From 3da13de0318a6d6addffc12537776768c89050d5 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jul 15 2012 22:03:02 +0000 Subject: +- Add realmd and stapserver policies +- Allow useradd to manage stap-server lib files +- Tighten up capabilities for confined users +- Label /etc/security/opasswd as shadow_t +- Add label for /dev/ecryptfs +- Allow condor_startd_t to start sshd with the ranged +- Allow lpstat.cups to read fips_enabled file +- Allow pyzor running as spamc_t to create /root/.pyzor directory +- Add labelinf for amavisd-snmp init script +- Add support for amavisd-snmp +- Allow fprintd sigkill self +- Allow xend (w/o libvirt) to start virtual machines +- Allow aiccu to read /etc/passwd +- Allow condor_startd to Make specified domain MCS trusted for setting any category set fo +- Add condor_startd_ranged_domtrans_to() interface +- Add ssd_conf_t for /etc/sssd +- accountsd needs to fchown some files/directories +- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content +- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works +- Allow xend_t to read the /etc/passwd file Please enter the commit message for your changes. Lines starting with '#' will be ignored, and an empty message aborts the commit. On branch master Changes to be committed: (use "git reset HEAD ..." to unstage) modified: policy-rawhide.patch modified: policy_contrib-rawhide.patch modified: selinux-policy.spec --- diff --git a/policy-rawhide.patch b/policy-rawhide.patch index 7f547f8..0f15e94 100644 --- a/policy-rawhide.patch +++ b/policy-rawhide.patch @@ -59605,7 +59605,7 @@ index 98b8b2d..da75471 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 81b6608..527c7bb 100644 +index 81b6608..c8252ac 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3) @@ -60000,10 +60000,10 @@ index 81b6608..527c7bb 100644 userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) +userdom_delete_all_user_home_content(useradd_t) @@ -60043,6 +60043,14 @@ index 81b6608..527c7bb 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') +@@ -559,3 +610,7 @@ optional_policy(` + rpm_use_fds(useradd_t) + rpm_rw_pipes(useradd_t) + ') ++ ++optional_policy(` ++ stapserver_manage_lib(useradd_t) ++') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..a01511f 100644 --- a/policy/modules/apps/seunshare.if @@ -62392,10 +62400,10 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 02b7ac1..67183c5 100644 +index 02b7ac1..82666ab 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc -@@ -15,12 +15,14 @@ +@@ -15,14 +15,17 @@ /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) @@ -62410,8 +62418,11 @@ index 02b7ac1..67183c5 100644 +/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/ecryptfs -c gen_context(system_u:object_r:ecryptfs_device_t,mls_systemhigh) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) -@@ -57,8 +59,10 @@ + /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -57,8 +60,10 @@ /dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) @@ -62422,7 +62433,7 @@ index 02b7ac1..67183c5 100644 /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -126,12 +130,14 @@ ifdef(`distro_suse', ` +@@ -126,12 +131,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -62437,7 +62448,7 @@ index 02b7ac1..67183c5 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -195,12 +201,22 @@ ifdef(`distro_debian',` +@@ -195,12 +202,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -62463,7 +62474,7 @@ index 02b7ac1..67183c5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index d820975..e236661 100644 +index d820975..21a21e4 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -62777,7 +62788,32 @@ index d820975..e236661 100644 ## Get the attributes of the CPU ## microcode and id interfaces. ## -@@ -2383,7 +2549,97 @@ interface(`dev_filetrans_lirc',` +@@ -1772,6 +1938,24 @@ interface(`dev_rw_crypto',` + rw_chr_files_pattern($1, device_t, crypt_device_t) + ') + ++######################################## ++## ++## Read and write the the ecrypt filesystem device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_ecryptfs',` ++ gen_require(` ++ type device_t, ecryptfs_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, ecryptfs_device_t) ++') ++ + ####################################### + ## + ## Set the attributes of the dlm control devices. +@@ -2383,7 +2567,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -62876,7 +62912,7 @@ index d820975..e236661 100644 ## ## ## -@@ -2706,7 +2962,7 @@ interface(`dev_write_misc',` +@@ -2706,7 +2980,7 @@ interface(`dev_write_misc',` ## ## ## @@ -62885,7 +62921,7 @@ index d820975..e236661 100644 ## ## # -@@ -2956,8 +3212,8 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2956,8 +3230,8 @@ interface(`dev_dontaudit_write_mtrr',` type mtrr_device_t; ') @@ -62896,7 +62932,7 @@ index d820975..e236661 100644 ') ######################################## -@@ -3235,7 +3491,7 @@ interface(`dev_rw_printer',` +@@ -3235,7 +3509,7 @@ interface(`dev_rw_printer',` ######################################## ## @@ -62905,7 +62941,7 @@ index d820975..e236661 100644 ## ## ## -@@ -3243,12 +3499,31 @@ interface(`dev_rw_printer',` +@@ -3243,12 +3517,31 @@ interface(`dev_rw_printer',` ## ## # @@ -62940,7 +62976,7 @@ index d820975..e236661 100644 ') ######################################## -@@ -3836,6 +4111,42 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3836,6 +4129,42 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -62983,7 +63019,7 @@ index d820975..e236661 100644 ## Search the sysfs directories. ## ## -@@ -3885,6 +4196,7 @@ interface(`dev_list_sysfs',` +@@ -3885,6 +4214,7 @@ interface(`dev_list_sysfs',` type sysfs_t; ') @@ -62991,7 +63027,7 @@ index d820975..e236661 100644 list_dirs_pattern($1, sysfs_t, sysfs_t) ') -@@ -3927,23 +4239,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3927,23 +4257,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -63045,7 +63081,7 @@ index d820975..e236661 100644 ######################################## ## ## Read hardware state information. -@@ -3997,6 +4335,62 @@ interface(`dev_rw_sysfs',` +@@ -3997,6 +4353,62 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -63108,7 +63144,7 @@ index d820975..e236661 100644 ## Read and write the TPM device. ## ## -@@ -4094,6 +4488,25 @@ interface(`dev_write_urand',` +@@ -4094,6 +4506,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -63134,7 +63170,7 @@ index d820975..e236661 100644 ## Getattr generic the USB devices. ## ## -@@ -4128,6 +4541,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4128,6 +4559,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') @@ -63159,7 +63195,7 @@ index d820975..e236661 100644 ######################################## ## ## Read generic the USB devices. -@@ -4520,6 +4951,24 @@ interface(`dev_rw_vhost',` +@@ -4520,6 +4969,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -63184,7 +63220,7 @@ index d820975..e236661 100644 ## Read and write VMWare devices. ## ## -@@ -4725,6 +5174,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4725,6 +5192,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -63211,7 +63247,7 @@ index d820975..e236661 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4814,3 +5283,861 @@ interface(`dev_unconfined',` +@@ -4814,3 +5301,863 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -63348,6 +63384,7 @@ index d820975..e236661 100644 + type zero_device_t; + type smartcard_device_t; + type mtrr_device_t; ++ type ecryptfs_device_t; +') + + dev_filetrans_printer_named_dev($1) @@ -63413,6 +63450,7 @@ index d820975..e236661 100644 + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8") + filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9") ++ filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1") + filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2") @@ -64074,7 +64112,7 @@ index d820975..e236661 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 74894d7..b570097 100644 +index 74894d7..94d5f10 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -20,6 +20,7 @@ files_mountpoint(device_t) @@ -64085,7 +64123,17 @@ index 74894d7..b570097 100644 # # Type for /dev/agpgart -@@ -108,6 +109,7 @@ dev_node(ksm_device_t) +@@ -62,6 +63,9 @@ dev_node(cpu_device_t) + type crash_device_t; + dev_node(crash_device_t) + ++type ecryptfs_device_t; ++dev_node(ecryptfs_device_t) ++ + # for the IBM zSeries z90crypt hardware ssl accelorator + type crypt_device_t; + dev_node(crypt_device_t) +@@ -108,6 +112,7 @@ dev_node(ksm_device_t) # type kvm_device_t; dev_node(kvm_device_t) @@ -64093,7 +64141,7 @@ index 74894d7..b570097 100644 # # Type for /dev/lirc -@@ -118,6 +120,12 @@ dev_node(lirc_device_t) +@@ -118,6 +123,12 @@ dev_node(lirc_device_t) # # Type for /dev/mapper/control # @@ -64106,7 +64154,7 @@ index 74894d7..b570097 100644 type lvm_control_t; dev_node(lvm_control_t) -@@ -218,6 +226,10 @@ files_mountpoint(sysfs_t) +@@ -218,6 +229,10 @@ files_mountpoint(sysfs_t) fs_type(sysfs_t) genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) @@ -64117,7 +64165,7 @@ index 74894d7..b570097 100644 # # Type for /dev/tpm # -@@ -265,6 +277,7 @@ dev_node(v4l_device_t) +@@ -265,6 +280,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -64125,7 +64173,7 @@ index 74894d7..b570097 100644 # Type for vmware devices. type vmware_device_t; -@@ -310,5 +323,5 @@ files_associate_tmp(device_node) +@@ -310,5 +326,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -72859,7 +72907,7 @@ index fe0c682..93ec53f 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..9dbbafe 100644 +index b17e27a..89d7bf8 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,44 +6,51 @@ policy_module(ssh, 2.3.0) @@ -73008,7 +73056,7 @@ index b17e27a..9dbbafe 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -157,37 +176,36 @@ logging_read_generic_logs(ssh_t) +@@ -157,37 +176,42 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -73058,12 +73106,18 @@ index b17e27a..9dbbafe 100644 + corenet_tcp_bind_all_unreserved_ports(ssh_t) +') + ++ifdef(`enable_mcs',` ++ optional_policy(` ++ condor_startd_ranged_domtrans_to(sshd_t, sshd_exec_t, mcs_systemlow - mcs_systemhigh) ++ ') ++') ++ +optional_policy(` + gnome_stream_connect_gkeyringd(ssh_t) ') optional_policy(` -@@ -195,28 +213,24 @@ optional_policy(` +@@ -195,28 +219,24 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -73096,7 +73150,7 @@ index b17e27a..9dbbafe 100644 ################################# # # sshd local policy -@@ -227,33 +241,46 @@ optional_policy(` +@@ -227,33 +247,46 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -73152,7 +73206,7 @@ index b17e27a..9dbbafe 100644 ') optional_policy(` -@@ -261,11 +288,24 @@ optional_policy(` +@@ -261,11 +294,24 @@ optional_policy(` ') optional_policy(` @@ -73178,7 +73232,7 @@ index b17e27a..9dbbafe 100644 ') optional_policy(` -@@ -283,6 +323,15 @@ optional_policy(` +@@ -283,6 +329,15 @@ optional_policy(` ') optional_policy(` @@ -73194,7 +73248,7 @@ index b17e27a..9dbbafe 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -290,6 +339,29 @@ optional_policy(` +@@ -290,6 +345,29 @@ optional_policy(` xserver_domtrans_xauth(sshd_t) ') @@ -73224,7 +73278,7 @@ index b17e27a..9dbbafe 100644 ######################################## # # ssh_keygen local policy -@@ -298,19 +370,26 @@ optional_policy(` +@@ -298,19 +376,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -73252,7 +73306,7 @@ index b17e27a..9dbbafe 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -327,9 +406,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -327,9 +412,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -73266,7 +73320,7 @@ index b17e27a..9dbbafe 100644 ') optional_policy(` -@@ -339,3 +420,83 @@ optional_policy(` +@@ -339,3 +426,83 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -75978,7 +76032,7 @@ index c4f7c35..06c447c 100644 + unconfined_domain(xdm_unconfined_t) +') diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index 1b6619e..232be41 100644 +index 1b6619e..219acba 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if @@ -43,6 +43,27 @@ interface(`application_executable_file',` @@ -76009,7 +76063,15 @@ index 1b6619e..232be41 100644 ######################################## ## ## Execute application executables in the caller domain. -@@ -189,6 +210,24 @@ interface(`application_dontaudit_signal',` +@@ -76,7 +97,6 @@ interface(`application_exec_all',` + corecmd_dontaudit_exec_all_executables($1) + corecmd_exec_bin($1) + corecmd_exec_shell($1) +- corecmd_exec_chroot($1) + + application_exec($1) + ') +@@ -189,6 +209,24 @@ interface(`application_dontaudit_signal',` ######################################## ## @@ -76034,7 +76096,7 @@ index 1b6619e..232be41 100644 ## Do not audit attempts to send kill signals ## to all application domains. ## -@@ -205,3 +244,21 @@ interface(`application_dontaudit_sigkill',` +@@ -205,3 +243,21 @@ interface(`application_dontaudit_sigkill',` dontaudit $1 application_domain_type:process sigkill; ') @@ -76090,7 +76152,7 @@ index c6fdab7..32f45fa 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..82def3d 100644 +index 28ad538..47fdb65 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,3 +1,7 @@ @@ -76101,12 +76163,14 @@ index 28ad538..82def3d 100644 /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) -@@ -5,7 +9,12 @@ +@@ -5,7 +9,14 @@ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) +/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0) ++/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0) +/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0) +/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0) @@ -76114,7 +76178,7 @@ index 28ad538..82def3d 100644 /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) -@@ -16,13 +25,22 @@ ifdef(`distro_suse', ` +@@ -16,13 +27,22 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') @@ -76139,7 +76203,7 @@ index 28ad538..82def3d 100644 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,6 +48,8 @@ ifdef(`distro_gentoo', ` +@@ -30,6 +50,8 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -76148,7 +76212,7 @@ index 28ad538..82def3d 100644 /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -39,11 +59,13 @@ ifdef(`distro_gentoo', ` +@@ -39,11 +61,13 @@ ifdef(`distro_gentoo', ` /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) @@ -87635,7 +87699,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..18fff60 100644 +index e720dcd..bb468a3 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -87651,7 +87715,7 @@ index e720dcd..18fff60 100644 corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) -@@ -44,79 +46,134 @@ template(`userdom_base_user_template',` +@@ -44,79 +46,132 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -87794,8 +87858,6 @@ index e720dcd..18fff60 100644 - libs_exec_ld_so($1_t) + libs_exec_ld_so($1_usertype) -+ -+ logging_send_audit_msgs($1_t) miscfiles_read_localization($1_t) miscfiles_read_generic_certs($1_t) @@ -87837,7 +87899,7 @@ index e720dcd..18fff60 100644 ') ####################################### -@@ -150,6 +207,8 @@ interface(`userdom_ro_home_role',` +@@ -150,6 +205,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -87846,7 +87908,7 @@ index e720dcd..18fff60 100644 ############################## # # Domain access to home dir -@@ -167,27 +226,6 @@ interface(`userdom_ro_home_role',` +@@ -167,27 +224,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) @@ -87874,7 +87936,7 @@ index e720dcd..18fff60 100644 ') ####################################### -@@ -219,8 +257,11 @@ interface(`userdom_ro_home_role',` +@@ -219,8 +255,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -87886,7 +87948,7 @@ index e720dcd..18fff60 100644 ############################## # # Domain access to home dir -@@ -229,43 +270,47 @@ interface(`userdom_manage_home_role',` +@@ -229,43 +268,47 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -87950,7 +88012,7 @@ index e720dcd..18fff60 100644 ') ') -@@ -273,6 +318,25 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +316,25 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -87976,7 +88038,7 @@ index e720dcd..18fff60 100644 ## ## ## Role allowed access. -@@ -287,17 +351,64 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +349,64 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -88046,7 +88108,7 @@ index e720dcd..18fff60 100644 ') ####################################### -@@ -317,6 +428,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,6 +426,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -88054,7 +88116,7 @@ index e720dcd..18fff60 100644 files_search_tmp($1) ') -@@ -348,59 +460,62 @@ interface(`userdom_exec_user_tmp_files',` +@@ -348,59 +458,62 @@ interface(`userdom_exec_user_tmp_files',` # interface(`userdom_manage_tmpfs_role',` gen_require(` @@ -88149,7 +88211,7 @@ index e720dcd..18fff60 100644 ') ####################################### -@@ -431,6 +546,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +544,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -88157,7 +88219,7 @@ index e720dcd..18fff60 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +579,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +577,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -88168,7 +88230,7 @@ index e720dcd..18fff60 100644 ') ') -@@ -491,7 +607,7 @@ template(`userdom_common_user_template',` +@@ -491,7 +605,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -88177,7 +88239,7 @@ index e720dcd..18fff60 100644 ############################## # -@@ -501,73 +617,83 @@ template(`userdom_common_user_template',` +@@ -501,73 +615,83 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -88248,7 +88310,7 @@ index e720dcd..18fff60 100644 - fs_rw_cgroup_files($1_t) + logging_send_syslog_msg($1_usertype) -+ logging_send_audit_msgs($1_usertype) ++ + selinux_get_enforce_mode($1_usertype) # cjp: some of this probably can be removed @@ -88303,7 +88365,7 @@ index e720dcd..18fff60 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -575,71 +701,117 @@ template(`userdom_common_user_template',` +@@ -575,71 +699,117 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -88318,19 +88380,19 @@ index e720dcd..18fff60 100644 - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) + canna_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ chrome_role($1_r, $1_usertype) ++ colord_read_lib_files($1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) -+ colord_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; @@ -88404,23 +88466,23 @@ index e720dcd..18fff60 100644 + optional_policy(` + inetd_use_fds($1_usertype) + inetd_rw_tcp_sockets($1_usertype) ++ ') ++ ++ optional_policy(` ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) ++ lircd_stream_connect($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) -+ lircd_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -88443,7 +88505,7 @@ index e720dcd..18fff60 100644 mysql_stream_connect($1_t) ') ') -@@ -651,40 +823,52 @@ template(`userdom_common_user_template',` +@@ -651,40 +821,52 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -88480,35 +88542,35 @@ index e720dcd..18fff60 100644 + + optional_policy(` + rpcbind_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ seunshare_role_template($1, $1_r, $1_t) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ slrnpull_search_spool($1_usertype) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t, $1_r) ++ slrnpull_search_spool($1_usertype) ++ ') ++ ++ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -709,17 +893,33 @@ template(`userdom_common_user_template',` +@@ -709,17 +891,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -88519,11 +88581,11 @@ index e720dcd..18fff60 100644 - userdom_manage_home_role($1_r, $1_t) + typeattribute $1_t login_userdomain; ++ ++ userdom_manage_home_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_home_role($1_r, $1_usertype) -+ + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) + @@ -88547,20 +88609,19 @@ index e720dcd..18fff60 100644 userdom_change_password_template($1) -@@ -728,81 +928,98 @@ template(`userdom_login_user_template', ` +@@ -727,82 +925,95 @@ template(`userdom_login_user_template', ` + # # User domain Local policy # - +- - allow $1_t self:capability { setgid chown fowner }; -+ allow $1_t self:capability { setgid setuid chown fowner }; -+ allow $1_t self:process setcurrent; -+ domain_dyntrans_type($1_t) dontaudit $1_t self:capability { sys_nice fsetid }; - +- - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; + allow $1_t self:process ~{ ptrace setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; ++ domain_dyntrans_type($1_t) allow $1_t self:context contains; @@ -88632,56 +88693,56 @@ index e720dcd..18fff60 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) - -- seutil_read_config($1_t) ++ + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) ++ ++ optional_policy(` ++ cups_read_config($1_usertype) ++ cups_stream_connect($1_usertype) ++ cups_stream_connect_ptal($1_usertype) ++ ') + +- seutil_read_config($1_t) ++ optional_policy(` ++ kerberos_use($1_usertype) ++ kerberos_filetrans_home_content($1_usertype) ++ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ cups_read_config($1_usertype) -+ cups_stream_connect($1_usertype) -+ cups_stream_connect_ptal($1_usertype) ++ mysql_filetrans_named_content($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ kerberos_use($1_usertype) -+ kerberos_filetrans_home_content($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ mysql_filetrans_named_content($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ quota_dontaudit_getattr_db($1_usertype) -+ ') -+ -+ optional_policy(` -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) -+ ') -+ -+ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) ') ') -@@ -834,6 +1051,12 @@ template(`userdom_restricted_user_template',` +@@ -834,6 +1045,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -88694,7 +88755,7 @@ index e720dcd..18fff60 100644 ############################## # # Local policy -@@ -874,46 +1097,115 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,46 +1091,114 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -88734,7 +88795,7 @@ index e720dcd..18fff60 100644 logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) +- logging_send_audit_msgs($1_t) selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) @@ -88823,7 +88884,7 @@ index e720dcd..18fff60 100644 ') ') -@@ -948,7 +1240,7 @@ template(`userdom_unpriv_user_template', ` +@@ -948,21 +1233,27 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -88832,8 +88893,12 @@ index e720dcd..18fff60 100644 userdom_common_user_template($1) ############################## -@@ -957,12 +1249,15 @@ template(`userdom_unpriv_user_template', ` # + # Local policy + # ++ allow $1_t self:capability { setgid chown fowner }; ++ ++ corecmd_exec_chroot($1_t) # port access is audited even if dac would not have allowed it, so dontaudit it here - corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) @@ -88850,7 +88915,7 @@ index e720dcd..18fff60 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -979,23 +1274,60 @@ template(`userdom_unpriv_user_template', ` +@@ -979,23 +1270,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -88920,7 +88985,7 @@ index e720dcd..18fff60 100644 ') # Run pppd in pppd_t by default for user -@@ -1004,7 +1336,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1004,7 +1332,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -88931,7 +88996,7 @@ index e720dcd..18fff60 100644 ') ') -@@ -1040,7 +1374,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1040,7 +1370,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -88940,7 +89005,7 @@ index e720dcd..18fff60 100644 ') ############################## -@@ -1067,6 +1401,7 @@ template(`userdom_admin_user_template',` +@@ -1067,6 +1397,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -88948,7 +89013,7 @@ index e720dcd..18fff60 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1075,6 +1410,9 @@ template(`userdom_admin_user_template',` +@@ -1075,6 +1406,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -88958,7 +89023,7 @@ index e720dcd..18fff60 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1427,7 @@ template(`userdom_admin_user_template',` +@@ -1089,6 +1423,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -88966,7 +89031,7 @@ index e720dcd..18fff60 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1106,10 +1445,13 @@ template(`userdom_admin_user_template',` +@@ -1106,10 +1441,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -88980,7 +89045,7 @@ index e720dcd..18fff60 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1120,29 +1462,38 @@ template(`userdom_admin_user_template',` +@@ -1120,29 +1458,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -89023,7 +89088,7 @@ index e720dcd..18fff60 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1152,6 +1503,8 @@ template(`userdom_admin_user_template',` +@@ -1152,6 +1499,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -89032,7 +89097,7 @@ index e720dcd..18fff60 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1166,6 +1519,10 @@ template(`userdom_admin_user_template',` +@@ -1166,6 +1515,10 @@ template(`userdom_admin_user_template',` fs_read_noxattr_fs_files($1_t) ') @@ -89043,7 +89108,7 @@ index e720dcd..18fff60 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1568,8 @@ template(`userdom_security_admin_template',` +@@ -1211,6 +1564,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -89052,7 +89117,7 @@ index e720dcd..18fff60 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1223,8 +1582,10 @@ template(`userdom_security_admin_template',` +@@ -1223,8 +1578,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -89064,7 +89129,7 @@ index e720dcd..18fff60 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1235,13 +1596,18 @@ template(`userdom_security_admin_template',` +@@ -1235,13 +1592,18 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -89087,7 +89152,7 @@ index e720dcd..18fff60 100644 ') optional_policy(` -@@ -1252,12 +1618,12 @@ template(`userdom_security_admin_template',` +@@ -1252,12 +1614,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -89103,7 +89168,7 @@ index e720dcd..18fff60 100644 ') optional_policy(` -@@ -1317,12 +1683,15 @@ interface(`userdom_user_application_domain',` +@@ -1317,12 +1679,15 @@ interface(`userdom_user_application_domain',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -89120,7 +89185,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -1363,18 +1732,63 @@ interface(`userdom_user_tmpfs_file',` +@@ -1363,9 +1728,54 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -89130,17 +89195,14 @@ index e720dcd..18fff60 100644 -## Domain allowed access. +## Type to be used as a file in the +## generic temporary directory. - ## - ## - # --interface(`userdom_attach_admin_tun_iface',` ++## ++## ++# +interface(`userdom_user_tmp_content',` - gen_require(` -- attribute admindomain; ++ gen_require(` + attribute user_tmp_type; - ') - -- allow $1 admindomain:tun_socket relabelfrom; ++ ') ++ + typeattribute $1 user_tmp_type; + + files_tmp_file($1) @@ -89177,19 +89239,10 @@ index e720dcd..18fff60 100644 +## +## +## Domain allowed access. -+## -+## -+# -+interface(`userdom_attach_admin_tun_iface',` -+ gen_require(` -+ attribute admindomain; -+ ') -+ -+ allow $1 admindomain:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; - ') - -@@ -1467,11 +1881,31 @@ interface(`userdom_search_user_home_dirs',` + ## + ## + # +@@ -1467,11 +1877,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -89221,7 +89274,7 @@ index e720dcd..18fff60 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1513,6 +1947,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1513,6 +1943,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -89236,7 +89289,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -1528,9 +1970,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1528,9 +1966,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -89248,7 +89301,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -1587,6 +2031,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1587,6 +2027,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -89291,7 +89344,7 @@ index e720dcd..18fff60 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1666,6 +2146,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1666,6 +2142,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -89300,7 +89353,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -1680,10 +2162,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1680,10 +2158,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -89315,7 +89368,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -1726,6 +2210,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1726,6 +2206,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -89359,7 +89412,7 @@ index e720dcd..18fff60 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1745,6 +2266,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1745,6 +2262,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -89385,7 +89438,7 @@ index e720dcd..18fff60 100644 ## Mmap user home files. ## ## -@@ -1775,14 +2315,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1775,14 +2311,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -89423,7 +89476,7 @@ index e720dcd..18fff60 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1793,11 +2355,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1793,11 +2351,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -89441,7 +89494,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -1856,6 +2421,78 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1856,6 +2417,78 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -89520,7 +89573,7 @@ index e720dcd..18fff60 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1887,8 +2524,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1887,8 +2520,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -89530,7 +89583,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -1904,20 +2540,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1904,20 +2536,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -89555,7 +89608,7 @@ index e720dcd..18fff60 100644 ######################################## ## -@@ -2018,6 +2648,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -2018,6 +2644,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -89580,7 +89633,7 @@ index e720dcd..18fff60 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2250,11 +2898,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2250,11 +2894,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -89595,7 +89648,7 @@ index e720dcd..18fff60 100644 files_search_tmp($1) ') -@@ -2274,7 +2922,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2274,7 +2918,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -89604,7 +89657,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -2521,6 +3169,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2521,6 +3165,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -89630,7 +89683,7 @@ index e720dcd..18fff60 100644 ######################################## ## ## Read user tmpfs files. -@@ -2537,13 +3204,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2537,13 +3200,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -89646,7 +89699,7 @@ index e720dcd..18fff60 100644 ## ## ## -@@ -2564,7 +3232,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2564,7 +3228,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -89655,7 +89708,7 @@ index e720dcd..18fff60 100644 ## ## ## -@@ -2572,19 +3240,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2572,19 +3236,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -89678,13 +89731,14 @@ index e720dcd..18fff60 100644 ## ## ## -@@ -2592,7 +3258,25 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2592,9 +3254,27 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # -interface(`userdom_getattr_user_ttys',` +interface(`userdom_execute_user_tmpfs_files',` -+ gen_require(` + gen_require(` +- type user_tty_device_t; + type user_tmpfs_t; + ') + @@ -89702,10 +89756,12 @@ index e720dcd..18fff60 100644 +## +# +interface(`userdom_getattr_user_ttys',` - gen_require(` - type user_tty_device_t; ++ gen_require(` ++ type user_tty_device_t; ') -@@ -2674,6 +3358,24 @@ interface(`userdom_use_user_ttys',` + + allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; +@@ -2674,6 +3354,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -89730,7 +89786,7 @@ index e720dcd..18fff60 100644 ## Read and write a user domain pty. ## ## -@@ -2692,22 +3394,34 @@ interface(`userdom_use_user_ptys',` +@@ -2692,22 +3390,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -89773,7 +89829,7 @@ index e720dcd..18fff60 100644 ## ## ## -@@ -2716,14 +3430,33 @@ interface(`userdom_use_user_ptys',` +@@ -2716,14 +3426,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -89811,7 +89867,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -2742,8 +3475,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2742,8 +3471,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -89841,7 +89897,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -2815,69 +3567,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2815,69 +3563,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -89942,7 +89998,7 @@ index e720dcd..18fff60 100644 ## ## ## -@@ -2885,12 +3636,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2885,12 +3632,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -89957,7 +90013,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -2954,7 +3705,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2954,7 +3701,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -89966,7 +90022,7 @@ index e720dcd..18fff60 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2970,29 +3721,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2970,29 +3717,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -90000,7 +90056,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -3074,7 +3809,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3074,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -90009,7 +90065,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -3129,7 +3864,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3129,7 +3860,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -90056,7 +90112,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -3147,7 +3920,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3147,7 +3916,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -90065,7 +90121,7 @@ index e720dcd..18fff60 100644 ') ######################################## -@@ -3166,6 +3939,7 @@ interface(`userdom_read_all_users_state',` +@@ -3166,6 +3935,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -90073,7 +90129,7 @@ index e720dcd..18fff60 100644 kernel_search_proc($1) ') -@@ -3242,6 +4016,42 @@ interface(`userdom_signal_all_users',` +@@ -3242,6 +4012,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -90116,7 +90172,7 @@ index e720dcd..18fff60 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4072,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4068,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -90141,7 +90197,7 @@ index e720dcd..18fff60 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4124,1282 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4120,1282 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 9b32038..e906a1b 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -833,7 +833,7 @@ index c0f858d..d75aae9 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 1632f10..67cd103 100644 +index 1632f10..1cb95bc 100644 --- a/accountsd.te +++ b/accountsd.te @@ -1,5 +1,9 @@ @@ -865,7 +865,7 @@ index 1632f10..67cd103 100644 # -allow accountsd_t self:capability { dac_override setuid setgid sys_ptrace }; -+allow accountsd_t self:capability { dac_override setuid setgid }; ++allow accountsd_t self:capability { chown dac_override setuid setgid }; +allow accountsd_t self:process signal; allow accountsd_t self:fifo_file rw_fifo_file_perms; +allow accountsd_t self:passwd { rootok passwd chfn chsh }; @@ -988,10 +988,18 @@ index 8559cdc..641044e 100644 # Allow afs_admin to restart the afs service afs_initrc_domtrans($1) diff --git a/afs.te b/afs.te -index a496fde..847609a 100644 +index a496fde..859f4cf 100644 --- a/afs.te +++ b/afs.te -@@ -107,6 +107,10 @@ miscfiles_read_localization(afs_t) +@@ -71,6 +71,7 @@ role system_r types afs_vlserver_t; + # + + allow afs_t self:capability { sys_admin sys_nice sys_tty_config }; ++dontaudit afs_t self:capability dac_override; + allow afs_t self:process { setsched signal }; + allow afs_t self:udp_socket create_socket_perms; + allow afs_t self:fifo_file rw_file_perms; +@@ -107,6 +108,10 @@ miscfiles_read_localization(afs_t) sysnet_dns_name_resolve(afs_t) @@ -1022,7 +1030,7 @@ index 184c9a8..8f77bf5 100644 domain_system_change_exemption($1) role_transition $2 aiccu_initrc_exec_t system_r; diff --git a/aiccu.te b/aiccu.te -index 6d685ba..4114d9b 100644 +index 6d685ba..b6f9ba3 100644 --- a/aiccu.te +++ b/aiccu.te @@ -45,9 +45,11 @@ corecmd_exec_shell(aiccu_t) @@ -1037,6 +1045,15 @@ index 6d685ba..4114d9b 100644 corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t) corenet_tcp_bind_generic_node(aiccu_t) corenet_tcp_connect_sixxsconfig_port(aiccu_t) +@@ -62,6 +64,8 @@ dev_read_urand(aiccu_t) + + files_read_etc_files(aiccu_t) + ++auth_read_passwd(aiccu_t) ++ + logging_send_syslog_msg(aiccu_t) + + miscfiles_read_localization(aiccu_t) diff --git a/aide.if b/aide.if index 838d25b..33981e0 100644 --- a/aide.if @@ -1472,6 +1489,18 @@ index bec220e..1d26add 100644 + fstools_domtrans(amanda_t) + fstools_signal(amanda_t) +') +diff --git a/amavis.fc b/amavis.fc +index 446ee16..25423bf 100644 +--- a/amavis.fc ++++ b/amavis.fc +@@ -2,6 +2,7 @@ + /etc/amavis(d)?\.conf -- gen_context(system_u:object_r:amavis_etc_t,s0) + /etc/amavisd(/.*)? gen_context(system_u:object_r:amavis_etc_t,s0) + /etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:amavis_initrc_exec_t,s0) + + /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) + /usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) diff --git a/amavis.if b/amavis.if index e31d92a..1aa0718 100644 --- a/amavis.if @@ -1500,7 +1529,7 @@ index e31d92a..1aa0718 100644 domain_system_change_exemption($1) role_transition $2 amavis_initrc_exec_t system_r; diff --git a/amavis.te b/amavis.te -index 5a9b451..c4b2eec 100644 +index 5a9b451..189c0a8 100644 --- a/amavis.te +++ b/amavis.te @@ -38,7 +38,7 @@ type amavis_quarantine_t; @@ -1534,7 +1563,11 @@ index 5a9b451..c4b2eec 100644 # var/lib files for amavis manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t) -@@ -128,17 +130,19 @@ corenet_tcp_connect_razor_port(amavis_t) +@@ -125,20 +127,23 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t) + corenet_udp_bind_generic_port(amavis_t) + corenet_dontaudit_udp_bind_all_ports(amavis_t) + corenet_tcp_connect_razor_port(amavis_t) ++corenet_tcp_connect_agentx_port(amavis_t) dev_read_rand(amavis_t) dev_read_urand(amavis_t) @@ -1555,7 +1588,7 @@ index 5a9b451..c4b2eec 100644 # uses uptime which reads utmp - redhat bug 561383 init_read_utmp(amavis_t) init_stream_connect_script(amavis_t) -@@ -148,29 +152,32 @@ logging_send_syslog_msg(amavis_t) +@@ -148,34 +153,38 @@ logging_send_syslog_msg(amavis_t) miscfiles_read_generic_certs(amavis_t) miscfiles_read_localization(amavis_t) @@ -1596,6 +1629,23 @@ index 5a9b451..c4b2eec 100644 nslcd_stream_connect(amavis_t) ') + optional_policy(` + postfix_read_config(amavis_t) ++ postfix_list_spool(amavis_t) + ') + + optional_policy(` +@@ -188,6 +197,10 @@ optional_policy(` + ') + + optional_policy(` ++ snmp_manage_var_lib_files(amavis_t) ++') ++ ++optional_policy(` + spamassassin_exec(amavis_t) + spamassassin_exec_client(amavis_t) + spamassassin_read_lib_files(amavis_t) diff --git a/amtu.te b/amtu.te index 057abb0..c75e9e9 100644 --- a/amtu.te @@ -10035,10 +10085,10 @@ index 0000000..b3a5b51 +/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0) diff --git a/condor.if b/condor.if new file mode 100644 -index 0000000..168f664 +index 0000000..e4ef32f --- /dev/null +++ b/condor.if -@@ -0,0 +1,327 @@ +@@ -0,0 +1,387 @@ + +## policy for condor + @@ -10091,6 +10141,66 @@ index 0000000..168f664 + corecmd_search_bin($1) + domtrans_pattern($1, condor_exec_t, condor_t) +') ++ ++####################################### ++## ++## Allows to start userland processes ++## by transitioning to the specified domain, ++## with a range transition. ++## ++## ++## ++## The process type entered by condor_startd. ++## ++## ++## ++## ++## The executable type for the entrypoint. ++## ++## ++## ++## ++## Range for the domain. ++## ++## ++# ++interface(`condor_startd_ranged_domtrans_to',` ++ gen_require(` ++ type sshd_t; ++ ') ++ condor_startd_domtrans_to($1, $2) ++ ++ ++ ifdef(`enable_mcs',` ++ range_transition condor_startd_t $2:process $3; ++ ') ++ ++') ++ ++####################################### ++## ++## Allows to start userlandprocesses ++## by transitioning to the specified domain. ++## ++## ++## ++## The process type entered by condor_startd. ++## ++## ++## ++## ++## The executable type for the entrypoint. ++## ++## ++# ++interface(`condor_startd_domtrans_to',` ++ gen_require(` ++ type condor_startd_t; ++ ') ++ ++ domtrans_pattern(condor_startd_t, $2, $1) ++') ++ +######################################## +## +## Read condor's log files. @@ -10368,10 +10478,10 @@ index 0000000..168f664 +') diff --git a/condor.te b/condor.te new file mode 100644 -index 0000000..40f65d5 +index 0000000..d39573f --- /dev/null +++ b/condor.te -@@ -0,0 +1,239 @@ +@@ -0,0 +1,241 @@ +policy_module(condor, 1.0.0) + +######################################## @@ -10587,6 +10697,8 @@ index 0000000..40f65d5 + +domain_read_all_domains_state(condor_startd_t) + ++mcs_process_set_categories(condor_startd_t) ++ +auth_use_nsswitch(condor_startd_t) + +init_domtrans_script(condor_startd_t) @@ -19318,7 +19430,7 @@ index ebad8c4..640293e 100644 ') - diff --git a/fprintd.te b/fprintd.te -index 7df52c7..5b9e374 100644 +index 7df52c7..1eb75fd 100644 --- a/fprintd.te +++ b/fprintd.te @@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0) @@ -19338,7 +19450,7 @@ index 7df52c7..5b9e374 100644 + allow fprintd_t self:fifo_file rw_fifo_file_perms; -allow fprintd_t self:process { getsched signal }; -+allow fprintd_t self:process { getsched setsched signal }; ++allow fprintd_t self:process { getsched setsched signal sigkill }; manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) @@ -28415,7 +28527,7 @@ index a4f32f5..628b63c 100644 ## in the caller domain. ## diff --git a/lpd.te b/lpd.te -index a03b63a..bee4750 100644 +index a03b63a..ce66d05 100644 --- a/lpd.te +++ b/lpd.te @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -28481,7 +28593,15 @@ index a03b63a..bee4750 100644 logging_send_syslog_msg(lpd_t) -@@ -256,7 +255,6 @@ domain_use_interactive_fds(lpr_t) +@@ -236,6 +235,7 @@ can_exec(lpr_t, lpr_exec_t) + # Allow lpd to read, rename, and unlink spool files. + allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms }; + ++kernel_read_system_state(lpr_t) + kernel_read_kernel_sysctls(lpr_t) + + corenet_all_recvfrom_unlabeled(lpr_t) +@@ -256,7 +256,6 @@ domain_use_interactive_fds(lpr_t) files_search_spool(lpr_t) # for lpd config files (should have a new type) @@ -28489,7 +28609,7 @@ index a03b63a..bee4750 100644 # for test print files_read_usr_files(lpr_t) #Added to cover read_content macro -@@ -275,19 +273,21 @@ miscfiles_read_localization(lpr_t) +@@ -275,19 +274,21 @@ miscfiles_read_localization(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. @@ -28516,7 +28636,7 @@ index a03b63a..bee4750 100644 # Send SIGHUP to lpd. allow lpr_t lpd_t:process signal; -@@ -305,17 +305,7 @@ tunable_policy(`use_lpd_server',` +@@ -305,17 +306,7 @@ tunable_policy(`use_lpd_server',` read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') @@ -28535,7 +28655,7 @@ index a03b63a..bee4750 100644 optional_policy(` cups_read_config(lpr_t) -@@ -324,5 +314,13 @@ optional_policy(` +@@ -324,5 +315,13 @@ optional_policy(` ') optional_policy(` @@ -30671,7 +30791,7 @@ index 3a73e74..60e7237 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..30bfefb 100644 +index b397fde..25a03ce 100644 --- a/mozilla.if +++ b/mozilla.if @@ -18,10 +18,11 @@ @@ -30819,7 +30939,7 @@ index b397fde..30bfefb 100644 ## ## ## -@@ -275,28 +359,98 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -275,28 +359,100 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -30923,6 +31043,8 @@ index b397fde..30bfefb 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") +') + diff --git a/mozilla.te b/mozilla.te @@ -34811,10 +34933,17 @@ index 632a565..cd0e015 100644 +/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/nis.if b/nis.if -index abe3f7f..8c0b6f9 100644 +index abe3f7f..026e1e6 100644 --- a/nis.if +++ b/nis.if -@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` +@@ -27,14 +27,11 @@ interface(`nis_use_ypbind_uncond',` + gen_require(` + type var_yp_t; + ') +- +- allow $1 self:capability net_bind_service; +- + allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; allow $1 var_yp_t:dir list_dir_perms; @@ -34823,7 +34952,7 @@ index abe3f7f..8c0b6f9 100644 allow $1 var_yp_t:file read_file_perms; corenet_all_recvfrom_unlabeled($1) -@@ -49,14 +49,13 @@ interface(`nis_use_ypbind_uncond',` +@@ -49,14 +46,13 @@ interface(`nis_use_ypbind_uncond',` corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) @@ -34841,7 +34970,7 @@ index abe3f7f..8c0b6f9 100644 corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) -@@ -88,7 +87,7 @@ interface(`nis_use_ypbind_uncond',` +@@ -88,7 +84,7 @@ interface(`nis_use_ypbind_uncond',` ## # interface(`nis_use_ypbind',` @@ -34850,7 +34979,7 @@ index abe3f7f..8c0b6f9 100644 nis_use_ypbind_uncond($1) ') ') -@@ -105,7 +104,7 @@ interface(`nis_use_ypbind',` +@@ -105,7 +101,7 @@ interface(`nis_use_ypbind',` ## # interface(`nis_authenticate',` @@ -34859,7 +34988,7 @@ index abe3f7f..8c0b6f9 100644 nis_use_ypbind_uncond($1) corenet_tcp_bind_all_rpc_ports($1) corenet_udp_bind_all_rpc_ports($1) -@@ -337,6 +336,55 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -337,6 +333,55 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## ## @@ -34915,7 +35044,7 @@ index abe3f7f..8c0b6f9 100644 ## All of the rules required to administrate ## an nis environment ## -@@ -354,22 +402,31 @@ interface(`nis_initrc_domtrans_ypbind',` +@@ -354,22 +399,31 @@ interface(`nis_initrc_domtrans_ypbind',` # interface(`nis_admin',` gen_require(` @@ -34954,7 +35083,7 @@ index abe3f7f..8c0b6f9 100644 ps_process_pattern($1, ypxfr_t) nis_initrc_domtrans($1) -@@ -379,18 +436,24 @@ interface(`nis_admin',` +@@ -379,18 +433,24 @@ interface(`nis_admin',` role_transition $2 ypbind_initrc_exec_t system_r; allow $2 system_r; @@ -42952,6 +43081,35 @@ index d4000e0..f35afa4 100644 mta_send_mail(psad_t) mta_read_queue(psad_t) ') +diff --git a/ptchown.if b/ptchown.if +index 96cc023..5919bbd 100644 +--- a/ptchown.if ++++ b/ptchown.if +@@ -18,6 +18,24 @@ interface(`ptchown_domtrans',` + domtrans_pattern($1, ptchown_exec_t, ptchown_t) + ') + ++####################################### ++## ++## Execute ptchown in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ptchown_exec',` ++ gen_require(` ++ type ptchown_exec_t; ++ ') ++ ++ can_exec($1, ptchown_exec_t) ++') ++ + ######################################## + ## + ## Execute ptchown in the ptchown domain, and diff --git a/pulseaudio.fc b/pulseaudio.fc index 84f23dc..5be2738 100644 --- a/pulseaudio.fc @@ -46351,6 +46509,87 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) +diff --git a/realmd.fc b/realmd.fc +new file mode 100644 +index 0000000..3c24ce4 +--- /dev/null ++++ b/realmd.fc +@@ -0,0 +1 @@ ++/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) +diff --git a/realmd.if b/realmd.if +new file mode 100644 +index 0000000..48ea717 +--- /dev/null ++++ b/realmd.if +@@ -0,0 +1,21 @@ ++ ++## dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA ++ ++######################################## ++## ++## Execute realmd in the realmd_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`realmd_domtrans',` ++ gen_require(` ++ type realmd_t, realmd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, realmd_exec_t, realmd_t) ++') +diff --git a/realmd.te b/realmd.te +new file mode 100644 +index 0000000..158fd63 +--- /dev/null ++++ b/realmd.te +@@ -0,0 +1,41 @@ ++policy_module(realmd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type realmd_t; ++type realmd_exec_t; ++dbus_system_domain(realmd_t, realmd_exec_t) ++ ++ ++######################################## ++# ++# realmd local policy ++# ++ ++allow realmd_t self:capability { kill }; ++ ++domain_use_interactive_fds(realmd_t) ++ ++files_read_etc_files(realmd_t) ++ ++logging_send_syslog_msg(realmd_t) ++ ++miscfiles_read_localization(realmd_t) ++ ++optional_policy(` ++ kerberos_use(realmd_t) ++') ++ ++optional_policy(` ++ samba_domtrans_net(realmd_t) ++ samba_read_config(realmd_t) ++') ++ ++optional_policy(` ++ sssd_read_config(realmd_t) ++ sssd_write_config(realmd_t) ++ sssd_create_config(realmd_t) ++') diff --git a/remotelogin.te b/remotelogin.te index 0a76027..a3bc03a 100644 --- a/remotelogin.te @@ -54183,7 +54422,7 @@ index c954f31..82fc7f6 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/spamassassin.te b/spamassassin.te -index 1bbf73b..2269290 100644 +index 1bbf73b..bf120b4 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0) @@ -54420,7 +54659,7 @@ index 1bbf73b..2269290 100644 ') ######################################## -@@ -202,15 +268,32 @@ allow spamc_t self:unix_stream_socket connectto; +@@ -202,15 +268,36 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -54437,6 +54676,9 @@ index 1bbf73b..2269290 100644 +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t) +userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file }) +userdom_append_user_home_content_files(spamc_t) ++# for /root/.pyzor ++allow spamc_t self:capability dac_override; ++userdom_admin_home_dir_filetrans(spamc_t, spamc_home_t , dir, ".pyzor") + +list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) @@ -54445,6 +54687,7 @@ index 1bbf73b..2269290 100644 allow spamc_t spamd_t:unix_stream_socket connectto; allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms; +spamd_stream_connect(spamc_t) ++allow spamc_t spamd_tmp_t:file read_inherited_file_perms; kernel_read_kernel_sysctls(spamc_t) +kernel_read_system_state(spamc_t) @@ -54453,7 +54696,7 @@ index 1bbf73b..2269290 100644 corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -222,6 +305,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) +@@ -222,6 +309,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) @@ -54461,7 +54704,7 @@ index 1bbf73b..2269290 100644 fs_search_auto_mountpoints(spamc_t) -@@ -234,15 +318,19 @@ corecmd_read_bin_sockets(spamc_t) +@@ -234,15 +322,19 @@ corecmd_read_bin_sockets(spamc_t) domain_use_interactive_fds(spamc_t) @@ -54482,7 +54725,7 @@ index 1bbf73b..2269290 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -250,27 +338,35 @@ seutil_read_config(spamc_t) +@@ -250,27 +342,35 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -54524,7 +54767,7 @@ index 1bbf73b..2269290 100644 ') ######################################## -@@ -282,7 +378,7 @@ optional_policy(` +@@ -282,7 +382,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -54533,7 +54776,7 @@ index 1bbf73b..2269290 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -298,10 +394,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -298,10 +398,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -54552,7 +54795,7 @@ index 1bbf73b..2269290 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -310,11 +413,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -310,11 +417,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -54570,7 +54813,7 @@ index 1bbf73b..2269290 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -356,30 +463,29 @@ corecmd_exec_bin(spamd_t) +@@ -356,30 +467,29 @@ corecmd_exec_bin(spamd_t) domain_use_interactive_fds(spamd_t) files_read_usr_files(spamd_t) @@ -54609,7 +54852,7 @@ index 1bbf73b..2269290 100644 ') optional_policy(` -@@ -395,7 +501,9 @@ optional_policy(` +@@ -395,7 +505,9 @@ optional_policy(` ') optional_policy(` @@ -54619,7 +54862,7 @@ index 1bbf73b..2269290 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -404,25 +512,17 @@ optional_policy(` +@@ -404,25 +516,17 @@ optional_policy(` ') optional_policy(` @@ -54647,7 +54890,7 @@ index 1bbf73b..2269290 100644 postgresql_stream_connect(spamd_t) ') -@@ -433,6 +533,10 @@ optional_policy(` +@@ -433,6 +537,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -54658,7 +54901,7 @@ index 1bbf73b..2269290 100644 ') optional_policy(` -@@ -440,6 +544,7 @@ optional_policy(` +@@ -440,6 +548,7 @@ optional_policy(` ') optional_policy(` @@ -54666,7 +54909,7 @@ index 1bbf73b..2269290 100644 sendmail_stub(spamd_t) mta_read_config(spamd_t) ') -@@ -447,3 +552,50 @@ optional_policy(` +@@ -447,3 +556,50 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -54839,10 +55082,15 @@ index d24bd07..624dd50 100644 + kerberos_tmp_filetrans_host_rcache(squid_t, "host_0") +') diff --git a/sssd.fc b/sssd.fc -index 4271815..4bc00ea 100644 +index 4271815..fb5520f 100644 --- a/sssd.fc +++ b/sssd.fc -@@ -4,6 +4,8 @@ +@@ -1,9 +1,13 @@ + /etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0) + ++/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) ++ + /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0) @@ -54852,7 +55100,7 @@ index 4271815..4bc00ea 100644 /var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0) diff --git a/sssd.if b/sssd.if -index 941380a..e1095f0 100644 +index 941380a..ff89df6 100644 --- a/sssd.if +++ b/sssd.if @@ -5,9 +5,9 @@ @@ -54867,7 +55115,71 @@ index 941380a..e1095f0 100644 ## # interface(`sssd_domtrans',` -@@ -89,6 +89,7 @@ interface(`sssd_manage_pids',` +@@ -36,6 +36,63 @@ interface(`sssd_initrc_domtrans',` + init_labeled_script_domtrans($1, sssd_initrc_exec_t) + ') + ++####################################### ++## ++## Read sssd configuration. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_read_config',` ++ gen_require(` ++ type sssd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, sssd_conf_t, sssd_conf_t) ++') ++ ++###################################### ++## ++## Write sssd configuration. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_write_config',` ++ gen_require(` ++ type sssd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ write_files_pattern($1, sssd_conf_t, sssd_conf_t) ++') ++ ++##################################### ++## ++## Write sssd configuration. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_create_config',` ++ gen_require(` ++ type sssd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ create_files_pattern($1, sssd_conf_t, sssd_conf_t) ++') ++ + ######################################## + ## + ## Read sssd public files. +@@ -89,6 +146,7 @@ interface(`sssd_manage_pids',` type sssd_var_run_t; ') @@ -54875,7 +55187,7 @@ index 941380a..e1095f0 100644 manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) ') -@@ -128,7 +129,6 @@ interface(`sssd_dontaudit_search_lib',` +@@ -128,7 +186,6 @@ interface(`sssd_dontaudit_search_lib',` ') dontaudit $1 sssd_var_lib_t:dir search_dir_perms; @@ -54883,7 +55195,7 @@ index 941380a..e1095f0 100644 ') ######################################## -@@ -148,6 +148,7 @@ interface(`sssd_read_lib_files',` +@@ -148,6 +205,7 @@ interface(`sssd_read_lib_files',` files_search_var_lib($1) read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) @@ -54891,7 +55203,7 @@ index 941380a..e1095f0 100644 ') ######################################## -@@ -168,6 +169,7 @@ interface(`sssd_manage_lib_files',` +@@ -168,6 +226,7 @@ interface(`sssd_manage_lib_files',` files_search_var_lib($1) manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) @@ -54899,7 +55211,7 @@ index 941380a..e1095f0 100644 ') ######################################## -@@ -193,7 +195,7 @@ interface(`sssd_dbus_chat',` +@@ -193,7 +252,7 @@ interface(`sssd_dbus_chat',` ######################################## ## @@ -54908,7 +55220,7 @@ index 941380a..e1095f0 100644 ## ## ## -@@ -225,21 +227,18 @@ interface(`sssd_stream_connect',` +@@ -225,21 +284,18 @@ interface(`sssd_stream_connect',` ## The role to be allowed to manage the sssd domain. ## ## @@ -54937,10 +55249,18 @@ index 941380a..e1095f0 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/sssd.te b/sssd.te -index 8ffa257..20d8944 100644 +index 8ffa257..706c52b 100644 --- a/sssd.te +++ b/sssd.te -@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t) +@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t) + type sssd_initrc_exec_t; + init_script_file(sssd_initrc_exec_t) + ++type sssd_conf_t; ++files_config_file(sssd_conf_t) ++ + type sssd_public_t; + files_pid_file(sssd_public_t) type sssd_var_lib_t; files_type(sssd_var_lib_t) @@ -54948,7 +55268,7 @@ index 8ffa257..20d8944 100644 type sssd_var_log_t; logging_log_file(sssd_var_log_t) -@@ -28,9 +29,11 @@ files_pid_file(sssd_var_run_t) +@@ -28,18 +32,23 @@ files_pid_file(sssd_var_run_t) # # sssd local policy # @@ -54962,8 +55282,10 @@ index 8ffa257..20d8944 100644 +allow sssd_t self:key manage_key_perms; allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t) ++ manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t) -@@ -38,8 +41,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) + manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t) manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t) @@ -54974,7 +55296,7 @@ index 8ffa257..20d8944 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,18 +52,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,18 +57,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -55000,7 +55322,7 @@ index 8ffa257..20d8944 100644 fs_list_inotifyfs(sssd_t) -@@ -68,10 +79,14 @@ selinux_validate_context(sssd_t) +@@ -68,10 +84,14 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) @@ -55016,7 +55338,7 @@ index 8ffa257..20d8944 100644 init_read_utmp(sssd_t) -@@ -79,6 +94,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +99,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -55029,7 +55351,7 @@ index 8ffa257..20d8944 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +108,19 @@ optional_policy(` +@@ -87,4 +113,19 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -55039,16 +55361,296 @@ index 8ffa257..20d8944 100644 + +optional_policy(` + dirsrv_stream_connect(sssd_t) - ') ++') + +optional_policy(` + ldap_stream_connect(sssd_t) -+') + ') + +userdom_home_reader(sssd_t) + + + +diff --git a/stapserver.fc b/stapserver.fc +new file mode 100644 +index 0000000..0ccce59 +--- /dev/null ++++ b/stapserver.fc +@@ -0,0 +1,7 @@ ++/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0) ++ ++/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0) ++ ++/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0) ++ ++/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0) +diff --git a/stapserver.if b/stapserver.if +new file mode 100644 +index 0000000..89b20d3 +--- /dev/null ++++ b/stapserver.if +@@ -0,0 +1,156 @@ ++ ++## Instrumentation System Server ++ ++######################################## ++## ++## Execute stapserver in the stapserver domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`stapserver_domtrans',` ++ gen_require(` ++ type stapserver_t, stapserver_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, stapserver_exec_t, stapserver_t) ++') ++######################################## ++## ++## Read stapserver's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`stapserver_read_log',` ++ gen_require(` ++ type stapserver_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, stapserver_log_t, stapserver_log_t) ++') ++ ++######################################## ++## ++## Append to stapserver log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`stapserver_append_log',` ++ gen_require(` ++ type stapserver_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, stapserver_log_t, stapserver_log_t) ++') ++ ++######################################## ++## ++## Manage stapserver log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`stapserver_manage_log',` ++ gen_require(` ++ type stapserver_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t) ++ manage_files_pattern($1, stapserver_log_t, stapserver_log_t) ++ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t) ++') ++######################################## ++## ++## Read stapserver PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`stapserver_read_pid_files',` ++ gen_require(` ++ type stapserver_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 stapserver_var_run_t:file read_file_perms; ++') ++ ++####################################### ++## ++## Manage stapserver lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`stapserver_manage_lib',` ++ gen_require(` ++ type stapserver_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t) ++ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an stapserver environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`stapserver_admin',` ++ gen_require(` ++ type stapserver_t; ++ type stapserver_log_t; ++ type stapserver_var_run_t; ++ ') ++ ++ allow $1 stapserver_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, stapserver_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, stapserver_log_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, stapserver_var_run_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/stapserver.te b/stapserver.te +new file mode 100644 +index 0000000..fa12095 +--- /dev/null ++++ b/stapserver.te +@@ -0,0 +1,99 @@ ++policy_module(stapserver, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type stapserver_t; ++type stapserver_exec_t; ++init_daemon_domain(stapserver_t, stapserver_exec_t) ++ ++type stapserver_var_lib_t; ++files_type(stapserver_var_lib_t) ++ ++type stapserver_log_t; ++logging_log_file(stapserver_log_t) ++ ++type stapserver_var_run_t; ++files_pid_file(stapserver_var_run_t) ++ ++######################################## ++# ++# stapserver local policy ++# ++ ++#runuser ++allow stapserver_t self:capability { setuid setgid }; ++allow stapserver_t self:process setsched; ++ ++allow stapserver_t self:capability { dac_override kill }; ++allow stapserver_t self:process { setrlimit signal }; ++ ++allow stapserver_t self:fifo_file rw_fifo_file_perms; ++allow stapserver_t self:key write; ++allow stapserver_t self:unix_stream_socket create_stream_socket_perms; ++allow stapserver_t self:tcp_socket { accept listen }; ++ ++manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) ++manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t) ++files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir) ++ ++manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) ++manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t) ++logging_log_filetrans(stapserver_t, stapserver_log_t, dir ) ++ ++manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) ++manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t) ++files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir ) ++ ++kernel_read_system_state(stapserver_t) ++kernel_read_kernel_sysctls(stapserver_t) ++ ++corecmd_exec_bin(stapserver_t) ++corecmd_exec_shell(stapserver_t) ++ ++domain_read_all_domains_state(stapserver_t) ++domain_use_interactive_fds(stapserver_t) ++ ++dev_read_sysfs(stapserver_t) ++dev_read_rand(stapserver_t) ++dev_read_urand(stapserver_t) ++ ++files_list_tmp(stapserver_t) ++files_read_usr_files(stapserver_t) ++files_search_kernel_modules(stapserver_t) ++ ++auth_use_nsswitch(stapserver_t) ++ ++init_read_utmp(stapserver_t) ++ ++logging_send_audit_msgs(stapserver_t) ++logging_send_syslog_msg(stapserver_t) ++ ++miscfiles_read_localization(stapserver_t) ++#lspci ++miscfiles_read_hwdata(stapserver_t) ++ ++userdom_use_user_terminals(stapserver_t) ++ ++optional_policy(` ++ consoletype_exec(stapserver_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(stapserver_t) ++') ++ ++optional_policy(` ++ hostname_exec(stapserver_t) ++') ++ ++optional_policy(` ++ plymouthd_exec_plymouth(stapserver_t) ++') ++ ++optional_policy(` ++ rpm_exec(stapserver_t) ++') ++ diff --git a/stunnel.te b/stunnel.te index f646c66..6fef759 100644 --- a/stunnel.te @@ -61234,7 +61836,7 @@ index 77d41b6..cc73c96 100644 files_search_pids($1) diff --git a/xen.te b/xen.te -index d995c70..17e2d43 100644 +index d995c70..da9a6e1 100644 --- a/xen.te +++ b/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.11.1) @@ -61316,12 +61918,23 @@ index d995c70..17e2d43 100644 files_read_etc_files(xend_t) files_read_kernel_symbol_table(xend_t) -@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t) +@@ -309,7 +315,9 @@ files_etc_filetrans_etc_runtime(xend_t, file) + files_read_usr_files(xend_t) + files_read_default_symlinks(xend_t) + ++term_setattr_generic_ptys(xend_t) + term_getattr_all_ptys(xend_t) ++term_setattr_all_ptys(xend_t) + term_use_generic_ptys(xend_t) + term_use_ptmx(xend_t) + term_getattr_pty_fs(xend_t) +@@ -320,13 +328,11 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) -lvm_domtrans(xend_t) -- ++auth_read_passwd(xend_t) + miscfiles_read_localization(xend_t) miscfiles_read_hwdata(xend_t) @@ -61330,7 +61943,7 @@ index d995c70..17e2d43 100644 sysnet_domtrans_dhcpc(xend_t) sysnet_signal_dhcpc(xend_t) sysnet_domtrans_ifconfig(xend_t) -@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) +@@ -339,8 +345,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t) xen_stream_connect_xenstore(xend_t) @@ -61339,7 +61952,7 @@ index d995c70..17e2d43 100644 optional_policy(` brctl_domtrans(xend_t) ') -@@ -349,6 +349,23 @@ optional_policy(` +@@ -349,6 +353,27 @@ optional_policy(` consoletype_exec(xend_t) ') @@ -61356,6 +61969,10 @@ index d995c70..17e2d43 100644 +') + +optional_policy(` ++ ptchown_exec(xend_t) ++') ++ ++optional_policy(` + virt_search_images(xend_t) + virt_read_config(xend_t) +') @@ -61363,7 +61980,7 @@ index d995c70..17e2d43 100644 ######################################## # # Xen console local policy -@@ -374,8 +391,6 @@ dev_rw_xen(xenconsoled_t) +@@ -374,8 +399,6 @@ dev_rw_xen(xenconsoled_t) dev_filetrans_xen(xenconsoled_t) dev_rw_sysfs(xenconsoled_t) @@ -61372,7 +61989,7 @@ index d995c70..17e2d43 100644 files_read_etc_files(xenconsoled_t) files_read_usr_files(xenconsoled_t) -@@ -413,9 +428,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) +@@ -413,9 +436,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t) files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir }) # pid file @@ -61384,7 +62001,7 @@ index d995c70..17e2d43 100644 # log files manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t) -@@ -442,9 +458,11 @@ files_read_etc_files(xenstored_t) +@@ -442,9 +466,11 @@ files_read_etc_files(xenstored_t) files_read_usr_files(xenstored_t) @@ -61396,7 +62013,7 @@ index d995c70..17e2d43 100644 init_use_fds(xenstored_t) init_use_script_ptys(xenstored_t) -@@ -457,96 +475,9 @@ xen_append_log(xenstored_t) +@@ -457,96 +483,9 @@ xen_append_log(xenstored_t) ######################################## # @@ -61493,7 +62110,7 @@ index d995c70..17e2d43 100644 #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) -@@ -559,8 +490,4 @@ optional_policy(` +@@ -559,8 +498,4 @@ optional_policy(` fs_manage_nfs_files(xend_t) fs_read_nfs_symlinks(xend_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9689a36..16e2d0f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -491,6 +491,28 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jul 16 2012 Miroslav Grepl 3.11.0-10 +- Add realmd and stapserver policies +- Allow useradd to manage stap-server lib files +- Tighten up capabilities for confined users +- Label /etc/security/opasswd as shadow_t +- Add label for /dev/ecryptfs +- Allow condor_startd_t to start sshd with the ranged +- Allow lpstat.cups to read fips_enabled file +- Allow pyzor running as spamc_t to create /root/.pyzor directory +- Add labelinf for amavisd-snmp init script +- Add support for amavisd-snmp +- Allow fprintd sigkill self +- Allow xend (w/o libvirt) to start virtual machines +- Allow aiccu to read /etc/passwd +- Allow condor_startd to Make specified domain MCS trusted for setting any category set for the processes it executes +- Add condor_startd_ranged_domtrans_to() interface +- Add ssd_conf_t for /etc/sssd +- accountsd needs to fchown some files/directories +- Add ICACLient and zibrauserdata as mozilla_filetrans_home_content +- SELinux reports afs_t needs dac_override to read /etc/mtab, even though everything works, adding dontaudit +- Allow xend_t to read the /etc/passwd file + * Wed Jul 11 2012 Miroslav Grepl 3.11.0-9 - Until we figure out how to fix systemd issues, allow all apps that send syslog messages to send them to kernel_t - Add init_access_check() interface