') optional_policy(` @@ -14896,7 +14902,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -389,7 +405,7 @@ optional_policy(` +@@ -389,7 +406,7 @@ optional_policy(` ') optional_policy(` @@ -14905,7 +14911,7 @@ index 4a8d146..d721e34 100644 ') optional_policy(` -@@ -404,8 +420,15 @@ optional_policy(` +@@ -404,8 +421,15 @@ optional_policy(` yam_run(sysadm_t, sysadm_r) ') 
@@ -14921,7 +14927,7 @@ index 4a8d146..d721e34 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -452,5 +475,60 @@ ifndef(`distro_redhat',` +@@ -452,5 +476,60 @@ ifndef(`distro_redhat',` optional_policy(` java_role(sysadm_r, sysadm_t) ') @@ -22798,7 +22804,7 @@ index 35241ed..b6c4cc9 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..9941737 100644 +index f7583ab..220ba1b 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -22940,13 +22946,14 @@ index f7583ab..9941737 100644 files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -203,11 +220,16 @@ files_list_usr(crond_t) +@@ -203,11 +220,17 @@ files_list_usr(crond_t) files_search_var_lib(crond_t) files_search_default(crond_t) +fs_manage_cgroup_dirs(crond_t) +fs_manage_cgroup_files(crond_t) + ++init_read_state(crond_t) init_rw_utmp(crond_t) init_spec_domtrans_script(crond_t) @@ -22957,7 +22964,7 @@ index f7583ab..9941737 100644 logging_send_syslog_msg(crond_t) logging_set_loginuid(crond_t) -@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t) +@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -22968,7 +22975,7 @@ index f7583ab..9941737 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -233,7 +257,7 @@ ifdef(`distro_debian',` +@@ -233,7 +258,7 @@ ifdef(`distro_debian',` ') ') @@ -22977,7 +22984,7 @@ index f7583ab..9941737 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', ` +@@ -250,11 +275,30 @@ tunable_policy(`fcron_crond', ` ') optional_policy(` 
@@ -23008,7 +23015,7 @@ index f7583ab..9941737 100644 amanda_search_var_lib(crond_t) ') -@@ -264,6 +307,8 @@ optional_policy(` +@@ -264,6 +308,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -23017,7 +23024,7 @@ index f7583ab..9941737 100644 ') optional_policy(` -@@ -289,12 +334,18 @@ optional_policy(` +@@ -289,12 +335,18 @@ optional_policy(` udev_read_db(crond_t) ') @@ -23036,7 +23043,7 @@ index f7583ab..9941737 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -306,10 +358,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -23057,7 +23064,7 @@ index f7583ab..9941737 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -329,6 +390,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -23065,7 +23072,7 @@ index f7583ab..9941737 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,9 +402,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) 
@@ -23080,7 +23087,7 @@ index f7583ab..9941737 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -365,6 +431,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -23088,7 +23095,7 @@ index f7583ab..9941737 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +458,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -23096,7 +23103,7 @@ index f7583ab..9941737 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +481,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -23108,7 +23115,7 @@ index f7583ab..9941737 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +508,8 @@ optional_policy(` +@@ -439,6 +509,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -23117,7 +23124,7 @@ index f7583ab..9941737 100644 ') optional_policy(` -@@ -446,6 +517,14 @@ optional_policy(` +@@ -446,6 +518,14 @@ optional_policy(` ') optional_policy(` @@ -23132,7 +23139,7 @@ index f7583ab..9941737 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,15 +535,24 @@ optional_policy(` +@@ -456,15 +536,24 @@ optional_policy(` ') optional_policy(` 
@@ -23157,7 +23164,7 @@ index f7583ab..9941737 100644 ') optional_policy(` -@@ -480,7 +568,7 @@ optional_policy(` +@@ -480,7 +569,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -23166,7 +23173,7 @@ index f7583ab..9941737 100644 ') optional_policy(` -@@ -495,6 +583,7 @@ optional_policy(` +@@ -495,6 +584,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -23174,7 +23181,7 @@ index f7583ab..9941737 100644 ') optional_policy(` -@@ -502,7 +591,13 @@ optional_policy(` +@@ -502,7 +592,13 @@ optional_policy(` ') optional_policy(` @@ -23188,7 +23195,7 @@ index f7583ab..9941737 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +691,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -31109,7 +31116,7 @@ index 256166a..15daf47 100644 /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..2f948ad 100644 +index 343cee3..3d7edf0 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -31123,7 +31130,15 @@ index 343cee3..2f948ad 100644 gen_require(` attribute user_mail_domain; type sendmail_exec_t; -@@ -158,6 +158,7 @@ template(`mta_base_mail_template',` +@@ -104,6 +104,7 @@ template(`mta_base_mail_template',` + + optional_policy(` + postfix_domtrans_user_mail_handler($1_mail_t) ++ postfix_rw_master_pipes($1_mail_t) + ') + + optional_policy(` +@@ -158,6 +159,7 @@ template(`mta_base_mail_template',` ## User domain for the role ## ## 
@@ -31131,7 +31146,7 @@ index 343cee3..2f948ad 100644 # interface(`mta_role',` gen_require(` -@@ -169,7 +170,7 @@ interface(`mta_role',` +@@ -169,7 +171,7 @@ interface(`mta_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, sendmail_exec_t, user_mail_t) @@ -31140,7 +31155,7 @@ index 343cee3..2f948ad 100644 allow mta_user_agent $2:fd use; allow mta_user_agent $2:process sigchld; -@@ -220,6 +221,25 @@ interface(`mta_agent_executable',` +@@ -220,6 +222,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -31166,7 +31181,7 @@ index 343cee3..2f948ad 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,7 +326,6 @@ interface(`mta_mailserver_sender',` +@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -31174,7 +31189,7 @@ index 343cee3..2f948ad 100644 ') typeattribute $1 mailserver_delivery; -@@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',` +@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -31187,7 +31202,7 @@ index 343cee3..2f948ad 100644 ') ######################################## -@@ -350,9 +363,8 @@ interface(`mta_mailserver_user_agent',` +@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` @@ -31198,7 +31213,7 @@ index 343cee3..2f948ad 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -362,6 +374,10 @@ interface(`mta_send_mail',` +@@ -362,6 +375,10 @@ interface(`mta_send_mail',` allow mta_user_agent $1:fd use; allow mta_user_agent $1:process sigchld; allow mta_user_agent $1:fifo_file rw_fifo_file_perms; 
@@ -31209,7 +31224,7 @@ index 343cee3..2f948ad 100644 ') ######################################## -@@ -391,12 +407,15 @@ interface(`mta_send_mail',` +@@ -391,12 +408,15 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -31227,7 +31242,7 @@ index 343cee3..2f948ad 100644 ') ######################################## -@@ -409,7 +428,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -31235,7 +31250,7 @@ index 343cee3..2f948ad 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +438,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -31260,7 +31275,7 @@ index 343cee3..2f948ad 100644 ## Execute sendmail in the caller domain. ## ## -@@ -474,7 +510,8 @@ interface(`mta_write_config',` +@@ -474,7 +511,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -31270,7 +31285,7 @@ index 343cee3..2f948ad 100644 ') ######################################## -@@ -552,7 +589,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +590,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -31279,7 +31294,7 @@ index 343cee3..2f948ad 100644 ') ####################################### -@@ -646,8 +683,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -31290,7 +31305,7 @@ index 343cee3..2f948ad 100644 ') ####################################### -@@ -697,8 +734,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +735,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; 
@@ -31301,7 +31316,7 @@ index 343cee3..2f948ad 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +875,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -31310,7 +31325,7 @@ index 343cee3..2f948ad 100644 ') ######################################## -@@ -899,3 +936,50 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -32958,7 +32973,7 @@ index 23c769c..be5a5b4 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te -index 4e28d58..5b9cf6d 100644 +index 4e28d58..1835068 100644 --- a/policy/modules/services/nslcd.te +++ b/policy/modules/services/nslcd.te @@ -16,7 +16,7 @@ type nslcd_var_run_t; @@ -32979,11 +32994,12 @@ index 4e28d58..5b9cf6d 100644 allow nslcd_t self:unix_stream_socket create_stream_socket_perms; allow nslcd_t nslcd_conf_t:file read_file_perms; -@@ -37,9 +37,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) +@@ -37,9 +37,13 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir }) kernel_read_system_state(nslcd_t) files_read_etc_files(nslcd_t) +files_read_usr_symlinks(nslcd_t) ++files_list_tmp(nslcd_t) auth_use_nsswitch(nslcd_t) @@ -35243,7 +35259,7 @@ index 55e62d2..6082184 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..9b8c3eb 100644 +index 46bee12..37bd751 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` 
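Review bot: `files_list_tmp(nslcd_t)` in the nslcd.te hunk lets the daemon enumerate every name in /tmp, which is more than looking for a Kerberos credential cache requires if the cache is opened by its known path. In that case `files_search_tmp(nslcd_t)` is enough, and if nslcd does not actually need the cache, `files_dontaudit_list_tmp(nslcd_t)` silences the probe without granting anything. Confirm from the AVC whether the denied permission was `read` or only `search` on the tmp directory. A short comment such as `# looks for kerberos credential cache files in /tmp` would also record the reason, which at present is only in the commit subject.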
@@ -35345,7 +35361,7 @@ index 46bee12..9b8c3eb 100644 + type postfix_master_t; + ') + -+ allow $1 postfix_master_t:fifo_file rw_fifo_file_perms; ++ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## @@ -36489,7 +36505,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..2a70dd1 100644 +index 29b9295..609ff86 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -36538,17 +36554,18 @@ index 29b9295..2a70dd1 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -128,6 +137,10 @@ optional_policy(` - ') - - optional_policy(` -+ nagios_search_spool(procmail_t) +@@ -125,6 +134,11 @@ optional_policy(` + postfix_read_spool_files(procmail_t) + postfix_read_local_state(procmail_t) + postfix_read_master_state(procmail_t) ++ postfix_rw_master_pipes(procmail_t) +') + +optional_policy(` - pyzor_domtrans(procmail_t) - pyzor_signal(procmail_t) ++ nagios_search_spool(procmail_t) ') + + optional_policy(` diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if index bc329d1..0589f97 100644 --- a/policy/modules/services/psad.if @@ -42103,7 +42120,7 @@ index 22adaca..68ad7a7 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..594aa01 100644 +index 2dad3c8..efa5535 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) 
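Review bot: The interface touched in the postfix.if hunk now grants `rw_inherited_fifo_file_perms` on postfix_master_t pipes, which as far as I know omits open, yet the procmail.te hunk below calls it under the unchanged name `postfix_rw_master_pipes`. A caller reading that name would expect a full read/write grant, so either rename it to something like `postfix_rw_inherited_master_pipes` or state in its summary that only descriptors inherited from the master process are covered. The narrowing itself is the safer choice for procmail_t. The interface header and its doc block start outside this hunk, so the current summary text could not be checked.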
@@ -42432,7 +42449,7 @@ index 2dad3c8..594aa01 100644 ') dnl endif TODO ######################################## -@@ -322,14 +369,19 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +369,25 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -42453,7 +42470,13 @@ index 2dad3c8..594aa01 100644 kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -353,7 +405,7 @@ logging_send_syslog_msg(ssh_keygen_t) + + dev_read_sysfs(ssh_keygen_t) ++dev_read_rand(ssh_keygen_t) + dev_read_urand(ssh_keygen_t) + + term_dontaudit_use_console(ssh_keygen_t) +@@ -353,7 +406,7 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -43618,10 +43641,10 @@ index 2124b6a..6546d6e 100644 /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..d885f6b 100644 +index 7c5d8d8..9b24cb5 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if -@@ -13,14 +13,14 @@ +@@ -13,14 +13,15 @@ # template(`virt_domain_template',` gen_require(` @@ -43629,6 +43652,7 @@ index 7c5d8d8..d885f6b 100644 - attribute virt_image_type; - attribute virt_domain; + attribute virt_image_type, virt_domain; ++ attribute virt_tmpfs_type; ') type $1_t, virt_domain; @@ -43639,7 +43663,14 @@ index 7c5d8d8..d885f6b 100644 role system_r types $1_t; type $1_devpts_t; -@@ -35,17 +35,18 @@ template(`virt_domain_template',` +@@ -29,23 +30,24 @@ template(`virt_domain_template',` + type $1_tmp_t; + files_tmp_file($1_tmp_t) + +- type $1_tmpfs_t; ++ type $1_tmpfs_t, virt_tmpfs_type; + files_tmpfs_file($1_tmpfs_t) + type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) 
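Review bot: The new `dev_read_rand(ssh_keygen_t)` line in the ssh.te hunk has no comment, and its reason appears only in the commit message (SSH_USE_STRONG_RNG is 1, which requires /dev/random). Add `# SSH_USE_STRONG_RNG=1 requires /dev/random` above it so the rule is not later removed as a duplicate of the adjacent `dev_read_urand(ssh_keygen_t)`. The hunk grants this to ssh_keygen_t only; if the same setting also applies to the daemon and client programs, their domains would need the same rule, which cannot be confirmed from the lines shown.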
@@ -43662,7 +43693,7 @@ index 7c5d8d8..d885f6b 100644 manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +58,6 @@ template(`virt_domain_template',` +@@ -57,18 +59,6 @@ template(`virt_domain_template',` manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -43681,7 +43712,7 @@ index 7c5d8d8..d885f6b 100644 optional_policy(` xserver_rw_shm($1_t) ') -@@ -101,9 +90,9 @@ interface(`virt_image',` +@@ -101,9 +91,9 @@ interface(`virt_image',` ## Execute a domain transition to run virt. ## ## @@ -43693,7 +43724,7 @@ index 7c5d8d8..d885f6b 100644 ## # interface(`virt_domtrans',` -@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',` +@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` gen_require(` @@ -43709,7 +43740,7 @@ index 7c5d8d8..d885f6b 100644 ') ######################################## -@@ -185,13 +174,13 @@ interface(`virt_read_config',` +@@ -185,13 +175,13 @@ interface(`virt_read_config',` # interface(`virt_manage_config',` gen_require(` @@ -43725,7 +43756,7 @@ index 7c5d8d8..d885f6b 100644 ') ######################################## -@@ -231,6 +220,24 @@ interface(`virt_read_content',` +@@ -231,6 +221,24 @@ interface(`virt_read_content',` ######################################## ## @@ -43750,7 +43781,7 @@ index 7c5d8d8..d885f6b 100644 ## Read virt PID files. ## ## -@@ -269,6 +276,36 @@ interface(`virt_manage_pid_files',` +@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',` ######################################## ## @@ -43787,7 +43818,7 @@ index 7c5d8d8..d885f6b 100644 ## Search virt lib directories. ## ## -@@ -308,6 +345,24 @@ interface(`virt_read_lib_files',` +@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',` ######################################## ## 
@@ -43812,7 +43843,7 @@ index 7c5d8d8..d885f6b 100644 ## Create, read, write, and delete ## virt lib files. ## -@@ -352,9 +407,9 @@ interface(`virt_read_log',` +@@ -352,9 +408,9 @@ interface(`virt_read_log',` ## virt log files. ## ## @@ -43824,7 +43855,7 @@ index 7c5d8d8..d885f6b 100644 ## # interface(`virt_append_log',` -@@ -424,6 +479,24 @@ interface(`virt_read_images',` +@@ -424,6 +480,24 @@ interface(`virt_read_images',` ######################################## ## @@ -43849,7 +43880,7 @@ index 7c5d8d8..d885f6b 100644 ## Create, read, write, and delete ## svirt cache files. ## -@@ -433,15 +506,15 @@ interface(`virt_read_images',` +@@ -433,15 +507,15 @@ interface(`virt_read_images',` ## ## # @@ -43870,7 +43901,7 @@ index 7c5d8d8..d885f6b 100644 ') ######################################## -@@ -516,3 +589,107 @@ interface(`virt_admin',` +@@ -516,3 +590,144 @@ interface(`virt_admin',` virt_manage_log($1) ') @@ -43978,11 +44009,48 @@ index 7c5d8d8..d885f6b 100644 + manage_files_pattern($1, virt_home_t, virt_home_t) +') + ++######################################## ++## ++## allow domain to read ++## virt tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`virt_read_tmpfs_files',` ++ gen_require(` ++ attribute virt_tmpfs_type; ++ ') ++ ++ allow $1 virt_tmpfs_type:file read_file_perms; ++') ++ ++######################################## ++## ++## allow domain to manage ++## virt tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`virt_manage_tmpfs_files',` ++ gen_require(` ++ attribute virt_tmpfs_type; ++ ') ++ ++ allow $1 virt_tmpfs_type:file manage_file_perms; ++') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..72132fe 100644 +index 3eca020..f715498 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te -@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0) +@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0) # Declarations # 
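Review bot: `virt_manage_tmpfs_files` at the end of the virt.if hunk grants `manage_file_perms` on every type carrying `virt_tmpfs_type`, which by the template change in the same file covers the tmpfs files of every domain built from `virt_domain_template`. If callers only need to read and write shared-memory files that the guest domain created, `allow $1 virt_tmpfs_type:file rw_file_perms;` is the narrower grant and leaves create and unlink with the guest. The two new doc blocks also differ in wording from the interfaces around them ("allow domain to read", and "Domain allowed access" without the closing period); using the existing "Domain allowed access." form keeps the generated interface documentation uniform.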
@@ -44063,13 +44131,14 @@ index 3eca020..72132fe 100644 - attribute virt_domain; attribute virt_image_type; - ++attribute virt_tmpfs_type; ++ +type virt_cache_t alias svirt_cache_t; +files_type(virt_cache_t) -+ + type virt_etc_t; files_config_file(virt_etc_t) - +@@ -62,23 +72,31 @@ files_config_file(virt_etc_t) type virt_etc_rw_t; files_type(virt_etc_rw_t) @@ -44102,7 +44171,7 @@ index 3eca020..72132fe 100644 type virtd_t; type virtd_exec_t; -@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t) +@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t) type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -44114,7 +44183,7 @@ index 3eca020..72132fe 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -104,15 +126,12 @@ ifdef(`enable_mls',` +@@ -104,15 +127,12 @@ ifdef(`enable_mls',` allow svirt_t self:udp_socket create_socket_perms; @@ -44131,7 +44200,7 @@ index 3eca020..72132fe 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,6 +152,8 @@ dev_list_sysfs(svirt_t) +@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t) userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) @@ -44140,7 +44209,7 @@ index 3eca020..72132fe 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +168,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -44156,7 +44225,7 @@ index 3eca020..72132fe 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +185,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) 
@@ -44179,7 +44248,7 @@ index 3eca020..72132fe 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +210,33 @@ optional_policy(` +@@ -174,21 +211,33 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -44217,7 +44286,7 @@ index 3eca020..72132fe 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +248,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -44234,7 +44303,7 @@ index 3eca020..72132fe 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +274,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -44242,7 +44311,7 @@ index 3eca020..72132fe 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +294,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -44275,7 +44344,7 @@ index 3eca020..72132fe 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +326,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
@@ -44294,7 +44363,7 @@ index 3eca020..72132fe 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +361,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) @@ -44325,7 +44394,7 @@ index 3eca020..72132fe 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +403,10 @@ optional_policy(` +@@ -313,6 +404,10 @@ optional_policy(` ') optional_policy(` @@ -44336,7 +44405,7 @@ index 3eca020..72132fe 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,6 +423,10 @@ optional_policy(` +@@ -329,6 +424,10 @@ optional_policy(` ') optional_policy(` @@ -44347,7 +44416,7 @@ index 3eca020..72132fe 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +463,8 @@ optional_policy(` +@@ -365,6 +464,8 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -44356,7 +44425,7 @@ index 3eca020..72132fe 100644 ') optional_policy(` -@@ -385,23 +485,35 @@ optional_policy(` +@@ -385,23 +486,35 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -44397,7 +44466,7 @@ index 3eca020..72132fe 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +534,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +535,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -44405,7 +44474,7 @@ index 3eca020..72132fe 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +542,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +543,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) 
@@ -44418,7 +44487,7 @@ index 3eca020..72132fe 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,8 +555,16 @@ files_search_all(virt_domain) +@@ -440,8 +556,16 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -44436,7 +44505,7 @@ index 3eca020..72132fe 100644 term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -457,8 +580,117 @@ optional_policy(` +@@ -457,8 +581,117 @@ optional_policy(` ') optional_policy(` @@ -47576,10 +47645,10 @@ index f9a06d2..3d407c6 100644 files_read_etc_files(zos_remote_t) diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index ac50333..9017b02 100644 +index ac50333..b784a12 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if -@@ -130,3 +130,75 @@ interface(`application_signull',` +@@ -130,3 +130,93 @@ interface(`application_signull',` allow $1 application_domain_type:process signull; ') @@ -47655,6 +47724,24 @@ index ac50333..9017b02 100644 + + allow $1 application_domain_type:process signal; +') ++ ++######################################## ++## ++## Getattr all application sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`application_getattr_socket',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ allow $1 application_domain_type:socket_class_set getattr; ++') diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te index 88df85d..2fa3974 100644 --- a/policy/modules/system/application.te @@ -47711,7 +47798,7 @@ index 2952cef..d845132 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) 
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 42b4f0f..3c1892d 100644 +index 42b4f0f..3e15a8c 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -47892,10 +47979,14 @@ index 42b4f0f..3c1892d 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -736,6 +812,46 @@ interface(`auth_rw_faillog',` - allow $1 faillog_t:file rw_file_perms; - ') +@@ -733,7 +809,47 @@ interface(`auth_rw_faillog',` + ') + logging_search_logs($1) +- allow $1 faillog_t:file rw_file_perms; ++ rw_files_pattern($1, faillog_t, faillog_t) ++') ++ +######################################## +## +## Relabel the login failure log. @@ -47934,11 +48025,9 @@ index 42b4f0f..3c1892d 100644 + files_search_pids($1) + allow $1 faillog_t:dir manage_dir_perms; + allow $1 faillog_t:file manage_file_perms; -+') -+ + ') + ####################################### - ## - ## Read the last logins log. @@ -874,6 +990,46 @@ interface(`auth_exec_pam',` ######################################## @@ -49370,7 +49459,7 @@ index cc83689..3388f34 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..819a8d5 100644 +index ea29513..b4fdd42 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -49536,7 +49625,7 @@ index ea29513..819a8d5 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +236,109 @@ tunable_policy(`init_upstart',` +@@ -186,12 +236,113 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') 
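Review bot: In the authlogin.if hunk, `auth_rw_faillog` now uses `rw_files_pattern($1, faillog_t, faillog_t)`, which adds search on faillog_t directories, but the only parent-directory rule visible in the interface is still `logging_search_logs($1)`. The faillog interface added just below it calls `files_search_pids($1)` before its `faillog_t:dir` and `faillog_t:file` manage rules, which suggests the faillog directory may also live under the pid directory. If that is the case, `auth_rw_faillog` needs `files_search_pids($1)` as well, or callers will still be denied on the parent directory. The start of `auth_rw_faillog` lies outside this hunk, so its full body could not be checked.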
@@ -49553,6 +49642,7 @@ index ea29513..819a8d5 100644 + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + # Until systemd is fixed + allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; ++ allow init_t self:udp_socket create_socket_perms; + allow init_t self:netlink_route_socket create_netlink_socket_perms; + + allow init_t initrc_t:unix_dgram_socket create_socket_perms; @@ -49578,6 +49668,7 @@ index ea29513..819a8d5 100644 + dev_relabel_all_dev_nodes(init_t) + dev_relabel_all_dev_files(init_t) + dev_manage_sysfs_dirs(init_t) ++ dev_relabel_sysfs_dirs(init_t) + + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) @@ -49591,13 +49682,13 @@ index ea29513..819a8d5 100644 + fs_manage_cgroup_dirs(init_t) + fs_manage_hugetlbfs_dirs(init_t) + fs_manage_tmpfs_dirs(init_t) -+ fs_relabelfrom_tmpfs_dir(init_t) ++ fs_relabel_tmpfs_dirs(init_t) + fs_mount_all_fs(init_t) + fs_remount_autofs(init_t) + fs_list_auto_mountpoints(init_t) + fs_read_cgroup_files(init_t) + fs_write_cgroup_files(init_t) -+ fs_relabelto_cgroup_dirs(init_t) ++ fs_relabel_cgroup_dirs(init_t) + fs_search_cgroup_dirs(daemon) + + selinux_compute_create_context(init_t) @@ -49606,6 +49697,8 @@ index ea29513..819a8d5 100644 + + storage_getattr_removable_dev(init_t) + ++ term_relabel_ptys_dirs(init_t) ++ + auth_relabel_login_records(init_t) + auth_relabel_pam_console_data_dirs(init_t) + @@ -49646,7 +49739,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -199,10 +346,25 @@ optional_policy(` +@@ -199,10 +350,25 @@ optional_policy(` ') optional_policy(` @@ -49672,7 +49765,7 @@ index ea29513..819a8d5 100644 unconfined_domain(init_t) ') -@@ -212,7 +374,7 @@ optional_policy(` +@@ -212,7 +378,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
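Review bot: The replacements in the init.te hunk widen init_t's relabel rights: `fs_relabelfrom_tmpfs_dir` becomes `fs_relabel_tmpfs_dirs` and `fs_relabelto_cgroup_dirs` becomes `fs_relabel_cgroup_dirs`, which judging by the names cover both relabel directions where the old calls covered one. The systemd.te hunk later in this patch does the same for systemd_tmpfiles_t and also swaps `fs_create_tmpfs_dir` and `fs_setattr_tmpfs_dir` for `fs_manage_tmpfs_dirs`, which presumably adds delete and rename on tmpfs directories. If this is only a move to interface names that exist upstream, a short comment saying so would help; otherwise the one-directional calls are the tighter grant. The new `allow init_t self:udp_socket create_socket_perms;` line also has no note on why init needs UDP sockets.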
@@ -49681,7 +49774,7 @@ index ea29513..819a8d5 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +403,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +407,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -49697,7 +49790,7 @@ index ea29513..819a8d5 100644 init_write_initctl(initrc_t) -@@ -258,20 +423,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +427,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -49734,7 +49827,7 @@ index ea29513..819a8d5 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +456,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +460,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -49742,7 +49835,7 @@ index ea29513..819a8d5 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +469,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +473,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -49750,7 +49843,7 @@ index ea29513..819a8d5 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +477,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +481,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -49766,7 +49859,7 @@ index ea29513..819a8d5 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +495,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +499,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -49774,7 +49867,7 @@ index ea29513..819a8d5 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +503,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +507,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -49786,7 +49879,7 @@ index ea29513..819a8d5 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +522,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +526,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -49800,7 +49893,7 @@ index ea29513..819a8d5 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +537,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +541,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -49809,7 +49902,7 @@ index ea29513..819a8d5 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +551,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +555,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -49817,7 +49910,7 @@ index ea29513..819a8d5 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +563,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +567,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -49825,7 +49918,7 @@ index ea29513..819a8d5 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +584,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +588,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -49847,7 +49940,7 @@ index ea29513..819a8d5 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -478,7 +667,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +671,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -49856,7 +49949,7 @@ index ea29513..819a8d5 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +682,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +686,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -49864,7 +49957,7 @@ index ea29513..819a8d5 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -524,6 +714,23 @@ ifdef(`distro_redhat',` +@@ -524,6 +718,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -49888,7 +49981,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -531,10 +738,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +742,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -49906,7 +49999,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -549,6 +763,39 @@ ifdef(`distro_suse',` +@@ -549,6 +767,39 @@ ifdef(`distro_suse',` ') ') 
@@ -49946,7 +50039,7 @@ index ea29513..819a8d5 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +808,8 @@ optional_policy(` +@@ -561,6 +812,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -49955,7 +50048,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -577,6 +826,7 @@ optional_policy(` +@@ -577,6 +830,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -49963,7 +50056,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -589,6 +839,11 @@ optional_policy(` +@@ -589,6 +843,11 @@ optional_policy(` ') optional_policy(` @@ -49975,7 +50068,7 @@ index ea29513..819a8d5 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +860,13 @@ optional_policy(` +@@ -605,9 +864,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -49989,7 +50082,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -649,6 +908,11 @@ optional_policy(` +@@ -649,6 +912,11 @@ optional_policy(` ') optional_policy(` @@ -50001,7 +50094,7 @@ index ea29513..819a8d5 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +970,13 @@ optional_policy(` +@@ -706,7 +974,13 @@ optional_policy(` ') optional_policy(` @@ -50015,7 +50108,7 @@ index ea29513..819a8d5 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +999,10 @@ optional_policy(` +@@ -729,6 +1003,10 @@ optional_policy(` ') optional_policy(` @@ -50026,7 +50119,7 @@ index ea29513..819a8d5 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1012,20 @@ optional_policy(` +@@ -738,10 +1016,20 @@ optional_policy(` ') optional_policy(` @@ -50047,7 +50140,7 @@ index ea29513..819a8d5 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1034,10 @@ optional_policy(` +@@ -750,6 +1038,10 @@ optional_policy(` ') optional_policy(` 
@@ -50058,7 +50151,7 @@ index ea29513..819a8d5 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1059,6 @@ optional_policy(` +@@ -771,8 +1063,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -50067,7 +50160,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -781,14 +1067,21 @@ optional_policy(` +@@ -781,14 +1071,21 @@ optional_policy(` ') optional_policy(` @@ -50089,7 +50182,7 @@ index ea29513..819a8d5 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1093,6 @@ optional_policy(` +@@ -800,7 +1097,6 @@ optional_policy(` ') optional_policy(` @@ -50097,7 +50190,7 @@ index ea29513..819a8d5 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1102,19 @@ optional_policy(` +@@ -810,11 +1106,19 @@ optional_policy(` ') optional_policy(` @@ -50118,7 +50211,7 @@ index ea29513..819a8d5 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1124,25 @@ optional_policy(` +@@ -824,6 +1128,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -50144,7 +50237,7 @@ index ea29513..819a8d5 100644 ') optional_policy(` -@@ -849,3 +1168,42 @@ optional_policy(` +@@ -849,3 +1172,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -54620,10 +54713,10 @@ index 0000000..aabfb0d +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..1e5b954 +index 0000000..d5b6aff --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,163 @@ +@@ -0,0 +1,162 @@ + +policy_module(systemd, 1.0.0) + 
@@ -54700,9 +54793,8 @@ index 0000000..1e5b954 +dev_write_kmsg(systemd_tmpfiles_t) + +# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev -+fs_create_tmpfs_dir(systemd_tmpfiles_t) -+fs_relabelfrom_tmpfs_dir(systemd_tmpfiles_t) -+fs_setattr_tmpfs_dir(systemd_tmpfiles_t) ++fs_manage_tmpfs_dirs(systemd_tmpfiles_t) ++fs_relabel_tmpfs_dirs(systemd_tmpfiles_t) + +files_read_etc_files(systemd_tmpfiles_t) +files_getattr_all_dirs(systemd_tmpfiles_t) @@ -55938,7 +56030,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..d0697c5 100644 +index 28b88de..d514493 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -56390,7 +56482,7 @@ index 28b88de..d0697c5 100644 ############################## # -@@ -500,73 +570,79 @@ template(`userdom_common_user_template',` +@@ -500,73 +570,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -56456,6 +56548,8 @@ index 28b88de..d0697c5 100644 + fs_read_noxattr_fs_files($1_usertype) + fs_read_noxattr_fs_symlinks($1_usertype) + fs_rw_cgroup_files($1_usertype) ++ ++ application_getattr_socket($1_usertype) - fs_rw_cgroup_files($1_t) + logging_send_syslog_msg($1_usertype) @@ -56509,7 +56603,7 @@ index 28b88de..d0697c5 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +650,122 @@ template(`userdom_common_user_template',` +@@ -574,67 +652,122 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -56523,23 +56617,23 @@ index 28b88de..d0697c5 100644 # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + apm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ canna_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ colord_read_lib_files($1_usertype) ++ canna_stream_connect($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) ++ chrome_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ colord_read_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; 
@@ -56555,49 +56649,49 @@ index 28b88de..d0697c5 100644 + optional_policy(` + bluetooth_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) -+ ') -+ -+ optional_policy(` -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ ') -+ -+ optional_policy(` -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) -+ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) ++ hal_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ kde_dbus_chat_backlighthelper($1_usertype) ++ ') ++ ++ optional_policy(` ++ modemmanager_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) - ') ++ ') + + optional_policy(` + vpn_dbus_chat($1_usertype) @@ -56650,7 +56744,7 @@ index 28b88de..d0697c5 100644 ') optional_policy(` -@@ -650,41 +781,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +783,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status 
@@ -56682,53 +56776,51 @@ index 28b88de..d0697c5 100644 + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) + rpc_manage_nfs_rw_content($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - slrnpull_search_spool($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - usernetctl_run($1_t,$1_r) -+ slrnpull_search_spool($1_usertype) ++ seunshare_role_template($1, $1_r, $1_t) ') + ++ optional_policy(` ++ slrnpull_search_spool($1_usertype) ++ ') ++ ') ####################################### -@@ -712,13 +852,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +854,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) -+ -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) 
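Review bot: `gen_tunable(allow_$1_exec_content, true)` in the userdom_login_user_template part of this hunk defaults the boolean to on, so every role built from the template except `unconfined` may execute files from its tmp and home content unless an administrator turns it off. No description for the boolean is visible in the hunk (the rendering may have stripped it), so I would state the default and its effect next to the declaration, for example `# allow_$1_exec_content: on by default; turn off to deny exec of user tmp and home content`. The NFS and CIFS variants in the following hunk depend on the same boolean and could be named in that comment. The template body starts and ends outside the hunk.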
@@ -56736,7 +56828,9 @@ index 28b88de..d0697c5 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -56744,7 +56838,7 @@ index 28b88de..d0697c5 100644 userdom_change_password_template($1) -@@ -736,72 +889,70 @@ template(`userdom_login_user_template', ` +@@ -736,72 +891,70 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -56811,10 +56905,10 @@ index 28b88de..d0697c5 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) - seutil_read_config($1_t) ++ seutil_read_config($1_usertype) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -56852,7 +56946,7 @@ index 28b88de..d0697c5 100644 ') ') -@@ -833,6 +984,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -56862,7 +56956,7 @@ index 28b88de..d0697c5 100644 ############################## # # Local policy -@@ -874,45 +1028,113 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) 
@@ -56933,40 +57027,40 @@ index 28b88de..d0697c5 100644 + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') -+ -+ optional_policy(` -+ consolekit_dontaudit_read_log($1_usertype) -+ consolekit_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) ++ consolekit_dontaudit_read_log($1_usertype) ++ consolekit_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ') - ') - - optional_policy(` -- java_role($1_r, $1_t) -+ openoffice_role_template($1, $1_r, $1_usertype) ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1_t) ++ ') + ') + + optional_policy(` -+ policykit_role($1_r, $1_usertype) ++ openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` ++ policykit_role($1_r, $1_usertype) + ') + + optional_policy(` +- java_role($1_r, $1_t) + pulseaudio_role($1_r, $1_usertype) + ') + @@ -56987,7 +57081,7 @@ index 28b88de..d0697c5 100644 ') ') -@@ -947,7 +1169,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -56996,7 +57090,7 @@ index 28b88de..d0697c5 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1178,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
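Review bot: `fprintd_dbus_chat($1_t)` in the first hunk on this line is the only call in its dbus block that still takes `$1_t`, while its neighbours (`consolekit_dbus_chat`, `cups_dbus_chat`, `devicekit_dbus_chat`) were all moved to `$1_usertype`. `gnomeclock_dbus_chat($1_t)` in the later userdom_unpriv_user_template hunk has the same shape. Keeping the narrower type is fine if it is deliberate, but then a short comment such as `# fprintd access is limited to the base user type on purpose` would stop a later clean-up from widening it. If it is an oversight, the line would read `fprintd_dbus_chat($1_usertype)`. Which types carry the `$1_usertype` attribute is not visible from here, so the practical difference should be confirmed against the template.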
@@ -57066,13 +57160,16 @@ index 28b88de..d0697c5 100644 + + optional_policy(` + gpg_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + ') + +- # Run pppd in pppd_t by default for user + optional_policy(` +- ppp_run_cond($1_t,$1_r) + gnomeclock_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + gpm_stream_connect($1_usertype) + ') + @@ -57095,22 +57192,19 @@ index 28b88de..d0697c5 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t,$1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) - ') - ++ ') ++ + # Run pppd in pppd_t by default for user - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ optional_policy(` + ppp_run_cond($1_t, $1_r) ') ') -@@ -1039,7 +1290,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -57119,7 +57213,7 @@ index 28b88de..d0697c5 100644 ') ############################## -@@ -1066,6 +1317,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -57127,7 +57221,7 @@ index 28b88de..d0697c5 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1326,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -57137,7 +57231,7 @@ index 28b88de..d0697c5 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1343,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -57145,7 +57239,7 @@ index 28b88de..d0697c5 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1361,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -57159,7 +57253,7 @@ index 28b88de..d0697c5 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1378,21 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1380,21 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -57182,7 +57276,7 @@ index 28b88de..d0697c5 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1404,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -57194,7 +57288,7 @@ index 28b88de..d0697c5 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1476,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -57203,7 +57297,7 @@ index 28b88de..d0697c5 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1490,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -57211,7 +57305,7 @@ index 28b88de..d0697c5 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1506,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -57219,7 +57313,7 @@ index 28b88de..d0697c5 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1549,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -57257,7 +57351,7 @@ index 28b88de..d0697c5 100644 ubac_constrained($1) ') -@@ -1395,6 +1691,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -57265,7 +57359,7 @@ index 28b88de..d0697c5 100644 files_search_home($1) ') -@@ -1441,6 +1738,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -57280,7 +57374,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -1456,9 +1761,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -57292,7 +57386,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -1515,10 +1822,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -57305,7 +57399,7 @@ index 28b88de..d0697c5 100644 ## ## ## -@@ -1526,22 +1833,58 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -57328,7 +57422,6 @@ index 28b88de..d0697c5 100644 +## Relabel user home files. ## -## --##

+## +##

+## Domain allowed access. @@ -57369,11 +57462,10 @@ index 28b88de..d0697c5 100644 +## user home directory. +## +## -+##

+ ##

## Do a domain transition to the specified ## domain when executing a program in the - ## user home directory. -@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -57382,7 +57474,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -57397,7 +57489,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ##

@@ -57423,7 +57515,7 @@ index 28b88de..d0697c5 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -57456,7 +57548,7 @@ index 28b88de..d0697c5 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -57474,7 +57566,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -57484,7 +57576,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -57498,18 +57590,19 @@ index 28b88de..d0697c5 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` + ## Do not audit attempts to execute user home files. +@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
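Review bot: In the last hunk on this line, userdom_exec_user_home_content_files grants through `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)`, so the permission now follows the `user_home_type` attribute rather than a single type, and the `use_nfs_home_dirs` / `use_samba_home_dirs` branches are dropped from the interface. The login template elsewhere in the patch re-adds NFS and CIFS exec under `allow_$1_exec_content`, but other callers of this interface are not visible here and would presumably lose that access without notice. I would record both facts in the interface description, for example `# Grants exec on every type with the user_home_type attribute; NFS and CIFS exec must be granted by the caller`. The interface header and its summary block lie outside the hunk.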
@@ -57518,7 +57611,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -57534,7 +57627,7 @@ index 28b88de..d0697c5 100644 ## ## ## -@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -57561,7 +57654,7 @@ index 28b88de..d0697c5 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +2935,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +2937,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -57586,7 +57679,7 @@ index 28b88de..d0697c5 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +2971,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +2973,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -57629,7 +57722,7 @@ index 28b88de..d0697c5 100644 ## ## ## -@@ -2614,14 +3007,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3009,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -57667,7 +57760,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -2815,7 +3227,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3229,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -57676,7 +57769,7 @@ index 28b88de..d0697c5 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3243,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3245,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -57692,7 +57785,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -2917,7 +3331,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3333,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -57701,7 +57794,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -2972,7 +3386,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3388,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -57748,7 +57841,7 @@ index 28b88de..d0697c5 100644 ') ######################################## -@@ -3009,6 +3461,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3463,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -57756,7 +57849,7 @@ index 28b88de..d0697c5 100644 kernel_search_proc($1) ') -@@ -3087,6 +3540,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3542,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -57781,7 +57874,7 @@ index 28b88de..d0697c5 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3610,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3612,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9fd0ac3..9b6dd51 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -470,6 +470,16 @@ exit 0 %endif %changelog +* Mon Apr 4 2011 Miroslav Grepl 3.9.16-12 +- Add /var/run/lock /var/lock definition to file_contexts.subs +- nslcd_t is looking for kerberos cc files +- SSH_USE_STRONG_RNG is 1 which requires /dev/random +- Fix auth_rw_faillog definition +- Allow sysadm_t to set attributes on fixed disks +- allow user domains to execute lsof and look at application sockets +- prelink_cron job calls telinit -u if init is rewritten +- Fixes to run qemu_t from staff_t + * Mon Apr 4 2011 Miroslav Grepl 3.9.16-11 - Fix label for /var/run/udev to udev_var_run_t - Mock needs to be able to read network state