From 3f0021e9f3cfa1fbbc488d3202a42e5d8ec4e676 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Mar 16 2016 12:59:24 +0000 Subject: * Wed Mar 16 2016 Lukas Vrabec 3.13.1-179 - Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. - Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content." - Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content. - Allow pcp_pmie and pcp_pmlogger to read all domains state. - Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717 - Merge pull request #108 from rhatdan/rkt - Merge pull request #109 from rhatdan/virt_sandbox - Add new interface to define virt_sandbox_network domains - Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port. - Fix typo in drbd policy - Remove declaration of empty booleans in virt policy. - Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. - Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files. - Additional rules to make rkt work in enforcing mode - Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 - Allow ipsec to use pam. rhbz#1317988 - Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968 - Allow setrans daemon to read /proc/meminfo. - Merge pull request #107 from rhatdan/rkt-base - Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used. - Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 3bbf129..05cb417 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ 
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index c922d1b..6f97c6e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3495,7 +3495,7 @@ index 7590165..d81185e 100644 + fs_mounton_fusefs(seunshare_domain) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 33e0f8d..9502a72 100644 +index 33e0f8d..b94f32f 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -3518,16 +3518,7 @@ index 33e0f8d..9502a72 100644 /etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -59,6 +61,8 @@ ifdef(`distro_redhat',` - /etc/cron.weekly(/.*)? gen_context(system_u:object_r:bin_t,s0) - /etc/cron.monthly(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:bin_t,s0) -+ - /etc/dhcp/dhclient\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) -@@ -67,18 +71,33 @@ ifdef(`distro_redhat',` +@@ -67,18 +69,33 @@ ifdef(`distro_redhat',` /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0) /etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3561,7 +3552,7 @@ index 33e0f8d..9502a72 100644 /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -101,8 +120,6 @@ ifdef(`distro_redhat',` +@@ -101,8 +118,6 @@ ifdef(`distro_redhat',` /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) @@ -3570,7 +3561,7 @@ index 33e0f8d..9502a72 100644 /etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0) /etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0) -@@ -116,6 +133,9 @@ ifdef(`distro_redhat',` +@@ -116,6 +131,9 @@ ifdef(`distro_redhat',` /etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -3580,7 +3571,7 @@ index 33e0f8d..9502a72 100644 /etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0) /etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0) -@@ -135,10 +155,12 @@ ifdef(`distro_debian',` +@@ -135,10 +153,12 @@ ifdef(`distro_debian',` /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0) /lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) @@ -3594,7 +3585,7 @@ index 33e0f8d..9502a72 100644 ifdef(`distro_gentoo',` /lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) -@@ -149,10 +171,12 @@ ifdef(`distro_gentoo',` +@@ -149,10 +169,12 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -3608,7 +3599,7 @@ index 33e0f8d..9502a72 100644 /sbin/.* gen_context(system_u:object_r:bin_t,s0) /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) -@@ -168,6 +192,7 @@ ifdef(`distro_gentoo',` +@@ -168,6 +190,7 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3616,7 +3607,7 @@ index 33e0f8d..9502a72 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -179,34 +204,50 @@ ifdef(`distro_gentoo',` +@@ -179,34 +202,50 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -3676,7 +3667,7 @@ index 33e0f8d..9502a72 100644 /usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -218,19 +259,32 @@ ifdef(`distro_gentoo',` +@@ -218,19 +257,32 @@ ifdef(`distro_gentoo',` /usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) /usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -3716,7 +3707,7 @@ index 33e0f8d..9502a72 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -245,26 +299,40 @@ ifdef(`distro_gentoo',` +@@ -245,26 +297,40 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -3762,7 +3753,7 @@ index 33e0f8d..9502a72 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -280,10 +348,14 @@ ifdef(`distro_gentoo',` +@@ -280,10 +346,14 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3777,7 +3768,7 @@ index 33e0f8d..9502a72 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -298,16 +370,22 @@ ifdef(`distro_gentoo',` +@@ -298,16 +368,22 @@ ifdef(`distro_gentoo',` /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) @@ -3802,7 +3793,7 @@ index 33e0f8d..9502a72 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,20 +403,27 @@ ifdef(`distro_redhat', ` +@@ -325,20 +401,27 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -3831,7 +3822,7 @@ index 33e0f8d..9502a72 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -346,6 +431,7 @@ ifdef(`distro_redhat', ` +@@ -346,6 +429,7 @@ ifdef(`distro_redhat', ` /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -3839,7 +3830,7 @@ index 33e0f8d..9502a72 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -387,17 +473,34 @@ ifdef(`distro_suse', ` +@@ -387,17 +471,34 @@ ifdef(`distro_suse', ` # # /var # @@ -18124,7 +18115,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..65a3b6d 100644 +index e100d88..c652350 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -18135,7 +18126,7 @@ index e100d88..65a3b6d 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -18755,7 +18746,7 @@ index e100d88..65a3b6d 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3284,630 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3284,649 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -19309,6 +19300,25 @@ index e100d88..65a3b6d 100644 + +######################################## +## ++## Dontaudit write usermodehelper state ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`kernel_dontaudit_write_usermodehelper_state',` ++ gen_require(` ++ type usermodehelper_t; ++ ') ++ ++ dontaudit $1 usermodehelper_t:file write; ++') ++ ++######################################## ++## +## Relabel to usermodehelper context . +## +## @@ -28312,7 +28322,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..23560f0 100644 +index 8b40377..436b1e0 100644 --- a/policy/modules/services/xserver.te 
+++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -28906,7 +28916,7 @@ index 8b40377..23560f0 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +643,44 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +643,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28918,6 +28928,7 @@ index 8b40377..23560f0 100644 +term_use_all_terms(xdm_t) +term_relabel_all_ttys(xdm_t) +term_relabel_unallocated_ttys(xdm_t) ++term_getattr_virtio_console(xdm_t) auth_domtrans_pam_console(xdm_t) -auth_manage_pam_pid(xdm_t) @@ -28955,7 +28966,7 @@ index 8b40377..23560f0 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +689,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +690,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -29125,7 +29136,7 @@ index 8b40377..23560f0 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +858,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +859,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -29157,7 +29168,7 @@ index 8b40377..23560f0 100644 ') optional_policy(` -@@ -518,8 +893,36 @@ optional_policy(` +@@ -518,8 +894,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -29195,7 +29206,7 @@ index 8b40377..23560f0 100644 ') ') -@@ -530,6 +933,20 @@ optional_policy(` +@@ -530,6 +934,20 @@ optional_policy(` ') optional_policy(` 
@@ -29216,7 +29227,7 @@ index 8b40377..23560f0 100644 hostname_exec(xdm_t) ') -@@ -547,28 +964,78 @@ optional_policy(` +@@ -547,28 +965,78 @@ optional_policy(` ') optional_policy(` @@ -29304,7 +29315,7 @@ index 8b40377..23560f0 100644 ') optional_policy(` -@@ -580,6 +1047,14 @@ optional_policy(` +@@ -580,6 +1048,14 @@ optional_policy(` ') optional_policy(` @@ -29319,7 +29330,7 @@ index 8b40377..23560f0 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1069,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1070,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -29328,7 +29339,7 @@ index 8b40377..23560f0 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1079,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1080,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -29341,7 +29352,7 @@ index 8b40377..23560f0 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1096,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1097,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -29357,7 +29368,7 @@ index 8b40377..23560f0 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1112,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1113,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -29368,7 +29379,7 @@ index 8b40377..23560f0 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1127,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1128,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -29405,7 +29416,7 @@ index 8b40377..23560f0 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1173,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1174,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -29437,7 +29448,7 @@ index 8b40377..23560f0 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1206,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1207,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -29452,7 +29463,7 @@ index 8b40377..23560f0 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1227,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1228,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -29476,7 +29487,7 @@ index 8b40377..23560f0 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1246,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1247,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -29485,7 +29496,7 @@ index 8b40377..23560f0 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1290,54 @@ optional_policy(` +@@ -785,17 +1291,54 @@ optional_policy(` ') optional_policy(` @@ -29542,7 +29553,7 @@ index 8b40377..23560f0 100644 ') optional_policy(` -@@ -803,6 +1345,10 @@ optional_policy(` +@@ -803,6 +1346,10 @@ optional_policy(` ') optional_policy(` @@ -29553,7 +29564,7 @@ index 8b40377..23560f0 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1364,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1365,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -29578,7 +29589,7 @@ index 8b40377..23560f0 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1387,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1388,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -29613,7 +29624,7 @@ index 8b40377..23560f0 100644 ') optional_policy(` -@@ -912,7 +1452,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1453,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -29622,7 +29633,7 @@ index 8b40377..23560f0 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1506,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1507,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -29654,7 +29665,7 @@ index 8b40377..23560f0 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1552,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1553,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -35595,7 +35606,7 @@ index 0d4c8d3..537aa42 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 312cd04..324b3af 100644 +index 312cd04..102b975 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) 
@@ -35702,7 +35713,7 @@ index 312cd04..324b3af 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,22 +178,31 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,22 +178,32 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -35711,6 +35722,7 @@ index 312cd04..324b3af 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) ++auth_use_pam(ipsec_t) auth_use_nsswitch(ipsec_t) +auth_read_home_content(ipsec_t) @@ -35736,7 +35748,7 @@ index 312cd04..324b3af 100644 optional_policy(` seutil_sigchld_newrole(ipsec_t) -@@ -182,19 +212,30 @@ optional_policy(` +@@ -182,19 +213,30 @@ optional_policy(` udev_read_db(ipsec_t) ') @@ -35771,7 +35783,7 @@ index 312cd04..324b3af 100644 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -208,12 +249,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) +@@ -208,12 +250,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file) allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) @@ -35787,7 +35799,7 @@ index 312cd04..324b3af 100644 # _realsetup needs to be able to cat /var/run/pluto.pid, # run ps on that pid, and delete the file -@@ -246,6 +289,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +290,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -35804,7 +35816,7 @@ index 312cd04..324b3af 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +308,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +309,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) 
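Review bot: `auth_use_pam(ipsec_t)` in the `@@ -35711,6 +35722,7 @@` hunk is a broad bundle of rules, and in reference policy it already calls `auth_use_nsswitch` itself, so the `auth_use_nsswitch(ipsec_t)` line directly below it becomes redundant once this lands; confirm against this tree's authlogin.if before removing it. The rule carries no rationale in ipsec.te, only in the changelog, so it will read as arbitrary to the next person pruning the file. A one-line why-comment above it, e.g. `# the ipsec daemon authenticates users through PAM, rhbz#1317988`, would record the reason where it is needed.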
@@ -35813,7 +35825,7 @@ index 312cd04..324b3af 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -269,6 +324,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) +@@ -269,6 +325,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t) files_read_etc_files(ipsec_mgmt_t) files_exec_etc_files(ipsec_mgmt_t) files_read_etc_runtime_files(ipsec_mgmt_t) @@ -35821,7 +35833,7 @@ index 312cd04..324b3af 100644 files_read_usr_files(ipsec_mgmt_t) files_dontaudit_getattr_default_dirs(ipsec_mgmt_t) files_dontaudit_getattr_default_files(ipsec_mgmt_t) -@@ -278,9 +334,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +335,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -35833,7 +35845,7 @@ index 312cd04..324b3af 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -288,17 +345,28 @@ init_exec_script_files(ipsec_mgmt_t) +@@ -288,17 +346,28 @@ init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) @@ -35867,7 +35879,7 @@ index 312cd04..324b3af 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +390,10 @@ optional_policy(` +@@ -322,6 +391,10 @@ optional_policy(` ') optional_policy(` @@ -35878,7 +35890,7 @@ index 312cd04..324b3af 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +407,7 @@ optional_policy(` +@@ -335,7 +408,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -35887,7 +35899,7 @@ index 312cd04..324b3af 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +442,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +443,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) 
@@ -35907,7 +35919,7 @@ index 312cd04..324b3af 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +472,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +473,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -35920,7 +35932,7 @@ index 312cd04..324b3af 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +509,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +510,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -42470,7 +42482,7 @@ index efa9c27..536a514 100644 + manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t) +') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te -index 1447687..d5e6fb9 100644 +index 1447687..0b1da4d 100644 --- a/policy/modules/system/setrans.te +++ b/policy/modules/system/setrans.te @@ -12,6 +12,7 @@ gen_require(` @@ -42481,7 +42493,15 @@ index 1447687..d5e6fb9 100644 type setrans_initrc_exec_t; init_script_file(setrans_initrc_exec_t) -@@ -78,7 +79,6 @@ locallogin_dontaudit_use_fds(setrans_t) +@@ -49,6 +50,7 @@ manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) + manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t) + files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir }) + ++kernel_read_system_state(setrans_t) + kernel_read_kernel_sysctls(setrans_t) + kernel_read_proc_symlinks(setrans_t) + +@@ -78,7 +80,6 @@ locallogin_dontaudit_use_fds(setrans_t) logging_send_syslog_msg(setrans_t) @@ -45266,10 +45286,10 @@ index 0000000..21f7c14 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f4783a5 +index 0000000..605f160 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,904 @@ +@@ -0,0 +1,909 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -45832,6 +45852,8 @@ index 0000000..f4783a5 +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_notify_t self:unix_dgram_socket create_socket_perms; + ++dev_write_kmsg(systemd_notify_t) ++ +domain_use_interactive_fds(systemd_notify_t) + +fs_getattr_cgroup_files(systemd_notify_t) @@ -46105,10 +46127,13 @@ index 0000000..f4783a5 +# +# systemd_gpt_generator domain +# ++ +dev_read_sysfs(systemd_gpt_generator_t) +dev_write_kmsg(systemd_gpt_generator_t) +dev_read_nvme(systemd_gpt_generator_t) + ++storage_raw_read_fixed_disk(systemd_gpt_generator_t) ++ +####################################### +# +# systemd_resolved domain diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 6de2977..ba812ef 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -19864,17 +19864,19 @@ index 7de3859..1444c2f 100644 type unconfined_cronjob_t; diff --git a/ctdb.fc b/ctdb.fc -index 8401fe6..d58f3e7 100644 +index 8401fe6..84ece3e 100644 --- a/ctdb.fc +++ b/ctdb.fc -@@ -1,12 +1,18 @@ +@@ -1,12 +1,20 @@ /etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) ++/etc/ctdb/events\.d/.* -- gen_context(system_u:object_r:ctdbd_exec_t,s0) ++ /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) +/usr/sbin/ctdbd_wrapper -- gen_context(system_u:object_r:ctdbd_exec_t,s0) - -+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) + ++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) + +/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) @@ -20192,7 +20194,7 @@ index b25b01d..06895f3 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 001b502..4a84c8b 100644 +index 001b502..47199aa 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
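Review bot: `storage_raw_read_fixed_disk(systemd_gpt_generator_t)` in the `@@ -46105,10 +46127,13 @@` hunk grants read on the raw block devices of every fixed disk, i.e. the whole disk contents, not only the partition tables the generator has to parse; that is probably unavoidable for a GPT generator, but nothing in systemd.te says so. Keep the reason next to the rule, e.g. `# parses GPT partition tables straight from the disk devices, rhbz#1314968`, so the wide read access is not later taken as a leftover. The `dev_write_kmsg(systemd_notify_t)` rule in the earlier hunk of this line would benefit from the same treatment, since it only applies when `systemd.log_target=kmsg` is in use.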
@@ -20221,7 +20223,7 @@ index 001b502..4a84c8b 100644 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -@@ -57,12 +63,21 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) +@@ -57,12 +63,23 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) @@ -20239,12 +20241,14 @@ index 001b502..4a84c8b 100644 +manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) ++setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t) ++ +can_exec(ctdbd_t, ctdbd_exec_t) + kernel_read_network_state(ctdbd_t) kernel_read_system_state(ctdbd_t) kernel_rw_net_sysctls(ctdbd_t) -@@ -72,9 +87,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t) +@@ -72,9 +89,13 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) @@ -20258,7 +20262,7 @@ index 001b502..4a84c8b 100644 corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,14 +104,18 @@ dev_read_urand(ctdbd_t) +@@ -85,14 +106,18 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) @@ -20279,7 +20283,7 @@ index 001b502..4a84c8b 100644 optional_policy(` consoletype_exec(ctdbd_t) ') -@@ -106,9 +129,16 @@ optional_policy(` +@@ -106,9 +131,16 @@ optional_policy(` ') optional_policy(` @@ -20442,7 +20446,7 @@ index 949011e..9437dbe 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 3023be7..0317731 100644 +index 3023be7..4f0fe46 100644 --- a/cups.if +++ b/cups.if @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` 
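Review bot: `setattr_files_pattern(ctdbd_t, ctdbd_exec_t, ctdbd_exec_t)` in the `@@ -20239,12 +20241,14 @@` hunk lets the daemon chmod/chown files of its own entrypoint type, which after the ctdb.fc change on the previous line covers `/usr/sbin/ctdbd`, `ctdbd_wrapper` and every script under `/etc/ctdb/events.d/`; an entrypoint type is normally expected to stay immutable from inside the domain, and this includes flipping mode bits on the daemon binary itself. If the setattr is only needed for the event scripts (presumably ctdbd marks them executable — confirm from the denial that motivated it), a dedicated script type with its own `can_exec` would keep the main binary out of reach. At minimum the rule needs a why-comment, e.g. `# ctdbd adjusts permissions of its event scripts under /etc/ctdb/events.d`.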
@@ -20520,7 +20524,7 @@ index 3023be7..0317731 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -368,13 +400,45 @@ interface(`cups_admin',` +@@ -368,13 +400,46 @@ interface(`cups_admin',` logging_list_logs($1) admin_pattern($1, cupsd_log_t) @@ -20565,6 +20569,7 @@ index 3023be7..0317731 100644 + filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O") + filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N") + filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat") ++ files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap") + files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat") + files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") + files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") @@ -26601,7 +26606,7 @@ index 0aabc7e..e1c4564 100644 sendmail_domtrans(dovecot_deliver_t) ') diff --git a/drbd.fc b/drbd.fc -index 671a3fb..c781675 100644 +index 671a3fb..47b4958 100644 --- a/drbd.fc +++ b/drbd.fc @@ -3,7 +3,7 @@ @@ -26613,6 +26618,12 @@ index 671a3fb..c781675 100644 /usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) /usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) +@@ -11,3 +11,5 @@ + /var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0) + + /var/lock/subsys/drbd -- gen_context(system_u:object_r:drbd_lock_t,s0) ++ ++/var/run/drbd(/.*)? gen_context(system_u:object_r:drbd_var_run_t,s0) diff --git a/drbd.if b/drbd.if index 9a21639..26c5986 100644 --- a/drbd.if @@ -26756,13 +26767,16 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..0487894 100644 +index f2516cc..6b232ae 100644 --- a/drbd.te +++ b/drbd.te -@@ -18,17 +18,20 @@ files_type(drbd_var_lib_t) +@@ -18,38 +18,71 @@ files_type(drbd_var_lib_t) type drbd_lock_t; files_lock_file(drbd_lock_t) ++type drbd_var_run_t; ++files_pid_file(drbd_var_run_t) ++ +type drbd_tmp_t; +files_tmp_file(drbd_tmp_t) + 
@@ -26782,14 +26796,21 @@ index f2516cc..0487894 100644 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -@@ -38,18 +41,40 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) + manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) + files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) + ++manage_dirs_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t) ++manage_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t) ++manage_lnk_files_pattern(drbd_t, drbd_var_run_t, drbd_var_run_t) ++files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir }) ++ manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) files_lock_filetrans(drbd_t, drbd_lock_t, file) -can_exec(drbd_t, drbd_exec_t) +manage_dirs_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) +manage_files_pattern(drbd_t, drbd_tmp_t, drbd_tmp_t) -+files_tmp_filetrans(drbd_t, drbd_tmp_t, dir) ++files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir}) kernel_read_system_state(drbd_t) @@ -29992,10 +30013,10 @@ index 0000000..c4d2c2d +') diff --git a/fwupd.te b/fwupd.te new file mode 100644 -index 0000000..3dd3dc8 +index 0000000..e0bb02d --- /dev/null +++ b/fwupd.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,64 @@ +policy_module(fwupd, 1.0.0) + +######################################## @@ -30056,6 +30077,10 @@ index 0000000..3dd3dc8 + policykit_dbus_chat(fwupd_t) + ') +') ++ ++optional_policy(` ++ unconfined_domain(fwupd_t) ++') diff --git a/games.if b/games.if index e2a3e0d..50ebd40 100644 --- a/games.if @@ -67402,10 +67427,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..573632e +index 0000000..2fecf5d --- /dev/null +++ b/pcp.te -@@ -0,0 +1,274 @@ +@@ -0,0 +1,278 @@ +policy_module(pcp, 1.0.0) + +######################################## 
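Review bot: `files_tmp_filetrans(drbd_t, drbd_tmp_t, {file dir})` in the `@@ -26782,14 +26796,21 @@` hunk writes the class set without the spaces used everywhere else in drbd.te, including the `files_pid_filetrans(drbd_t, drbd_var_run_t, { file dir })` added a few lines above; spell it `files_tmp_filetrans(drbd_t, drbd_tmp_t, { file dir })`. Widening the transition from `dir` to `{ file dir }` also changes behavior (files drbd creates directly in /tmp now become drbd_tmp_t), and the changelog does not mention it; a short comment on what drbd creates there would help whoever next touches this block.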
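Review bot: `unconfined_domain(fwupd_t)` in the `@@ -30056,6 +30077,10 @@` hunk discards every restriction the rest of fwupd.te sets up; the changelog describes it as a stopgap until the gpg usage is sorted out (rhbz#1316717), but fwupd.te itself carries no trace of that, so the block reads as intentional and permanent to anyone looking at the policy alone. Put the rationale and the tracking bug next to the rule, e.g. `# temporary: unconfined until the gpg handling is resolved, rhbz#1316717`, so it can be found and reverted. Note that `optional_policy` only makes the rule conditional on the unconfined module being loaded, not on the underlying issue being fixed.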
@@ -67658,6 +67683,8 @@ index 0000000..573632e + +corecmd_exec_bin(pcp_pmie_t) + ++domain_read_all_domains_state(pcp_pmie_t) ++ +logging_send_syslog_msg(pcp_pmie_t) + +userdom_read_user_tmp_files(pcp_pmie_t) @@ -67680,6 +67707,8 @@ index 0000000..573632e +corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t) +corenet_tcp_bind_generic_node(pcp_pmlogger_t) + ++domain_read_all_domains_state(pcp_pmlogger_t) ++ diff --git a/pcscd.if b/pcscd.if index 43d50f9..6b1544f 100644 --- a/pcscd.if @@ -83865,22 +83894,24 @@ index 5bc878b..5736203 100644 + unconfined_domain_noaudit(realmd_consolehelper_t) ') diff --git a/redis.fc b/redis.fc -index e240ac9..953767b 100644 +index e240ac9..b9707aa 100644 --- a/redis.fc +++ b/redis.fc -@@ -1,9 +1,11 @@ +@@ -1,9 +1,13 @@ /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) -/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) -+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) ++/etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0) -/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) -+/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) ++/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) -/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) -+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) ++/usr/bin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) -/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) ++/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) ++ +/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) + +/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) @@ -84149,10 +84180,20 @@ index 16c8ecb..4e021ec 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd417..edf5ca8 100644 +index 25cd417..61de827 100644 --- a/redis.te 
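Review bot: `domain_read_all_domains_state(pcp_pmie_t)` and the identical call for pcp_pmlogger_t grant read access to every process's /proc/<pid> state, which includes environ, maps and cmdline of every confined domain, far more than the pid/status fields a metrics component usually needs. In a standard PCP deployment pmie (the inference engine) and pmlogger (the archive logger) fetch metrics through pmcd rather than scraping /proc themselves, so it is worth checking the AVC denials that motivated this and whether a narrower interface such as `domain_getattr_all_domains` or `kernel_read_system_state` covers them, or whether only one of the two domains really needs the broad read. If the broad grant is required, a comment next to each call citing the denial or bug would keep the next reviewer from trimming it. Both pcp.te blocks these lines sit in start and end outside the hunks.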
+++ b/redis.te -@@ -21,6 +21,9 @@ files_type(redis_var_lib_t) +@@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t) + type redis_initrc_exec_t; + init_script_file(redis_initrc_exec_t) + ++type redis_conf_t; ++files_config_file(redis_conf_t) ++ + type redis_log_t; + logging_log_file(redis_log_t) + +@@ -21,6 +24,9 @@ files_type(redis_var_lib_t) type redis_var_run_t; files_pid_file(redis_var_run_t) @@ -84162,7 +84203,16 @@ index 25cd417..edf5ca8 100644 ######################################## # # Local policy -@@ -42,8 +45,10 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) +@@ -31,6 +37,8 @@ allow redis_t self:fifo_file rw_fifo_file_perms; + allow redis_t self:unix_stream_socket create_stream_socket_perms; + allow redis_t self:tcp_socket create_stream_socket_perms; + ++manage_files_pattern(redis_t, redis_conf_t, redis_conf_t) ++ + manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) + manage_files_pattern(redis_t, redis_log_t, redis_log_t) + manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) +@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) @@ -84173,7 +84223,14 @@ index 25cd417..edf5ca8 100644 corenet_all_recvfrom_unlabeled(redis_t) corenet_all_recvfrom_netlabel(redis_t) -@@ -60,6 +65,4 @@ dev_read_urand(redis_t) + corenet_tcp_sendrecv_generic_if(redis_t) + corenet_tcp_sendrecv_generic_node(redis_t) + corenet_tcp_bind_generic_node(redis_t) ++corenet_tcp_connect_redis_port(redis_t) + + corenet_sendrecv_redis_server_packets(redis_t) + corenet_tcp_bind_redis_port(redis_t) +@@ -60,6 +71,4 @@ dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) @@ -109275,10 +109332,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` 
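Review bot: `manage_files_pattern(redis_t, redis_conf_t, redis_conf_t)` gives the network-facing redis_t create, unlink and rename rights over its own configuration under /etc, not only write, so a compromised instance gains a persistence path through the sentinel config file. If sentinel rewrites the file in place (the CONFIG REWRITE path in the Redis releases of this era opens and truncates the existing file), `rw_files_pattern(redis_t, redis_conf_t, redis_conf_t)` is the narrower grant that still works and is worth using instead. If the shipped version instead writes a temporary file into /etc and renames it over the original, the rule as written is not sufficient either, because the new file would be created in an etc_t directory without a transition; that should be verified against the package rather than assumed from this hunk. The redis_t local-policy block these lines belong to begins before the hunk.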
diff --git a/virt.fc b/virt.fc -index a4f20bc..58f9c69 100644 +index a4f20bc..c88e3e4 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,102 @@ +@@ -1,51 +1,103 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -109376,6 +109433,7 @@ index a4f20bc..58f9c69 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++/var/lib/rkt/cas(/.*)? gen_context(system_u:object_r:container_image_t,s0) -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) @@ -109420,7 +109478,7 @@ index a4f20bc..58f9c69 100644 +/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..52ece13 100644 +index facdee8..280e040 100644 --- a/virt.if +++ b/virt.if @@ -1,318 +1,226 @@ @@ -110438,9 +110496,12 @@ index facdee8..52ece13 100644 + fs_list_nfs($1) + fs_read_nfs_files($1) + fs_read_nfs_symlinks($1) -+ ') -+ -+ tunable_policy(`virt_use_samba',` + ') + + tunable_policy(`virt_use_samba',` +- fs_manage_cifs_dirs($1) +- fs_manage_cifs_files($1) +- fs_manage_cifs_symlinks($1) + fs_list_cifs($1) + fs_read_cifs_files($1) + fs_read_cifs_symlinks($1) 
@@ -110478,13 +110539,14 @@ index facdee8..52ece13 100644 +interface(`virt_rw_chr_files',` + gen_require(` + attribute virt_image_type; -+ ') + ') + + rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Relabel virt home content. +## Create, read, write, and delete +## svirt cache files. +## @@ -110722,20 +110784,13 @@ index facdee8..52ece13 100644 +interface(`virt_mounton_sandbox_file',` + gen_require(` + type svirt_sandbox_file_t; - ') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_dirs($1) -- fs_manage_cifs_files($1) -- fs_manage_cifs_symlinks($1) -- ') ++ ') ++ + allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; - ') - --######################################## ++') ++ +####################################### - ## --## Relabel virt home content. ++## +## Connect to virt over a unix domain stream socket. ## ## @@ -111084,7 +111139,7 @@ index facdee8..52ece13 100644 ## ## ## -@@ -935,117 +1284,134 @@ interface(`virt_read_log',` +@@ -935,117 +1284,153 @@ interface(`virt_read_log',` ## ## # @@ -111167,22 +111222,22 @@ index facdee8..52ece13 100644 ######################################## ## -## Read virt image files. -+## Execute a qemu_exec_t in the callers domain ++## Make the specified type usable as a lxc network domain ## - ## --## -+## - ## Domain allowed access. --## -+## +-## ++## + ## +-## Domain allowed access. ++## Type to be used as a lxc network domain + ## ## # -interface(`virt_read_images',` -+interface(`virt_exec_qemu',` ++template(`virt_sandbox_net_domain',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ type qemu_exec_t; ++ attribute sandbox_net_domain; ') - virt_search_lib($1) 
@@ -111191,7 +111246,8 @@ index facdee8..52ece13 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ can_exec($1, qemu_exec_t) ++ virt_sandbox_domain($1) ++ typeattribute $1 sandbox_net_domain; +') - tunable_policy(`virt_use_nfs',` @@ -111200,6 +111256,28 @@ index facdee8..52ece13 100644 - fs_read_nfs_symlinks($1) +######################################## +## ++## Execute a qemu_exec_t in the callers domain ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_exec_qemu',` ++ gen_require(` ++ type qemu_exec_t; + ') + +- tunable_policy(`virt_use_samba',` +- fs_list_cifs($1) +- fs_read_cifs_files($1) +- fs_read_cifs_symlinks($1) ++ can_exec($1, qemu_exec_t) ++') ++ ++######################################## ++## +## Transition to virt named content +## +## @@ -111213,12 +111291,7 @@ index facdee8..52ece13 100644 + type virt_lxc_var_run_t; + type virt_var_run_t; ') - -- tunable_policy(`virt_use_samba',` -- fs_list_cifs($1) -- fs_read_cifs_files($1) -- fs_read_cifs_symlinks($1) -- ') ++ + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") @@ -111271,7 +111344,7 @@ index facdee8..52ece13 100644 ## ## ## -@@ -1053,15 +1419,17 @@ interface(`virt_rw_all_image_chr_files',` +@@ -1053,15 +1438,17 @@ interface(`virt_rw_all_image_chr_files',` ## ## # @@ -111294,7 +111367,7 @@ index facdee8..52ece13 100644 ## ## ## -@@ -1069,21 +1437,17 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1456,17 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -111320,7 +111393,7 @@ index facdee8..52ece13 100644 ## ## ## -@@ -1091,36 +1455,36 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1474,36 @@ interface(`virt_manage_virt_cache',` ## ## # 
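Review bot: The new `virt_sandbox_net_domain` template describes itself only as 'Make the specified type usable as a lxc network domain' and does not say what the `sandbox_net_domain` attribute adds on top of the `virt_sandbox_domain($1)` call it also makes; the rules attached to that attribute are not in this hunk, so a policy author cannot tell from the interface whether it conveys raw-socket, sysctl or other network rights. Expand the summary to list the extra permissions the attribute carries, and note that callers must not also call `virt_sandbox_domain` themselves since the template already does. The diff does not show an `attribute sandbox_net_domain;` declaration in virt.te; if it is not already declared there, the gen_require will fail at build time. Since the body declares no types, `interface(` would be the accurate keyword rather than `template(`, matching the neighbouring `virt_exec_qemu`.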
@@ -111377,7 +111450,7 @@ index facdee8..52ece13 100644 ## ## ## -@@ -1136,50 +1500,76 @@ interface(`virt_manage_images',` +@@ -1136,50 +1519,76 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -111487,10 +111560,10 @@ index facdee8..52ece13 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..f347621 100644 +index f03dcf5..ae377ac 100644 --- a/virt.te +++ b/virt.te -@@ -1,150 +1,248 @@ +@@ -1,150 +1,234 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -111645,27 +111718,12 @@ index f03dcf5..f347621 100644 + +## +##

-+## Allow sandbox containers to manage nfs files -+##

-+##
-+gen_tunable(virt_sandbox_use_nfs, false) -+ -+## -+##

-+## Allow sandbox containers to manage samba/cifs files -+##

-+##
-+gen_tunable(virt_sandbox_use_samba, false) -+ -+## -+##

+## Allow sandbox containers to send audit messages + +##

+##
+gen_tunable(virt_sandbox_use_audit, true) - --attribute svirt_lxc_domain; ++ +## +##

+## Allow sandbox containers to use netlink system calls @@ -111679,7 +111737,8 @@ index f03dcf5..f347621 100644 +##

+##
+gen_tunable(virt_sandbox_use_sys_admin, false) -+ + +-attribute svirt_lxc_domain; +## +##

+## Allow sandbox containers to use mknod system calls @@ -111718,13 +111777,13 @@ index f03dcf5..f347621 100644 -virt_domain_template(svirt_prot_exec) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; -+ + +-type virt_cache_t alias svirt_cache_t; +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; + +type qemu_exec_t, virt_file_type; - --type virt_cache_t alias svirt_cache_t; ++ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -111809,7 +111868,7 @@ index f03dcf5..f347621 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -153,299 +251,137 @@ ifdef(`enable_mls',` +@@ -153,299 +237,140 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -112033,28 +112092,30 @@ index f03dcf5..f347621 100644 -optional_policy(` - dbus_read_lib_files(virt_domain) -') -- --optional_policy(` -- nscd_use(virt_domain) --') +type virtd_lxc_t, virt_system_domain; +type virtd_lxc_exec_t, virt_file_type; +init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) -optional_policy(` -- samba_domtrans_smbd(virt_domain) +- nscd_use(virt_domain) -') +type virt_lxc_var_run_t, virt_file_type; +files_pid_file(virt_lxc_var_run_t) +typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; -optional_policy(` -- xen_rw_image_files(virt_domain) +- samba_domtrans_smbd(virt_domain) -') +# virt lxc container files +type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; +files_mountpoint(svirt_sandbox_file_t) +-optional_policy(` +- xen_rw_image_files(virt_domain) +-') ++type container_image_t; ++files_mountpoint(container_image_t) + ######################################## # # svirt local policy 
@@ -112072,27 +112133,27 @@ index f03dcf5..f347621 100644 -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) - -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- --stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +allow svirt_t self:process ptrace; --corenet_udp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) --corenet_udp_bind_generic_node(svirt_t) +-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) + corenet_udp_bind_generic_node(svirt_t) +- -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) - corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) - corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) - corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) - corenet_udp_bind_generic_node(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) corenet_udp_bind_all_ports(svirt_t) @@ -112188,7 +112249,7 @@ index f03dcf5..f347621 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +391,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +380,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -112235,7 +112296,7 @@ index f03dcf5..f347621 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +426,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +415,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -112266,7 +112327,7 @@ index f03dcf5..f347621 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +447,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +436,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -112294,7 +112355,7 @@ index f03dcf5..f347621 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +467,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +456,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -112325,7 +112386,7 @@ index f03dcf5..f347621 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +519,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +508,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -112345,7 +112406,7 @@ index f03dcf5..f347621 100644 selinux_validate_context(virtd_t) -@@ -620,18 +541,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +530,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -112382,7 +112443,7 @@ index f03dcf5..f347621 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +569,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +558,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` 
@@ -112391,7 +112452,7 @@ index f03dcf5..f347621 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +594,12 @@ optional_policy(` +@@ -665,20 +583,12 @@ optional_policy(` ') optional_policy(` @@ -112412,7 +112473,7 @@ index f03dcf5..f347621 100644 ') optional_policy(` -@@ -691,20 +612,26 @@ optional_policy(` +@@ -691,20 +601,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -112423,12 +112484,11 @@ index f03dcf5..f347621 100644 ') optional_policy(` -- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` -+ iptables_domtrans(virtd_t) + iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -112444,7 +112504,7 @@ index f03dcf5..f347621 100644 ') optional_policy(` -@@ -712,11 +639,18 @@ optional_policy(` +@@ -712,11 +628,18 @@ optional_policy(` ') optional_policy(` @@ -112463,26 +112523,24 @@ index f03dcf5..f347621 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +661,18 @@ optional_policy(` +@@ -727,7 +650,15 @@ optional_policy(` ') optional_policy(` +- sasl_connect(virtd_t) + sanlock_stream_connect(virtd_t) +') + +optional_policy(` - sasl_connect(virtd_t) - ') - - optional_policy(` -+ setrans_manage_pid_files(virtd_t) ++ sasl_connect(virtd_t) +') + +optional_policy(` - kernel_read_xen_state(virtd_t) - kernel_write_xen_state(virtd_t) ++ setrans_manage_pid_files(virtd_t) + ') -@@ -746,44 +688,278 @@ optional_policy(` + optional_policy(` +@@ -746,44 +677,278 @@ optional_policy(` udev_read_pid_files(virtd_t) ') 
@@ -112520,7 +112578,13 @@ index f03dcf5..f347621 100644 -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) -+ + +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -112530,17 +112594,15 @@ index f03dcf5..f347621 100644 +manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t) +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) -+ + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) 
@@ -112573,18 +112635,14 @@ index f03dcf5..f347621 100644 + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +-allow virsh_t svirt_lxc_domain:process transition; +dontaudit virt_domain virt_tmpfs_type:file { read write }; --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +-can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_log_t, virt_log_t) - --allow virsh_t svirt_lxc_domain:process transition; ++ +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - --can_exec(virsh_t, virsh_exec_t) ++ +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -112638,7 +112696,7 @@ index f03dcf5..f347621 100644 +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) -+ + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') @@ -112664,7 +112722,7 @@ index f03dcf5..f347621 100644 + sssd_dontaudit_read_lib(virt_domain) + sssd_dontaudit_read_public_files(virt_domain) +') - ++ +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) @@ -112783,7 +112841,7 @@ index f03dcf5..f347621 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +970,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +959,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -112810,7 +112868,7 @@ index f03dcf5..f347621 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +990,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +979,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -112844,7 +112902,7 @@ index f03dcf5..f347621 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1027,20 @@ optional_policy(` +@@ -856,14 +1016,20 @@ optional_policy(` ') optional_policy(` @@ -112866,7 +112924,7 @@ index f03dcf5..f347621 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1065,65 @@ optional_policy(` +@@ -888,49 +1054,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -112950,7 +113008,7 @@ index f03dcf5..f347621 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1135,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1124,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -112970,7 +113028,7 @@ index f03dcf5..f347621 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1156,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1145,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -112994,7 +113052,7 @@ index f03dcf5..f347621 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1181,343 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1170,352 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -113010,21 +113068,21 @@ index f03dcf5..f347621 100644 +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) -+ + +-miscfiles_read_localization(virtd_lxc_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') --miscfiles_read_localization(virtd_lxc_t) -+optional_policy(` -+ docker_exec_lib(virtd_lxc_t) -+') - -seutil_domtrans_setfiles(virtd_lxc_t) -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` ++ docker_exec_lib(virtd_lxc_t) ++') ++ ++optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') + 
@@ -113079,21 +113137,30 @@ index f03dcf5..f347621 100644 +manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +manage_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +allow svirt_sandbox_domain svirt_sandbox_file_t:file { execmod relabelfrom relabelto }; ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir { execmod relabelfrom relabelto }; ++virt_mounton_sandbox_file(svirt_sandbox_domain) ++ ++list_dirs_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++read_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++read_lnk_files_pattern(svirt_sandbox_domain, container_image_t, container_image_t) ++allow svirt_sandbox_domain container_image_t:file execmod; ++can_exec(svirt_sandbox_domain, container_image_t) + +allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; +rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) +can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) +allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; -+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem { getattr remount }; + +kernel_getattr_proc(svirt_sandbox_domain) +kernel_list_all_proc(svirt_sandbox_domain) +kernel_read_all_sysctls(svirt_sandbox_domain) -+kernel_read_net_sysctls(svirt_sandbox_domain) ++kernel_rw_net_sysctls(svirt_sandbox_domain) +kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) +kernel_dontaudit_access_check_proc(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_files(svirt_sandbox_domain) +kernel_dontaudit_setattr_proc_dirs(svirt_sandbox_domain) ++kernel_dontaudit_write_usermodehelper_state(svirt_sandbox_domain) + +corecmd_exec_all_executables(svirt_sandbox_domain) + 
@@ -113149,11 +113216,6 @@ index f03dcf5..f347621 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -113238,23 +113300,30 @@ index f03dcf5..f347621 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ gear_read_pid_files(svirt_sandbox_domain) ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) +') + +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++ gear_read_pid_files(svirt_sandbox_domain) +') -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + ssh_use_ptys(svirt_sandbox_domain) +') + +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + 
@@ -113276,11 +113345,9 @@ index f03dcf5..f347621 100644 + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) ++') ++ ++optional_policy(` + docker_read_share_files(svirt_sandbox_domain) + docker_exec_share_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) @@ -113444,15 +113511,15 @@ index f03dcf5..f347621 100644 +dev_read_urand(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +fs_noxattr_type(svirt_sandbox_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(svirt_sandbox_file_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) @@ -113479,7 +113546,7 @@ index f03dcf5..f347621 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1530,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -113494,7 +113561,7 @@ index f03dcf5..f347621 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1548,7 @@ optional_policy(` +@@ -1192,7 +1546,7 @@ optional_policy(` ######################################## # 
@@ -113503,7 +113570,7 @@ index f03dcf5..f347621 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1557,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 1c1d049..bf9efb2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 178%{?dist} +Release: 179%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -670,6 +670,29 @@ exit 0 %endif %changelog +* Wed Mar 16 2016 Lukas Vrabec 3.13.1-179 +- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface. +- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content." +- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content. +- Allow pcp_pmie and pcp_pmlogger to read all domains state. +- Make fwupd domain unconfined. We need to discuss solution related to using gpg. rhbz#1316717 +- Merge pull request #108 from rhatdan/rkt +- Merge pull request #109 from rhatdan/virt_sandbox +- Add new interface to define virt_sandbox_network domains +- Label /etc/redis-sentinel.conf as redis_conf_t. Allow redis_t write to redis_conf_t. Allow redis_t to connect on redis tcp port. +- Fix typo in drbd policy +- Remove declaration of empty booleans in virt policy. +- Add new drbd file type: drbd_var_run_t. Allow drbd_t to manage drbd_var_run_t files/dirs. +- Label /etc/ctdb/events.d/* as ctdb_exec_t. Allow ctdbd_t to setattr on ctdbd_exec_t files. +- Additional rules to make rkt work in enforcing mode +- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020 +- Allow ipsec to use pam. rhbz#1317988 +- Allow systemd-gpt-generator to read fixed_disk_device_t. rhbz#1314968 +- Allow setrans daemon to read /proc/meminfo. +- Merge pull request #107 from rhatdan/rkt-base +- Allow systemd_notify_t to write to kmsg_device_t when 'systemd.log_target=kmsg' option is used. +- Remove bin_t label for /etc/ctdb/events.d/. We need to label this scripts as ctdb_exec_t. + * Thu Mar 10 2016 Lukas Vrabec 3.13.1-178 - Label tcp port 5355 as llmnr-> Link-Local Multicast Name Resolution - Add support systemd-resolved.