From 4415dfa1a89d5de800f76b558c739fd8c3393b20 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jun 09 2012 07:07:54 +0000
Subject: * Sat Jun 9 2012 Miroslav Grepl 3.11.0-2 - Rename boolean names to remove allow_
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 42c8124..b1a3db6 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58218,10 +58218,10 @@ index 66e85ea..d02654d 100644 ## user domains. ##

diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..0f0bb47 100644 +index 4705ab6..cc2b436 100644 --- a/policy/global_tunables +++ b/policy/global_tunables -@@ -6,6 +6,13 @@ +@@ -6,52 +6,59 @@ ## ##

@@ -58235,7 +58235,8 @@ index 4705ab6..0f0bb47 100644 ## Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
-@@ -13,21 +20,21 @@ gen_tunable(allow_execheap,false) +-gen_tunable(allow_execheap,false) ++gen_tunable(selinuxuser_execheap,false) ## ##

@@ -58252,7 +58253,8 @@ index 4705ab6..0f0bb47 100644 +## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t ##
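Review bot: The `allow_execheap` → `selinuxuser_execheap` rename here, together with the companions in the following hunks (`allow_execmod`, `allow_execstack`, `allow_polyinstantiation`, `allow_ypbind`, `console_login`, the `tunable_policy` in su.if and `allow_domain_fd_use` in domain.te), changes a boolean's public name with nothing in this diff mapping the old name to the new one. Values persisted under the old names and any setsebool/getsebool usage in scripts or documentation would presumably stop resolving once this policy ships, and the affected tunables fall back to their compiled-in defaults. If a name-substitution table (libselinux's `booleans.subs_dist`) or a release note is not already part of the package, one should accompany this commit. It is also worth confirming that every `tunable_policy` block elsewhere in the patch was updated, since only the su.if and domain.te ones are visible here.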

##
- gen_tunable(allow_execmod,false) +-gen_tunable(allow_execmod,false) ++gen_tunable(selinuxuser_execmod,false) ## ##

@@ -58260,7 +58262,35 @@ index 4705ab6..0f0bb47 100644 +## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla ##

##
- gen_tunable(allow_execstack,false) +-gen_tunable(allow_execstack,false) ++gen_tunable(selinuxuser_execstack,false) + + ## + ##

+ ## Enable polyinstantiated directory support. + ##

+ ##
+-gen_tunable(allow_polyinstantiation,false) ++gen_tunable(polyinstantiation_enabled,false) + + ## + ##

+ ## Allow system to run with NIS + ##

+ ##
+-gen_tunable(allow_ypbind,false) ++gen_tunable(nis_enabled,false) + + ## + ##

+ ## Allow logging in and using the system from /dev/console. + ##

+ ##
+-gen_tunable(console_login,true) ++gen_tunable(login_console_enabled,true) + + ## + ##

@@ -68,15 +75,6 @@ gen_tunable(global_ssp,false) ## @@ -58277,7 +58307,7 @@ index 4705ab6..0f0bb47 100644 ## Allow any files/directories to be exported read/write via NFS. ##
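Review bot: The rename `console_login` → `login_console_enabled` keeps upstream's default of `true`, while the hunk at -58295 drops the Fedora-added `allow_console_login` tunable whose default was `false`, so after this change only a console-login boolean that is on by default remains. If any `tunable_policy` block in the rest of the patch still keys on `allow_console_login` (not visible here) it needs repointing at `login_console_enabled`, and the effective default deserves a second look, because permitting console login unless an administrator turns it off is a behaviour change rather than a pure rename. A one-line remark in the description block such as `## Formerly console_login / allow_console_login.` would help anyone searching for the old names.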

##
-@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false) +@@ -105,9 +103,17 @@ gen_tunable(use_samba_home_dirs,false) ## ##

@@ -58295,13 +58325,6 @@ index 4705ab6..0f0bb47 100644 ## gen_tunable(user_tcp_server,false) + -+## -+##

-+## Allow direct login to the console device. Required for System 390 -+##

-+##
-+gen_tunable(allow_console_login,false) -+ diff --git a/policy/mcs b/policy/mcs index f477c7f..d80599b 100644 --- a/policy/mcs @@ -58421,7 +58444,7 @@ index 7a6f06f..530d2df 100644 +/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index a778bb1..4a50807 100644 +index a778bb1..5e914db 100644 --- a/policy/modules/admin/bootloader.if +++ b/policy/modules/admin/bootloader.if @@ -19,6 +19,24 @@ interface(`bootloader_domtrans',` @@ -58449,7 +58472,31 @@ index a778bb1..4a50807 100644 ######################################## ## ## Execute bootloader interactively and do -@@ -100,7 +118,7 @@ interface(`bootloader_rw_tmp_files',` +@@ -38,11 +56,21 @@ interface(`bootloader_domtrans',` + # + interface(`bootloader_run',` + gen_require(` +- attribute_role bootloader_roles; ++ type bootloader_t; ++ #attribute_role bootloader_roles; + ') + ++ #bootloader_domtrans($1) ++ #roleattribute $2 bootloader_roles; ++ + bootloader_domtrans($1) +- roleattribute $2 bootloader_roles; ++ ++ role $2 types bootloader_t; ++ ++ ifdef(`distro_redhat',` ++ # for mke2fs ++ mount_run(bootloader_t, $2) ++ ') + ') + + ######################################## +@@ -100,7 +128,7 @@ interface(`bootloader_rw_tmp_files',` ') files_search_tmp($1) @@ -58458,7 +58505,7 @@ index a778bb1..4a50807 100644 ') ######################################## -@@ -122,3 +140,22 @@ interface(`bootloader_create_runtime_file',` +@@ -122,3 +150,22 @@ interface(`bootloader_create_runtime_file',` allow $1 boot_runtime_t:file { create_file_perms rw_file_perms }; files_boot_filetrans($1, boot_runtime_t, file) ') @@ -58482,10 +58529,30 @@ index a778bb1..4a50807 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf") +') 
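Review bot: `bootloader_run` keeps its previous implementation as comments (`#attribute_role bootloader_roles;`, `#bootloader_domtrans($1)`, `#roleattribute $2 bootloader_roles;`) right next to the replacement `role $2 types bootloader_t;`, leaving dead m4 text that will be carried in the patch indefinitely; since git keeps the history, the commented lines should simply be deleted. The same pattern recurs in bootloader.te (`#attribute_role bootloader_roles;`, `#mount_run(bootloader_t, bootloader_roles)`), in every `usermanage_run_*` interface in usermanage.if, and in the usermanage.te declarations and `auth_*`/`nscd_run` calls. The new `mount_run(bootloader_t, $2)` in the distro_redhat branch carries only `# for mke2fs`; it would help to add that this is now where the caller's role is authorised for the mount domain, since the .te hunk below replaces `mount_run(bootloader_t, bootloader_roles)` with the role-less `mount_domtrans(bootloader_t)`.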
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index ab0439a..81a08e4 100644 +index ab0439a..e717a21 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te -@@ -26,7 +26,7 @@ role bootloader_roles types bootloader_t; +@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) + # Declarations + # + +-attribute_role bootloader_roles; +-roleattribute system_r bootloader_roles; ++#attribute_role bootloader_roles; ++#roleattribute system_r bootloader_roles; + + # + # boot_runtime_t is the type for /boot/kernel.h, +@@ -19,14 +19,15 @@ files_type(boot_runtime_t) + type bootloader_t; + type bootloader_exec_t; + application_domain(bootloader_t, bootloader_exec_t) +-role bootloader_roles types bootloader_t; ++#role bootloader_roles types bootloader_t; ++role system_r types bootloader_t; + + # + # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # type bootloader_etc_t alias etc_bootloader_t; @@ -58494,7 +58561,7 @@ index ab0439a..81a08e4 100644 # # The temp file is used for initrd creation; -@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t) +@@ -41,7 +42,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy # @@ -58503,7 +58570,7 @@ index ab0439a..81a08e4 100644 allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; -@@ -81,6 +81,7 @@ dev_rw_nvram(bootloader_t) +@@ -81,6 +82,7 @@ dev_rw_nvram(bootloader_t) fs_getattr_xattr_fs(bootloader_t) fs_getattr_tmpfs(bootloader_t) @@ -58511,7 +58578,7 @@ index ab0439a..81a08e4 100644 fs_read_tmpfs_symlinks(bootloader_t) #Needed for ia64 fs_manage_dos_files(bootloader_t) -@@ -89,6 +90,7 @@ mls_file_read_all_levels(bootloader_t) +@@ -89,6 +91,7 @@ mls_file_read_all_levels(bootloader_t) mls_file_write_all_levels(bootloader_t) term_getattr_all_ttys(bootloader_t) 
@@ -58519,7 +58586,7 @@ index ab0439a..81a08e4 100644 term_dontaudit_manage_pty_dirs(bootloader_t) corecmd_exec_all_executables(bootloader_t) -@@ -98,12 +100,14 @@ domain_use_interactive_fds(bootloader_t) +@@ -98,12 +101,14 @@ domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) files_manage_boot_files(bootloader_t) files_manage_boot_symlinks(bootloader_t) @@ -58534,7 +58601,7 @@ index ab0439a..81a08e4 100644 # for nscd files_dontaudit_search_pids(bootloader_t) # for blkid.tab -@@ -111,6 +115,7 @@ files_manage_etc_runtime_files(bootloader_t) +@@ -111,6 +116,7 @@ files_manage_etc_runtime_files(bootloader_t) files_etc_filetrans_etc_runtime(bootloader_t, file) files_dontaudit_search_home(bootloader_t) @@ -58542,7 +58609,7 @@ index ab0439a..81a08e4 100644 init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) -@@ -118,8 +123,10 @@ init_rw_script_pipes(bootloader_t) +@@ -118,8 +124,10 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) @@ -58554,7 +58621,7 @@ index ab0439a..81a08e4 100644 logging_rw_generic_logs(bootloader_t) miscfiles_read_localization(bootloader_t) -@@ -130,7 +137,8 @@ seutil_read_bin_policy(bootloader_t) +@@ -130,7 +138,8 @@ seutil_read_bin_policy(bootloader_t) seutil_read_loadpolicy(bootloader_t) seutil_dontaudit_search_config(bootloader_t) @@ -58564,7 +58631,17 @@ index ab0439a..81a08e4 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -174,6 +182,10 @@ ifdef(`distro_redhat',` +@@ -166,7 +175,8 @@ ifdef(`distro_redhat',` + files_manage_isid_type_chr_files(bootloader_t) + + # for mke2fs +- mount_run(bootloader_t, bootloader_roles) ++ #mount_run(bootloader_t, bootloader_roles) ++ mount_domtrans(bootloader_t) + + optional_policy(` + unconfined_domain(bootloader_t) +@@ -174,6 +184,10 @@ ifdef(`distro_redhat',` ') optional_policy(` 
@@ -58575,7 +58652,7 @@ index ab0439a..81a08e4 100644 fstools_exec(bootloader_t) ') -@@ -183,6 +195,10 @@ optional_policy(` +@@ -183,6 +197,10 @@ optional_policy(` ') optional_policy(` @@ -58586,7 +58663,7 @@ index ab0439a..81a08e4 100644 kudzu_domtrans(bootloader_t) ') -@@ -195,15 +211,13 @@ optional_policy(` +@@ -195,15 +213,13 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) @@ -58922,7 +58999,7 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..db8eed3 100644 +index 03ec5ca..336ad27 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -119,11 +119,6 @@ template(`su_restricted_domain_template', ` @@ -58954,7 +59031,7 @@ index 03ec5ca..db8eed3 100644 ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora -@@ -277,11 +273,6 @@ template(`su_role_template',` +@@ -277,12 +273,7 @@ template(`su_role_template',` ') ') @@ -58963,9 +59040,11 @@ index 03ec5ca..db8eed3 100644 - dontaudit $1_su_t $3:socket_class_set { read write }; - ') - - tunable_policy(`allow_polyinstantiation',` +- tunable_policy(`allow_polyinstantiation',` ++ tunable_policy(`polyinstantiation_enabled',` fs_mount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t) + ') diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc index 7bddc02..2b59ed0 100644 --- a/policy/modules/admin/sudo.fc @@ -59250,7 +59329,7 @@ index 1bd7d84..4f57935 100644 + fprintd_dbus_chat(sudodomain) +') diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 98b8b2d..4d387af 100644 +index 98b8b2d..da75471 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if @@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',` 
@@ -59264,7 +59343,26 @@ index 98b8b2d..4d387af 100644 ') ######################################## -@@ -65,10 +61,25 @@ interface(`usermanage_domtrans_groupadd',` +@@ -41,11 +37,16 @@ interface(`usermanage_domtrans_chfn',` + # + interface(`usermanage_run_chfn',` + gen_require(` +- attribute_role chfn_roles; ++ #attribute_role chfn_roles; ++ type chfn_t; + ') + ++ #usermanage_domtrans_chfn($1) ++ #roleattribute $2 chfn_roles; ++ + usermanage_domtrans_chfn($1) +- roleattribute $2 chfn_roles; ++ role $2 types chfn_t; ++ + ') + + ######################################## +@@ -65,10 +66,25 @@ interface(`usermanage_domtrans_groupadd',` corecmd_search_bin($1) domtrans_pattern($1, groupadd_exec_t, groupadd_t) @@ -59292,7 +59390,29 @@ index 98b8b2d..4d387af 100644 ') ######################################## -@@ -114,10 +125,6 @@ interface(`usermanage_domtrans_passwd',` +@@ -90,11 +106,19 @@ interface(`usermanage_domtrans_groupadd',` + # + interface(`usermanage_run_groupadd',` + gen_require(` +- attribute_role groupadd_roles; ++ type groupadd_t; ++ #attribute_role groupadd_roles; + ') + ++ #usermanage_domtrans_groupadd($1) ++ #roleattribute $2 groupadd_roles; + usermanage_domtrans_groupadd($1) +- roleattribute $2 groupadd_roles; ++ role $2 types groupadd_t; ++ ++ optional_policy(` ++ nscd_run(groupadd_t, $2) ++ ') ++ + ') + + ######################################## +@@ -114,10 +138,6 @@ interface(`usermanage_domtrans_passwd',` corecmd_search_bin($1) domtrans_pattern($1, passwd_exec_t, passwd_t) 
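Review bot: `usermanage_run_chfn` authorises the caller's role only for chfn_t (`role $2 types chfn_t;`), whereas the rewritten `usermanage_run_passwd` in a later hunk additionally calls `auth_run_chk_passwd(passwd_t, $2)`. The usermanage.te hunk for chfn replaces `auth_run_chk_passwd(chfn_t, chfn_roles)` with `auth_use_pam(chfn_t)`, which — assuming it supplies a plain domain transition to the password-check domain without any role authorisation, as the name suggests — leaves a chfn started from a non-system role with no permitted role for that transition, so the password check would presumably be denied. Adding `auth_run_chk_passwd(chfn_t, $2)` after the `role` line, mirroring the passwd interface, closes the gap. The stray blank line inserted before the closing `')` is also inconsistent with the other interfaces in this file.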
@@ -59303,10 +59423,27 @@ index 98b8b2d..4d387af 100644 ') ######################################## -@@ -165,6 +172,25 @@ interface(`usermanage_run_passwd',` +@@ -156,11 +176,36 @@ interface(`usermanage_kill_passwd',` + # + interface(`usermanage_run_passwd',` + gen_require(` +- attribute_role passwd_roles; ++ type passwd_t; ++ #attribute_role passwd_roles; + ') - ######################################## - ## ++ #usermanage_domtrans_passwd($1) ++ #roleattribute $2 passwd_roles; ++ + usermanage_domtrans_passwd($1) +- roleattribute $2 passwd_roles; ++ role $2 types passwd_t; ++ auth_run_chk_passwd(passwd_t, $2) ++ ++') ++ ++######################################## ++## +## Check access to the passwd executable +## +## @@ -59322,14 +59459,33 @@ index 98b8b2d..4d387af 100644 + + corecmd_search_bin($1) + allow $1 passwd_exec_t:file { getattr_file_perms execute }; -+') + ') + + ######################################## +@@ -203,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',` + # + interface(`usermanage_run_admin_passwd',` + gen_require(` +- attribute_role sysadm_passwd_roles; ++ type sysadm_passwd_t; ++ #attribute_role sysadm_passwd_roles; + ') + ++ #usermanage_domtrans_admin_passwd($1) ++ #roleattribute $2 sysadm_passwd_roles; + -+######################################## -+## - ## Execute password admin functions in - ## the admin passwd domain. - ## -@@ -245,10 +271,6 @@ interface(`usermanage_domtrans_useradd',` + usermanage_domtrans_admin_passwd($1) +- roleattribute $2 sysadm_passwd_roles; ++ role $2 types sysadm_passwd_t; ++ ++ optional_policy(` ++ nscd_run(sysadm_passwd_t, $2) ++ ') ++ + ') + + ######################################## +@@ -245,10 +299,6 @@ interface(`usermanage_domtrans_useradd',` corecmd_search_bin($1) domtrans_pattern($1, useradd_exec_t, useradd_t) 
@@ -59340,10 +59496,31 @@ index 98b8b2d..4d387af 100644 ') ######################################## -@@ -279,6 +301,25 @@ interface(`usermanage_run_useradd',` +@@ -270,11 +320,39 @@ interface(`usermanage_domtrans_useradd',` + # + interface(`usermanage_run_useradd',` + gen_require(` +- attribute_role useradd_roles; ++ #attribute_role useradd_roles; ++ type sysadm_passwd_t; + ') - ######################################## - ## +- usermanage_domtrans_useradd($1) +- roleattribute $2 useradd_roles; ++ #usermanage_domtrans_useradd($1) ++ #roleattribute $2 useradd_roles; ++ ++ usermanage_domtrans_admin_passwd($1) ++ role $2 types sysadm_passwd_t; ++ ++ optional_policy(` ++ nscd_run(sysadm_passwd_t, $2) ++ ') ++ ++') ++ ++######################################## ++## +## Check access to the useradd executable. +## +## @@ -59359,18 +59536,86 @@ index 98b8b2d..4d387af 100644 + + corecmd_search_bin($1) + allow $1 useradd_exec_t:file { getattr_file_perms execute }; -+') -+ -+######################################## -+## - ## Read the crack database. - ## - ## + ') + + ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 81b6608..446b743 100644 +index 81b6608..396909c 100644 --- a/policy/modules/admin/usermanage.te 
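Review bot: The rewritten `usermanage_run_useradd` requires `type sysadm_passwd_t;`, calls `usermanage_domtrans_admin_passwd($1)` and authorises `$2` for sysadm_passwd_t, i.e. it has become a copy of `usermanage_run_admin_passwd` and no longer transitions the caller into useradd_t or authorises the role for it; the commented-out lines directly above still name `usermanage_domtrans_useradd` and `useradd_roles`, so this looks like a copy-paste slip rather than an intended redirection. Callers that use this interface to run useradd/userdel would lose the transition entirely (nothing else in the visible hunks provides one for useradd_exec_t), so the body should be restored to the useradd types as below, with `nscd_run(useradd_t, $2)` taking over the role authorisation that the .te hunk drops when it changes `nscd_run(useradd_t, useradd_roles)` to `nscd_domtrans(useradd_t)`. Deleting the commented-out original lines at the same time avoids leaving contradictory remnants in the patch.
```m4
interface(`usermanage_run_useradd',`
	gen_require(`
		type useradd_t;
	')

	usermanage_domtrans_useradd($1)
	role $2 types useradd_t;

	optional_policy(`
		nscd_run(useradd_t, $2)
	')
')
```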
+++ b/policy/modules/admin/usermanage.te -@@ -86,6 +86,7 @@ allow chfn_t self:unix_stream_socket connectto; +@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3) + # Declarations + # + +-attribute_role chfn_roles; +-role system_r types chfn_t; ++#attribute_role chfn_roles; ++#role system_r types chfn_t; + +-attribute_role groupadd_roles; ++#attribute_role groupadd_roles; + +-attribute_role passwd_roles; +-roleattribute system_r passwd_roles; ++#attribute_role passwd_roles; ++#roleattribute system_r passwd_roles; + +-attribute_role sysadm_passwd_roles; +-roleattribute system_r sysadm_passwd_roles; ++#attribute_role sysadm_passwd_roles; ++#roleattribute system_r sysadm_passwd_roles; + +-attribute_role useradd_roles; ++#attribute_role useradd_roles; + + type admin_passwd_exec_t; + files_type(admin_passwd_exec_t) +@@ -25,7 +25,8 @@ type chfn_t; + type chfn_exec_t; + domain_obj_id_change_exemption(chfn_t) + application_domain(chfn_t, chfn_exec_t) +-role chfn_roles types chfn_t; ++#role chfn_roles types chfn_t; ++role system_r types chfn_t; + + type crack_t; + type crack_exec_t; +@@ -42,18 +43,21 @@ type groupadd_t; + type groupadd_exec_t; + domain_obj_id_change_exemption(groupadd_t) + init_system_domain(groupadd_t, groupadd_exec_t) +-role groupadd_roles types groupadd_t; ++#role groupadd_roles types groupadd_t; ++ + + type passwd_t; + type passwd_exec_t; + domain_obj_id_change_exemption(passwd_t) + application_domain(passwd_t, passwd_exec_t) +-role passwd_roles types passwd_t; ++#role passwd_roles types passwd_t; ++role system_r types passwd_t; + + type sysadm_passwd_t; + domain_obj_id_change_exemption(sysadm_passwd_t) + application_domain(sysadm_passwd_t, admin_passwd_exec_t) +-role sysadm_passwd_roles types sysadm_passwd_t; ++#role sysadm_passwd_roles types sysadm_passwd_t; ++role system_r types sysadm_passwd_t; + + type sysadm_passwd_tmp_t; + files_tmp_file(sysadm_passwd_tmp_t) +@@ -62,7 +66,8 @@ type useradd_t; + type useradd_exec_t; + 
domain_obj_id_change_exemption(useradd_t) + init_system_domain(useradd_t, useradd_exec_t) +-role useradd_roles types useradd_t; ++#role useradd_roles types useradd_t; ++role system_r types useradd_t; + + ######################################## + # +@@ -86,6 +91,7 @@ allow chfn_t self:unix_stream_socket connectto; kernel_read_system_state(chfn_t) kernel_read_kernel_sysctls(chfn_t) @@ -59378,7 +59623,7 @@ index 81b6608..446b743 100644 selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) -@@ -94,25 +95,29 @@ selinux_compute_create_context(chfn_t) +@@ -94,25 +100,29 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) @@ -59395,11 +59640,14 @@ index 81b6608..446b743 100644 dev_read_urand(chfn_t) +dev_dontaudit_getattr_all(chfn_t) -+#auth_manage_passwd(chfn_t) -+#auth_use_pam(chfn_t) - auth_run_chk_passwd(chfn_t, chfn_roles) - auth_dontaudit_read_shadow(chfn_t) - auth_use_nsswitch(chfn_t) +-auth_run_chk_passwd(chfn_t, chfn_roles) +-auth_dontaudit_read_shadow(chfn_t) +-auth_use_nsswitch(chfn_t) ++auth_manage_passwd(chfn_t) ++auth_use_pam(chfn_t) ++#auth_run_chk_passwd(chfn_t, chfn_roles) ++#auth_dontaudit_read_shadow(chfn_t) ++#auth_use_nsswitch(chfn_t) # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) @@ -59411,7 +59659,7 @@ index 81b6608..446b743 100644 files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) -@@ -120,6 +125,7 @@ files_dontaudit_search_home(chfn_t) +@@ -120,6 +130,7 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) 
@@ -59419,7 +59667,7 @@ index 81b6608..446b743 100644 miscfiles_read_localization(chfn_t) -@@ -128,11 +134,24 @@ logging_send_syslog_msg(chfn_t) +@@ -128,11 +139,24 @@ logging_send_syslog_msg(chfn_t) # uses unix_chkpwd for checking passwords seutil_dontaudit_search_config(chfn_t) @@ -59444,7 +59692,7 @@ index 81b6608..446b743 100644 ######################################## # # Crack local policy -@@ -209,8 +228,8 @@ selinux_compute_create_context(groupadd_t) +@@ -209,8 +233,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -59455,7 +59703,7 @@ index 81b6608..446b743 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -218,8 +237,8 @@ init_dontaudit_write_utmp(groupadd_t) +@@ -218,8 +242,8 @@ init_dontaudit_write_utmp(groupadd_t) domain_use_interactive_fds(groupadd_t) @@ -59465,8 +59713,13 @@ index 81b6608..446b743 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -234,9 +253,10 @@ miscfiles_read_localization(groupadd_t) - auth_run_chk_passwd(groupadd_t, groupadd_roles) +@@ -231,12 +255,14 @@ logging_send_syslog_msg(groupadd_t) + + miscfiles_read_localization(groupadd_t) + +-auth_run_chk_passwd(groupadd_t, groupadd_roles) ++#auth_run_chk_passwd(groupadd_t, groupadd_roles) ++auth_domtrans_chk_passwd(groupadd_t) auth_rw_lastlog(groupadd_t) auth_use_nsswitch(groupadd_t) +auth_manage_passwd(groupadd_t) 
@@ -59477,7 +59730,17 @@ index 81b6608..446b743 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -285,6 +305,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -253,7 +279,8 @@ optional_policy(` + ') + + optional_policy(` +- nscd_run(groupadd_t, groupadd_roles) ++# nscd_run(groupadd_t, groupadd_roles) ++ nscd_domtrans(groupadd_t) + ') + + optional_policy(` +@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -59485,7 +59748,7 @@ index 81b6608..446b743 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -293,6 +314,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -59493,7 +59756,7 @@ index 81b6608..446b743 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -307,10 +329,17 @@ selinux_compute_create_context(passwd_t) +@@ -307,26 +336,37 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) 
@@ -59501,19 +59764,21 @@ index 81b6608..446b743 100644 -term_use_all_ptys(passwd_t) +term_use_all_inherited_terms(passwd_t) +term_getattr_all_ptys(passwd_t) -+ -+#auth_manage_passwd(passwd_t) -+#auth_manage_shadow(passwd_t) -+#auth_relabel_shadow(passwd_t) -+#auth_etc_filetrans_shadow(passwd_t) -+#auth_use_pam(passwd_t) - auth_run_chk_passwd(passwd_t, passwd_roles) +-auth_run_chk_passwd(passwd_t, passwd_roles) +auth_manage_passwd(passwd_t) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) -@@ -318,15 +347,19 @@ auth_use_nsswitch(passwd_t) +-auth_use_nsswitch(passwd_t) ++auth_use_pam(passwd_t) ++ ++#auth_run_chk_passwd(passwd_t, passwd_roles) ++#auth_manage_passwd(passwd_t) ++#auth_manage_shadow(passwd_t) ++#auth_relabel_shadow(passwd_t) ++#auth_etc_filetrans_shadow(passwd_t) ++#auth_use_nsswitch(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -59534,7 +59799,7 @@ index 81b6608..446b743 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -340,7 +373,7 @@ miscfiles_read_localization(passwd_t) +@@ -340,7 +380,7 @@ miscfiles_read_localization(passwd_t) seutil_read_config(passwd_t) seutil_read_file_contexts(passwd_t) 
@@ -59543,15 +59808,20 @@ index 81b6608..446b743 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,6 +382,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,11 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) +userdom_stream_connect(passwd_t) optional_policy(` - nscd_run(passwd_t, passwd_roles) -@@ -398,9 +432,10 @@ dev_read_urand(sysadm_passwd_t) +- nscd_run(passwd_t, passwd_roles) ++ #nscd_run(passwd_t, passwd_roles) ++ nscd_domtrans(passwd_t) + ') + + ######################################## +@@ -398,9 +440,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -59564,7 +59834,7 @@ index 81b6608..446b743 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +448,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +456,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -59572,7 +59842,17 @@ index 81b6608..446b743 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -443,7 +477,8 @@ optional_policy(` +@@ -435,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t) + userdom_dontaudit_search_user_home_content(sysadm_passwd_t) + + optional_policy(` +- nscd_run(sysadm_passwd_t, sysadm_passwd_roles) ++ nscd_domtrans(sysadm_passwd_t) ++ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles) + ') + + ######################################## +@@ -443,7 +486,8 @@ optional_policy(` # Useradd local policy # 
@@ -59582,7 +59862,7 @@ index 81b6608..446b743 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -465,10 +500,13 @@ corecmd_exec_shell(useradd_t) +@@ -465,10 +509,13 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -59597,7 +59877,7 @@ index 81b6608..446b743 100644 files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) -@@ -477,17 +515,15 @@ fs_search_auto_mountpoints(useradd_t) +@@ -477,24 +524,19 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -59610,19 +59890,17 @@ index 81b6608..446b743 100644 -selinux_compute_create_context(useradd_t) -selinux_compute_relabel_context(useradd_t) -selinux_compute_user_contexts(useradd_t) -+seutil_semanage_policy(useradd_t) -+seutil_manage_file_contexts(useradd_t) -+seutil_manage_config(useradd_t) -+seutil_manage_default_contexts(useradd_t) - +- -term_use_all_ttys(useradd_t) -term_use_all_ptys(useradd_t) +term_use_all_inherited_terms(useradd_t) +term_getattr_all_ptys(useradd_t) - auth_run_chk_passwd(useradd_t, useradd_roles) +-auth_run_chk_passwd(useradd_t, useradd_roles) ++#auth_run_chk_passwd(useradd_t, useradd_roles) ++auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -495,6 +531,7 @@ auth_rw_faillog(useradd_t) + auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. 
@@ -59630,27 +59908,37 @@ index 81b6608..446b743 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -510,28 +547,25 @@ miscfiles_read_localization(useradd_t) +@@ -507,31 +549,33 @@ logging_send_syslog_msg(useradd_t) + + miscfiles_read_localization(useradd_t) + ++seutil_semanage_policy(useradd_t) ++seutil_manage_file_contexts(useradd_t) ++seutil_manage_config(useradd_t) ++seutil_manage_default_contexts(useradd_t) ++ seutil_read_config(useradd_t) seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) -+#seutil_domtrans_semanage(useradd_t) -+#seutil_domtrans_setfiles(useradd_t) -+#seutil_domtrans_loadpolicy(useradd_t) +-seutil_run_semanage(useradd_t, useradd_roles) +-seutil_run_setfiles(useradd_t, useradd_roles) ++seutil_domtrans_semanage(useradd_t) ++seutil_domtrans_setfiles(useradd_t) ++seutil_domtrans_loadpolicy(useradd_t) +#seutil_manage_bin_policy(useradd_t) +#seutil_manage_module_store(useradd_t) -+#seutil_get_semanage_trans_lock(useradd_t) -+#seutil_get_semanage_read_lock(useradd_t) - seutil_run_semanage(useradd_t, useradd_roles) - seutil_run_setfiles(useradd_t, useradd_roles) ++seutil_get_semanage_trans_lock(useradd_t) ++seutil_get_semanage_read_lock(useradd_t) ++#seutil_run_semanage(useradd_t, useradd_roles) ++#seutil_run_setfiles(useradd_t, useradd_roles) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) 
@@ -59667,7 +59955,17 @@ index 81b6608..446b743 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -550,6 +584,11 @@ optional_policy(` +@@ -542,7 +586,8 @@ optional_policy(` + ') + + optional_policy(` +- nscd_run(useradd_t, useradd_roles) ++ nscd_domtrans(useradd_t) ++# nscd_run(useradd_t, useradd_roles) + ') + + optional_policy(` +@@ -550,6 +595,11 @@ optional_policy(` ') optional_policy(` @@ -59832,7 +60130,7 @@ index 7590165..59539e8 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index db981df..add631a 100644 +index db981df..cdbf6c7 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -59910,7 +60208,7 @@ index db981df..add631a 100644 /opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -174,53 +183,76 @@ ifdef(`distro_gentoo',` +@@ -174,53 +183,77 @@ ifdef(`distro_gentoo',` /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -59945,6 +60243,7 @@ index db981df..add631a 100644 /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0) +/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) 
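Review bot: useradd_t ends up with both the direct grants `seutil_semanage_policy(useradd_t)`, `seutil_manage_file_contexts(useradd_t)`, `seutil_manage_config(useradd_t)`, `seutil_manage_default_contexts(useradd_t)` (moved here from the preceding hunk) and the transitions `seutil_domtrans_semanage(useradd_t)`, `seutil_domtrans_setfiles(useradd_t)`, `seutil_domtrans_loadpolicy(useradd_t)` plus the semanage lock interfaces. If the transition into the semanage domain is what useradd needs (presumably for its SELinux user-mapping option), the direct `seutil_manage_*` grants let useradd_t write the policy store and context configuration itself, which is considerably wider than the `seutil_run_semanage(useradd_t, useradd_roles)` it replaces; one of the two approaches should be kept and the other removed. Note also that `seutil_run_semanage`/`seutil_run_setfiles` carried a role authorisation that `seutil_domtrans_*` does not, and nothing visible re-adds it for the caller's role (`usermanage_run_useradd` would be the place, as `bootloader_run` does for mount). A short comment above whichever set stays, e.g. `# useradd updates SELinux user mappings through semanage`, would document the need.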
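Review bot: The added file-context line `/usr/lib/jvm/java(.*/)bin(/.*)` is already covered by the `/usr/lib(.*/)?bin(/.*)?` entry directly below it — both label bin_t and the general pattern matches every path the jvm one does — so it has no labelling effect. If it is meant to win over a more specific jvm entry elsewhere in the file, a comment saying so would help; otherwise it should be dropped. Note also that the missing `?` on `(.*/)` and `(/.*)` means it would not match a bare `/usr/lib/jvm/java*/bin` directory itself, unlike the sibling patterns in this block.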
@@ -60004,7 +60303,7 @@ index db981df..add631a 100644 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) -@@ -235,10 +267,15 @@ ifdef(`distro_gentoo',` +@@ -235,10 +268,15 @@ ifdef(`distro_gentoo',` /usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -60020,7 +60319,7 @@ index db981df..add631a 100644 /usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0) -@@ -251,11 +288,18 @@ ifdef(`distro_gentoo',` +@@ -251,11 +289,18 @@ ifdef(`distro_gentoo',` /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) @@ -60040,7 +60339,7 @@ index db981df..add631a 100644 /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -271,6 +315,10 @@ ifdef(`distro_gentoo',` +@@ -271,6 +316,10 @@ ifdef(`distro_gentoo',` /usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0) /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) 
@@ -60051,7 +60350,7 @@ index db981df..add631a 100644 /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0) -@@ -290,15 +338,19 @@ ifdef(`distro_gentoo',` +@@ -290,15 +339,19 @@ ifdef(`distro_gentoo',` /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) @@ -60072,7 +60371,7 @@ index db981df..add631a 100644 ifdef(`distro_debian',` /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,8 +366,12 @@ ifdef(`distro_redhat', ` +@@ -314,8 +367,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -60085,7 +60384,7 @@ index db981df..add631a 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -325,9 +381,11 @@ ifdef(`distro_redhat', ` +@@ -325,9 +382,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -60097,7 +60396,7 @@ index db981df..add631a 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -376,11 +434,14 @@ ifdef(`distro_suse', ` +@@ -376,11 +435,14 @@ ifdef(`distro_suse', ` # # /var # 
@@ -60113,7 +60412,7 @@ index db981df..add631a 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -390,3 +451,12 @@ ifdef(`distro_suse', ` +@@ -390,3 +452,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -63866,7 +64165,7 @@ index 6a1e4d1..ffaa90a 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..927cfba 100644 +index cf04cb5..e43701b 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.11.0) @@ -63879,7 +64178,7 @@ index cf04cb5..927cfba 100644 +##

+## +# -+gen_tunable(allow_domain_fd_use, true) ++gen_tunable(domain_fd_use, true) + +## +##
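Review bot: The new `++gen_tunable(domain_fd_use, true)` drops the old `allow_domain_fd_use` name with no alias, and the same holds for every other rename in this commit (`selinuxuser_execheap`/`selinuxuser_execmod`/`selinuxuser_execstack`, `polyinstantiation_enabled`, `ssh_keysign`, `xserver_clients_write_xshm`, `xserver_execmem`, `daemons_use_tcp_wrapper`/`daemons_use_tty`/`daemons_dump_core`, `login_console_enabled`). Any value an administrator persisted with `setsebool -P` under an old name silently stops applying after the upgrade, and scripts that set the old name fail, so the rename should ship with a booleans.subs_dist old-to-new mapping (the mechanism libselinux consults for renamed booleans) or at least a migration note in the changelog. The default here stays `true`, so the shipped behaviour is unchanged; it is only local overrides that are at risk.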

@@ -64161,7 +64460,7 @@ index cf04cb5..927cfba 100644 + sosreport_append_tmp_files(domain) +') + -+tunable_policy(`allow_domain_fd_use',` ++tunable_policy(`domain_fd_use',` + # Allow all domains to use fds past to them + allow domain domain:fd use; +') @@ -64350,7 +64649,7 @@ index 4429d30..cbcd9d0 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 41346fb..7377b05 100644 +index 41346fb..9ec1de8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -64976,7 +65275,15 @@ index 41346fb..7377b05 100644 ## Get the attributes of the tmp directory (/tmp). ##

## -@@ -4171,7 +4583,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -4161,6 +4573,7 @@ interface(`files_getattr_tmp_dirs',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; + ') + +@@ -4171,7 +4584,7 @@ interface(`files_getattr_tmp_dirs',` ##
## ## @@ -64985,7 +65292,23 @@ index 41346fb..7377b05 100644 ## ## # -@@ -4243,7 +4655,7 @@ interface(`files_list_tmp',` +@@ -4198,6 +4611,7 @@ interface(`files_search_tmp',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; + ') + +@@ -4234,6 +4648,7 @@ interface(`files_list_tmp',` + type tmp_t; + ') + ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; + ') + +@@ -4243,7 +4658,7 @@ interface(`files_list_tmp',` ##
## ## @@ -64994,7 +65317,7 @@ index 41346fb..7377b05 100644 ## ## # -@@ -4255,6 +4667,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4255,6 +4670,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -65013,13 +65336,22 @@ index 41346fb..7377b05 100644 + type tmp_t; + ') + ++ files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; +') + ######################################## ## ## Remove entries from the tmp directory. -@@ -4311,6 +4741,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4270,6 +4704,7 @@ interface(`files_delete_tmp_dir_entry',` + type tmp_t; + ') + ++ files_search_tmp($1) + allow $1 tmp_t:dir del_entry_dir_perms; + ') + +@@ -4311,6 +4746,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -65052,7 +65384,7 @@ index 41346fb..7377b05 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4365,6 +4821,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4365,6 +4826,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -65095,7 +65427,7 @@ index 41346fb..7377b05 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4428,7 +4920,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4428,7 +4925,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -65104,7 +65436,7 @@ index 41346fb..7377b05 100644 ## ## # -@@ -4488,7 +4980,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4488,7 +4985,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -65113,7 +65445,7 @@ index 41346fb..7377b05 100644 ## ## # -@@ -4573,6 +5065,16 @@ interface(`files_purge_tmp',` +@@ -4573,6 +5070,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -65130,7 +65462,7 @@ index 41346fb..7377b05 100644 ') ######################################## -@@ -5150,6 +5652,24 @@ interface(`files_list_var',` +@@ -5150,6 +5657,24 @@ interface(`files_list_var',` ######################################## ## @@ -65155,7 +65487,7 @@ index 41346fb..7377b05 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5505,6 +6025,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5505,6 +6030,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -65181,7 +65513,7 @@ index 41346fb..7377b05 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5550,6 +6089,25 @@ interface(`files_manage_mounttab',` +@@ -5550,6 +6094,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -65207,7 +65539,7 @@ index 41346fb..7377b05 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5563,6 +6121,7 @@ interface(`files_search_locks',` +@@ -5563,6 +6126,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -65215,7 +65547,7 @@ index 41346fb..7377b05 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5589,7 +6148,8 @@ interface(`files_dontaudit_search_locks',` +@@ -5589,7 +6153,8 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -65225,7 +65557,7 @@ index 41346fb..7377b05 100644 ## ## ## -@@ -5597,13 +6157,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5597,13 +6162,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -65259,7 +65591,7 @@ index 41346fb..7377b05 100644 ') ######################################## -@@ -5622,7 +6199,7 @@ interface(`files_rw_lock_dirs',` +@@ -5622,7 +6204,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -65268,7 +65600,7 @@ index 41346fb..7377b05 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5635,7 +6212,6 @@ interface(`files_rw_lock_dirs',` +@@ -5635,7 +6217,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -65276,7 +65608,7 @@ index 41346fb..7377b05 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5663,8 +6239,7 @@ interface(`files_getattr_generic_locks',` +@@ -5663,8 +6244,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -65286,7 +65618,7 @@ index 41346fb..7377b05 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5680,13 +6255,12 @@ interface(`files_getattr_generic_locks',` +@@ -5680,13 +6260,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -65304,7 +65636,7 @@ index 41346fb..7377b05 100644 ') ######################################## -@@ -5705,8 +6279,7 @@ interface(`files_manage_generic_locks',` +@@ -5705,8 +6284,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -65314,7 +65646,7 @@ index 41346fb..7377b05 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5748,8 +6321,7 @@ interface(`files_read_all_locks',` +@@ -5748,8 +6326,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -65324,7 +65656,7 @@ index 41346fb..7377b05 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5771,8 +6343,7 @@ interface(`files_manage_all_locks',` +@@ -5771,8 +6348,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') 
@@ -65334,7 +65666,7 @@ index 41346fb..7377b05 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5809,8 +6380,7 @@ interface(`files_lock_filetrans',` +@@ -5809,8 +6385,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -65344,7 +65676,7 @@ index 41346fb..7377b05 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5873,6 +6443,43 @@ interface(`files_search_pids',` +@@ -5873,6 +6448,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -65388,7 +65720,7 @@ index 41346fb..7377b05 100644 ######################################## ## ## Do not audit attempts to search -@@ -5895,6 +6502,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5895,6 +6507,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -65414,7 +65746,7 @@ index 41346fb..7377b05 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6010,7 +6636,6 @@ interface(`files_pid_filetrans',` +@@ -6010,7 +6641,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -65422,19 +65754,17 @@ index 41346fb..7377b05 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6096,24 +6721,189 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6096,6 +6726,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read all process ID files. +## Relable all pid directories - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`files_relabel_all_pid_dirs',` + gen_require(` 
@@ -65538,15 +65868,10 @@ index 41346fb..7377b05 100644 + +######################################## +## -+## Read all process ID files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## - # + ## Read all process ID files. + ## + ## +@@ -6108,12 +6848,67 @@ interface(`files_dontaudit_ioctl_all_pids',` interface(`files_read_all_pids',` gen_require(` attribute pidfile; @@ -65616,7 +65941,7 @@ index 41346fb..7377b05 100644 ') ######################################## -@@ -6184,6 +6974,90 @@ interface(`files_delete_all_pid_dirs',` +@@ -6184,6 +6979,90 @@ interface(`files_delete_all_pid_dirs',` ######################################## ## @@ -65707,7 +66032,7 @@ index 41346fb..7377b05 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6406,3 +7280,332 @@ interface(`files_unconfined',` +@@ -6406,3 +7285,332 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -66041,7 +66366,7 @@ index 41346fb..7377b05 100644 + files_root_filetrans($1, var_t, dir, "nsr") +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 1ce8aa0..032b869 100644 +index 1ce8aa0..24dfed0 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -10,7 +10,9 @@ attribute files_unconfined_type; @@ -66108,6 +66433,14 @@ index 1ce8aa0..032b869 100644 ######################################## # +@@ -229,6 +244,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil + # Mount/unmount any filesystem with the context= option. + allow files_unconfined_type file_type:filesystem *; + +-tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + allow files_unconfined_type file_type:file execmod; + ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index cda5588..e89e4bf 100644 --- a/policy/modules/kernel/filesystem.fc 
@@ -68479,9 +68812,18 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 01dd2f1..b283c17 100644 +index 01dd2f1..dfeffc7 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if +@@ -124,7 +124,7 @@ interface(`term_user_tty',` + type_change $1 ttynode:chr_file $2; + ') + +- tunable_policy(`console_login',` ++ tunable_policy(`login_console_enabled',` + # When user logs in from /dev/console, relabel it + # to user tty type as well. + type_change $1 console_device_t:chr_file $2; @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` ######################################## @@ -69292,7 +69634,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index e5aee97..19aa6fd 100644 +index e5aee97..f373c8d 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,52 @@ policy_module(staff, 2.3.0) @@ -69592,7 +69934,7 @@ index e5aee97..19aa6fd 100644 ') ') + -+tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(staff_t) +') diff --git a/policy/modules/roles/sysadm.if b/policy/modules/roles/sysadm.if @@ -70823,7 +71165,7 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..07b26fb +index 0000000..7b69ace --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,392 @@ 
@@ -70930,11 +71272,11 @@ index 0000000..07b26fb + allow unconfined_t self:process execmem; +') + -+tunable_policy(`allow_execstack',` ++tunable_policy(`selinuxuser_execstack',` + allow unconfined_t self:process execstack; +') + -+tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(unconfined_t) +') + @@ -71230,7 +71572,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 9f6d4c3..5d2fa38 100644 +index 9f6d4c3..cad6364 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -12,12 +12,90 @@ role user_r; @@ -71243,7 +71585,7 @@ index 9f6d4c3..5d2fa38 100644 +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + -+tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + userdom_execmod_user_home_files(user_t) +') + @@ -72206,7 +72548,7 @@ index fe0c682..93ec53f 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..f82584d 100644 +index b17e27a..f87cce0 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0) @@ -72220,16 +72562,17 @@ index b17e27a..f82584d 100644 +## allow host key based authentication +##

## - gen_tunable(allow_ssh_keysign, false) - - ## +-gen_tunable(allow_ssh_keysign, false) ++gen_tunable(ssh_keysign, false) ++ ++## +##

+## Allow ssh logins as sysadm_r:sysadm_t +##

+##
+gen_tunable(ssh_sysadm_login, false) -+ -+## + + ## ##

-## Allow ssh logins as sysadm_r:sysadm_t +## Allow ssh with chroot env to read and write files @@ -72370,13 +72713,8 @@ index b17e27a..f82584d 100644 +userdom_use_inherited_user_terminals(ssh_t) +# needs to read krb/write tgt userdom_read_user_tmp_files(ssh_t) -+userdom_write_user_tmp_files(ssh_t) -+userdom_read_user_home_content_symlinks(ssh_t) -+userdom_rw_inherited_user_home_content_files(ssh_t) -+userdom_read_home_certs(ssh_t) -+userdom_home_manager(ssh_t) - - tunable_policy(`allow_ssh_keysign',` +- +-tunable_policy(`allow_ssh_keysign',` - domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) - allow ssh_keysign_t ssh_t:fd use; - allow ssh_keysign_t ssh_t:process sigchld; @@ -72391,6 +72729,13 @@ index b17e27a..f82584d 100644 -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(ssh_t) - fs_manage_cifs_files(ssh_t) ++userdom_write_user_tmp_files(ssh_t) ++userdom_read_user_home_content_symlinks(ssh_t) ++userdom_rw_inherited_user_home_content_files(ssh_t) ++userdom_read_home_certs(ssh_t) ++userdom_home_manager(ssh_t) ++ ++tunable_policy(`ssh_keysign',` + domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) ') @@ -72406,7 +72751,7 @@ index b17e27a..f82584d 100644 ') optional_policy(` -@@ -195,6 +212,7 @@ optional_policy(` +@@ -195,28 +212,24 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -72414,7 +72759,10 @@ index b17e27a..f82584d 100644 ############################## # # ssh_keysign_t local policy -@@ -204,19 +222,14 @@ tunable_policy(`allow_ssh_keysign',` + # + +-tunable_policy(`allow_ssh_keysign',` ++tunable_policy(`ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -72684,7 +73032,7 @@ index b17e27a..f82584d 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..4eaf2fd 100644 +index fc86b7c..7421ac9 100644 --- a/policy/modules/services/xserver.fc 
+++ b/policy/modules/services/xserver.fc @@ -2,13 +2,34 @@ @@ -72726,11 +73074,11 @@ index fc86b7c..4eaf2fd 100644 /etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0) -+/etc/gdm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) -+/etc/gdm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/gdm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/gdm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) -+/etc/gdm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_etc_t,s0) ++/etc/[mg]dm/Init(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm/PostLogin(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm/PostSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) ++/etc/[mg]dm/PreSession(/.*)? gen_context(system_u:object_r:xdm_unconfined_exec_t,s0) + /etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0) @@ -72741,7 +73089,7 @@ index fc86b7c..4eaf2fd 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,11 +74,10 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,23 +74,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -72757,7 +73105,14 @@ index fc86b7c..4eaf2fd 100644 # # /usr -@@ -63,6 +90,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + # + ++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) 
@@ -72765,26 +73120,30 @@ index fc86b7c..4eaf2fd 100644 /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -92,6 +120,9 @@ ifndef(`distro_debian',` +@@ -90,24 +119,43 @@ ifndef(`distro_debian',` + /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) + /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/[mxkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) + -+/var/cache/gdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -@@ -99,15 +130,32 @@ ifndef(`distro_debian',` +-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) + -+/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) ++/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0) -+/var/run/kdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/gdm(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) +/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -72810,7 +73169,7 @@ index fc86b7c..4eaf2fd 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..56cb1f8 100644 +index 130ced9..647cc5c 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -72907,7 +73266,8 @@ index 130ced9..56cb1f8 100644 + modutils_run_insmod(xserver_t, $1) # Client write xserver shm - tunable_policy(`allow_write_xshm',` +- tunable_policy(`allow_write_xshm',` ++ tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') @@ -72993,6 +73353,15 @@ index 130ced9..56cb1f8 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; +@@ -316,7 +341,7 @@ interface(`xserver_user_client',` + xserver_read_xdm_tmp_files($1) + + # Client write xserver shm +- tunable_policy(`allow_write_xshm',` ++ tunable_policy(`xserver_clients_write_xshm',` + allow $1 xserver_t:shm rw_shm_perms; + allow $1 xserver_tmpfs_t:file rw_file_perms; + ') @@ -342,19 +367,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` @@ -73093,7 +73462,8 @@ index 130ced9..56cb1f8 100644 + xserver_common_x_domain_template($1, $2) # Client write xserver shm - tunable_policy(`allow_write_xshm',` +- tunable_policy(`allow_write_xshm',` ++ tunable_policy(`xserver_clients_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; allow $2 xserver_tmpfs_t:file rw_file_perms; ') 
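Review bot: The `[mg]dm` patterns together with the new `/usr/sbin/mdm-binary` and `/var/run/[kgm]dm(/.*)?` entries extend xdm labeling to the MDM display manager, which the commit message "Rename boolean names to remove allow_" does not mention; the same applies to the iptables and modutils role-attribute rework further down. A changelog line such as `- Add labeling for the MDM display manager` would keep the spec history honest about what the patch changes. The consolidated `/var/run/[kgm]dm(/.*)?` still matches `/var/run/kdm`, which previously had its own line, so that part looks behaviour-preserving for kdm.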
@@ -74096,7 +74466,7 @@ index 130ced9..56cb1f8 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index c4f7c35..f072b29 100644 +index c4f7c35..a4b887d 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -74112,16 +74482,17 @@ index c4f7c35..f072b29 100644 +## memory segments. +##

##
- gen_tunable(allow_write_xshm, false) - - ## +-gen_tunable(allow_write_xshm, false) ++gen_tunable(xserver_clients_write_xshm, false) ++ ++## +##

+## Allows XServer to execute writable memory +##

+##
-+gen_tunable(allow_xserver_execmem, false) -+ -+## ++gen_tunable(xserver_execmem, false) + + ## ##

-## Allow xdm logins as sysadm +## Allow the graphical login program to execute bootloader @@ -75219,7 +75590,7 @@ index c4f7c35..f072b29 100644 -allow xserver_unconfined_type xextension_type:x_extension *; -allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; -allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; -+tunable_policy(`allow_xserver_execmem',` ++tunable_policy(`xserver_execmem',` + allow xserver_t self:process { execheap execmem execstack }; +') + @@ -75228,7 +75599,7 @@ index c4f7c35..f072b29 100644 + allow xdm_t self:process execmem; +') + -+tunable_policy(`allow_execstack',` ++tunable_policy(`selinuxuser_execstack',` + allow xdm_t self:process { execstack execmem }; +') + @@ -76138,7 +76509,7 @@ index 6ce867a..283f236 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index f12b8ff..4847c97 100644 +index f12b8ff..b3e0efd 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1) @@ -76256,14 +76627,14 @@ index f12b8ff..4847c97 100644 + xserver_rw_xdm_pipes(utempter_t) +') + -+tunable_policy(`allow_polyinstantiation',` ++tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(polydomain) ') optional_policy(` - xserver_use_xdm_fds(utempter_t) - xserver_rw_xdm_pipes(utempter_t) -+ tunable_policy(`allow_polyinstantiation',` ++ tunable_policy(`polyinstantiation_enabled',` + namespace_init_domtrans(polydomain) + ') +') @@ -76561,7 +76932,7 @@ index e1a1848..909af45 100644 /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index fd100fc..86e1fd0 100644 +index fd100fc..8409f5c 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te 
@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t) @@ -76575,6 +76946,15 @@ index fd100fc..86e1fd0 100644 init_rw_utmp(getty_t) init_use_script_ptys(getty_t) +@@ -113,7 +115,7 @@ ifdef(`distro_ubuntu',` + ') + ') + +-tunable_policy(`console_login',` ++tunable_policy(`login_console_enabled',` + # Support logging in from /dev/console + term_use_console(getty_t) + ',` @@ -125,10 +127,6 @@ optional_policy(` ') @@ -77839,7 +78219,7 @@ index d26fe81..b0bb610 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 5fb9683..da5e37d 100644 +index 5fb9683..28b9f3b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -77858,21 +78238,21 @@ index 5fb9683..da5e37d 100644 +## Allow all daemons to use tcp wrappers. +##

+##
-+gen_tunable(allow_daemons_use_tcp_wrapper, false) ++gen_tunable(daemons_use_tcp_wrapper, false) + +## +##

+## Allow all daemons the ability to read/write terminals +##

+##
-+gen_tunable(allow_daemons_use_tty, false) ++gen_tunable(daemons_use_tty, false) + +## +##

+## Allow all daemons to write corefiles to / +##

+##
-+gen_tunable(allow_daemons_dump_core, false) ++gen_tunable(daemons_dump_core, false) + # used for direct running of init scripts # by admin domains @@ -78527,11 +78907,11 @@ index 5fb9683..da5e37d 100644 +userdom_dontaudit_list_admin_dir(daemon) +userdom_dontaudit_search_user_tmp(daemon) + -+tunable_policy(`allow_daemons_use_tcp_wrapper',` ++tunable_policy(`daemons_use_tcp_wrapper',` + corenet_tcp_connect_auth_port(daemon) +') + -+tunable_policy(`allow_daemons_use_tty',` ++tunable_policy(`daemons_use_tty',` + term_use_unallocated_ttys(daemon) + term_use_generic_ptys(daemon) + term_use_all_ttys(daemon) @@ -78544,7 +78924,7 @@ index 5fb9683..da5e37d 100644 + ') + +# system-config-services causes avc messages that should be dontaudited -+tunable_policy(`allow_daemons_dump_core',` ++tunable_policy(`daemons_dump_core',` + files_manage_root_files(daemon) +') + @@ -78923,7 +79303,7 @@ index 5fb9683..da5e37d 100644 +userdom_dontaudit_rw_stream(systemprocess) +userdom_dontaudit_write_user_tmp_files(systemprocess) + -+tunable_policy(`allow_daemons_use_tty',` ++tunable_policy(`daemons_use_tty',` + term_use_all_ttys(systemprocess) + term_use_all_ptys(systemprocess) +',` @@ -79226,7 +79606,7 @@ index 14cffd2..5effebe 100644 +/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index c42fbc3..174cfdb 100644 +index c42fbc3..7071460 100644 --- a/policy/modules/system/iptables.if +++ b/policy/modules/system/iptables.if @@ -17,10 +17,6 @@ interface(`iptables_domtrans',` 
@@ -79240,8 +79620,33 @@ index c42fbc3..174cfdb 100644 ') ######################################## -@@ -86,6 +82,29 @@ interface(`iptables_initrc_domtrans',` - init_labeled_script_domtrans($1, iptables_initrc_exec_t) +@@ -42,11 +38,22 @@ interface(`iptables_domtrans',` + # + interface(`iptables_run',` + gen_require(` +- attribute_role iptables_roles; ++ #attribute_role iptables_roles; ++ type iptables_t; + ') + ++ #iptables_domtrans($1) ++ #roleattribute $2 iptables_roles; ++ + iptables_domtrans($1) +- roleattribute $2 iptables_roles; ++ role $2 types iptables_t; ++ ++ sysnet_run_ifconfig(iptables_t, $2) ++ ++ optional_policy(` ++ modutils_run_insmod(iptables_t, $2) ++ ') ++ + ') + + ######################################## +@@ -86,6 +93,29 @@ interface(`iptables_initrc_domtrans',` + init_labeled_script_domtrans($1, iptables_initrc_exec_t) ') +######################################## @@ -79271,10 +79676,25 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 0646ee7..cc8d773 100644 +index 0646ee7..36e02fa 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te -@@ -16,15 +16,15 @@ role iptables_roles types iptables_t; +@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.0) + # Declarations + # + +-attribute_role iptables_roles; +-roleattribute system_r iptables_roles; ++#attribute_role iptables_roles; ++#roleattribute system_r iptables_roles; + + type iptables_t; + type iptables_exec_t; + init_system_domain(iptables_t, iptables_exec_t) +-role iptables_roles types iptables_t; ++#role iptables_roles types iptables_t; ++role system_r types iptables_t; + type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) 
@@ -79293,7 +79713,7 @@ index 0646ee7..cc8d773 100644 ######################################## # # Iptables local policy -@@ -37,8 +37,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; +@@ -37,8 +38,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:netlink_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms; @@ -79304,7 +79724,7 @@ index 0646ee7..cc8d773 100644 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t) files_pid_filetrans(iptables_t, iptables_var_run_t, file) -@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; +@@ -49,6 +50,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms; allow iptables_t iptables_tmp_t:file manage_file_perms; files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir }) @@ -79312,7 +79732,7 @@ index 0646ee7..cc8d773 100644 kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -@@ -64,6 +65,9 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,6 +66,9 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) @@ -79322,7 +79742,7 @@ index 0646ee7..cc8d773 100644 fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +76,13 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +77,13 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -79337,7 +79757,7 @@ index 0646ee7..cc8d773 100644 auth_use_nsswitch(iptables_t) -@@ -85,6 +91,7 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +92,17 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) 
@@ -79345,8 +79765,11 @@ index 0646ee7..cc8d773 100644 logging_send_syslog_msg(iptables_t) -@@ -93,7 +100,7 @@ miscfiles_read_localization(iptables_t) - sysnet_run_ifconfig(iptables_t, iptables_roles) + miscfiles_read_localization(iptables_t) + +-sysnet_run_ifconfig(iptables_t, iptables_roles) ++#sysnet_run_ifconfig(iptables_t, iptables_roles) ++sysnet_domtrans_ifconfig(iptables_t) sysnet_dns_name_resolve(iptables_t) -userdom_use_user_terminals(iptables_t) @@ -79354,7 +79777,7 @@ index 0646ee7..cc8d773 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +109,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +111,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -79363,7 +79786,17 @@ index 0646ee7..cc8d773 100644 ') optional_policy(` -@@ -124,6 +133,7 @@ optional_policy(` +@@ -110,7 +121,8 @@ optional_policy(` + ') + + optional_policy(` +- modutils_run_insmod(iptables_t, iptables_roles) ++ modutils_domtrans_insmod(iptables_t) ++ #modutils_run_insmod(iptables_t, iptables_roles) + ') + + optional_policy(` +@@ -124,6 +136,7 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -79371,7 +79804,7 @@ index 0646ee7..cc8d773 100644 ') optional_policy(` -@@ -137,6 +147,7 @@ optional_policy(` +@@ -137,6 +150,7 @@ optional_policy(` optional_policy(` shorewall_read_tmp_files(iptables_t) shorewall_rw_lib_files(iptables_t) @@ -79915,7 +80348,7 @@ index 0e3c2a9..40adf5a 100644 +') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 9fd5be7..db7e141 100644 +index 9fd5be7..226328b 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) 
@@ -79982,7 +80415,13 @@ index 9fd5be7..db7e141 100644 miscfiles_read_localization(local_login_t) -@@ -146,14 +148,14 @@ tunable_policy(`console_login',` +@@ -141,19 +143,19 @@ ifdef(`distro_ubuntu',` + ') + ') + +-tunable_policy(`console_login',` ++tunable_policy(`login_console_enabled',` + # Able to relabel /dev/console to user tty types. term_relabel_console(local_login_t) ') @@ -79997,7 +80436,7 @@ index 9fd5be7..db7e141 100644 -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(local_login_t) - fs_read_cifs_symlinks(local_login_t) -+tunable_policy(`allow_console_login',` ++tunable_policy(`login_console_enabled',` + term_use_console(local_login_t) + term_relabel_console(local_login_t) + term_setattr_console(local_login_t) @@ -81307,7 +81746,7 @@ index 2410551..e5026a9 100644 + +/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 350c450..786f87a 100644 +index 350c450..2debedc 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -81364,7 +81803,28 @@ index 350c450..786f87a 100644 ## Read the configuration options used when ## loading modules. ## -@@ -332,3 +370,25 @@ interface(`modutils_exec_update_mods',` +@@ -307,11 +345,18 @@ interface(`modutils_domtrans_update_mods',` + # + interface(`modutils_run_update_mods',` + gen_require(` +- attribute_role update_modules_roles; ++ #attribute_role update_modules_roles; ++ type update_modules_t; + ') + ++ #modutils_domtrans_update_mods($1) ++ #roleattribute $2 update_modules_roles; ++ + modutils_domtrans_update_mods($1) +- roleattribute $2 update_modules_roles; ++ role $2 types update_modules_t; ++ ++ modutils_run_insmod(update_modules_t, $2) ++ + ') + + ######################################## +@@ -332,3 +377,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') 
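Review bot: locallogin.te ends up with two separate `tunable_policy(\`login_console_enabled',\`` blocks, the upstream one (renamed from `console_login`) holding `term_relabel_console(local_login_t)` and the Fedora one (renamed from `allow_console_login`) repeating `term_relabel_console` next to `term_use_console` and `term_setattr_console`; merge them into one block so the console-access grant lives in a single auditable place. The `gen_tunable` declaration that `login_console_enabled` refers to is outside this hunk — if upstream's `gen_tunable(console_login, …)` in locallogin.te was not renamed as well, the policy will fail to build on an undeclared boolean, so that is worth confirming.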
@@ -81391,9 +81851,18 @@ index 350c450..786f87a 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 560d5d9..b83608d 100644 +index 560d5d9..86a7107 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te +@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1) + # Declarations + # + +-attribute_role update_modules_roles; ++#attribute_role update_modules_roles; + + type depmod_t; + type depmod_exec_t; @@ -16,11 +16,12 @@ type insmod_t; type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -81408,7 +81877,16 @@ index 560d5d9..b83608d 100644 # module dependencies type modules_dep_t; -@@ -35,6 +36,9 @@ role update_modules_roles types update_modules_t; +@@ -29,12 +30,16 @@ files_type(modules_dep_t) + type update_modules_t; + type update_modules_exec_t; + init_system_domain(update_modules_t, update_modules_exec_t) +-roleattribute system_r update_modules_roles; +-role update_modules_roles types update_modules_t; ++#roleattribute system_r update_modules_roles; ++#role update_modules_roles types update_modules_t; ++role system_r types update_modules_t; + type update_modules_tmp_t; files_tmp_file(update_modules_tmp_t) @@ -81418,7 +81896,7 @@ index 560d5d9..b83608d 100644 ######################################## # # depmod local policy -@@ -54,12 +58,15 @@ corecmd_search_bin(depmod_t) +@@ -54,12 +59,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) @@ -81434,7 +81912,7 @@ index 560d5d9..b83608d 100644 fs_getattr_xattr_fs(depmod_t) -@@ -69,10 +76,12 @@ init_use_fds(depmod_t) +@@ -69,10 +77,12 @@ init_use_fds(depmod_t) init_use_script_fds(depmod_t) init_use_script_ptys(depmod_t) @@ -81448,7 +81926,7 @@ index 560d5d9..b83608d 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -80,12 +89,8 @@ ifdef(`distro_ubuntu',` +@@ -80,12 +90,8 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -81463,7 +81941,7 @@ index 560d5d9..b83608d 100644 ') optional_policy(` -@@ -94,7 +99,6 @@ optional_policy(` +@@ -94,7 +100,6 @@ optional_policy(` ') optional_policy(` @@ -81471,7 +81949,7 @@ index 560d5d9..b83608d 100644 unconfined_domain(depmod_t) ') -@@ -103,11 +107,12 @@ optional_policy(` +@@ -103,11 +108,12 @@ optional_policy(` # insmod local policy # @@ -81485,7 +81963,7 @@ index 560d5d9..b83608d 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -117,7 +122,11 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -117,7 +123,11 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) can_exec(insmod_t, insmod_exec_t) @@ -81497,7 +81975,7 @@ index 560d5d9..b83608d 100644 kernel_request_load_module(insmod_t) kernel_read_system_state(insmod_t) kernel_read_network_state(insmod_t) -@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t) +@@ -125,6 +135,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -81505,7 +81983,7 @@ index 560d5d9..b83608d 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +153,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -81513,7 +81991,7 @@ index 560d5d9..b83608d 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -151,20 +162,30 @@ files_read_etc_runtime_files(insmod_t) +@@ -151,20 +163,30 @@ files_read_etc_runtime_files(insmod_t) files_read_etc_files(insmod_t) files_read_usr_files(insmod_t) files_exec_etc_files(insmod_t) 
@@ -81544,7 +82022,7 @@ index 560d5d9..b83608d 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +194,7 @@ miscfiles_read_localization(insmod_t) +@@ -173,8 +195,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -81554,7 +82032,7 @@ index 560d5d9..b83608d 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +204,28 @@ optional_policy(` +@@ -184,28 +205,28 @@ optional_policy(` ') optional_policy(` @@ -81590,7 +82068,7 @@ index 560d5d9..b83608d 100644 ') optional_policy(` -@@ -225,6 +245,7 @@ optional_policy(` +@@ -225,6 +246,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -81598,7 +82076,7 @@ index 560d5d9..b83608d 100644 ') optional_policy(` -@@ -233,6 +254,10 @@ optional_policy(` +@@ -233,6 +255,10 @@ optional_policy(` ') optional_policy(` @@ -81609,9 +82087,12 @@ index 560d5d9..b83608d 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -295,7 +320,7 @@ miscfiles_read_localization(update_modules_t) +@@ -293,9 +319,9 @@ logging_send_syslog_msg(update_modules_t) - modutils_run_insmod(update_modules_t, update_modules_roles) + miscfiles_read_localization(update_modules_t) + +-modutils_run_insmod(update_modules_t, update_modules_roles) ++#modutils_run_insmod(update_modules_t, update_modules_roles) -userdom_use_user_terminals(update_modules_t) +userdom_use_inherited_user_terminals(update_modules_t) @@ -81646,7 +82127,7 @@ index 72c746e..fa210cd 100644 +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..52e78b8 100644 +index 4584457..4881d86 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,12 @@ interface(`mount_domtrans',` 
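Review bot: In modutils.te the `modutils_run_insmod(update_modules_t, update_modules_roles)` line is only turned into a comment (`+#modutils_run_insmod(…)`), with no `modutils_domtrans_insmod(update_modules_t)` in its place, whereas the equivalent edits to iptables.te and mount.te elsewhere in this diff replaced the `_run` call with a `_domtrans` call. As written, update_modules_t only gains its transition into insmod_t when some caller invokes the new `modutils_run_update_mods(…, role)`, so an update-modules run started from init in system_r would appear to lose the module-loading transition. Add `modutils_domtrans_insmod(update_modules_t)` next to the commented line, or delete the comment if the transition is intentionally dropped; only the tail of the update_modules section is visible here.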
@@ -81662,10 +82143,46 @@ index 4584457..52e78b8 100644 ') ######################################## -@@ -47,6 +53,54 @@ interface(`mount_run',` +@@ -38,11 +44,84 @@ interface(`mount_domtrans',` + # + interface(`mount_run',` + gen_require(` +- attribute_role mount_roles; ++ #attribute_role mount_roles; ++ type mount_t; + ') - ######################################## - ## ++ #mount_domtrans($1) ++ #roleattribute $2 mount_roles; ++ + mount_domtrans($1) +- roleattribute $2 mount_roles; ++ role $2 types mount_t; ++ ++ optional_policy(` ++ fstools_run(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ lvm_run(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ modutils_run_insmod(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ rpc_run_rpcd(mount_t, $2) ++ ') ++ ++ optional_policy(` ++ samba_run_smbmount(mount_t, $2) ++ ') ++ ++') ++ ++######################################## ++## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. @@ -81710,14 +82227,10 @@ index 4584457..52e78b8 100644 + + allow $1 mount_var_run_t:file read_file_perms; + files_search_pids($1) -+') -+ -+######################################## -+## - ## Execute mount in the caller domain. - ## - ## -@@ -91,7 +145,7 @@ interface(`mount_signal',` + ') + + ######################################## +@@ -91,7 +170,7 @@ interface(`mount_signal',` ## ## ## @@ -81726,7 +82239,7 @@ index 4584457..52e78b8 100644 ## ## # -@@ -131,45 +185,119 @@ interface(`mount_send_nfs_client_request',` +@@ -131,45 +210,119 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -81863,19 +82376,34 @@ index 4584457..52e78b8 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6d3b14b..cc76452 100644 +index 6d3b14b..3eddba2 100644 --- a/policy/modules/system/mount.te 
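Review bot: `mount_run` now grants `rpc_run_rpcd(mount_t, $2)` to every caller role, but the mount.te change further down this diff comments out the whole `rpc_run_rpcd(mount_t, mount_roles)` block instead of replacing it with `rpc_domtrans_rpcd(mount_t)` the way the lvm, fstools, modutils and samba calls were converted, so the interface and the type enforcement file disagree on whether mount_t transitions to rpcd_t in system_r at all. Either add `rpc_domtrans_rpcd(mount_t)` in mount.te or drop the `rpc_run_rpcd` block from `mount_run`. Each nested `_run` here (fstools, lvm, insmod, rpcd, smbmount) widens any role that receives `mount_run` to those helper domains, which the interface header above the hunk should list. The `#mount_domtrans($1)` and `#roleattribute $2 mount_roles;` comment lines are dead and should be removed.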
+++ b/policy/modules/system/mount.te -@@ -20,25 +20,41 @@ type mount_exec_t; - init_system_domain(mount_t, mount_exec_t) - role mount_roles types mount_t; +@@ -10,35 +10,52 @@ policy_module(mount, 1.14.2) + ## Allow the mount command to mount any directory or file. + ##

+ ## +-gen_tunable(allow_mount_anyfile, false) ++gen_tunable(mount_anyfile, false) + +-attribute_role mount_roles; +-roleattribute system_r mount_roles; ++#attribute_role mount_roles; ++#roleattribute system_r mount_roles; + type mount_t; + type mount_exec_t; + init_system_domain(mount_t, mount_exec_t) +-role mount_roles types mount_t; ++#role mount_roles types mount_t; ++role system_r types mount_t; ++ +type fusermount_exec_t; +domain_entry_file(mount_t, fusermount_exec_t) + +typealias mount_t alias mount_ntfs_t; +typealias mount_exec_t alias mount_ntfs_exec_t; -+ + type mount_loopback_t; # customizable files_type(mount_loopback_t) +typealias mount_loopback_t alias mount_loop_t; @@ -81915,7 +82443,7 @@ index 6d3b14b..cc76452 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -49,9 +65,24 @@ can_exec(mount_t, mount_exec_t) +@@ -49,9 +66,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -81941,7 +82469,7 @@ index 6d3b14b..cc76452 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -60,31 +91,46 @@ kernel_request_load_module(mount_t) +@@ -60,31 +92,46 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -81991,7 +82519,7 @@ index 6d3b14b..cc76452 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -92,28 +138,39 @@ files_list_mnt(mount_t) +@@ -92,28 +139,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -82037,7 +82565,7 @@ index 6d3b14b..cc76452 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,6 +178,8 @@ auth_use_nsswitch(mount_t) +@@ -121,6 +179,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) 
@@ -82046,7 +82574,7 @@ index 6d3b14b..cc76452 100644 logging_send_syslog_msg(mount_t) -@@ -131,6 +190,8 @@ sysnet_use_portmap(mount_t) +@@ -131,6 +191,8 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -82055,15 +82583,16 @@ index 6d3b14b..cc76452 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +207,28 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +208,28 @@ ifdef(`distro_ubuntu',` ') ') -+corecmd_exec_shell(mount_t) -+ - tunable_policy(`allow_mount_anyfile',` +-tunable_policy(`allow_mount_anyfile',` - files_list_non_auth_dirs(mount_t) - files_read_non_auth_files(mount_t) ++corecmd_exec_shell(mount_t) ++ ++tunable_policy(`mount_anyfile',` + files_read_non_security_files(mount_t) files_mounton_non_security(mount_t) + files_rw_all_inherited_files(mount_t) @@ -82094,7 +82623,7 @@ index 6d3b14b..cc76452 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +242,8 @@ optional_policy(` +@@ -179,6 +243,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -82103,7 +82632,7 @@ index 6d3b14b..cc76452 100644 ') optional_policy(` -@@ -186,6 +251,28 @@ optional_policy(` +@@ -186,6 +252,28 @@ optional_policy(` ') optional_policy(` @@ -82132,7 +82661,7 @@ index 6d3b14b..cc76452 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -193,21 +280,92 @@ optional_policy(` +@@ -193,21 +281,96 @@ optional_policy(` ') ') 
@@ -82142,25 +82671,28 @@ index 6d3b14b..cc76452 100644 + +# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 +optional_policy(` -+ lvm_run(mount_t, mount_roles) ++# lvm_run(mount_t, mount_roles) ++ lvm_domtrans(mount_t) +') + +optional_policy(` -+ modutils_run_insmod(mount_t, mount_roles) ++ #modutils_run_insmod(mount_t, mount_roles) ++ modutils_domtrans_insmod(mount_t) + modutils_read_module_deps(mount_t) +') + +optional_policy(` -+ fstools_run(mount_t, mount_roles) ++ fstools_domtrans(mount_t) ++ #fstools_run(mount_t, mount_roles) +') + +optional_policy(` + rhcs_stream_connect_gfs_controld(mount_t) +') + -+optional_policy(` -+ rpc_run_rpcd(mount_t, mount_roles) -+') ++#optional_policy(` ++# rpc_run_rpcd(mount_t, mount_roles) ++#') + # for kernel package installation optional_policy(` @@ -82169,8 +82701,10 @@ index 6d3b14b..cc76452 100644 ') optional_policy(` +- samba_run_smbmount(mount_t, mount_roles) + samba_read_config(mount_t) - samba_run_smbmount(mount_t, mount_roles) ++ samba_domtrans_smbmount(mount_t) ++ #samba_run_smbmount(mount_t, mount_roles) ') -######################################## @@ -82180,20 +82714,20 @@ index 6d3b14b..cc76452 100644 +optional_policy(` + ssh_exec(mount_t) +') -+ -+optional_policy(` + + optional_policy(` +- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) +- unconfined_domain(unconfined_mount_t) + usbmuxd_stream_connect(mount_t) -+') + ') + +optional_policy(` + userhelper_exec_console(mount_t) +') - - optional_policy(` -- files_etc_filetrans_etc_runtime(unconfined_mount_t, file) -- unconfined_domain(unconfined_mount_t) ++ ++optional_policy(` + virt_read_blk_images(mount_t) - ') ++') + +optional_policy(` + vmware_exec_host(mount_t) @@ -82302,10 +82836,35 @@ index d43f3b1..5858c5f 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) 
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 3822072..a853819 100644 +index 3822072..a783cb1 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if -@@ -359,6 +359,27 @@ interface(`seutil_exec_restorecon',` +@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` + # + interface(`seutil_run_newrole',` + gen_require(` +- attribute_role newrole_roles; ++ type newrole_t; ++ #attribute_role newrole_roles; + ') + ++ #seutil_domtrans_newrole($1) ++ #roleattribute $2 newrole_roles; ++ + seutil_domtrans_newrole($1) +- roleattribute $2 newrole_roles; ++ role $2 types newrole_t; ++ ++ auth_run_upd_passwd(newrole_t, $2) ++ ++ optional_policy(` ++ namespace_init_run(newrole_t, $2) ++ ') ++ + ') + + ######################################## +@@ -359,6 +370,27 @@ interface(`seutil_exec_restorecon',` ######################################## ## 
@@ -82333,7 +82892,54 @@ index 3822072..a853819 100644 ## Execute run_init in the run_init domain. ## ## -@@ -535,6 +556,53 @@ interface(`seutil_run_setfiles',` +@@ -425,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',` + # + interface(`seutil_run_runinit',` + gen_require(` +- attribute_role run_init_roles; ++ #attribute_role run_init_roles; ++ type run_init_t; ++ role system_r; + ') + +- seutil_domtrans_runinit($1) +- roleattribute $2 run_init_roles; ++ #seutil_domtrans_runinit($1) ++ #roleattribute $2 run_init_roles; ++ ++ auth_run_chk_passwd(run_init_t, $2) ++ seutil_domtrans_runinit($1) ++ role $2 types run_init_t; ++ ++ allow $2 system_r; ++ + ') + + ######################################## +@@ -461,11 +502,19 @@ interface(`seutil_run_runinit',` + # + interface(`seutil_init_script_run_runinit',` + gen_require(` +- attribute_role run_init_roles; ++ #attribute_role run_init_roles; ++ type run_init_t; ++ role system_r; + ') + +- seutil_init_script_domtrans_runinit($1) +- roleattribute $2 run_init_roles; ++ #seutil_init_script_domtrans_runinit($1) ++ #roleattribute $2 run_init_roles; ++ auth_run_chk_passwd(run_init_t, $2) ++ seutil_init_script_domtrans_runinit($1) ++ role $2 types run_init_t; ++ ++ allow $2 system_r; ++ + ') + + ######################################## +@@ -535,6 +584,53 @@ interface(`seutil_run_setfiles',` ######################################## ## @@ -82387,7 +82993,7 @@ index 3822072..a853819 100644 ## Execute setfiles in the caller domain. ## ## -@@ -680,6 +748,7 @@ interface(`seutil_manage_config',` +@@ -680,6 +776,7 @@ interface(`seutil_manage_config',` ') files_search_etc($1) 
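Review bot: `seutil_run_runinit` and `seutil_init_script_run_runinit` each now carry `allow $2 system_r;`, a role-change grant that lets any role handed run_init move into system_r; it reproduces the old `allow run_init_roles system_r;` rule, but since it is now issued per caller the interface headers (outside this hunk) should say so, e.g. `## The role is also allowed to change to system_r, which run_init requires.` Both interfaces repeat the same body (`auth_run_chk_passwd(run_init_t, $2)`, the domtrans, `role $2 types run_init_t;`, the system_r grant); factor the shared part out rather than maintaining two copies, and delete the commented-out `#seutil_domtrans_runinit($1)` / `#roleattribute` lines, which are dead.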
@@ -82395,7 +83001,7 @@ index 3822072..a853819 100644 manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -746,6 +815,29 @@ interface(`seutil_read_default_contexts',` +@@ -746,6 +843,29 @@ interface(`seutil_read_default_contexts',` read_files_pattern($1, default_context_t, default_context_t) ') @@ -82425,7 +83031,7 @@ index 3822072..a853819 100644 ######################################## ## ## Create, read, write, and delete the default_contexts files. -@@ -999,6 +1091,26 @@ interface(`seutil_domtrans_semanage',` +@@ -999,6 +1119,26 @@ interface(`seutil_domtrans_semanage',` ######################################## ## @@ -82452,10 +83058,28 @@ index 3822072..a853819 100644 ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1026,6 +1138,54 @@ interface(`seutil_run_semanage',` +@@ -1017,11 +1157,66 @@ interface(`seutil_domtrans_semanage',` + # + interface(`seutil_run_semanage',` + gen_require(` +- attribute_role semanage_roles; ++ #attribute_role semanage_roles; ++ type semanage_t; + ') - ######################################## - ## ++ #seutil_domtrans_semanage($1) ++ #roleattribute $2 semanage_roles; ++ + seutil_domtrans_semanage($1) +- roleattribute $2 semanage_roles; ++ seutil_run_setfiles(semanage_t, $2) ++ seutil_run_loadpolicy(semanage_t, $2) ++ role $2 types semanage_t; ++ ++') ++ ++######################################## ++## +## Execute setsebool in the semanage domain, and +## allow the specified role the semanage domain, +## and use the caller's terminal. 
@@ -82500,14 +83124,10 @@ index 3822072..a853819 100644 + files_search_etc($1) + list_dirs_pattern($1, selinux_config_t, semanage_store_t) + read_files_pattern($1, semanage_store_t, semanage_store_t) -+') -+ -+######################################## -+## - ## Full management of the semanage - ## module store. - ## -@@ -1137,3 +1297,107 @@ interface(`seutil_dontaudit_libselinux_linked',` + ') + + ######################################## +@@ -1137,3 +1332,107 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -82616,18 +83236,31 @@ index 3822072..a853819 100644 + auth_relabelto_shadow($1) +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc0c03b..2aee0c0 100644 +index dc0c03b..03121df 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te -@@ -11,6 +11,8 @@ gen_require(` +@@ -11,14 +11,16 @@ gen_require(` attribute can_write_binary_policy; attribute can_relabelto_binary_policy; +attribute setfiles_domain; +attribute seutil_semanage_domain; - attribute_role newrole_roles; +-attribute_role newrole_roles; ++#attribute_role newrole_roles; + +-attribute_role run_init_roles; +-role system_r types run_init_t; ++#attribute_role run_init_roles; ++#role system_r types run_init_t; +-attribute_role semanage_roles; +-roleattribute system_r semanage_roles; ++#attribute_role semanage_roles; ++#roleattribute system_r semanage_roles; + + # + # selinux_config_t is the type applied to @@ -30,6 +32,9 @@ roleattribute system_r semanage_roles; type selinux_config_t; files_type(selinux_config_t) 
@@ -82638,7 +83271,15 @@ index dc0c03b..2aee0c0 100644 type checkpolicy_t, can_write_binary_policy; type checkpolicy_exec_t; application_domain(checkpolicy_t, checkpolicy_exec_t) -@@ -66,8 +71,13 @@ role newrole_roles types newrole_t; +@@ -60,14 +65,20 @@ application_domain(newrole_t, newrole_exec_t) + domain_role_change_exemption(newrole_t) + domain_obj_id_change_exemption(newrole_t) + domain_interactive_fd(newrole_t) +-role newrole_roles types newrole_t; ++#role newrole_roles types newrole_t; ++role system_r types newrole_t; + + # # policy_config_t is the type of /etc/security/selinux/* # the security server policy configuration. # @@ -82654,7 +83295,7 @@ index dc0c03b..2aee0c0 100644 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; #neverallow ~can_write_binary_policy policy_config_t:file { write append }; -@@ -83,7 +93,6 @@ type restorecond_t; +@@ -83,7 +94,6 @@ type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t, restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) 
@@ -82662,19 +83303,28 @@ index dc0c03b..2aee0c0 100644 type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) -@@ -97,20 +106,26 @@ role run_init_roles types run_init_t; +@@ -92,25 +102,33 @@ type run_init_t; + type run_init_exec_t; + application_domain(run_init_t, run_init_exec_t) + domain_system_change_exemption(run_init_t) +-role run_init_roles types run_init_t; ++#role run_init_roles types run_init_t; ++role system_r types run_init_t; + type semanage_t; type semanage_exec_t; application_domain(semanage_t, semanage_exec_t) +dbus_system_domain(semanage_t, semanage_exec_t) +init_daemon_domain(semanage_t, semanage_exec_t) domain_interactive_fd(semanage_t) - role semanage_roles types semanage_t; - +-role semanage_roles types semanage_t; ++#role semanage_roles types semanage_t; ++role system_r types semanage_t; ++ +type setsebool_t; +type setsebool_exec_t; +init_system_domain(setsebool_t, setsebool_exec_t) -+ + type semanage_store_t; files_type(semanage_store_t) @@ -82692,7 +83342,7 @@ index dc0c03b..2aee0c0 100644 type semanage_var_lib_t; files_type(semanage_var_lib_t) -@@ -120,6 +135,11 @@ type setfiles_exec_t alias restorecon_exec_t; +@@ -120,6 +138,11 @@ type setfiles_exec_t alias restorecon_exec_t; init_system_domain(setfiles_t, setfiles_exec_t) domain_obj_id_change_exemption(setfiles_t) @@ -82704,7 +83354,7 @@ index dc0c03b..2aee0c0 100644 ######################################## # # Checkpolicy local policy -@@ -151,7 +171,7 @@ term_use_console(checkpolicy_t) +@@ -151,7 +174,7 @@ term_use_console(checkpolicy_t) init_use_fds(checkpolicy_t) init_use_script_ptys(checkpolicy_t) @@ -82713,7 +83363,7 @@ index dc0c03b..2aee0c0 100644 userdom_use_all_users_fds(checkpolicy_t) ifdef(`distro_ubuntu',` -@@ -188,13 +208,15 @@ term_list_ptys(load_policy_t) +@@ -188,13 +211,15 @@ term_list_ptys(load_policy_t) init_use_script_fds(load_policy_t) init_use_script_ptys(load_policy_t) 
@@ -82730,7 +83380,7 @@ index dc0c03b..2aee0c0 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -220,7 +242,7 @@ optional_policy(` +@@ -220,7 +245,7 @@ optional_policy(` # Newrole local policy # @@ -82739,7 +83389,7 @@ index dc0c03b..2aee0c0 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -232,7 +254,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -232,7 +257,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -82748,7 +83398,7 @@ index dc0c03b..2aee0c0 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -249,6 +271,7 @@ domain_use_interactive_fds(newrole_t) +@@ -249,6 +274,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -82756,7 +83406,21 @@ index dc0c03b..2aee0c0 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -285,16 +308,29 @@ auth_rw_faillog(newrole_t) +@@ -276,25 +302,39 @@ term_relabel_all_ptys(newrole_t) + term_getattr_unallocated_ttys(newrole_t) + term_dontaudit_use_unallocated_ttys(newrole_t) + +-auth_use_nsswitch(newrole_t) +-auth_run_chk_passwd(newrole_t, newrole_roles) +-auth_run_upd_passwd(newrole_t, newrole_roles) +-auth_rw_faillog(newrole_t) ++#auth_use_nsswitch(newrole_t) ++#auth_run_chk_passwd(newrole_t, newrole_roles) ++#auth_run_upd_passwd(newrole_t, newrole_roles) ++#auth_rw_faillog(newrole_t) ++auth_use_pam(newrole_t) + + # Write to utmp. init_rw_utmp(newrole_t) init_use_fds(newrole_t) 
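Review bot: `auth_use_pam(newrole_t)` replaces the explicit `auth_run_chk_passwd(newrole_t, newrole_roles)` and `auth_run_upd_passwd` calls, while the interface side of this diff (`seutil_run_newrole`) adds only `auth_run_upd_passwd(newrole_t, $2)`; unless `auth_use_pam` already authorizes the caller's role for chkpwd_t, a newrole started from a user role can no longer transition into the password-checking domain, turning the authentication step into a denial rather than a check. Please confirm what `auth_use_pam` expands to, and if it does not cover the role, add `auth_run_chk_passwd(newrole_t, $2)` beside the upd_passwd call in `seutil_run_newrole`. `auth_rw_faillog(newrole_t)` is also reduced to a comment here; the original rule suggests newrole writes the failure log, so it should be restored unless `auth_use_pam` provides it. The four `#auth_…` lines are dead and should be deleted rather than kept.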
@@ -82776,9 +83440,9 @@ index dc0c03b..2aee0c0 100644 + dbus_system_bus_client(newrole_t) +') + -+optional_policy(` -+ namespace_init_run(newrole_t, newrole_roles) -+') ++#optional_policy(` ++# namespace_init_run(newrole_t, newrole_roles) ++#') + + +optional_policy(` @@ -82788,7 +83452,16 @@ index dc0c03b..2aee0c0 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -328,9 +364,13 @@ kernel_use_fds(restorecond_t) +@@ -309,7 +349,7 @@ if(secure_mode) { + userdom_spec_domtrans_all_users(newrole_t) + } + +-tunable_policy(`allow_polyinstantiation',` ++tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(newrole_t) + ') + +@@ -328,9 +368,13 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -82803,7 +83476,7 @@ index dc0c03b..2aee0c0 100644 fs_list_inotifyfs(restorecond_t) selinux_validate_context(restorecond_t) -@@ -341,6 +381,7 @@ selinux_compute_user_contexts(restorecond_t) +@@ -341,6 +385,7 @@ selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) files_read_non_auth_files(restorecond_t) @@ -82811,7 +83484,7 @@ index dc0c03b..2aee0c0 100644 auth_use_nsswitch(restorecond_t) locallogin_dontaudit_use_fds(restorecond_t) -@@ -351,6 +392,8 @@ miscfiles_read_localization(restorecond_t) +@@ -351,6 +396,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -82820,7 +83493,13 @@ index dc0c03b..2aee0c0 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -371,16 +414,19 @@ allow run_init_roles system_r; +@@ -366,21 +413,24 @@ optional_policy(` + # Run_init local policy + # + +-allow run_init_roles system_r; ++#allow run_init_roles system_r; + allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; 
@@ -82841,16 +83520,25 @@ index dc0c03b..2aee0c0 100644 dev_dontaudit_list_all_dev_nodes(run_init_t) domain_use_interactive_fds(run_init_t) -@@ -398,6 +444,8 @@ selinux_compute_create_context(run_init_t) +@@ -398,14 +448,23 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) +term_use_console(run_init_t) + ++#auth_use_nsswitch(run_init_t) ++#auth_run_chk_passwd(run_init_t, run_init_roles) ++#auth_run_upd_passwd(run_init_t, run_init_roles) ++#auth_dontaudit_read_shadow(run_init_t) ++ auth_use_nsswitch(run_init_t) - auth_run_chk_passwd(run_init_t, run_init_roles) - auth_run_upd_passwd(run_init_t, run_init_roles) -@@ -406,6 +454,7 @@ auth_dontaudit_read_shadow(run_init_t) +-auth_run_chk_passwd(run_init_t, run_init_roles) +-auth_run_upd_passwd(run_init_t, run_init_roles) ++auth_domtrans_chk_passwd(run_init_t) ++auth_domtrans_upd_passwd(run_init_t) + auth_dontaudit_read_shadow(run_init_t) + ++ init_spec_domtrans_script(run_init_t) # for utmp init_rw_utmp(run_init_t) @@ -82858,7 +83546,7 @@ index dc0c03b..2aee0c0 100644 logging_send_syslog_msg(run_init_t) -@@ -414,7 +463,7 @@ miscfiles_read_localization(run_init_t) +@@ -414,7 +473,7 @@ miscfiles_read_localization(run_init_t) seutil_libselinux_linked(run_init_t) seutil_read_default_contexts(run_init_t) @@ -82867,7 +83555,7 @@ index dc0c03b..2aee0c0 100644 ifndef(`direct_sysadm_daemon',` ifdef(`distro_gentoo',` -@@ -425,6 +474,19 @@ ifndef(`direct_sysadm_daemon',` +@@ -425,6 +484,19 @@ ifndef(`direct_sysadm_daemon',` ') ') @@ -82887,7 +83575,7 @@ index dc0c03b..2aee0c0 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -458,40 +520,15 @@ manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) +@@ -458,172 +530,204 @@ manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t) kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) 
@@ -82913,14 +83601,14 @@ index dc0c03b..2aee0c0 100644 +can_exec(semanage_t, semanage_exec_t) -term_use_all_terms(semanage_t) -+# Admins are creating pp files in random locations -+files_read_non_security_files(semanage_t) - +- -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) -- ++# Admins are creating pp files in random locations ++files_read_non_security_files(semanage_t) + -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) @@ -82928,11 +83616,25 @@ index dc0c03b..2aee0c0 100644 -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) -+ - seutil_run_setfiles(semanage_t, semanage_roles) - seutil_run_loadpolicy(semanage_t, semanage_roles) - seutil_manage_bin_policy(semanage_t) -@@ -505,125 +542,181 @@ seutil_manage_default_contexts(semanage_t) +-seutil_run_setfiles(semanage_t, semanage_roles) +-seutil_run_loadpolicy(semanage_t, semanage_roles) +-seutil_manage_bin_policy(semanage_t) +-seutil_use_newrole_fds(semanage_t) +-seutil_manage_module_store(semanage_t) +-seutil_get_semanage_trans_lock(semanage_t) +-seutil_get_semanage_read_lock(semanage_t) ++seutil_domtrans_setfiles(semanage_t) ++ ++#seutil_run_setfiles(semanage_t, semanage_roles) ++#seutil_run_loadpolicy(semanage_t, semanage_roles) ++#seutil_manage_bin_policy(semanage_t) ++#seutil_use_newrole_fds(semanage_t) ++#seutil_manage_module_store(semanage_t) ++#seutil_get_semanage_trans_lock(semanage_t) ++#seutil_get_semanage_read_lock(semanage_t) + # netfilter_contexts: + seutil_manage_default_contexts(semanage_t) + # Handle pp files created in homedir and /tmp userdom_read_user_home_content_files(semanage_t) userdom_read_user_tmp_files(semanage_t) @@ -83275,10 +83977,60 @@ index 346a7cc..1285089 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) 
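Review bot: semanage_t loses `seutil_run_loadpolicy`, `seutil_manage_bin_policy`, `seutil_use_newrole_fds`, `seutil_manage_module_store` and both `seutil_get_semanage_*_lock` calls and gains only `seutil_domtrans_setfiles(semanage_t)`; unlike the run_init_t and dpkg_t hunks, where each `*_run` is swapped for a `*_domtrans`, there is no `seutil_domtrans_loadpolicy(semanage_t)` here, and the other removed interfaces take no role argument, so the role-attribute rework gives no reason to drop them. Unless the replacement hunk at `@@ -505,125 +542,181 @@` (not on this page) re-grants them, semanage_t can no longer manage the module store, the binary policy or the semanage locks, which would break semanage/semodule running in that domain. Either restore those lines or say in the commit where they are granted again. The semanage_t block continues outside this hunk.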
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 41a1853..7b08f77 100644 +index 41a1853..f79ad37 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if -@@ -271,6 +271,43 @@ interface(`sysnet_delete_dhcpc_state',` +@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` + # + interface(`sysnet_run_dhcpc',` + gen_require(` +- attribute_role dhcpc_roles; ++ type dhcpc_t; ++ #attribute_role dhcpc_roles; + ') + ++ #sysnet_domtrans_dhcpc($1) ++ #roleattribute $2 dhcpc_roles; ++ + sysnet_domtrans_dhcpc($1) +- roleattribute $2 dhcpc_roles; ++ role $2 types dhcpc_t; ++ ++ modutils_run_insmod(dhcpc_t, $2) ++ ++ sysnet_run_ifconfig(dhcpc_t, $2) ++ ++ optional_policy(` ++ hostname_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ netutils_run(dhcpc_t, $2) ++ netutils_run_ping(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ networkmanager_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nis_run_ypbind(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ nscd_run(dhcpc_t, $2) ++ ') ++ ++ optional_policy(` ++ ntp_run(dhcpc_t, $2) ++ ') ++ ++ seutil_run_setfiles(dhcpc_t, $2) ++ + ') + + ######################################## +@@ -271,6 +307,43 @@ interface(`sysnet_delete_dhcpc_state',` delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t) ') @@ -83322,7 +84074,7 @@ index 41a1853..7b08f77 100644 ####################################### ## ## Set the attributes of network config files. -@@ -292,6 +329,44 @@ interface(`sysnet_setattr_config',` +@@ -292,6 +365,44 @@ interface(`sysnet_setattr_config',` ####################################### ## 
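Review bot: `sysnet_run_dhcpc` now grants far more than its name suggests: besides `role $2 types dhcpc_t;` it calls `modutils_run_insmod`, `sysnet_run_ifconfig`, `hostname_run`, `netutils_run`/`netutils_run_ping`, `networkmanager_run`, `nis_run_ypbind`, `nscd_run`, `ntp_run` and `seutil_run_setfiles` with `$2`, so every caller's role is given the types of all those helper domains, some of them only when the optional module happens to be loaded. The interface's doc block above the hunk is unchanged and should state this, e.g. `## Role $2 is also allowed the helper domains dhcpc transitions to (insmod, ifconfig, hostname, netutils, NetworkManager, ypbind, nscd, ntp, setfiles).`, so that a policy author calling it for a new role knows what they are handing out. The commented `#attribute_role dhcpc_roles;` in the `gen_require` and the two commented calls below it should simply be removed.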
@@ -83367,7 +84119,15 @@ index 41a1853..7b08f77 100644 ## Read network config files. ## ## -@@ -433,6 +508,7 @@ interface(`sysnet_manage_config',` +@@ -331,6 +442,7 @@ interface(`sysnet_read_config',` + + ifdef(`distro_redhat',` + allow $1 net_conf_t:dir list_dir_perms; ++ allow $1 net_conf_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, net_conf_t, net_conf_t) + ') + ') +@@ -433,6 +545,7 @@ interface(`sysnet_manage_config',` allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_redhat',` @@ -83375,7 +84135,7 @@ index 41a1853..7b08f77 100644 manage_files_pattern($1, net_conf_t, net_conf_t) ') ') -@@ -471,6 +547,7 @@ interface(`sysnet_delete_dhcpc_pid',` +@@ -471,6 +584,7 @@ interface(`sysnet_delete_dhcpc_pid',` type dhcpc_var_run_t; ') @@ -83383,7 +84143,7 @@ index 41a1853..7b08f77 100644 allow $1 dhcpc_var_run_t:file unlink; ') -@@ -561,6 +638,45 @@ interface(`sysnet_signal_ifconfig',` +@@ -561,6 +675,45 @@ interface(`sysnet_signal_ifconfig',` ######################################## ## @@ -83429,7 +84189,7 @@ index 41a1853..7b08f77 100644 ## Read the DHCP configuration files. ## ## -@@ -673,6 +789,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -673,6 +826,8 @@ interface(`sysnet_dns_name_resolve',` corenet_tcp_connect_dns_port($1) corenet_sendrecv_dns_client_packets($1) @@ -83438,7 +84198,7 @@ index 41a1853..7b08f77 100644 sysnet_read_config($1) optional_policy(` -@@ -714,6 +832,9 @@ interface(`sysnet_use_ldap',` +@@ -714,6 +869,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -83448,7 +84208,7 @@ index 41a1853..7b08f77 100644 ') ######################################## -@@ -747,3 +868,73 @@ interface(`sysnet_use_portmap',` +@@ -747,3 +905,73 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -83523,13 +84283,15 @@ index 41a1853..7b08f77 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') 
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 8aed9d0..2d2b6ef 100644 +index 8aed9d0..6a6f03f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te -@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.13.2) +@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.13.2) # Declarations # +-attribute_role dhcpc_roles; +-roleattribute system_r dhcpc_roles; +## +##

+## Allow dhcpc client applications to execute iptables commands @@ -83537,20 +84299,25 @@ index 8aed9d0..2d2b6ef 100644 +## +gen_tunable(dhcpc_exec_iptables, false) + - attribute_role dhcpc_roles; - roleattribute system_r dhcpc_roles; ++#attribute_role dhcpc_roles; ++#roleattribute system_r dhcpc_roles; -@@ -22,6 +29,9 @@ type dhcpc_exec_t; + # this is shared between dhcpc and dhcpd: + type dhcp_etc_t; +@@ -20,7 +27,11 @@ files_type(dhcp_state_t) + type dhcpc_t; + type dhcpc_exec_t; init_daemon_domain(dhcpc_t, dhcpc_exec_t) - role dhcpc_roles types dhcpc_t; - +-role dhcpc_roles types dhcpc_t; ++#role dhcpc_roles types dhcpc_t; ++role system_r types dhcpc_t; ++ +type dhcpc_helper_exec_t; +init_script_file(dhcpc_helper_exec_t) -+ + type dhcpc_state_t; files_type(dhcpc_state_t) - -@@ -37,17 +47,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) +@@ -37,17 +48,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; type net_conf_t alias resolv_conf_t; @@ -83571,7 +84338,7 @@ index 8aed9d0..2d2b6ef 100644 allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -60,8 +70,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -60,8 +71,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -83583,7 +84350,7 @@ index 8aed9d0..2d2b6ef 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -69,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) +@@ -69,6 +83,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. 
@@ -83592,7 +84359,7 @@ index 8aed9d0..2d2b6ef 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -92,25 +107,28 @@ corecmd_exec_shell(dhcpc_t) +@@ -92,25 +108,28 @@ corecmd_exec_shell(dhcpc_t) corenet_all_recvfrom_unlabeled(dhcpc_t) corenet_all_recvfrom_netlabel(dhcpc_t) @@ -83629,7 +84396,7 @@ index 8aed9d0..2d2b6ef 100644 domain_use_interactive_fds(dhcpc_t) domain_dontaudit_read_all_domains_state(dhcpc_t) -@@ -130,10 +148,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -130,15 +149,21 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -83644,11 +84411,25 @@ index 8aed9d0..2d2b6ef 100644 +miscfiles_read_generic_certs(dhcpc_t) miscfiles_read_localization(dhcpc_t) - modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -158,6 +181,17 @@ optional_policy(` +-modutils_run_insmod(dhcpc_t, dhcpc_roles) ++#modutils_run_insmod(dhcpc_t, dhcpc_roles) ++modutils_domtrans_insmod(dhcpc_t) ++#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) + +-sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) + + userdom_use_user_terminals(dhcpc_t) + userdom_dontaudit_search_user_home_dirs(dhcpc_t) +@@ -153,8 +178,19 @@ ifdef(`distro_ubuntu',` + ') ') ++#optional_policy(` ++# consoletype_run(dhcpc_t, dhcpc_roles) ++#') ++ optional_policy(` +- consoletype_run(dhcpc_t, dhcpc_roles) + chronyd_initrc_domtrans(dhcpc_t) + chronyd_systemctl(dhcpc_t) + chronyd_read_keys(dhcpc_t) 
@@ -83657,13 +84438,17 @@ index 8aed9d0..2d2b6ef 100644 +optional_policy(` + devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) -+') -+ -+optional_policy(` - init_dbus_chat_script(dhcpc_t) + ') - dbus_system_bus_client(dhcpc_t) -@@ -174,6 +208,8 @@ optional_policy(` + optional_policy(` +@@ -169,11 +205,14 @@ optional_policy(` + ') + + optional_policy(` +- hostname_run(dhcpc_t, dhcpc_roles) ++ hostname_domtrans(dhcpc_t) ++# hostname_run(dhcpc_t, dhcpc_roles) + ') optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -83672,7 +84457,19 @@ index 8aed9d0..2d2b6ef 100644 ') optional_policy(` -@@ -195,17 +231,31 @@ optional_policy(` +@@ -187,25 +226,41 @@ optional_policy(` + + # for the dhcp client to run ping to check IP addresses + optional_policy(` +- netutils_run_ping(dhcpc_t, dhcpc_roles) +- netutils_run(dhcpc_t, dhcpc_roles) ++ #netutils_run_ping(dhcpc_t, dhcpc_roles) ++ #netutils_run(dhcpc_t, dhcpc_roles) ++ netutils_domtrans_ping(dhcpc_t) ++ netutils_domtrans(dhcpc_t) + ',` + allow dhcpc_t self:capability setuid; + allow dhcpc_t self:rawip_socket create_socket_perms; ') optional_policy(` @@ -83704,7 +84501,7 @@ index 8aed9d0..2d2b6ef 100644 ') optional_policy(` -@@ -216,6 +266,11 @@ optional_policy(` +@@ -216,6 +271,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -83716,7 +84513,7 @@ index 8aed9d0..2d2b6ef 100644 ') optional_policy(` -@@ -258,6 +313,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -258,6 +318,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; 
@@ -83724,7 +84521,7 @@ index 8aed9d0..2d2b6ef 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,11 +332,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) +@@ -276,11 +337,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) @@ -83742,7 +84539,7 @@ index 8aed9d0..2d2b6ef 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -293,7 +355,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -293,7 +360,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -83751,7 +84548,7 @@ index 8aed9d0..2d2b6ef 100644 init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) -@@ -304,11 +366,11 @@ logging_send_syslog_msg(ifconfig_t) +@@ -304,11 +371,11 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -83766,7 +84563,7 @@ index 8aed9d0..2d2b6ef 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -317,7 +379,22 @@ ifdef(`distro_ubuntu',` +@@ -317,7 +384,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -83789,7 +84586,7 @@ index 8aed9d0..2d2b6ef 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -328,8 +405,14 @@ ifdef(`hide_broken_symptoms',` +@@ -328,8 +410,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -83804,7 +84601,7 @@ index 8aed9d0..2d2b6ef 100644 ') optional_policy(` -@@ -338,7 +421,15 @@ optional_policy(` +@@ -338,7 +426,15 @@ optional_policy(` ') optional_policy(` @@ -83821,7 +84618,7 @@ index 8aed9d0..2d2b6ef 100644 ') optional_policy(` -@@ -359,3 +450,9 @@ optional_policy(` +@@ -359,3 +455,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -83862,10 +84659,10 @@ index 0000000..161f271 +/var/run/initramfs(/.*)? <> 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..0898030 +index 0000000..2497606 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,696 @@ +@@ -0,0 +1,697 @@ +##

SELinux policy for systemd components + +####################################### @@ -84316,6 +85113,7 @@ index 0000000..0898030 + type systemd_passwd_var_run_t; + ') + ++ init_search_pid_dirs($1) + read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) +') + @@ -85510,7 +86308,7 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index db7aabb..6fc471d 100644 +index db7aabb..2ffcae9 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,59 @@ @@ -85565,10 +86363,11 @@ index db7aabb..6fc471d 100644 + domain_mmap_low($1) + + mcs_file_read_all($1) -+ -+ ubac_process_exempt($1) - tunable_policy(`allow_execheap',` +- tunable_policy(`allow_execheap',` ++ ubac_process_exempt($1) ++ ++ tunable_policy(`selinuxuser_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; ') @@ -85580,10 +86379,11 @@ index db7aabb..6fc471d 100644 allow $1 self:process execmem; ') - tunable_policy(`allow_execstack',` +- tunable_policy(`allow_execstack',` - # Allow making the stack executable via mprotect; - # execstack implies execmem; - allow $1 self:process { execstack execmem }; ++ tunable_policy(`selinuxuser_execstack',` + allow $1 self:process execstack; # auditallow $1 self:process execstack; ') @@ -85596,7 +86396,7 @@ index db7aabb..6fc471d 100644 ') optional_policy(` -@@ -122,6 +129,10 @@ interface(`unconfined_domain_noaudit',` +@@ -122,9 +129,13 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` @@ -85606,7 +86406,11 @@ index db7aabb..6fc471d 100644 + unconfined_domain_noaudit($1) - tunable_policy(`allow_execheap',` +- tunable_policy(`allow_execheap',` ++ tunable_policy(`selinuxuser_execheap',` + auditallow $1 self:process execheap; + ') + ') 
@@ -150,7 +161,7 @@ interface(`unconfined_domain',` ## # @@ -86306,7 +87110,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..6afcee9 100644 +index e720dcd..3361868 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -86487,7 +87291,7 @@ index e720dcd..6afcee9 100644 ') - tunable_policy(`allow_execmem && allow_execstack',` -+ tunable_policy(`allow_execstack',` ++ tunable_policy(`selinuxuser_execstack',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -86974,7 +87778,7 @@ index e720dcd..6afcee9 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -575,67 +701,113 @@ template(`userdom_common_user_template',` +@@ -575,71 +701,117 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -87109,6 +87913,11 @@ index e720dcd..6afcee9 100644 ') optional_policy(` +- tunable_policy(`allow_user_mysql_connect',` ++ tunable_policy(`user_mysql_connect',` + mysql_stream_connect($1_t) + ') + ') @@ -651,40 +823,52 @@ template(`userdom_common_user_template',` optional_policy(` @@ -87125,9 +87934,10 @@ index e720dcd..6afcee9 100644 ') optional_policy(` - tunable_policy(`allow_user_postgresql_connect',` +- tunable_policy(`allow_user_postgresql_connect',` - postgresql_stream_connect($1_t) - postgresql_tcp_connect($1_t) ++ tunable_policy(`user_postgresql_connect',` + postgresql_stream_connect($1_usertype) + postgresql_tcp_connect($1_usertype) ') 
@@ -87193,19 +88003,19 @@ index e720dcd..6afcee9 100644 + userdom_manage_tmpfs_role($1_r, $1_usertype) + + ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) ++ gen_tunable($1_exec_content, true) + -+ tunable_policy(`allow_$1_exec_content',` ++ tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) + ') -+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` ++ tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - userdom_exec_user_tmp_files($1_t) - userdom_exec_user_home_content_files($1_t) -+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` ++ tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') + ') @@ -90069,10 +90879,10 @@ index e720dcd..6afcee9 100644 + typeattribute $1 userdom_home_manager_type; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 47efe9a..6b27e9c 100644 +index 47efe9a..55dc5cc 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te -@@ -7,7 +7,7 @@ policy_module(userdomain, 4.7.2) +@@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2) ## ##
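Review bot: `gen_tunable($1_exec_content, true)` keeps the default at `true` while the boolean is renamed from `allow_$1_exec_content`, so a site that had persisted `allow_user_exec_content=off` (or the staff/sysadm variants) to stop users executing home and /tmp content silently gets that hardening undone on upgrade, because the stored value no longer matches any declared boolean. Renamed booleans whose default is `false` fail loudly (the feature stops working); this one fails open. The rename needs a migration step at package-upgrade time that copies each old `allow_*` value to its new name, or a transitional alias, and the changelog should list the old-to-new pairs so administrators can check their local settings.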

@@ -90080,7 +90890,19 @@ index 47efe9a..6b27e9c 100644 +## Allow users to connect to the local mysql server ##

##
- gen_tunable(allow_user_mysql_connect, false) +-gen_tunable(allow_user_mysql_connect, false) ++gen_tunable(user_mysql_connect, false) + + ## + ##

+ ## Allow users to connect to PostgreSQL + ##

+ ##
+-gen_tunable(allow_user_postgresql_connect, false) ++gen_tunable(user_postgresql_connect, false) + + ## + ##

@@ -43,12 +43,27 @@ gen_tunable(user_rw_noexattrfile, false) ## @@ -90181,7 +91003,7 @@ index 47efe9a..6b27e9c 100644 +userdom_user_home_content(home_cert_t) +ubac_constrained(home_cert_t) + -+tunable_policy(`allow_console_login',` ++tunable_policy(`login_console_enabled',` + term_use_console(userdomain) +') + diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index bd356c1..28dd5c1 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -316,7 +316,7 @@ index 0b827c5..ac79ca6 100644 + dontaudit $1 abrt_t:sock_file write; ') diff --git a/abrt.te b/abrt.te -index 30861ec..4ca892f 100644 +index 30861ec..cb6f88a 100644 --- a/abrt.te +++ b/abrt.te @@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) @@ -481,7 +481,7 @@ index 30861ec..4ca892f 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +203,26 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +203,30 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -501,20 +501,23 @@ index 30861ec..4ca892f 100644 +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +') - - optional_policy(` -- dbus_system_domain(abrt_t, abrt_exec_t) ++ ++optional_policy(` + apache_list_modules(abrt_t) + apache_read_modules(abrt_t) ++') + + optional_policy(` + dbus_system_domain(abrt_t, abrt_exec_t) ') optional_policy(` - nis_use_ypbind(abrt_t) -+ dbus_system_domain(abrt_t, abrt_exec_t) ++ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t) ') optional_policy(` -@@ -167,6 +243,7 @@ optional_policy(` +@@ -167,6 +247,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -522,7 +525,7 @@ index 30861ec..4ca892f 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,9 +255,32 @@ optional_policy(` +@@ -178,9 +259,32 @@ optional_policy(` ') optional_policy(` 
@@ -555,7 +558,7 @@ index 30861ec..4ca892f 100644 ######################################## # # abrt--helper local policy -@@ -200,23 +300,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +304,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -584,7 +587,7 @@ index 30861ec..4ca892f 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +323,146 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +327,146 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -592,7 +595,7 @@ index 30861ec..4ca892f 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') -+') + ') + +ifdef(`hide_broken_symptoms',` + gen_require(` @@ -717,7 +720,7 @@ index 30861ec..4ca892f 100644 + +optional_policy(` + unconfined_domain(abrt_watch_log_t) - ') ++') + +####################################### +# @@ -2450,7 +2453,7 @@ index 6480167..d0bf548 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index a36a01d..a5457d4 100644 +index a36a01d..777623e 100644 --- a/apache.te +++ b/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2) @@ -2462,14 +2465,27 @@ index a36a01d..a5457d4 100644 ## ##

## Allow Apache to modify public files -@@ -36,6 +38,27 @@ gen_tunable(allow_httpd_mod_auth_pam, false) +@@ -25,14 +27,35 @@ policy_module(apache, 2.3.2) + ## be labeled public_content_rw_t. + ##

+ ##
+-gen_tunable(allow_httpd_anon_write, false) ++gen_tunable(httpd_anon_write, false) ## ##

+ ## Allow Apache to use mod_auth_pam + ##

+ ##
+-gen_tunable(allow_httpd_mod_auth_pam, false) ++gen_tunable(httpd_mod_auth_pam, false) ++ ++## ++##

+## Allow Apache to use mod_auth_ntlm_winbind +##

+##
-+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) ++gen_tunable(httpd_mod_auth_ntlm_winbind, false) + +## +##

@@ -2484,12 +2500,9 @@ index a36a01d..a5457d4 100644 +##

+##
+gen_tunable(httpd_manage_ipa, false) -+ -+## -+##

- ## Allow httpd to use built in scripting (usually php) - ##

- ##
+ + ## + ##

@@ -50,6 +73,20 @@ gen_tunable(httpd_can_network_connect, false) ## @@ -2639,7 +2652,7 @@ index a36a01d..a5457d4 100644 +## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t. +##

+##
-+gen_tunable(allow_httpd_sys_script_anon_write, false) ++gen_tunable(httpd_sys_script_anon_write, false) + +## +##

@@ -2865,12 +2878,13 @@ index a36a01d..a5457d4 100644 userdom_use_unpriv_users_fds(httpd_t) +-tunable_policy(`allow_httpd_anon_write',` +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; + allow httpd_t self:capability sys_resource; +') + - tunable_policy(`allow_httpd_anon_write',` ++tunable_policy(`httpd_anon_write',` miscfiles_manage_public_files(httpd_t) ') @@ -2878,14 +2892,15 @@ index a36a01d..a5457d4 100644 # # We need optionals to be able to be within booleans to make this work # - tunable_policy(`allow_httpd_mod_auth_pam',` +-tunable_policy(`allow_httpd_mod_auth_pam',` - auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) ') + +optional_policy(` -+ tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` ++ tunable_policy(`httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) + ') ') @@ -2934,7 +2949,7 @@ index a36a01d..a5457d4 100644 + can_exec(httpd_sys_script_t, httpd_sys_content_t) +') + -+tunable_policy(`allow_httpd_sys_script_anon_write',` ++tunable_policy(`httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) ') @@ -3594,7 +3609,7 @@ index a36a01d..a5457d4 100644 +miscfiles_read_localization(httpd_script_type) +allow httpd_script_type httpd_sys_content_t:dir search_dir_perms; + -+tunable_policy(`httpd_enable_cgi && allow_ypbind',` ++tunable_policy(`httpd_enable_cgi && nis_enabled',` + nis_use_ypbind_uncond(httpd_script_type) +') + @@ -9442,10 +9457,10 @@ index 0000000..40415f8 + diff --git a/collectd.te b/collectd.te new file mode 100644 -index 0000000..e7ca6fc +index 0000000..6cefd75 --- /dev/null +++ b/collectd.te -@@ -0,0 +1,88 @@ +@@ -0,0 +1,91 @@ +policy_module(collectd, 1.0.0) + +######################################## 
@@ -9482,8 +9497,8 @@ index 0000000..e7ca6fc +# collectd local policy +# + -+allow collectd_t self:capability ipc_lock; -+allow collectd_t self:process { signal fork }; ++allow collectd_t self:capability { ipc_lock sys_nice }; ++allow collectd_t self:process { getsched setsched signal fork }; + +allow collectd_t self:fifo_file rw_fifo_file_perms; +allow collectd_t self:packet_socket create_socket_perms; @@ -9534,6 +9549,9 @@ index 0000000..e7ca6fc + miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) +') + ++optional_policy(` ++ virt_read_config(collectd_t) ++') diff --git a/colord.fc b/colord.fc index 78b2fea..ef975ac 100644 --- a/colord.fc @@ -11855,7 +11873,7 @@ index 6e12dc7..bd94df7 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/cron.te b/cron.te -index b357856..4545fb1 100644 +index b357856..de056ab 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -12090,6 +12108,15 @@ index b357856..4545fb1 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` +@@ -241,7 +282,7 @@ ifdef(`distro_redhat', ` + ') + ') + +-tunable_policy(`allow_polyinstantiation',` ++tunable_policy(`polyinstantiation_enabled',` + files_polyinstantiate_all(crond_t) + ') + @@ -250,11 +291,27 @@ tunable_policy(`fcron_crond', ` ') @@ -13236,9 +13263,18 @@ index c43ff4c..5da88b5 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) diff --git a/cvs.te b/cvs.te -index 88e7e97..fdfbb2c 100644 +index 88e7e97..1c723fb 100644 --- a/cvs.te +++ b/cvs.te +@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0) + ## Allow cvs daemon to read shadow + ##
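Review bot: `allow collectd_t self:capability { ipc_lock sys_nice };` and `self:process { getsched setsched signal fork };` widen collectd_t with no comment saying which plugin or code path needs scheduler control, and the grant has nothing to do with the boolean rename this commit describes. A why-comment above the allow, e.g. `# TODO(review): name the collectd plugin that needs sys_nice/setsched`, would let a later reviewer decide whether it can be reduced to a dontaudit. The `virt_read_config(collectd_t)` added in the following hunk is likewise undocumented and belongs in its own changelog entry.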

+ ##
+-gen_tunable(allow_cvs_read_shadow, false) ++gen_tunable(cvs_read_shadow, false) + + type cvs_t; + type cvs_exec_t; @@ -35,12 +35,12 @@ files_pid_file(cvs_var_run_t) # Local policy # @@ -13262,6 +13298,15 @@ index 88e7e97..fdfbb2c 100644 logging_send_syslog_msg(cvs_t) logging_send_audit_msgs(cvs_t) +@@ -90,7 +92,7 @@ mta_send_mail(cvs_t) + + # cjp: typeattribute doesnt work in conditionals yet + auth_can_read_shadow_passwords(cvs_t) +-tunable_policy(`allow_cvs_read_shadow',` ++tunable_policy(`cvs_read_shadow',` + allow cvs_t self:capability dac_override; + auth_tunable_read_shadow(cvs_t) + ') @@ -112,4 +114,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) 
@@ -16744,6 +16789,163 @@ index 2df7766..ef8b0d7 100644 + # Handle sieve scripts + sendmail_domtrans(dovecot_deliver_t) ') +diff --git a/dpkg.if b/dpkg.if +index 4d32b42..78736d8 100644 +--- a/dpkg.if ++++ b/dpkg.if +@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',` + # + interface(`dpkg_run',` + gen_require(` +- attribute_role dpkg_roles; ++ #attribute_role dpkg_roles; ++ type dpkg_t, dpkg_script_t; + ') + ++ #dpkg_domtrans($1) ++ #roleattribute $2 dpkg_roles; ++ + dpkg_domtrans($1) +- roleattribute $2 dpkg_roles; ++ role $2 types dpkg_t; ++ role $2 types dpkg_script_t; ++ seutil_run_loadpolicy(dpkg_script_t, $2) ++ + ') + + ######################################## +diff --git a/dpkg.te b/dpkg.te +index a1b8f92..71ee186 100644 +--- a/dpkg.te ++++ b/dpkg.te +@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1) + # Declarations + # + +-attribute_role dpkg_roles; +-roleattribute system_r dpkg_roles; ++#attribute_role dpkg_roles; ++#roleattribute system_r dpkg_roles; + + type dpkg_t; + type dpkg_exec_t; +@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t) + domain_role_change_exemption(dpkg_t) + domain_system_change_exemption(dpkg_t) + domain_interactive_fd(dpkg_t) +-role dpkg_roles types dpkg_t; ++#role dpkg_roles types dpkg_t; ++role system_r types dpkg_t; + + # lockfile + type dpkg_lock_t; +@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t) + domain_obj_id_change_exemption(dpkg_script_t) + domain_system_change_exemption(dpkg_script_t) + domain_interactive_fd(dpkg_script_t) +-role dpkg_roles types dpkg_script_t; ++#role dpkg_roles types dpkg_script_t; ++role system_r types dpkg_script_t; + + type dpkg_script_tmp_t; + files_tmp_file(dpkg_script_tmp_t) +@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t) + init_domtrans_script(dpkg_t) + init_use_script_ptys(dpkg_t) + ++#libs_exec_ld_so(dpkg_t) ++#libs_exec_lib_files(dpkg_t) ++#libs_run_ldconfig(dpkg_t, dpkg_roles) + libs_exec_ld_so(dpkg_t) + libs_exec_lib_files(dpkg_t) +-libs_run_ldconfig(dpkg_t, dpkg_roles) 
++libs_domtrans_ldconfig(dpkg_t) + + logging_send_syslog_msg(dpkg_t) + +@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t) + files_read_etc_runtime_files(dpkg_t) + files_exec_usr_files(dpkg_t) + miscfiles_read_localization(dpkg_t) +-modutils_run_depmod(dpkg_t, dpkg_roles) +-modutils_run_insmod(dpkg_t, dpkg_roles) +-seutil_run_loadpolicy(dpkg_t, dpkg_roles) +-seutil_run_setfiles(dpkg_t, dpkg_roles) ++#modutils_run_depmod(dpkg_t, dpkg_roles) ++#modutils_run_insmod(dpkg_t, dpkg_roles) ++#seutil_run_loadpolicy(dpkg_t, dpkg_roles) ++#seutil_run_setfiles(dpkg_t, dpkg_roles) + userdom_use_all_users_fds(dpkg_t) + optional_policy(` + mta_send_mail(dpkg_t) + ') ++ ++ + optional_policy(` +- usermanage_run_groupadd(dpkg_t, dpkg_roles) +- usermanage_run_useradd(dpkg_t, dpkg_roles) ++ modutils_domtrans_depmod(dpkg_t) ++ modutils_domtrans_insmod(dpkg_t) ++ seutil_domtrans_loadpolicy(dpkg_t) ++ seutil_domtrans_setfiles(dpkg_t) ++ usermanage_domtrans_groupadd(dpkg_t) ++ usermanage_domtrans_useradd(dpkg_t) + ') + ++#optional_policy(` ++# usermanage_run_groupadd(dpkg_t, dpkg_roles) ++# usermanage_run_useradd(dpkg_t, dpkg_roles) ++#') ++ + ######################################## + # + # dpkg-script Local policy +@@ -302,15 +318,15 @@ logging_send_syslog_msg(dpkg_script_t) + + miscfiles_read_localization(dpkg_script_t) + +-modutils_run_depmod(dpkg_script_t, dpkg_roles) +-modutils_run_insmod(dpkg_script_t, dpkg_roles) ++#modutils_run_depmod(dpkg_script_t, dpkg_roles) ++#modutils_run_insmod(dpkg_script_t, dpkg_roles) + +-seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) +-seutil_run_setfiles(dpkg_script_t, dpkg_roles) ++#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) ++#seutil_run_setfiles(dpkg_script_t, dpkg_roles) + + userdom_use_all_users_fds(dpkg_script_t) + +-tunable_policy(`allow_execmem',` ++tunable_policy(`selinuxuser_execmem',` + allow dpkg_script_t self:process execmem; + ') + +@@ -319,9 +335,9 @@ optional_policy(` + apt_use_fds(dpkg_script_t) + ') + +-optional_policy(` 
+- bootloader_run(dpkg_script_t, dpkg_roles) +-') ++#optional_policy(` ++# bootloader_run(dpkg_script_t, dpkg_roles) ++#') + + optional_policy(` + mta_send_mail(dpkg_script_t) +@@ -335,7 +351,7 @@ optional_policy(` + unconfined_domain(dpkg_script_t) + ') + +-optional_policy(` +- usermanage_run_groupadd(dpkg_script_t, dpkg_roles) +- usermanage_run_useradd(dpkg_script_t, dpkg_roles) +-') ++#optional_policy(` ++# usermanage_run_groupadd(dpkg_script_t, dpkg_roles) ++# usermanage_run_useradd(dpkg_script_t, dpkg_roles) ++#') diff --git a/drbd.fc b/drbd.fc new file mode 100644 index 0000000..60c19b9 @@ -18728,13 +18930,45 @@ index 9d3201b..6e75e3d 100644 + allow $1 ftpd_unit_file_t:service all_service_perms; ') diff --git a/ftp.te b/ftp.te -index 4285c83..ed96e96 100644 +index 4285c83..2edc3a2 100644 --- a/ftp.te +++ b/ftp.te -@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false) +@@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1) + ## public_content_rw_t. + ##
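Review bot: In dpkg.te the `seutil_run_loadpolicy(dpkg_t, dpkg_roles)`, `seutil_run_setfiles`, `modutils_run_*` and `usermanage_run_*` calls are replaced by their `*_domtrans_*` forms, which by the usual run/domtrans convention carry only the type transition and not the `role … types` authorization the run variants added; with the role attribute gone, a role that enters dpkg_t through `dpkg_run` will have the transition to load_policy_t, setfiles_t, insmod_t, depmod_t, groupadd_t or useradd_t refused on role authorization unless that role is already authorized for those types elsewhere, because `dpkg_run` only adds `seutil_run_loadpolicy(dpkg_script_t, $2)` for the script domain. Either keep the run variants with `$2` inside `dpkg_run` or add the matching `role $2 types …` statements there; ncftool.if/ncftool.te (sysnet_domtrans_dhcpc, sysnet_domtrans_ifconfig, modutils_domtrans_insmod, netutils_domtrans) have the same pattern. Separately, the commented-out `#attribute_role dpkg_roles;`, `#libs_run_ldconfig(dpkg_t, dpkg_roles)` and the `#optional_policy(` blocks are dead policy text; a single `# TODO: restore dpkg_roles once roleattribute is usable again` says the intent more clearly than retained code, and the same clean-up applies to livecd, mozilla and ncftool.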

+ ##
+-gen_tunable(allow_ftpd_anon_write, false) ++gen_tunable(ftpd_anon_write, false) + + ## + ##

+@@ -20,7 +20,7 @@ gen_tunable(allow_ftpd_anon_write, false) + ## read/write all files on the system, governed by DAC. + ##

+ ##
+-gen_tunable(allow_ftpd_full_access, false) ++gen_tunable(ftpd_full_access, false) + + ## + ##

+@@ -28,7 +28,7 @@ gen_tunable(allow_ftpd_full_access, false) + ## used for public file transfer services. + ##

+ ##
+-gen_tunable(allow_ftpd_use_cifs, false) ++gen_tunable(ftpd_use_cifs, false) ## ##

+@@ -36,7 +36,28 @@ gen_tunable(allow_ftpd_use_cifs, false) + ## used for public file transfer services. + ##

+ ##
+-gen_tunable(allow_ftpd_use_nfs, false) ++gen_tunable(ftpd_use_nfs, false) ++ ++## ++##

+## Allow ftp servers to connect to mysql database ports +##

+##
@@ -18753,12 +18987,9 @@ index 4285c83..ed96e96 100644 +##

+##
+gen_tunable(ftpd_connect_all_unreserved, false) -+ -+## -+##

- ## Allow ftp to read and write files in the user home directories - ##

- ##
+ + ## + ##

@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false) ## gen_tunable(sftpd_full_access, false) @@ -18873,9 +19104,39 @@ index 4285c83..ed96e96 100644 init_rw_utmp(ftpd_t) -@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` +@@ -237,31 +270,39 @@ sysnet_use_ldap(ftpd_t) + userdom_dontaudit_use_unpriv_user_fds(ftpd_t) + userdom_dontaudit_search_user_home_dirs(ftpd_t) + +-tunable_policy(`allow_ftpd_anon_write',` ++tunable_policy(`ftpd_anon_write',` + miscfiles_manage_public_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_cifs',` ++tunable_policy(`ftpd_use_cifs',` + fs_read_cifs_files(ftpd_t) + fs_read_cifs_symlinks(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',` ++tunable_policy(`ftpd_use_cifs && ftpd_anon_write',` + fs_manage_cifs_files(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_nfs',` ++tunable_policy(`ftpd_use_nfs',` + fs_read_nfs_files(ftpd_t) + fs_read_nfs_symlinks(ftpd_t) + ') + +-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',` ++tunable_policy(`ftpd_use_nfs && ftpd_anon_write',` + fs_manage_nfs_files(ftpd_t) + ') - tunable_policy(`allow_ftpd_full_access',` +-tunable_policy(`allow_ftpd_full_access',` ++tunable_policy(`ftpd_full_access',` allow ftpd_t self:capability { dac_override dac_read_search }; - files_manage_non_auth_files(ftpd_t) + files_manage_non_security_files(ftpd_t) @@ -19794,10 +20055,10 @@ index 7ff9d6d..6b0a7ff 100644 allow $1 glance_api_t:process signal_perms; ps_process_pattern($1, glance_api_t) diff --git a/glance.te b/glance.te -index 4afb81f..2e451b7 100644 +index 4afb81f..842165a 100644 --- a/glance.te +++ b/glance.te -@@ -57,12 +57,15 @@ manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) +@@ -57,12 +57,17 @@ manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) kernel_read_system_state(glance_domain) corecmd_exec_bin(glance_domain) 
@@ -19810,10 +20071,12 @@ index 4afb81f..2e451b7 100644 +auth_read_passwd(glance_domain) + ++libs_exec_ldconfig(glance_domain) ++ miscfiles_read_localization(glance_domain) optional_policy(` -@@ -80,6 +83,14 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) +@@ -80,6 +85,14 @@ files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir }) corenet_tcp_bind_generic_node(glance_registry_t) corenet_tcp_bind_glance_registry_port(glance_registry_t) @@ -19828,7 +20091,7 @@ index 4afb81f..2e451b7 100644 ######################################## # -@@ -94,8 +105,10 @@ can_exec(glance_api_t, glance_tmp_t) +@@ -94,11 +107,11 @@ can_exec(glance_api_t, glance_tmp_t) corecmd_exec_shell(glance_api_t) corenet_tcp_bind_generic_node(glance_api_t) @@ -19839,6 +20102,9 @@ index 4afb81f..2e451b7 100644 dev_read_urand(glance_api_t) + fs_getattr_xattr_fs(glance_api_t) +- +-libs_exec_ldconfig(glance_api_t) diff --git a/gnome.fc b/gnome.fc index 00a19e3..d776f66 100644 --- a/gnome.fc @@ -23749,6 +24015,28 @@ index 53e53ca..91bdd44 100644 +miscfiles_read_localization(jabberd_domain) + +sysnet_read_config(jabberd_domain) +diff --git a/java.te b/java.te +index 95771f4..41c2fa1 100644 +--- a/java.te ++++ b/java.te +@@ -10,7 +10,7 @@ policy_module(java, 2.5.1) + ## Allow java executable stack + ##

+ ##
+-gen_tunable(allow_java_execstack, false) ++gen_tunable(java_execstack, false) + + type java_t; + type java_exec_t; +@@ -108,7 +108,7 @@ userdom_manage_user_home_content_sockets(java_t) + userdom_user_home_dir_filetrans_user_home_content(java_t, { file lnk_file sock_file fifo_file }) + userdom_write_user_tmp_sockets(java_t) + +-tunable_policy(`allow_java_execstack',` ++tunable_policy(`java_execstack',` + allow java_t self:process execstack; + + allow java_t java_tmp_t:file execute; diff --git a/jetty.fc b/jetty.fc new file mode 100644 index 0000000..1725b7e @@ -24553,10 +24841,19 @@ index 3525d24..ee0a3d5 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index 604f67b..da4a93f 100644 +index 604f67b..8714225 100644 --- a/kerberos.if +++ b/kerberos.if -@@ -103,7 +103,8 @@ interface(`kerberos_use',` +@@ -84,7 +84,7 @@ interface(`kerberos_use',` + selinux_dontaudit_validate_context($1) + seutil_dontaudit_read_file_contexts($1) + +- tunable_policy(`allow_kerberos',` ++ tunable_policy(`kerberos_enabled',` + allow $1 self:tcp_socket create_socket_perms; + allow $1 self:udp_socket create_socket_perms; + +@@ -103,11 +103,12 @@ interface(`kerberos_use',` corenet_sendrecv_kerberos_client_packets($1) corenet_sendrecv_ocsp_client_packets($1) @@ -24566,6 +24863,11 @@ index 604f67b..da4a93f 100644 ') optional_policy(` +- tunable_policy(`allow_kerberos',` ++ tunable_policy(`kerberos_enabled',` + pcscd_stream_connect($1) + ') + ') @@ -218,6 +219,25 @@ interface(`kerberos_rw_keytab',` ######################################## @@ -24592,7 +24894,15 @@ index 604f67b..da4a93f 100644 ## Create a derived type for kerberos keytab ##
## -@@ -289,31 +309,18 @@ interface(`kerberos_manage_host_rcache',` +@@ -282,38 +302,25 @@ interface(`kerberos_manage_host_rcache',` + # does not work in conditionals + domain_obj_id_change_exemption($1) + +- tunable_policy(`allow_kerberos',` ++ tunable_policy(`kerberos_enabled',` + allow $1 self:process setfscreate; + + selinux_validate_context($1) seutil_read_file_contexts($1) @@ -24602,7 +24912,7 @@ index 604f67b..da4a93f 100644 files_search_tmp($1) ') -') -- + -######################################## -## -## Connect to krb524 service @@ -24616,7 +24926,7 @@ index 604f67b..da4a93f 100644 -interface(`kerberos_connect_524',` - tunable_policy(`allow_kerberos',` - allow $1 self:udp_socket create_socket_perms; - +- - corenet_all_recvfrom_unlabeled($1) - corenet_udp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_node($1) @@ -24776,9 +25086,18 @@ index 604f67b..da4a93f 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") +') diff --git a/kerberos.te b/kerberos.te -index 8edc29b..41d4869 100644 +index 8edc29b..86ba21b 100644 --- a/kerberos.te +++ b/kerberos.te +@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0) + ## Allow confined applications to run with kerberos. + ##
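Review bot: `livecd_run` in livecd.if now mixes a fixed role and the caller's role — `seutil_run_setfiles_mac(livecd_t, system_r)` hard-codes system_r while the adjacent `mount_run(livecd_t, $2)` and the new `role $2 types livecd_t;` use `$2`. Because the interface also keeps `role_transition $2 livecd_exec_t system_r;`, the livecd_t process presumably runs as system_r, in which case the mount transition is authorized for the wrong role and the setfiles_mac line is the correct one; if that reading is right, `mount_run(livecd_t, system_r)` should be used as well, with a comment such as `# livecd_t runs as system_r (role_transition above), so child domains are authorized for system_r, not $2`. Note that `seutil_run_setfiles_mac` was previously granted unconditionally from livecd.te and has moved into the interface, so it now only exists when some caller invokes `livecd_run`.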

+ ## +-gen_tunable(allow_kerberos, false) ++gen_tunable(kerberos_enabled, false) + + type kadmind_t; + type kadmind_exec_t; @@ -35,12 +35,12 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) domain_obj_id_change_exemption(kpropd_t) @@ -26174,21 +26493,30 @@ index 6a78de1..8db7d14 100644 logging_send_syslog_msg(lircd_t) diff --git a/livecd.if b/livecd.if -index ae29d9f..bfbf676 100644 +index ae29d9f..fb7869e 100644 --- a/livecd.if +++ b/livecd.if -@@ -36,11 +36,32 @@ interface(`livecd_domtrans',` +@@ -36,11 +36,39 @@ interface(`livecd_domtrans',` # interface(`livecd_run',` gen_require(` +- attribute_role livecd_roles; + type livecd_t; + type livecd_exec_t; - attribute_role livecd_roles; ++ #attribute_role livecd_roles; ') livecd_domtrans($1) - roleattribute $2 livecd_roles; +- roleattribute $2 livecd_roles; ++ #roleattribute $2 livecd_roles; ++ role $2 types livecd_t; + role_transition $2 livecd_exec_t system_r; ++ ++ seutil_run_setfiles_mac(livecd_t, system_r) ++ ++ optional_policy(` ++ mount_run(livecd_t, $2) ++ ') +') + +######################################## @@ -26211,10 +26539,28 @@ index ae29d9f..bfbf676 100644 ######################################## diff --git a/livecd.te b/livecd.te -index 008f718..65efdae 100644 +index 008f718..7a944b5 100644 --- a/livecd.te 
+++ b/livecd.te -@@ -29,15 +29,27 @@ manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) +@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0) + # Declarations + # + +-attribute_role livecd_roles; +-roleattribute system_r livecd_roles; ++#attribute_role livecd_roles; ++#roleattribute system_r livecd_roles; + + type livecd_t; + type livecd_exec_t; + application_domain(livecd_t, livecd_exec_t) +-role livecd_roles types livecd_t; ++role system_r types livecd_t; ++#role livecd_roles types livecd_t; + + type livecd_tmp_t; + files_tmp_file(livecd_tmp_t) +@@ -29,15 +30,27 @@ manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t) files_tmp_filetrans(livecd_t, livecd_tmp_t, { dir file }) @@ -26224,26 +26570,28 @@ index 008f718..65efdae 100644 + +sysnet_filetrans_named_content(livecd_t) + ++#optional_policy(` ++# mount_run(livecd_t, livecd_roles) ++# seutil_run_setfiles_mac(livecd_t, livecd_roles) ++#') ++ optional_policy(` - mount_run(livecd_t, livecd_roles) -+ seutil_run_setfiles_mac(livecd_t, livecd_roles) +- mount_run(livecd_t, livecd_roles) ++ ssh_filetrans_admin_home_content(livecd_t) ') optional_policy(` - hal_dbus_chat(livecd_t) -+ ssh_filetrans_admin_home_content(livecd_t) ++ unconfined_domain_noaudit(livecd_t) ') optional_policy(` - unconfined_domain(livecd_t) -+ unconfined_domain_noaudit(livecd_t) - ') - -+optional_policy(` + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(livecd_t) + rpm_domtrans(livecd_t) -+') + ') +- diff --git a/lldpad.fc b/lldpad.fc new file mode 100644 index 0000000..83a4348 @@ -26958,7 +27306,7 @@ index a4f32f5..628b63c 100644 ## in the caller domain. ##
diff --git a/lpd.te b/lpd.te -index a03b63a..9f70692 100644 +index a03b63a..e154044 100644 --- a/lpd.te +++ b/lpd.te @@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t) @@ -27008,7 +27356,7 @@ index a03b63a..9f70692 100644 # Write to /var/spool/lpd. manage_files_pattern(lpd_t, print_spool_t, print_spool_t) -@@ -275,19 +276,19 @@ miscfiles_read_localization(lpr_t) +@@ -275,19 +276,20 @@ miscfiles_read_localization(lpr_t) userdom_read_user_tmp_symlinks(lpr_t) # Write to the user domain tty. @@ -27016,6 +27364,7 @@ index a03b63a..9f70692 100644 +userdom_use_inherited_user_terminals(lpr_t) userdom_read_user_home_content_files(lpr_t) userdom_read_user_tmp_files(lpr_t) ++userdom_write_user_tmp_sockets(lpr_t) tunable_policy(`use_lpd_server',` # lpr can run in lightweight mode, without a local print spooler. @@ -27033,7 +27382,7 @@ index a03b63a..9f70692 100644 # Send SIGHUP to lpd. allow lpr_t lpd_t:process signal; -@@ -305,17 +306,7 @@ tunable_policy(`use_lpd_server',` +@@ -305,17 +307,7 @@ tunable_policy(`use_lpd_server',` read_lnk_files_pattern(lpr_t, printconf_t, printconf_t) ') @@ -27052,7 +27401,7 @@ index a03b63a..9f70692 100644 optional_policy(` cups_read_config(lpr_t) -@@ -324,5 +315,13 @@ optional_policy(` +@@ -324,5 +316,13 @@ optional_policy(` ') optional_policy(` @@ -29125,10 +29474,10 @@ index dff0f12..ecab36d 100644 init_dbus_chat_script(mono_t) diff --git a/mozilla.fc b/mozilla.fc -index 3a73e74..f1f3e51 100644 +index 3a73e74..60e7237 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -2,8 +2,16 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 +@@ -2,8 +2,17 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0 HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) 
@@ -29142,10 +29491,11 @@ index 3a73e74..f1f3e51 100644 +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin -@@ -16,6 +24,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +@@ -16,6 +25,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -29158,7 +29508,7 @@ index 3a73e74..f1f3e51 100644 ifdef(`distro_debian',` /usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0) ') -@@ -23,11 +37,20 @@ ifdef(`distro_debian',` +@@ -23,11 +38,20 @@ ifdef(`distro_debian',` # # /lib # @@ -29186,12 +29536,29 @@ index 3a73e74..f1f3e51 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index b397fde..30b0241 100644 +index b397fde..30bfefb 100644 --- a/mozilla.if 
+++ b/mozilla.if -@@ -48,6 +48,22 @@ interface(`mozilla_role',` +@@ -18,10 +18,11 @@ + interface(`mozilla_role',` + gen_require(` + type mozilla_t, mozilla_exec_t, mozilla_home_t; +- attribute_role mozilla_roles; ++ #attribute_role mozilla_roles; + ') + +- roleattribute $1 mozilla_roles; ++ #roleattribute $1 mozilla_roles; ++ role $1 types mozilla_t; + + domain_auto_trans($2, mozilla_exec_t, mozilla_t) + # Unrestricted inheritance from the caller. +@@ -47,7 +48,24 @@ interface(`mozilla_role',` + relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) ++ #should be remove then with adding of roleattribute ++ mozilla_run_plugin(mozilla_t, $1) mozilla_dbus_chat($2) + + userdom_manage_tmp_role($1, mozilla_t) @@ -29208,11 +29575,10 @@ index b397fde..30b0241 100644 + + mozilla_filetrans_home_content($2) + -+ mozilla_dbus_chat($2) ') ######################################## -@@ -105,7 +121,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` +@@ -105,7 +123,7 @@ interface(`mozilla_dontaudit_rw_user_home_files',` type mozilla_home_t; ') @@ -29221,7 +29587,7 @@ index b397fde..30b0241 100644 ') ######################################## -@@ -193,11 +209,34 @@ interface(`mozilla_domtrans',` +@@ -193,11 +211,34 @@ interface(`mozilla_domtrans',` # interface(`mozilla_domtrans_plugin',` gen_require(` @@ -29257,7 +29623,7 @@ index b397fde..30b0241 100644 allow mozilla_plugin_t $1:process signull; ') -@@ -224,6 +263,31 @@ interface(`mozilla_run_plugin',` +@@ -224,6 +265,31 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; @@ -29289,7 +29655,7 @@ index b397fde..30b0241 100644 ') ######################################## -@@ -265,9 +329,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -265,9 +331,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -29318,7 +29684,7 @@ index b397fde..30b0241 100644 ##
## ## -@@ -275,28 +357,98 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -275,28 +359,98 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -29349,10 +29715,11 @@ index b397fde..30b0241 100644 gen_require(` - type mozilla_plugin_tmpfs_t; + type mozilla_plugin_t; -+ ') -+ + ') + +- allow $1 mozilla_plugin_tmpfs_t:file unlink; + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; -+') + ') + +####################################### +## @@ -29407,9 +29774,8 @@ index b397fde..30b0241 100644 + + gen_require(` + type mozilla_home_t; - ') - -- allow $1 mozilla_plugin_tmpfs_t:file unlink; ++ ') ++ + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla") @@ -29422,16 +29788,17 @@ index b397fde..30b0241 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") - ') ++') + diff --git a/mozilla.te b/mozilla.te -index 0724816..7bf56bf 100644 +index 0724816..7ccc738 100644 --- a/mozilla.te +++ b/mozilla.te -@@ -12,6 +12,13 @@ policy_module(mozilla, 2.5.3) +@@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3) ## gen_tunable(mozilla_read_content, false) +-attribute_role mozilla_roles; +## +##
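Review bot: mozilla.te replaces the role attribute with static `role system_r types mozilla_t;`, `role system_r types mozilla_plugin_t;` and `role system_r types mozilla_plugin_config_t;`, which authorizes the daemon role for a user application domain unconditionally; as far as this hunk shows, system_r was not a member of mozilla_roles before, so this widens the role set rather than preserving it. Per-user authorization now comes only from `role $1 types mozilla_t;` in `mozilla_role`, and the plugin domain is authorized for `$1` only through the `mozilla_run_plugin(mozilla_t, $1)` call that the `#should be remove then with adding of roleattribute` comment in mozilla.if marks as temporary. If system_r is genuinely required (for example a plugin started outside a user session) say so in a comment on the role lines; otherwise drop them. The leftover comment itself would read better as `# TODO: remove once roleattribute is usable again; this call only exists to authorize $1 for mozilla_plugin_t`.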

+## Allow mozilla_plugins to create random content in the users home directory @@ -29439,11 +29806,26 @@ index 0724816..7bf56bf 100644 +## +gen_tunable(mozilla_plugin_enable_homedirs, false) + - attribute_role mozilla_roles; ++#attribute_role mozilla_roles; type mozilla_t; -@@ -35,11 +42,21 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) - role mozilla_roles types mozilla_plugin_t; + type mozilla_exec_t; + typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; + typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; + userdom_user_application_domain(mozilla_t, mozilla_exec_t) +-role mozilla_roles types mozilla_t; ++#role mozilla_roles types mozilla_t; ++role system_r types mozilla_t; + + type mozilla_conf_t; + files_config_file(mozilla_conf_t) +@@ -32,14 +40,26 @@ userdom_user_home_content(mozilla_home_t) + type mozilla_plugin_t; + type mozilla_plugin_exec_t; + application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +-role mozilla_roles types mozilla_plugin_t; ++#role mozilla_roles types mozilla_plugin_t; ++role system_r types mozilla_plugin_t; type mozilla_plugin_tmp_t; +userdom_user_tmp_content(mozilla_plugin_tmp_t) @@ -29459,12 +29841,13 @@ index 0724816..7bf56bf 100644 +type mozilla_plugin_config_t; +type mozilla_plugin_config_exec_t; +application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) -+role mozilla_roles types mozilla_plugin_config_t; ++#role mozilla_roles types mozilla_plugin_config_t; ++role system_r types mozilla_plugin_config_t; + type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) -@@ -110,6 +127,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t) +@@ -110,6 +130,7 @@ corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) corenet_tcp_sendrecv_squid_port(mozilla_t) corenet_tcp_sendrecv_ftp_port(mozilla_t) 
@@ -29472,7 +29855,7 @@ index 0724816..7bf56bf 100644 corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) corenet_tcp_connect_http_cache_port(mozilla_t) -@@ -155,6 +173,8 @@ fs_rw_tmpfs_files(mozilla_t) +@@ -155,6 +176,8 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) @@ -29481,22 +29864,23 @@ index 0724816..7bf56bf 100644 logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -@@ -164,7 +184,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -164,29 +187,23 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) -userdom_use_user_ptys(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t) - mozilla_run_plugin(mozilla_t, mozilla_roles) +-mozilla_run_plugin(mozilla_t, mozilla_roles) ++#mozilla_run_plugin(mozilla_t, mozilla_roles) -@@ -172,21 +192,15 @@ xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) + xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) xserver_dontaudit_read_xdm_tmp_files(mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t) -tunable_policy(`allow_execmem',` - allow mozilla_t self:process { execmem execstack }; -+tunable_policy(`allow_execstack',` ++tunable_policy(`selinuxuser_execstack',` + allow mozilla_t self:process execstack; ') @@ -29517,7 +29901,7 @@ index 0724816..7bf56bf 100644 # Uploads, local html tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -263,6 +277,7 @@ optional_policy(` +@@ -263,6 +280,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) 
@@ -29525,7 +29909,17 @@ index 0724816..7bf56bf 100644 ') optional_policy(` -@@ -297,25 +312,34 @@ optional_policy(` +@@ -283,7 +301,8 @@ optional_policy(` + ') + + optional_policy(` +- pulseaudio_role(mozilla_roles, mozilla_t) ++ #pulseaudio_role(mozilla_roles, mozilla_t) ++ pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) + pulseaudio_manage_home_files(mozilla_t) + ') +@@ -297,25 +316,33 @@ optional_policy(` # mozilla_plugin local policy # @@ -29563,12 +29957,11 @@ index 0724816..7bf56bf 100644 +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) -+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -323,31 +347,45 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -323,31 +350,46 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -29600,6 +29993,7 @@ index 0724816..7bf56bf 100644 corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) ++corenet_tcp_connect_ircd_port(mozilla_plugin_t) +corenet_tcp_connect_jabber_client_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) +corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) 
@@ -29620,7 +30014,7 @@ index 0724816..7bf56bf 100644 dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -356,6 +394,7 @@ dev_write_sound(mozilla_plugin_t) +@@ -356,6 +398,7 @@ dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) @@ -29628,7 +30022,7 @@ index 0724816..7bf56bf 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,15 +402,20 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,15 +406,22 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -29646,10 +30040,12 @@ index 0724816..7bf56bf 100644 +init_dontaudit_getattr_initctl(mozilla_plugin_t) + ++libs_exec_lib_files(mozilla_plugin_t) ++ logging_send_syslog_msg(mozilla_plugin_t) miscfiles_read_localization(mozilla_plugin_t) -@@ -384,35 +428,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -384,35 +434,26 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -29696,7 +30092,7 @@ index 0724816..7bf56bf 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -422,11 +457,19 @@ optional_policy(` +@@ -422,35 +463,134 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) 
@@ -29716,23 +30112,24 @@ index 0724816..7bf56bf 100644 ') optional_policy(` -@@ -434,12 +477,12 @@ optional_policy(` + java_exec(mozilla_plugin_t) ') ++#optional_policy(` ++# lpd_run_lpr(mozilla_plugin_t, mozilla_roles) ++#') ++ optional_policy(` -- mplayer_exec(mozilla_plugin_t) -- mplayer_read_user_home_files(mozilla_plugin_t) -+ lpd_run_lpr(mozilla_plugin_t, mozilla_roles) + mplayer_exec(mozilla_plugin_t) + mplayer_read_user_home_files(mozilla_plugin_t) ') optional_policy(` - pcscd_stream_connect(mozilla_plugin_t) -+ mplayer_exec(mozilla_plugin_t) -+ mplayer_read_user_home_files(mozilla_plugin_t) - ') - - optional_policy(` -@@ -447,10 +490,99 @@ optional_policy(` +-') +- +-optional_policy(` + pulseaudio_exec(mozilla_plugin_t) pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -29745,13 +30142,15 @@ index 0724816..7bf56bf 100644 + +optional_policy(` + rtkit_scheduled(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ udev_read_db(mozilla_plugin_t) ') optional_policy(` ++ udev_read_db(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t) xserver_read_xdm_pid(mozilla_plugin_t) xserver_stream_connect(mozilla_plugin_t) xserver_use_user_fonts(mozilla_plugin_t) @@ -29955,9 +30354,18 @@ index d8ea41d..8bdc526 100644 + domtrans_pattern($1, mplayer_exec_t, $2) +') diff --git a/mplayer.te b/mplayer.te -index 0cdea57..f48b610 100644 +index 0cdea57..55015bf 100644 --- a/mplayer.te +++ b/mplayer.te +@@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0) + ## Allow mplayer executable stack + ##

+ ##
+-gen_tunable(allow_mplayer_execstack, false) ++gen_tunable(mplayer_execstack, false) + + type mencoder_t; + type mencoder_exec_t; @@ -73,13 +73,14 @@ storage_raw_read_removable_device(mencoder_t) miscfiles_read_localization(mencoder_t) @@ -29974,7 +30382,7 @@ index 0cdea57..f48b610 100644 # Read content to encode ifndef(`enable_mls',` -@@ -88,7 +89,7 @@ ifndef(`enable_mls',` +@@ -88,58 +89,18 @@ ifndef(`enable_mls',` fs_read_removable_symlinks(mencoder_t) ') @@ -29983,7 +30391,13 @@ index 0cdea57..f48b610 100644 allow mencoder_t self:process execmem; ') -@@ -100,46 +101,6 @@ tunable_policy(`allow_mplayer_execstack',` +-tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + dev_execmod_zero(mencoder_t) + ') + +-tunable_policy(`allow_mplayer_execstack',` ++tunable_policy(`mplayer_execstack',` allow mencoder_t self:process { execmem execstack }; ') @@ -30062,7 +30476,7 @@ index 0cdea57..f48b610 100644 xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) -@@ -243,7 +210,7 @@ ifdef(`enable_mls',`',` +@@ -243,62 +210,31 @@ ifdef(`enable_mls',`',` fs_read_removable_symlinks(mplayer_t) ') @@ -30071,7 +30485,13 @@ index 0cdea57..f48b610 100644 allow mplayer_t self:process execmem; ') -@@ -255,50 +222,19 @@ tunable_policy(`allow_mplayer_execstack',` +-tunable_policy(`allow_execmod',` ++tunable_policy(`selinuxuser_execmod',` + dev_execmod_zero(mplayer_t) + ') + +-tunable_policy(`allow_mplayer_execstack',` ++tunable_policy(`mplayer_execstack',` allow mplayer_t self:process { execmem execstack }; ') @@ -30087,7 +30507,8 @@ index 0cdea57..f48b610 100644 -') - # Legacy domain issues - tunable_policy(`allow_mplayer_execstack',` +-tunable_policy(`allow_mplayer_execstack',` ++tunable_policy(`mplayer_execstack',` allow mplayer_t mplayer_tmpfs_t:file execute; ') 
@@ -32534,27 +32955,56 @@ index 0000000..2f7149c +userdom_relabelto_user_home_files(namespace_init_t) +userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file }) diff --git a/ncftool.if b/ncftool.if -index a648982..1520b6c 100644 +index a648982..59f096b 100644 --- a/ncftool.if +++ b/ncftool.if -@@ -37,8 +37,9 @@ interface(`ncftool_domtrans',` +@@ -36,9 +36,19 @@ interface(`ncftool_domtrans',` + # interface(`ncftool_run',` gen_require(` - attribute_role ncftool_roles; +- attribute_role ncftool_roles; - ') ++ type ncftool_t; ++ #attribute_role ncftool_roles; + ') ++ ++ #ncftool_domtrans($1) ++ #roleattribute $2 ncftool_roles; -- ncftool_domtrans($1) + ncftool_domtrans($1) - roleattribute $2 ncftool_roles; -+ ncftool_domtrans($1) -+ roleattribute $2 ncftool_roles; ++ role $2 types ncftool_t; ++ ++ optional_policy(` ++ brctl_run(ncftool_t, $2) ++ ') ++ ') + diff --git a/ncftool.te b/ncftool.te -index f19ca0b..91ab36d 100644 +index f19ca0b..8c48c33 100644 --- a/ncftool.te +++ b/ncftool.te -@@ -20,10 +20,13 @@ role ncftool_roles types ncftool_t; +@@ -5,25 +5,29 @@ policy_module(ncftool, 1.1.0) + # Declarations + # + +-attribute_role ncftool_roles; +-roleattribute system_r ncftool_roles; ++#attribute_role ncftool_roles; ++#roleattribute system_r ncftool_roles; + + type ncftool_t; + type ncftool_exec_t; + application_domain(ncftool_t, ncftool_exec_t) + domain_obj_id_change_exemption(ncftool_t) + domain_system_change_exemption(ncftool_t) +-role ncftool_roles types ncftool_t; ++#role ncftool_roles types ncftool_t; ++role system_r types ncftool_t; + + ######################################## + # # ncftool local policy # 
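Review bot: `brctl_run(ncftool_t, $2)` inside `ncftool_run` now grants every role that is given ncftool_t the brctl domain as well, which is broader than the interface name suggests and is invisible to callers. The interface header is outside this hunk; it should state the extra grant, e.g. `## Also allows the role to run brctl from ncftool_t.`, or the brctl grant should move to the callers that need it. The `#attribute_role ncftool_roles;`, `#ncftool_domtrans($1)` and `#roleattribute $2 ncftool_roles;` remnants are dead text once the `role $2 types ncftool_t;` approach is settled.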
@@ -32569,7 +33019,7 @@ index f19ca0b..91ab36d 100644 allow ncftool_t self:tcp_socket create_stream_socket_perms; allow ncftool_t self:netlink_route_socket create_netlink_socket_perms; -@@ -41,18 +44,22 @@ domain_read_all_domains_state(ncftool_t) +@@ -41,24 +45,34 @@ domain_read_all_domains_state(ncftool_t) dev_read_sysfs(ncftool_t) @@ -32584,8 +33034,12 @@ index f19ca0b..91ab36d 100644 +miscfiles_read_localization(ncftool_t) sysnet_delete_dhcpc_pid(ncftool_t) - sysnet_run_dhcpc(ncftool_t, ncftool_roles) - sysnet_run_ifconfig(ncftool_t, ncftool_roles) +-sysnet_run_dhcpc(ncftool_t, ncftool_roles) +-sysnet_run_ifconfig(ncftool_t, ncftool_roles) ++sysnet_domtrans_dhcpc(ncftool_t) ++sysnet_domtrans_ifconfig(ncftool_t) ++#sysnet_run_dhcpc(ncftool_t, ncftool_roles) ++#sysnet_run_ifconfig(ncftool_t, ncftool_roles) sysnet_etc_filetrans_config(ncftool_t) sysnet_manage_config(ncftool_t) sysnet_read_dhcpc_state(ncftool_t) @@ -32594,18 +33048,17 @@ index f19ca0b..91ab36d 100644 sysnet_read_dhcpc_pid(ncftool_t) sysnet_signal_dhcpc(ncftool_t) -@@ -60,6 +67,10 @@ userdom_use_user_terminals(ncftool_t) + userdom_use_user_terminals(ncftool_t) userdom_read_user_tmp_files(ncftool_t) - optional_policy(` -+ brctl_run(ncftool_t, ncftool_roles) -+') ++#optional_policy(` ++# brctl_run(ncftool_t, ncftool_roles) ++#') + -+optional_policy(` + optional_policy(` consoletype_exec(ncftool_t) ') - -@@ -69,6 +80,7 @@ optional_policy(` +@@ -69,13 +83,17 @@ optional_policy(` optional_policy(` iptables_initrc_domtrans(ncftool_t) @@ -32613,6 +33066,18 @@ index f19ca0b..91ab36d 100644 ') optional_policy(` + modutils_read_module_config(ncftool_t) +- modutils_run_insmod(ncftool_t, ncftool_roles) ++ modutils_domtrans_insmod(ncftool_t) ++ #modutils_run_insmod(ncftool_t, ncftool_roles) ++ + ') + + optional_policy(` +- netutils_run(ncftool_t, ncftool_roles) ++ netutils_domtrans(ncftool_t) ++ #netutils_run(ncftool_t, ncftool_roles) + ') 
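Review bot: Replacing `sysnet_run_dhcpc(ncftool_t, ncftool_roles)` with `sysnet_domtrans_dhcpc(ncftool_t)` drops the role authorization the `*_run` interface carried, so the ncftool_t → dhcpc_t transition is denied by role for any caller role that does not already hold dhcpc_t (system_r presumably does; a role granted only `role $2 types ncftool_t` via ncftool_run may not). The same applies to `sysnet_domtrans_ifconfig`, `modutils_domtrans_insmod` and `netutils_domtrans` in the @@ -32613 hunk, to the `libs_domtrans_ldconfig`, `seutil_domtrans_*`, `bootloader_domtrans`, `modutils_domtrans_*` and `usermanage_domtrans_*` calls in portage.te, and to `auth_domtrans_chk_passwd` and `ddclient_domtrans` in ppp.te. If confining these to system_r is the intent, a short comment at the first replacement, e.g. `# domtrans only: ncftool runs under system_r, no user-role grant intended`, stops the next reader from re-adding the role grants; otherwise the role permission for each target type has to be carried in the respective `*_run` interface.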
diff --git a/networkmanager.fc b/networkmanager.fc index 386543b..8fe1d63 100644 --- a/networkmanager.fc @@ -33099,7 +33564,7 @@ index 632a565..cd0e015 100644 +/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) +/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0) diff --git a/nis.if b/nis.if -index abe3f7f..875f873 100644 +index abe3f7f..8c0b6f9 100644 --- a/nis.if +++ b/nis.if @@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',` @@ -33129,6 +33594,24 @@ index abe3f7f..875f873 100644 corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) +@@ -88,7 +87,7 @@ interface(`nis_use_ypbind_uncond',` + ## + # + interface(`nis_use_ypbind',` +- tunable_policy(`allow_ypbind',` ++ tunable_policy(`nis_enabled',` + nis_use_ypbind_uncond($1) + ') + ') +@@ -105,7 +104,7 @@ interface(`nis_use_ypbind',` + ## + # + interface(`nis_authenticate',` +- tunable_policy(`allow_ypbind',` ++ tunable_policy(`nis_enabled',` + nis_use_ypbind_uncond($1) + corenet_tcp_bind_all_rpc_ports($1) + corenet_udp_bind_all_rpc_ports($1) @@ -337,6 +336,55 @@ interface(`nis_initrc_domtrans_ypbind',` ######################################## @@ -33400,7 +33883,7 @@ index 0000000..0d11800 +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..b0d25bb +index 0000000..415b098 --- /dev/null +++ b/nova.te @@ -0,0 +1,328 @@ @@ -33547,7 +34030,7 @@ index 0000000..b0d25bb + +allow nova_cert_t self:udp_socket create_socket_perms; + -+auth_read_passwd(nova_cert_t) ++auth_use_nsswitch(nova_cert_t) + +miscfiles_read_certs(nova_cert_t) + @@ -34624,7 +35107,7 @@ index 0000000..fce899a +') diff --git a/nsplugin.te b/nsplugin.te new file mode 100644 -index 0000000..eeb5955 +index 0000000..5f14e91 --- /dev/null +++ b/nsplugin.te @@ -0,0 +1,328 @@ @@ -34640,7 +35123,7 @@ index 0000000..eeb5955 +## Allow nsplugin code to execmem/execstack +##
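Review bot: `auth_use_nsswitch(nova_cert_t)` replaces `auth_read_passwd(nova_cert_t)` in nova.te with no comment, and as far as I recall auth_use_nsswitch is considerably broader than reading the passwd file (it pulls in name-service and resolver access through its own optional_policy blocks). The denial that motivated the change should be recorded next to it, e.g. `# nova-cert resolves users via nsswitch (ldap/sssd), not only /etc/passwd`; if local passwd lookups are all that is needed, the narrower interface was sufficient.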

+## -+gen_tunable(allow_nsplugin_execmem, false) ++gen_tunable(nsplugin_execmem, false) + +## +##

@@ -34697,7 +35180,7 @@ index 0000000..eeb5955 +read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) +read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) + -+tunable_policy(`allow_nsplugin_execmem',` ++tunable_policy(`nsplugin_execmem',` + allow nsplugin_t self:process { execstack execmem }; + allow nsplugin_config_t self:process { execstack execmem }; +') @@ -38435,11 +38918,73 @@ index 0000000..c08cddc +') + +userdom_home_manager(polipo_session_t) +diff --git a/portage.if b/portage.if +index b4bb48a..7098ded 100644 +--- a/portage.if ++++ b/portage.if +@@ -43,11 +43,15 @@ interface(`portage_domtrans',` + # + interface(`portage_run',` + gen_require(` +- attribute_role portage_roles; ++ type portage_t, portage_fetch_t, portage_sandbox_t; ++ #attribute_role portage_roles; + ') + +- portage_domtrans($1) +- roleattribute $2 portage_roles; ++ #portage_domtrans($1) ++ #roleattribute $2 portage_roles; ++ portage_domtrans($1) ++ role $2 types { portage_t portage_fetch_t portage_sandbox_t }; ++ + ') + + ######################################## diff --git a/portage.te b/portage.te -index 2af04b9..22bdf7d 100644 +index 2af04b9..f726e1d 100644 --- a/portage.te 
+++ b/portage.te -@@ -56,7 +56,7 @@ type portage_db_t; +@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4) + ## + gen_tunable(portage_use_nfs, false) + +-attribute_role portage_roles; ++#attribute_role portage_roles; + + type gcc_config_t; + type gcc_config_exec_t; +@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t) + domain_obj_id_change_exemption(portage_t) + rsync_entry_type(portage_t) + corecmd_shell_entry_type(portage_t) +-role portage_roles types portage_t; ++#role portage_roles types portage_t; ++role system_r types portage_t; + + # portage compile sandbox domain + type portage_sandbox_t; +@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t) + # the shell is the entrypoint if regular sandbox is disabled + # portage_exec_t is the entrypoint if regular sandbox is enabled + corecmd_shell_entry_type(portage_sandbox_t) +-role portage_roles types portage_sandbox_t; ++#role portage_roles types portage_sandbox_t; ++role system_r types portage_sandbox_t; + + # portage package fetching domain + type portage_fetch_t; +@@ -41,7 +43,8 @@ type portage_fetch_exec_t; + application_domain(portage_fetch_t, portage_fetch_exec_t) + corecmd_shell_entry_type(portage_fetch_t) + rsync_entry_type(portage_fetch_t) +-role portage_roles types portage_fetch_t; ++#role portage_roles types portage_fetch_t; ++role system_r types portage_fetch_t; + + type portage_devpts_t; + term_pty(portage_devpts_t) +@@ -56,7 +59,7 @@ type portage_db_t; files_type(portage_db_t) type portage_conf_t; 
@@ -38448,7 +38993,17 @@ index 2af04b9..22bdf7d 100644 type portage_cache_t; files_type(portage_cache_t) -@@ -124,9 +124,11 @@ logging_send_syslog_msg(gcc_config_t) +@@ -115,7 +118,8 @@ files_list_all(gcc_config_t) + init_dontaudit_read_script_status_files(gcc_config_t) + + libs_read_lib_files(gcc_config_t) +-libs_run_ldconfig(gcc_config_t, portage_roles) ++#libs_run_ldconfig(gcc_config_t, portage_roles) ++libs_domtrans_ldconfig(gcc_config_t) + libs_manage_shared_libs(gcc_config_t) + # gcc-config creates a temp dir for the libs + libs_manage_lib_dirs(gcc_config_t) +@@ -124,9 +128,11 @@ logging_send_syslog_msg(gcc_config_t) miscfiles_read_localization(gcc_config_t) 
@@ -38462,7 +39017,62 @@ index 2af04b9..22bdf7d 100644 ifdef(`distro_gentoo',` init_exec_rc(gcc_config_t) -@@ -302,11 +304,9 @@ miscfiles_read_localization(portage_fetch_t) +@@ -194,33 +200,41 @@ auth_manage_shadow(portage_t) + init_exec(portage_t) + + # run setfiles -r +-seutil_run_setfiles(portage_t, portage_roles) ++#seutil_run_setfiles(portage_t, portage_roles) + # run semodule +-seutil_run_semanage(portage_t, portage_roles) ++#seutil_run_semanage(portage_t, portage_roles) + +-portage_run_gcc_config(portage_t, portage_roles) ++#portage_run_gcc_config(portage_t, portage_roles) + # if sesandbox is disabled, compiling is performed in this domain + portage_compile_domain(portage_t) + +-optional_policy(` +- bootloader_run(portage_t, portage_roles) +-') ++#optional_policy(` ++# bootloader_run(portage_t, portage_roles) ++#') + + optional_policy(` + cron_system_entry(portage_t, portage_exec_t) + cron_system_entry(portage_fetch_t, portage_fetch_exec_t) + ') + +-optional_policy(` +- modutils_run_depmod(portage_t, portage_roles) +- modutils_run_update_mods(portage_t, portage_roles) ++#optional_policy(` ++# modutils_run_depmod(portage_t, portage_roles) ++# modutils_run_update_mods(portage_t, portage_roles) + #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; + ') + +-optional_policy(` +- usermanage_run_groupadd(portage_t, portage_roles) +- usermanage_run_useradd(portage_t, portage_roles) +-') ++#optional_policy(` ++# usermanage_run_groupadd(portage_t, portage_roles) ++# usermanage_run_useradd(portage_t, portage_roles) ++#') ++ ++seutil_domtrans_setfiles(portage_t) ++seutil_domtrans_semanage(portage_t) ++bootloader_domtrans(portage_t) ++modutils_domtrans_depmod(portage_t) ++modutils_domtrans_update_mods(portage_t) ++usermanage_domtrans_groupadd(portage_t) ++usermanage_domtrans_useradd(portage_t) + + ifdef(`TODO',` + # seems to work ok without these +@@ -302,11 +316,9 @@ miscfiles_read_localization(portage_fetch_t) sysnet_read_config(portage_fetch_t) 
sysnet_dns_name_resolve(portage_fetch_t) @@ -38475,7 +39085,7 @@ index 2af04b9..22bdf7d 100644 ifdef(`hide_broken_symptoms',` dontaudit portage_fetch_t portage_cache_t:file read; ') -@@ -322,6 +322,10 @@ optional_policy(` +@@ -322,6 +334,10 @@ optional_policy(` gpg_exec(portage_fetch_t) ') @@ -39082,7 +39692,7 @@ index 46bee12..99499ef 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index 69cbd06..f278544 100644 +index 69cbd06..c990292 100644 --- a/postfix.te +++ b/postfix.te @@ -1,10 +1,19 @@ @@ -39099,7 +39709,7 @@ index 69cbd06..f278544 100644 +## Allow postfix_local domain full write access to mail_spool directories +##
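Review bot: Commenting out `optional_policy(\`` and the two `modutils_run_*` lines while leaving the context lines `#dontaudit update_modules_t …` and `')` untouched appears to leave a closing `')` with no opening macro call on the new side of portage.te, which should fail the m4/checkpolicy build; that `')` needs the same `#` prefix (the bootloader and usermanage blocks around it are commented out consistently). Separately, `bootloader_domtrans(portage_t)`, `modutils_domtrans_depmod`, `modutils_domtrans_update_mods`, `usermanage_domtrans_groupadd` and `usermanage_domtrans_useradd` are now unconditional where the removed `*_run` calls sat inside optional_policy, so the portage module now hard-requires those modules to be loaded; wrapping each group in `optional_policy(\`…')` again keeps the module loadable without them.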

+##
-+gen_tunable(allow_postfix_local_write_mail_spool, true) ++gen_tunable(postfix_local_write_mail_spool, true) + +attribute postfix_domain; +attribute postfix_spool_type; @@ -39291,7 +39901,7 @@ index 69cbd06..f278544 100644 +userdom_read_user_home_content_files(postfix_local_t) +userdom_exec_user_bin_files(postfix_local_t) + -+tunable_policy(`allow_postfix_local_write_mail_spool',` ++tunable_policy(`postfix_local_write_mail_spool',` + mta_manage_spool(postfix_local_t) +') @@ -39725,7 +40335,7 @@ index 2d82c6d..ff2c96a 100644 -/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) +/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/ppp.if b/ppp.if -index de4bdb7..c174b05 100644 +index de4bdb7..a4cad0b 100644 --- a/ppp.if +++ b/ppp.if @@ -66,7 +66,6 @@ interface(`ppp_sigchld',` @@ -39736,7 +40346,29 @@ index de4bdb7..c174b05 100644 interface(`ppp_kill',` gen_require(` type pppd_t; -@@ -276,7 +275,8 @@ interface(`ppp_read_pid_files',` +@@ -176,11 +175,18 @@ interface(`ppp_run_cond',` + # + interface(`ppp_run',` + gen_require(` +- attribute_role pppd_roles; ++ #attribute_role pppd_roles; ++ type pppd_t; + ') + +- ppp_domtrans($1) +- roleattribute $2 pppd_roles; ++ #ppp_domtrans($1) ++ #roleattribute $2 pppd_roles; ++ ++ role $2 types pppd_t; ++ ++ tunable_policy(`pppd_for_user',` ++ ppp_domtrans($1) ++ ') + ') + + ######################################## +@@ -276,7 +282,8 @@ interface(`ppp_read_pid_files',` type pppd_var_run_t; ') @@ -39746,7 +40378,7 @@ index de4bdb7..c174b05 100644 ') ######################################## -@@ -294,6 +294,7 @@ interface(`ppp_manage_pid_files',` +@@ -294,6 +301,7 @@ interface(`ppp_manage_pid_files',` type pppd_var_run_t; ') @@ -39754,7 +40386,7 @@ index de4bdb7..c174b05 100644 allow $1 pppd_var_run_t:file manage_file_perms; ') -@@ -335,6 +336,29 @@ interface(`ppp_initrc_domtrans',` +@@ -335,6 +343,29 @@ interface(`ppp_initrc_domtrans',` ######################################## ## 
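Review bot: In the new `ppp_run` body `role $2 types pppd_t;` is granted unconditionally while `ppp_domtrans($1)` is gated by `tunable_policy(\`pppd_for_user'`, so ppp_run now behaves like the `ppp_run_cond` interface declared just above it (visible in the hunk header), and callers reading the ppp_run description — which is outside this hunk — will expect an unconditional transition. Either update that description to say the transition depends on pppd_for_user, or have ppp_run call ppp_run_cond so the condition lives in one place. The `#ppp_domtrans($1)` and `#roleattribute $2 pppd_roles;` remnants can be dropped.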
@@ -39784,7 +40416,7 @@ index de4bdb7..c174b05 100644 ## All of the rules required to administrate ## an ppp environment ## -@@ -343,20 +367,31 @@ interface(`ppp_initrc_domtrans',` +@@ -343,20 +374,31 @@ interface(`ppp_initrc_domtrans',` ## Domain allowed access. ##
## @@ -39821,7 +40453,7 @@ index de4bdb7..c174b05 100644 ppp_initrc_domtrans($1) domain_system_change_exemption($1) -@@ -369,6 +404,7 @@ interface(`ppp_admin',` +@@ -369,6 +411,7 @@ interface(`ppp_admin',` logging_list_logs($1) admin_pattern($1, pppd_log_t) @@ -39829,7 +40461,7 @@ index de4bdb7..c174b05 100644 admin_pattern($1, pppd_lock_t) files_list_etc($1) -@@ -381,10 +417,11 @@ interface(`ppp_admin',` +@@ -381,10 +424,11 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) @@ -39845,10 +40477,28 @@ index de4bdb7..c174b05 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index bcbf9ac..17e10a2 100644 +index bcbf9ac..92cec2b 100644 --- a/ppp.te +++ b/ppp.te -@@ -42,6 +42,9 @@ files_type(pppd_etc_rw_t) +@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) + ## + gen_tunable(pppd_for_user, false) + +-attribute_role pppd_roles; ++#attribute_role pppd_roles; + + # pppd_t is the domain for the pppd program. + # pppd_exec_t is the type of the pppd executable. + type pppd_t; + type pppd_exec_t; + init_daemon_domain(pppd_t, pppd_exec_t) +-role pppd_roles types pppd_t; ++#role pppd_roles types pppd_t; ++role system_r types pppd_t; + + type pppd_devpts_t; + term_pty(pppd_devpts_t) +@@ -42,6 +43,9 @@ files_type(pppd_etc_rw_t) type pppd_initrc_exec_t alias pppd_script_exec_t; init_script_file(pppd_initrc_exec_t) @@ -39858,7 +40508,17 @@ index bcbf9ac..17e10a2 100644 # pppd_secret_t is the type of the pap and chap password files type pppd_secret_t; files_type(pppd_secret_t) -@@ -74,9 +77,9 @@ files_pid_file(pptp_var_run_t) +@@ -61,7 +65,8 @@ files_pid_file(pppd_var_run_t) + type pptp_t; + type pptp_exec_t; + init_daemon_domain(pptp_t, pptp_exec_t) +-role pppd_roles types pptp_t; ++#role pppd_roles types pptp_t; ++role system_r types pptp_t; + + type pptp_log_t; + logging_log_file(pptp_log_t) +@@ -74,9 +79,9 @@ files_pid_file(pptp_var_run_t) # PPPD Local policy # 
@@ -39870,7 +40530,7 @@ index bcbf9ac..17e10a2 100644 allow pppd_t self:fifo_file rw_fifo_file_perms; allow pppd_t self:socket create_socket_perms; allow pppd_t self:unix_dgram_socket create_socket_perms; -@@ -88,28 +91,29 @@ allow pppd_t self:packet_socket create_socket_perms; +@@ -88,28 +93,29 @@ allow pppd_t self:packet_socket create_socket_perms; domtrans_pattern(pppd_t, pptp_exec_t, pptp_t) @@ -39906,7 +40566,7 @@ index bcbf9ac..17e10a2 100644 allow pppd_t pptp_t:process signal; -@@ -147,10 +151,12 @@ fs_getattr_all_fs(pppd_t) +@@ -147,10 +153,12 @@ fs_getattr_all_fs(pppd_t) fs_search_auto_mountpoints(pppd_t) term_use_unallocated_ttys(pppd_t) @@ -39919,16 +40579,17 @@ index bcbf9ac..17e10a2 100644 # allow running ip-up and ip-down scripts and running chat. corecmd_exec_bin(pppd_t) -@@ -170,6 +176,8 @@ init_dontaudit_write_utmp(pppd_t) +@@ -170,6 +178,9 @@ init_dontaudit_write_utmp(pppd_t) init_signal_script(pppd_t) auth_use_nsswitch(pppd_t) -+auth_run_chk_passwd(pppd_t,pppd_roles) ++auth_domtrans_chk_passwd(pppd_t) ++#auth_run_chk_passwd(pppd_t,pppd_roles) +auth_write_login_records(pppd_t) logging_send_syslog_msg(pppd_t) logging_send_audit_msgs(pppd_t) -@@ -180,9 +188,10 @@ sysnet_exec_ifconfig(pppd_t) +@@ -180,24 +191,34 @@ sysnet_exec_ifconfig(pppd_t) sysnet_manage_config(pppd_t) sysnet_etc_filetrans_config(pppd_t) @@ -39940,16 +40601,19 @@ index bcbf9ac..17e10a2 100644 ppp_exec(pppd_t) -@@ -191,13 +200,21 @@ optional_policy(` - ') - optional_policy(` -+ l2tpd_dgram_send(pppd_t) -+ l2tpd_rw_socket(pppd_t) -+ l2tpd_stream_connect(pppd_t) +- ddclient_run(pppd_t, pppd_roles) ++ #ddclient_run(pppd_t, pppd_roles) ++ ddclient_domtrans(pppd_t) +') + +optional_policy(` ++ l2tpd_dgram_send(pppd_t) ++ l2tpd_rw_socket(pppd_t) ++ l2tpd_stream_connect(pppd_t) + ') + + optional_policy(` tunable_policy(`pppd_can_insmod',` - modutils_domtrans_insmod(pppd_t) + modutils_domtrans_insmod_uncond(pppd_t) 
@@ -39963,7 +40627,7 @@ index bcbf9ac..17e10a2 100644 ') optional_policy(` -@@ -247,14 +264,18 @@ allow pptp_t pppd_log_t:file append_file_perms; +@@ -247,14 +268,18 @@ allow pptp_t pppd_log_t:file append_file_perms; allow pptp_t pptp_log_t:file manage_file_perms; logging_log_filetrans(pptp_t, pptp_log_t, file) @@ -46076,9 +46740,27 @@ index dddabcf..fa20a5d 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index 19bb611..6119300 100644 +index 19bb611..42ca54c 100644 --- a/rpc.te +++ b/rpc.te +@@ -10,7 +10,7 @@ policy_module(rpc, 1.13.1) + ## Allow gssd to read temp directory. For access to kerberos tgt. + ##

+ ## +-gen_tunable(allow_gssd_read_tmp, true) ++gen_tunable(gssd_read_tmp, true) + + ## + ##

+@@ -19,7 +19,7 @@ gen_tunable(allow_gssd_read_tmp, true) + ## labeled public_content_rw_t. + ##

+ ##
+-gen_tunable(allow_nfsd_anon_write, false) ++gen_tunable(nfsd_anon_write, false) + + type exports_t; + files_config_file(exports_t) @@ -39,11 +39,17 @@ rpc_domain_template(rpcd) type rpcd_initrc_exec_t; init_script_file(rpcd_initrc_exec_t) @@ -46204,15 +46886,18 @@ index 19bb611..6119300 100644 storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) -@@ -148,6 +184,8 @@ storage_raw_read_removable_device(nfsd_t) +@@ -148,8 +184,10 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) + # Write access to public_content_t and public_content_rw_t - tunable_policy(`allow_nfsd_anon_write',` +-tunable_policy(`allow_nfsd_anon_write',` ++tunable_policy(`nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) + ') + @@ -158,7 +196,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) @@ -46260,7 +46945,8 @@ index 19bb611..6119300 100644 - userdom_signal_all_users(gssd_t) - tunable_policy(`allow_gssd_read_tmp',` +-tunable_policy(`allow_gssd_read_tmp',` ++tunable_policy(`gssd_read_tmp',` userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) @@ -47057,7 +47743,7 @@ index 3386f29..8d8f6c5 100644 + files_etc_filetrans($1, rsync_etc_t, $2) +') diff --git a/rsync.te b/rsync.te -index ba98794..008c4e1 100644 +index ba98794..77a6381 100644 --- a/rsync.te +++ b/rsync.te @@ -7,6 +7,27 @@ policy_module(rsync, 1.11.1) @@ -47088,6 +47774,15 @@ index ba98794..008c4e1 100644 ## Allow rsync to export any files/directories read only. ##

## +@@ -19,7 +40,7 @@ gen_tunable(rsync_export_all_ro, false) + ## labeled public_content_rw_t. + ##

+ ## +-gen_tunable(allow_rsync_anon_write, false) ++gen_tunable(rsync_anon_write, false) + + type rsync_t; + type rsync_exec_t; @@ -59,7 +80,7 @@ allow rsync_t self:udp_socket connected_socket_perms; allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; #end for identd @@ -47097,6 +47792,15 @@ index ba98794..008c4e1 100644 allow rsync_t rsync_data_t:dir list_dir_perms; read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) +@@ -105,7 +126,7 @@ logging_send_syslog_msg(rsync_t) + miscfiles_read_localization(rsync_t) + miscfiles_read_public_files(rsync_t) + +-tunable_policy(`allow_rsync_anon_write',` ++tunable_policy(`rsync_anon_write',` + miscfiles_manage_public_files(rsync_t) + ') + @@ -121,13 +142,39 @@ optional_policy(` inetd_service_domain(rsync_t, rsync_exec_t) ') @@ -47244,7 +47948,7 @@ index a07b2f4..36b4903 100644 + +userdom_getattr_user_terminals(rwho_t) diff --git a/samba.fc b/samba.fc -index 69a6074..5c02dec 100644 +index 69a6074..3d65472 100644 --- a/samba.fc +++ b/samba.fc @@ -14,6 +14,8 @@ 
@@ -47256,17 +47960,22 @@ index 69a6074..5c02dec 100644 /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) -@@ -36,6 +38,9 @@ +@@ -36,6 +38,10 @@ /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) +/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) ++/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) + +/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) -@@ -51,3 +56,7 @@ +@@ -48,6 +54,11 @@ + /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) + ++/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) @@ -47275,13 +47984,32 @@ index 69a6074..5c02dec 100644 +/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0) +') diff --git a/samba.if b/samba.if -index 82cb169..f9a546d 100644 +index 82cb169..9642fe3 100644 --- a/samba.if 
+++ b/samba.if -@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',` +@@ -42,6 +42,44 @@ interface(`samba_signal_nmbd',` ######################################## ## ++## Search the samba pid directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`samba_search_pid',` ++ gen_require(` ++ type smbd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 smbd_var_run_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Connect to nmbd. +## +## @@ -47295,7 +48023,7 @@ index 82cb169..f9a546d 100644 + type nmbd_t, nmbd_var_run_t; + ') + -+ files_search_pids($1) ++ samba_search_pid($1) + stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) +') + @@ -47304,7 +48032,7 @@ index 82cb169..f9a546d 100644 ## Execute samba server in the samba domain. ##
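Review bot: The new `samba_search_pid` interface grants `allow $1 smbd_var_run_t:dir search_dir_perms;`, but its parameter description reads `## Domain to not audit.`, which is the wording used for dontaudit interfaces; it should be `## Domain allowed access.` so the generated interface documentation does not misclassify it. Since `samba_search_pid` already calls `files_search_pids($1)`, the `samba_stream_connect_nmbd` body below it, which now calls only `samba_search_pid($1)`, is consistent with that.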
## -@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',` +@@ -60,6 +98,29 @@ interface(`samba_initrc_domtrans',` ######################################## ## @@ -47334,7 +48062,7 @@ index 82cb169..f9a546d 100644 ## Execute samba net in the samba_net domain. ## ## -@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',` +@@ -79,6 +140,25 @@ interface(`samba_domtrans_net',` ######################################## ## @@ -47360,7 +48088,7 @@ index 82cb169..f9a546d 100644 ## Execute samba net in the samba_net domain, and ## allow the specified role the samba_net domain. ## -@@ -103,6 +164,51 @@ interface(`samba_run_net',` +@@ -103,6 +183,51 @@ interface(`samba_run_net',` role $2 types samba_net_t; ') @@ -47412,7 +48140,7 @@ index 82cb169..f9a546d 100644 ######################################## ## ## Execute smbmount in the smbmount domain. -@@ -409,9 +515,10 @@ interface(`samba_manage_var_files',` +@@ -409,9 +534,10 @@ interface(`samba_manage_var_files',` type samba_var_t; ') @@ -47424,7 +48152,7 @@ index 82cb169..f9a546d 100644 ') ######################################## -@@ -564,6 +671,7 @@ interface(`samba_domtrans_winbind_helper',` +@@ -564,6 +690,7 @@ interface(`samba_domtrans_winbind_helper',` ') domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) 
@@ -47432,15 +48160,28 @@ index 82cb169..f9a546d 100644 ') ######################################## -@@ -629,6 +737,7 @@ interface(`samba_stream_connect_winbind',` - files_search_pids($1) +@@ -607,7 +734,7 @@ interface(`samba_read_winbind_pid',` + type winbind_var_run_t; + ') + +- files_search_pids($1) ++ samba_search_pid($1) + allow $1 winbind_var_run_t:file read_file_perms; + ') + +@@ -626,9 +753,10 @@ interface(`samba_stream_connect_winbind',` + type samba_var_t, winbind_t, winbind_var_run_t; + ') + +- files_search_pids($1) ++ samba_search_pid($1) allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) + samba_read_config($1) ifndef(`distro_redhat',` gen_require(` -@@ -644,6 +753,37 @@ interface(`samba_stream_connect_winbind',` +@@ -644,6 +772,37 @@ interface(`samba_stream_connect_winbind',` ######################################## ## @@ -47478,7 +48219,7 @@ index 82cb169..f9a546d 100644 ## All of the rules required to administrate ## an samba environment ## -@@ -661,33 +801,33 @@ interface(`samba_stream_connect_winbind',` +@@ -661,33 +820,33 @@ interface(`samba_stream_connect_winbind',` # interface(`samba_admin',` gen_require(` @@ -47533,7 +48274,7 @@ index 82cb169..f9a546d 100644 init_labeled_script_domtrans($1, samba_initrc_exec_t) domain_system_change_exemption($1) -@@ -727,4 +867,9 @@ interface(`samba_admin',` +@@ -727,4 +886,9 @@ interface(`samba_admin',` admin_pattern($1, winbind_tmp_t) admin_pattern($1, winbind_var_run_t) @@ -47544,9 +48285,18 @@ index 82cb169..f9a546d 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index fc22785..627d070 100644 +index fc22785..350850b 100644 --- a/samba.te +++ b/samba.te +@@ -12,7 +12,7 @@ policy_module(samba, 1.14.1) + ## public_content_rw_t. + ##

+ ## +-gen_tunable(allow_smbd_anon_write, false) ++gen_tunable(smbd_anon_write, false) + + ## + ##

@@ -32,6 +32,14 @@ gen_tunable(samba_domain_controller, false) ## @@ -47621,17 +48371,15 @@ index fc22785..627d070 100644 dontaudit smbd_t self:capability sys_tty_config; allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow smbd_t self:process setrlimit; -@@ -248,7 +265,9 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; - +@@ -249,6 +266,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow smbd_t nmbd_t:process { signal signull }; -+allow winbind_t smbd_var_run_t:dir search_dir_perms; allow smbd_t nmbd_var_run_t:file rw_file_perms; +stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) allow smbd_t samba_etc_t:file { rw_file_perms setattr }; -@@ -263,12 +282,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) +@@ -263,12 +281,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t) manage_files_pattern(smbd_t, samba_share_t, samba_share_t) manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) @@ -47646,7 +48394,7 @@ index fc22785..627d070 100644 allow smbd_t smbcontrol_t:process { signal signull }; -@@ -279,7 +299,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) +@@ -279,7 +298,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) @@ -47655,7 +48403,7 @@ index fc22785..627d070 100644 allow smbd_t swat_t:process signal; -@@ -316,6 +336,7 @@ corenet_tcp_connect_smbd_port(smbd_t) +@@ -316,6 +335,7 @@ corenet_tcp_connect_smbd_port(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) 
@@ -47663,7 +48411,7 @@ index fc22785..627d070 100644 dev_getattr_mtrr_dev(smbd_t) dev_dontaudit_getattr_usbfs_dirs(smbd_t) # For redhat bug 566984 -@@ -323,15 +344,18 @@ dev_getattr_all_blk_files(smbd_t) +@@ -323,15 +343,18 @@ dev_getattr_all_blk_files(smbd_t) dev_getattr_all_chr_files(smbd_t) fs_getattr_all_fs(smbd_t) @@ -47682,7 +48430,7 @@ index fc22785..627d070 100644 domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -343,6 +367,7 @@ files_read_usr_files(smbd_t) +@@ -343,6 +366,7 @@ files_read_usr_files(smbd_t) files_search_spool(smbd_t) # smbd seems to getattr all mountpoints files_dontaudit_getattr_all_dirs(smbd_t) @@ -47690,7 +48438,7 @@ index fc22785..627d070 100644 # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -354,6 +379,8 @@ logging_send_syslog_msg(smbd_t) +@@ -354,6 +378,8 @@ logging_send_syslog_msg(smbd_t) miscfiles_read_localization(smbd_t) miscfiles_read_public_files(smbd_t) @@ -47699,9 +48447,12 @@ index fc22785..627d070 100644 userdom_use_unpriv_users_fds(smbd_t) userdom_search_user_home_content(smbd_t) userdom_signal_all_users(smbd_t) -@@ -370,6 +397,11 @@ ifdef(`hide_broken_symptoms', ` +@@ -368,8 +394,13 @@ ifdef(`hide_broken_symptoms', ` + fs_dontaudit_getattr_tmpfs_dirs(smbd_t) + ') - tunable_policy(`allow_smbd_anon_write',` +-tunable_policy(`allow_smbd_anon_write',` ++tunable_policy(`smbd_anon_write',` miscfiles_manage_public_files(smbd_t) +') + @@ -47711,7 +48462,7 @@ index fc22785..627d070 100644 ') tunable_policy(`samba_domain_controller',` -@@ -385,12 +417,7 @@ tunable_policy(`samba_domain_controller',` +@@ -385,12 +416,7 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -47725,7 +48476,7 @@ index fc22785..627d070 100644 ') # Support Samba sharing of NFS mount points -@@ -411,6 +438,11 @@ tunable_policy(`samba_share_fusefs',` +@@ -411,6 +437,11 @@ tunable_policy(`samba_share_fusefs',` ') optional_policy(` 
@@ -47737,7 +48488,7 @@ index fc22785..627d070 100644 cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) ') -@@ -421,6 +453,11 @@ optional_policy(` +@@ -421,6 +452,11 @@ optional_policy(` ') optional_policy(` @@ -47749,7 +48500,7 @@ index fc22785..627d070 100644 lpd_exec_lpr(smbd_t) ') -@@ -444,26 +481,26 @@ optional_policy(` +@@ -444,26 +480,26 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) @@ -47788,19 +48539,29 @@ index fc22785..627d070 100644 ######################################## # # nmbd Local policy -@@ -483,8 +520,10 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -483,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+manage_dirs_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) ++manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) +manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) +files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file }) ++filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -554,18 +593,21 @@ optional_policy(` +@@ -496,8 +535,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) + + allow nmbd_t smbcontrol_t:process signal; + +-allow nmbd_t smbd_var_run_t:dir rw_dir_perms; +- + kernel_getattr_core_if(nmbd_t) + kernel_getattr_message_if(nmbd_t) + kernel_read_kernel_sysctls(nmbd_t) +@@ -554,18 +591,21 @@ optional_policy(` # smbcontrol local policy # 
@@ -47826,7 +48587,7 @@ index fc22785..627d070 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -573,11 +615,21 @@ samba_read_winbind_pid(smbcontrol_t) +@@ -573,11 +613,21 @@ samba_read_winbind_pid(smbcontrol_t) domain_use_interactive_fds(smbcontrol_t) @@ -47849,7 +48610,7 @@ index fc22785..627d070 100644 ######################################## # -@@ -596,7 +648,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; +@@ -596,7 +646,7 @@ allow smbmount_t samba_etc_t:file read_file_perms; can_exec(smbmount_t, smbmount_exec_t) @@ -47858,7 +48619,7 @@ index fc22785..627d070 100644 allow smbmount_t samba_log_t:file manage_file_perms; allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -643,19 +695,21 @@ auth_use_nsswitch(smbmount_t) +@@ -643,19 +693,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -47883,7 +48644,7 @@ index fc22785..627d070 100644 ######################################## # # SWAT Local policy -@@ -676,7 +730,8 @@ samba_domtrans_nmbd(swat_t) +@@ -676,7 +728,8 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; @@ -47893,7 +48654,7 @@ index fc22785..627d070 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -691,12 +746,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -691,12 +744,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -47908,7 +48669,7 @@ index fc22785..627d070 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -709,6 +766,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -709,6 +764,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; 
@@ -47916,7 +48677,7 @@ index fc22785..627d070 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -751,8 +809,12 @@ logging_send_syslog_msg(swat_t) +@@ -751,8 +807,12 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -47929,17 +48690,16 @@ index fc22785..627d070 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -782,7 +844,8 @@ allow winbind_t self:udp_socket create_socket_perms; +@@ -782,7 +842,7 @@ allow winbind_t self:udp_socket create_socket_perms; allow winbind_t nmbd_t:process { signal signull }; -allow winbind_t nmbd_var_run_t:file read_file_perms; -+allow winbind_t smbd_var_run_t:dir search_dir_perms; +read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t) allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -805,15 +868,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -805,15 +865,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) 
@@ -47951,11 +48711,14 @@ index fc22785..627d070 100644 +userdom_manage_user_tmp_files(winbind_t) +userdom_tmp_filetrans_user_tmp(winbind_t, { file dir }) -+manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) ++manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t) -files_pid_filetrans(winbind_t, winbind_var_run_t, file) -+files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir }) ++files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir }) ++filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir) ++# /run/samba/krb5cc_samba ++manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) +kernel_read_network_state(winbind_t) kernel_read_kernel_sysctls(winbind_t) @@ -48032,14 +48795,14 @@ index fc22785..627d070 100644 + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) +') - ++ +type samba_unconfined_script_t; +type samba_unconfined_script_exec_t; +domain_type(samba_unconfined_script_t) +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +corecmd_shell_entry_type(samba_unconfined_script_t) +role system_r types samba_unconfined_script_t; -+ + +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +allow smbd_t samba_unconfined_script_exec_t:file ioctl; + @@ -49201,9 +49964,18 @@ index f1aea88..3e6a93f 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/sasl.te b/sasl.te -index 9d9f8ce..7f7983a 100644 +index 9d9f8ce..15569f0 100644 --- a/sasl.te +++ b/sasl.te +@@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0) + ## Allow sasl to read shadow + ##
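Review bot: The added `manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)` grants winbind_t create/write/unlink on every file labeled smbd_var_run_t, while the comment right above it names a single target, `/run/samba/krb5cc_samba`, so the rule is much wider than its stated purpose and presumably lets winbind overwrite or remove smbd's own run-time files of that type. The line just before, `filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)`, already shows the narrower approach for directories: give winbind's objects winbind's type instead of opening smbd's. If this policy build supports named file transitions, the same can be done for the cache, e.g. `filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, file, "krb5cc_samba")`, and the broad manage rule dropped; if it must stay, the comment should say that winbind has to create and delete the cache (not just read it) so the next reader does not narrow it to a read rule by mistake. The winbind_t local policy continues past the end of the hunk.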

+ ##
+-gen_tunable(allow_saslauthd_read_shadow, false) ++gen_tunable(saslauthd_read_shadow, false) + + type saslauthd_t; + type saslauthd_exec_t; @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) type saslauthd_initrc_exec_t; init_script_file(saslauthd_initrc_exec_t) @@ -49246,7 +50018,14 @@ index 9d9f8ce..7f7983a 100644 corenet_sendrecv_pop_client_packets(saslauthd_t) dev_read_urand(saslauthd_t) -@@ -94,6 +95,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` +@@ -88,12 +89,13 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t) + + # cjp: typeattribute doesnt work in conditionals + auth_can_read_shadow_passwords(saslauthd_t) +-tunable_policy(`allow_saslauthd_read_shadow',` ++tunable_policy(`saslauthd_read_shadow',` + auth_tunable_read_shadow(saslauthd_t) + ') optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) @@ -49950,7 +50729,7 @@ index bcdd16c..039b0c8 100644 files_list_var_lib($1) admin_pattern($1, setroubleshoot_var_lib_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 086cd5f..e010142 100644 +index 086cd5f..4e69f51 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) @@ -50054,7 +50833,7 @@ index 086cd5f..e010142 100644 rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) -@@ -151,7 +173,11 @@ kernel_read_system_state(setroubleshoot_fixit_t) +@@ -151,7 +173,12 @@ kernel_read_system_state(setroubleshoot_fixit_t) corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) 
@@ -50063,10 +50842,11 @@ index 086cd5f..e010142 100644 + seutil_domtrans_setfiles(setroubleshoot_fixit_t) +seutil_domtrans_setsebool(setroubleshoot_fixit_t) ++seutil_read_module_store(setroubleshoot_fixit_t) files_read_usr_files(setroubleshoot_fixit_t) files_read_etc_files(setroubleshoot_fixit_t) -@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) +@@ -164,6 +191,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t) miscfiles_read_localization(setroubleshoot_fixit_t) @@ -51451,7 +52231,7 @@ index c954f31..82fc7f6 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/spamassassin.te b/spamassassin.te -index 1bbf73b..b012a5c 100644 +index 1bbf73b..4b5b6fa 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -6,52 +6,101 @@ policy_module(spamassassin, 2.5.0) @@ -51614,7 +52394,7 @@ index 1bbf73b..b012a5c 100644 sysnet_read_config(spamassassin_t) ') -@@ -154,18 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',` +@@ -154,25 +208,13 @@ tunable_policy(`spamd_enable_home_dirs',` userdom_manage_user_home_content_symlinks(spamd_t) ') @@ -51633,6 +52413,14 @@ index 1bbf73b..b012a5c 100644 optional_policy(` # Write pid file and socket in ~/.evolution/cache/tmp evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file }) + ') + + optional_policy(` +- tunable_policy(`spamassassin_can_network && allow_ypbind',` ++ tunable_policy(`spamassassin_can_network && nis_enabled',` + nis_use_ypbind_uncond(spamassassin_t) + ') + ') @@ -180,6 +222,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) 
@@ -54516,25 +55304,108 @@ index f25ed61..390de9e 100644 + files_search_mnt(consolehelper_domain) + fs_search_cifs(consolehelper_domain) +') +diff --git a/usernetctl.if b/usernetctl.if +index d45c715..2d4f1ba 100644 +--- a/usernetctl.if ++++ b/usernetctl.if +@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',` + # + interface(`usernetctl_run',` + gen_require(` +- attribute_role usernetctl_roles; ++ type usernetctl_t; ++ #attribute_role usernetctl_roles; + ') + +- usernetctl_domtrans($1) +- roleattribute $2 usernetctl_roles; ++ #usernetctl_domtrans($1) ++ #roleattribute $2 usernetctl_roles; ++ ++ sysnet_run_ifconfig(usernetctl_t, $2) ++ sysnet_run_dhcpc(usernetctl_t, $2) ++ ++ optional_policy(` ++ iptables_run(usernetctl_t, $2) ++ ') ++ ++ optional_policy(` ++ modutils_run_insmod(usernetctl_t, $2) ++ ') ++ ++ optional_policy(` ++ ppp_run(usernetctl_t, $2) ++ ') ++ + ') diff --git a/usernetctl.te b/usernetctl.te -index 19c70bb..8604c1c 100644 +index 19c70bb..35b12a6 100644 --- a/usernetctl.te 
+++ b/usernetctl.te -@@ -60,11 +60,12 @@ miscfiles_read_localization(usernetctl_t) +@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0) + # Declarations + # + +-attribute_role usernetctl_roles; ++#attribute_role usernetctl_roles; + + type usernetctl_t; + type usernetctl_exec_t; + application_domain(usernetctl_t, usernetctl_exec_t) + domain_interactive_fd(usernetctl_t) +-role usernetctl_roles types usernetctl_t; ++#role usernetctl_roles types usernetctl_t; ++role system_r types usernetctl_t; + + ######################################## + # +@@ -60,31 +61,33 @@ miscfiles_read_localization(usernetctl_t) seutil_read_config(usernetctl_t) sysnet_read_config(usernetctl_t) -+ +-sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) +-sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) + +-userdom_use_user_terminals(usernetctl_t) +userdom_use_inherited_user_terminals(usernetctl_t) + - sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) - sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) ++#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) ++#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) --userdom_use_user_terminals(usernetctl_t) -- optional_policy(` - consoletype_run(usernetctl_t, usernetctl_roles) +- consoletype_run(usernetctl_t, usernetctl_roles) ++ #consoletype_run(usernetctl_t, usernetctl_roles) ++ consoletype_exec(usernetctl_t) ') + + optional_policy(` + hostname_exec(usernetctl_t) + ') + +-optional_policy(` +- iptables_run(usernetctl_t, usernetctl_roles) +-') ++#optional_policy(` ++# iptables_run(usernetctl_t, usernetctl_roles) ++#') + +-optional_policy(` +- modutils_run_insmod(usernetctl_t, usernetctl_roles) +-') ++#optional_policy(` ++# modutils_run_insmod(usernetctl_t, usernetctl_roles) ++#') + + optional_policy(` + nis_use_ypbind(usernetctl_t) + ') + +-optional_policy(` +- ppp_run(usernetctl_t, usernetctl_roles) +-') ++#optional_policy(` ++# ppp_run(usernetctl_t, usernetctl_roles) ++#') diff --git a/uucp.if b/uucp.if index ebc5414..8f8ac45 100644 --- a/uucp.if 
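Review bot: `usernetctl_run` in usernetctl.if no longer performs a domain transition or grants the caller's role: `usernetctl_domtrans($1)` and `roleattribute $2 usernetctl_roles;` are commented out, so `$1` is now unused and the only role allowed into usernetctl_t is the hard-coded `role system_r types usernetctl_t;` added to usernetctl.te. Unless the transition is granted elsewhere, a user role calling `usernetctl_run(user_t, user_r)` gets ifconfig/dhcpc/iptables/insmod/ppp transitions for usernetctl_t but no way to enter that domain, and a `_run` interface that does not transition is misleading to other module authors. Either restore `usernetctl_domtrans($1)` together with `role $2 types usernetctl_t;`, or rename the interface and document in its header that it only grants the nested transitions for `$2`. The commented-out lines (`#usernetctl_domtrans($1)`, `#roleattribute ...`, the `#optional_policy` blocks in usernetctl.te) should be deleted rather than kept as dead text, since the policy build ignores them but readers will not.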
@@ -54553,7 +55424,7 @@ index ebc5414..8f8ac45 100644 logging_list_logs($1) admin_pattern($1, uucpd_log_t) diff --git a/uucp.te b/uucp.te -index d4349e9..fef39c0 100644 +index d4349e9..2f0887d 100644 --- a/uucp.te +++ b/uucp.te @@ -24,7 +24,7 @@ type uucpd_ro_t; @@ -54574,15 +55445,22 @@ index d4349e9..fef39c0 100644 uucp_append_log(uux_t) uucp_manage_spool(uux_t) -@@ -147,3 +149,8 @@ optional_policy(` - optional_policy(` - nscd_socket_use(uux_t) - ') +@@ -134,6 +136,8 @@ files_read_etc_files(uux_t) + + fs_rw_anon_inodefs_files(uux_t) + ++auth_use_nsswitch(uux_t) + -+optional_policy(` + logging_send_syslog_msg(uux_t) + + miscfiles_read_localization(uux_t) +@@ -145,5 +149,5 @@ optional_policy(` + ') + + optional_policy(` +- nscd_socket_use(uux_t) + postfix_rw_master_pipes(uux_t) -+') -+ + ') diff --git a/uuidd.fc b/uuidd.fc index a7c9381..d810232 100644 --- a/uuidd.fc @@ -56828,19 +57706,53 @@ index 8121937..275409f 100644 kernel_read_network_state(vnstat_t) kernel_read_system_state(vnstat_t) +diff --git a/vpn.if b/vpn.if +index 7b93e07..a4e2f60 100644 +--- a/vpn.if ++++ b/vpn.if +@@ -37,11 +37,16 @@ interface(`vpn_domtrans',` + # + interface(`vpn_run',` + gen_require(` +- attribute_role vpnc_roles; ++ #attribute_role vpnc_roles; ++ type vpnc_t; + ') + ++ #vpn_domtrans($1) ++ #roleattribute $2 vpnc_roles; ++ + vpn_domtrans($1) +- roleattribute $2 vpnc_roles; ++ role $2 types vpnc_t; ++ sysnet_run_ifconfig(vpnc_t, $2) + ') + + ######################################## diff --git a/vpn.te b/vpn.te -index 83a80ba..99fd457 100644 +index 83a80ba..d2585bb 100644 --- a/vpn.te 
+++ b/vpn.te -@@ -10,6 +10,7 @@ roleattribute system_r vpnc_roles; +@@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0) + # Declarations + # + +-attribute_role vpnc_roles; +-roleattribute system_r vpnc_roles; ++#attribute_role vpnc_roles; ++#roleattribute system_r vpnc_roles; type vpnc_t; type vpnc_exec_t; +init_system_domain(vpnc_t, vpnc_exec_t) application_domain(vpnc_t, vpnc_exec_t) - role vpnc_roles types vpnc_t; +-role vpnc_roles types vpnc_t; ++#role vpnc_roles types vpnc_t; ++role system_r types vpnc_t; -@@ -24,7 +25,7 @@ files_pid_file(vpnc_var_run_t) + type vpnc_tmp_t; + files_tmp_file(vpnc_tmp_t) +@@ -24,7 +26,7 @@ files_pid_file(vpnc_var_run_t) # Local policy # @@ -56849,7 +57761,7 @@ index 83a80ba..99fd457 100644 allow vpnc_t self:process { getsched signal }; allow vpnc_t self:fifo_file rw_fifo_file_perms; allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; -@@ -80,8 +81,8 @@ domain_use_interactive_fds(vpnc_t) +@@ -80,8 +82,8 @@ domain_use_interactive_fds(vpnc_t) fs_getattr_xattr_fs(vpnc_t) fs_getattr_tmpfs(vpnc_t) @@ -56860,7 +57772,7 @@ index 83a80ba..99fd457 100644 corecmd_exec_all_executables(vpnc_t) -@@ -92,6 +93,8 @@ files_dontaudit_search_home(vpnc_t) +@@ -92,6 +94,8 @@ files_dontaudit_search_home(vpnc_t) auth_use_nsswitch(vpnc_t) @@ -56869,7 +57781,13 @@ index 83a80ba..99fd457 100644 libs_exec_ld_so(vpnc_t) libs_exec_lib_files(vpnc_t) -@@ -110,7 +113,8 @@ sysnet_etc_filetrans_config(vpnc_t) +@@ -105,12 +109,13 @@ miscfiles_read_localization(vpnc_t) + seutil_dontaudit_search_config(vpnc_t) + seutil_use_newrole_fds(vpnc_t) + +-sysnet_run_ifconfig(vpnc_t, vpnc_roles) ++#sysnet_run_ifconfig(vpnc_t, vpnc_roles) + sysnet_etc_filetrans_config(vpnc_t) sysnet_manage_config(vpnc_t) userdom_use_all_users_fds(vpnc_t) @@ -57711,7 +58629,7 @@ index d995c70..1282d4c 100644 - ') ') diff --git a/xguest.te b/xguest.te -index e88b95f..e16a6c5 100644 +index e88b95f..6b9303f 100644 --- a/xguest.te +++ b/xguest.te 
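Review bot: vpn.te comments out `sysnet_run_ifconfig(vpnc_t, vpnc_roles)` and the ifconfig transition is now granted only inside `vpn_run` for whatever `$2` a caller passes, while the same hunk adds `init_system_domain(vpnc_t, vpnc_exec_t)` and `role system_r types vpnc_t;`. A vpnc started by init therefore runs in system_r but, as far as this hunk shows, has no vpnc_t→ifconfig transition unless some module calls `vpn_run(..., system_r)`, which would leave the daemon unable to configure its tunnel interface; if that is covered elsewhere, a one-line comment next to the `role system_r` line saying where would help. Consider keeping the domain-transition half of sysnet_run_ifconfig unconditionally in vpn.te and leaving only the per-role grant to the interface. The commented-out `#attribute_role`/`#roleattribute`/`#role` lines should be removed rather than kept as dead text. The vpnc_t local policy continues past the end of the hunk.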
@@ -14,7 +14,7 @@ gen_tunable(xguest_mount_media, true) @@ -57742,7 +58660,7 @@ index e88b95f..e16a6c5 100644 + +kernel_dontaudit_request_load_module(xguest_t) + -+tunable_policy(`allow_execstack',` ++tunable_policy(`selinuxuser_execstack',` + allow xguest_t self:process execstack; +') + @@ -58295,10 +59213,18 @@ index 6b87605..ef64e73 100644 init_labeled_script_domtrans($1, zebra_initrc_exec_t) domain_system_change_exemption($1) diff --git a/zebra.te b/zebra.te -index ade6c2c..76f5491 100644 +index ade6c2c..232b7bd 100644 --- a/zebra.te +++ b/zebra.te -@@ -18,7 +18,7 @@ type zebra_exec_t; +@@ -11,14 +11,14 @@ policy_module(zebra, 1.12.0) + ##

+ ## + # +-gen_tunable(allow_zebra_write_config, false) ++gen_tunable(zebra_write_config, false) + + type zebra_t; + type zebra_exec_t; init_daemon_domain(zebra_t, zebra_exec_t) type zebra_conf_t; @@ -58325,6 +59251,15 @@ index ade6c2c..76f5491 100644 logging_send_syslog_msg(zebra_t) miscfiles_read_localization(zebra_t) +@@ -115,7 +117,7 @@ sysnet_read_config(zebra_t) + userdom_dontaudit_use_unpriv_user_fds(zebra_t) + userdom_dontaudit_search_user_home_dirs(zebra_t) + +-tunable_policy(`allow_zebra_write_config',` ++tunable_policy(`zebra_write_config',` + manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t) + ') + diff --git a/zoneminder.fc b/zoneminder.fc new file mode 100644 index 0000000..47e388a diff --git a/selinux-policy.spec b/selinux-policy.spec index ab22ad1..fbd69a5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -259,11 +259,9 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-contrib-%{version} -q -b 29 %patch1 -p1 -%patch2 -p1 contrib_path=`pwd` %setup -n serefpolicy-%{version} -q %patch -p1 -%patch3 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib @@ -493,6 +491,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Sat Jun 9 2012 Miroslav Grepl 3.11.0-2 +- Rename boolean names to remove allow_ + * Thu Jun 7 2012 Miroslav Grepl 3.11.0-1 - Mass merge with upstream * new policy topology to include contrib policy modules