From 52ac61da456856a40a76b69e8f312599663ff23e Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jun 25 2012 05:09:24 +0000
Subject: * Mon Jun 25 2012 Miroslav Grepl 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy
- rhsmcertd reads the rpm database
- Dontaudit thumb to setattr on xdm_tmp dir
- Allow wicd to execute ldconfig in the networkmanager_t domain
- Add /var/run/cherokee\.pid labeling
- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too
- Allow postfix-master to r/w pipes other postfix domains
- Allow snort to create netlink_socket
- Add kdumpctl policy
- Allow firstboot to create tmp_t files/directories
- /usr/bin/paster should not be labeled as piranha_exec_t
- remove initrc_domain from tomcat
- Allow ddclient to read /etc/passwd
- Allow useradd to delete all file types stored in the users homedir
- Allow ldconfig and insmod to manage kdumpctl tmp files
- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those
- Transition xauth files within firstboot_tmp_t
- Fix labeling of /run/media to match /media
- Label all lxdm.log as xserver_log_t
- Add port definition for mxi port
- Allow local_login_t to execute tmux
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f4909bf..1580f19 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2549,3 +2549,10 @@ man2html = module
 # policy for glusterd service
 #
 glusterd = module
+
+# Layer: contrib
+# Module: glusterd
+#
+# policy for tomcat service
+#
+tomcat = module
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 96b449d..b43bd59 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -59563,7 +59563,7 @@ index 98b8b2d..da75471 100644
 ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 81b6608..396909c 100644
+index 81b6608..527c7bb 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
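Review bot: The new module stanza copies the glusterd header verbatim, so the added comment block says `# Module: glusterd` while the entry it introduces is `tomcat = module`. Change that line to `# Module: tomcat` so the module list documents the right module; the `# policy for tomcat service` line beneath it is already correct.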
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3) @@ -59931,7 +59931,7 @@ index 81b6608..396909c 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -507,31 +549,33 @@ logging_send_syslog_msg(useradd_t) +@@ -507,31 +549,34 @@ logging_send_syslog_msg(useradd_t) miscfiles_read_localization(useradd_t) @@ -59964,6 +59964,7 @@ index 81b6608..396909c 100644 -userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) ++userdom_delete_all_user_home_content(useradd_t) optional_policy(` mta_manage_spool(useradd_t) @@ -59978,7 +59979,7 @@ index 81b6608..396909c 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +586,8 @@ optional_policy(` +@@ -542,7 +587,8 @@ optional_policy(` ') optional_policy(` @@ -59988,7 +59989,7 @@ index 81b6608..396909c 100644 ') optional_policy(` -@@ -550,6 +595,11 @@ optional_policy(` +@@ -550,6 +596,11 @@ optional_policy(` ') optional_policy(` @@ -61987,7 +61988,7 @@ index 8e0f9cd..da3b374 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 97978e3..fab201e 100644 +index 97978e3..8af38f3 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -14,12 +14,14 @@ attribute node_type; @@ -62129,7 +62130,7 @@ index 97978e3..fab201e 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -139,22 +180,32 @@ network_port(iscsi, tcp,3260,s0) +@@ -139,87 +180,118 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) 
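Review bot: `userdom_delete_all_user_home_content(useradd_t)` is added unconditionally and without a comment, yet the interface it calls (added to userdomain.if later in this same patch) grants delete on every type carrying the `user_home_type` attribute, not on user_home_t alone. That is presumably what `userdel -r` needs, but the grant also reaches types other modules label inside home directories, so a reader should be told why: `# userdel -r must remove every user_home_type under the home dir, not only user_home_t`. The useradd_t section this hunk edits begins outside the hunk.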
@@ -62165,7 +62166,10 @@ index 97978e3..fab201e 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -164,62 +215,82 @@ network_port(mysqlmanagerd, tcp,2273,s0) + network_port(munin, tcp,4949,s0, udp,4949,s0) ++network_port(mxi, tcp,8005, s0, udp, 8005,s0) + network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) + network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -62257,7 +62261,7 @@ index 97978e3..fab201e 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -228,9 +299,12 @@ network_port(uucpd, tcp,540,s0) +@@ -228,9 +300,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -62271,7 +62275,7 @@ index 97978e3..fab201e 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -242,17 +316,22 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -242,17 +317,22 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -62296,7 +62300,7 @@ index 97978e3..fab201e 100644 ######################################## # -@@ -297,9 +376,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -297,9 +377,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
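Review bot: The new `network_port(mxi, tcp,8005, s0, udp, 8005,s0)` line has stray spaces inside the argument list, unlike every neighbouring declaration (`tcp,1186,s0`, `tcp,2273,s0`). m4 strips leading whitespace from unquoted arguments so it should still expand, but the inconsistency invites copy errors; write it as `network_port(mxi, tcp,8005,s0, udp,8005,s0)`. Since this commit also adds a tomcat policy and 8005/tcp is commonly used as Tomcat's shutdown port, it is worth confirming that labeling it as the mxi port does not conflict with what the tomcat module expects — the tomcat .te is not visible here.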
@@ -64552,7 +64556,7 @@ index cf04cb5..e43701b 100644 + +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 4429d30..cbcd9d0 100644 +index 4429d30..b8f8a82 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -64603,7 +64607,16 @@ index 4429d30..cbcd9d0 100644 # /lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0) -@@ -151,7 +161,7 @@ ifdef(`distro_debian',` +@@ -127,6 +137,8 @@ ifdef(`distro_debian',` + /media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) + /media/[^/]*/.* <> + /media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0) ++/var/run/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0) ++/var/run/media/.* <> + + # + # /misc +@@ -151,7 +163,7 @@ ifdef(`distro_debian',` /opt -d gen_context(system_u:object_r:usr_t,s0) /opt/.* gen_context(system_u:object_r:usr_t,s0) @@ -64612,7 +64625,7 @@ index 4429d30..cbcd9d0 100644 # # /proc -@@ -159,6 +169,12 @@ ifdef(`distro_debian',` +@@ -159,6 +171,12 @@ ifdef(`distro_debian',` /proc -d <> /proc/.* <> @@ -64625,7 +64638,7 @@ index 4429d30..cbcd9d0 100644 # # /run # -@@ -195,6 +211,7 @@ ifdef(`distro_debian',` +@@ -195,6 +213,7 @@ ifdef(`distro_debian',` /usr -d gen_context(system_u:object_r:usr_t,s0) /usr/.* gen_context(system_u:object_r:usr_t,s0) /usr/\.journal <> @@ -64633,7 +64646,7 @@ index 4429d30..cbcd9d0 100644 /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -@@ -211,6 +228,7 @@ ifdef(`distro_debian',` +@@ -211,6 +230,7 @@ ifdef(`distro_debian',` /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/lost\+found/.* <> 
@@ -64641,7 +64654,7 @@ index 4429d30..cbcd9d0 100644 /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0) -@@ -219,7 +237,6 @@ ifdef(`distro_debian',` +@@ -219,7 +239,6 @@ ifdef(`distro_debian',` ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) @@ -64649,7 +64662,7 @@ index 4429d30..cbcd9d0 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -235,11 +252,14 @@ ifndef(`distro_redhat',` +@@ -235,11 +254,14 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -64664,7 +64677,7 @@ index 4429d30..cbcd9d0 100644 /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/lost\+found/.* <> -@@ -262,3 +282,5 @@ ifndef(`distro_redhat',` +@@ -262,3 +284,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -71425,10 +71438,10 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..7b69ace +index 0000000..2a0c726 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,392 @@ +@@ -0,0 +1,376 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -71753,18 +71766,10 @@ index 0000000..7b69ace +') + +optional_policy(` -+ ncftool_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + +optional_policy(` -+ prelink_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + portmap_run_helper(unconfined_t, unconfined_r) +') + 
@@ -71795,18 +71800,10 @@ index 0000000..7b69ace +') + +optional_policy(` -+ vbetool_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) +') + +optional_policy(` -+ vpn_run(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + webalizer_run(unconfined_t, unconfined_r) +') + @@ -72808,7 +72805,7 @@ index fe0c682..93ec53f 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index b17e27a..f87cce0 100644 +index b17e27a..d193a52 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,37 @@ policy_module(ssh, 2.3.0) @@ -73214,7 +73211,7 @@ index b17e27a..f87cce0 100644 ') optional_policy(` -@@ -339,3 +419,76 @@ optional_policy(` +@@ -339,3 +419,83 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -73248,11 +73245,18 @@ index b17e27a..f87cce0 100644 +# +# chroot_user_t local policy +# ++allow chroot_user_t self:unix_dgram_socket create_socket_perms; ++ ++corecmd_exec_shell(chroot_user_t) ++ ++term_search_ptys(chroot_user_t) ++term_use_ptmx(chroot_user_t) + +userdom_read_user_home_content_files(chroot_user_t) +userdom_read_inherited_user_home_content_files(chroot_user_t) +userdom_read_user_home_content_symlinks(chroot_user_t) +userdom_exec_user_home_content_files(chroot_user_t) ++userdom_use_inherited_user_ptys(chroot_user_t) + +tunable_policy(`ssh_chroot_rw_homedirs',` + files_list_home(chroot_user_t) @@ -73292,7 +73296,7 @@ index b17e27a..f87cce0 100644 + ssh_rw_dgram_sockets(chroot_user_t) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index fc86b7c..decae02 100644 +index fc86b7c..7da0fde 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ 
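Review bot: The chroot_user_t additions (`corecmd_exec_shell`, `term_use_ptmx`, `term_search_ptys`, `userdom_use_inherited_user_ptys` and a self unix_dgram_socket) turn a domain that previously only read and executed home content into one that can run a shell on a pty, and none of this sits under the `ssh_chroot_rw_homedirs` tunable that guards the write access just below. If chrooted shell sessions are now an intended use, state it at the section head: `# chroot_user_t also covers ChrootDirectory shell sessions, not only internal-sftp`. If only sftp is intended, the shell and pty rules widen the domain without a stated need and should be dropped or placed under a tunable.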
@@ -73393,9 +73397,10 @@ index fc86b7c..decae02 100644 +/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) -+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) - /var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) +-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0) -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) ++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) @@ -75912,10 +75917,38 @@ index c4f7c35..06c447c 100644 + unconfined_domain(xdm_unconfined_t) +') diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index 1b6619e..3aed6ad 100644 +index 1b6619e..232be41 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if -@@ -189,6 +189,24 @@ interface(`application_dontaudit_signal',` +@@ -43,6 +43,27 @@ interface(`application_executable_file',` + corecmd_executable_file($1) + ') + ++####################################### ++## ++## Make the specified type usable for files ++## that are exectuables, such as binary programs. ++## This does not include shared libraries. ++## ++## ++## ++## Type to be used for files. ++## ++## ++# ++interface(`application_executable_ioctl',` ++ gen_require(` ++ attribute application_exec_type; ++ ') ++ ++ allow $1 application_exec_type:file ioctl; ++ ++') ++ + ######################################## + ## + ## Execute application executables in the caller domain. +@@ -189,6 +210,24 @@ interface(`application_dontaudit_signal',` ######################################## ## 
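Review bot: The summary on the new `application_executable_ioctl` interface is copied from `application_executable_file` ("Make the specified type usable for files that are exectuables…"), but its body is `allow $1 application_exec_type:file ioctl;` — it grants a domain ioctl on application executables, it does not declare a file type. Rewrite the summary to `## Allow the specified domain to ioctl application executable files.` and the parameter text to `## Domain allowed access.`, otherwise the interface reads as a type declaration and will be misused. The blank line left before `')` also differs from the surrounding interfaces.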
@@ -75940,7 +75973,7 @@ index 1b6619e..3aed6ad 100644 ## Do not audit attempts to send kill signals ## to all application domains. ## -@@ -205,3 +223,21 @@ interface(`application_dontaudit_sigkill',` +@@ -205,3 +244,21 @@ interface(`application_dontaudit_sigkill',` dontaudit $1 application_domain_type:process sigkill; ') @@ -76070,7 +76103,7 @@ index 28ad538..82def3d 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 6ce867a..20a0b0a 100644 +index 6ce867a..ee79c5a 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -76195,7 +76228,7 @@ index 6ce867a..20a0b0a 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,9 +198,84 @@ interface(`auth_login_pgm_domain',` +@@ -155,13 +198,93 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -76239,13 +76272,18 @@ index 6ce867a..20a0b0a 100644 + ') + + optional_policy(` -+ ssh_agent_exec($1) -+ ssh_read_user_home_files($1) ++ # allow execute tmux ++ screen_exec($1) + ') -+') + -+######################################## -+## ++ optional_policy(` ++ ssh_agent_exec($1) ++ ssh_read_user_home_files($1) + ') + ') + + ######################################## + ## +## Read authlogin state files. +## +## @@ -76276,13 +76314,17 @@ index 6ce867a..20a0b0a 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; - ') ++ ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## -@@ -395,13 +513,15 @@ interface(`auth_domtrans_chk_passwd',` ++') ++ ++######################################## ++## + ## Use the login program as an entry point program. + ## + ## +@@ -395,13 +518,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` 
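Review bot: The new `screen_exec($1)` is placed inside `auth_login_pgm_domain`, so every login-program domain built with this interface gains exec on screen's executable type, whereas the changelog says only local_login_t should execute tmux. If the broader grant is deliberate, replace `# allow execute tmux` with a comment saying why all login programs need it; otherwise move the call into the local_login policy. `auth_login_pgm_domain` begins outside the hunk.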
@@ -76299,7 +76341,7 @@ index 6ce867a..20a0b0a 100644 ') ######################################## -@@ -448,6 +568,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +573,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -76325,7 +76367,7 @@ index 6ce867a..20a0b0a 100644 ') ######################################## -@@ -467,7 +606,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +611,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -76333,7 +76375,7 @@ index 6ce867a..20a0b0a 100644 ') ######################################## -@@ -664,6 +802,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +807,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -76344,7 +76386,7 @@ index 6ce867a..20a0b0a 100644 ') ####################################### -@@ -763,7 +905,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +910,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -76396,7 +76438,7 @@ index 6ce867a..20a0b0a 100644 ') ####################################### -@@ -959,9 +1144,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1149,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -76430,7 +76472,7 @@ index 6ce867a..20a0b0a 100644 ') ######################################## -@@ -1040,6 +1246,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1251,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; 
@@ -76441,7 +76483,7 @@ index 6ce867a..20a0b0a 100644 ') ######################################## -@@ -1157,6 +1367,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1157,6 +1372,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -76449,7 +76491,7 @@ index 6ce867a..20a0b0a 100644 ') ####################################### -@@ -1526,6 +1737,25 @@ interface(`auth_setattr_login_records',` +@@ -1526,6 +1742,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -76475,7 +76517,7 @@ index 6ce867a..20a0b0a 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1676,37 +1906,49 @@ interface(`auth_manage_login_records',` +@@ -1676,37 +1911,49 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -76535,7 +76577,7 @@ index 6ce867a..20a0b0a 100644 ##

## ## -@@ -1714,87 +1956,206 @@ interface(`auth_relabel_login_records',` +@@ -1714,87 +1961,206 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ##
## @@ -77435,7 +77477,7 @@ index d2e40b8..3ba2e4c 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index d26fe81..e07c6b7 100644 +index d26fe81..3ff8fef 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` @@ -77594,7 +77636,7 @@ index d26fe81..e07c6b7 100644 ') ') -@@ -336,22 +384,23 @@ interface(`init_ranged_daemon_domain',` +@@ -336,22 +384,25 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -77603,6 +77645,7 @@ index d26fe81..e07c6b7 100644 role system_r; + attribute initrc_transition_domain; + attribute systemprocess; ++ attribute initrc_domain; ') + typeattribute $1 systemprocess; @@ -77612,6 +77655,7 @@ index d26fe81..e07c6b7 100644 - domtrans_pattern(initrc_t, $2, $1) + domtrans_pattern(initrc_t,$2,$1) ++ domtrans_pattern(initrc_domain, $2,$1) - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray @@ -77625,7 +77669,7 @@ index d26fe81..e07c6b7 100644 ') ') -@@ -401,20 +450,41 @@ interface(`init_system_domain',` +@@ -401,20 +452,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -77667,7 +77711,7 @@ index d26fe81..e07c6b7 100644 ######################################## ## ## Execute init (/sbin/init) with a domain transition. -@@ -442,7 +512,6 @@ interface(`init_domtrans',` +@@ -442,7 +514,6 @@ interface(`init_domtrans',` ## Domain allowed access. ## ## @@ -77675,7 +77719,7 @@ index d26fe81..e07c6b7 100644 # interface(`init_exec',` gen_require(` -@@ -451,6 +520,29 @@ interface(`init_exec',` +@@ -451,6 +522,29 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) 
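Review bot: `domtrans_pattern(initrc_domain, $2,$1)` in `init_system_domain` extends the automatic transition into every system domain from initrc_t to any type carrying the `initrc_domain` attribute, a policy-wide widening that the interface's documentation (outside the hunk) does not mention. Add a comment such as `# any initrc_domain, not only initrc_t, may transition into system domains via their entrypoints`, and if the set of initrc_domain types is meant to stay small, say so too — the changelog's "remove initrc_domain from tomcat" suggests it is being trimmed elsewhere. The `$2,$1` spacing also departs from the `$2, $1` form on the line this hunk removes.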
@@ -77705,7 +77749,7 @@ index d26fe81..e07c6b7 100644 ') ######################################## -@@ -539,6 +631,24 @@ interface(`init_sigchld',` +@@ -539,6 +633,24 @@ interface(`init_sigchld',` ######################################## ## @@ -77730,7 +77774,7 @@ index d26fe81..e07c6b7 100644 ## Connect to init with a unix socket. ## ## -@@ -549,10 +659,66 @@ interface(`init_sigchld',` +@@ -549,10 +661,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -77799,7 +77843,7 @@ index d26fe81..e07c6b7 100644 ') ######################################## -@@ -718,19 +884,25 @@ interface(`init_telinit',` +@@ -718,19 +886,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -77826,7 +77870,7 @@ index d26fe81..e07c6b7 100644 ') ') -@@ -760,7 +932,7 @@ interface(`init_rw_initctl',` +@@ -760,7 +934,7 @@ interface(`init_rw_initctl',` ##
## ## @@ -77835,7 +77879,7 @@ index d26fe81..e07c6b7 100644 ## ## # -@@ -803,11 +975,12 @@ interface(`init_script_file_entry_type',` +@@ -803,11 +977,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -77850,7 +77894,7 @@ index d26fe81..e07c6b7 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -818,11 +991,11 @@ interface(`init_spec_domtrans_script',` +@@ -818,11 +993,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -77864,7 +77908,7 @@ index d26fe81..e07c6b7 100644 ') ') -@@ -838,19 +1011,41 @@ interface(`init_spec_domtrans_script',` +@@ -838,19 +1013,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -77910,7 +77954,7 @@ index d26fe81..e07c6b7 100644 ') ######################################## -@@ -906,9 +1101,14 @@ interface(`init_script_file_domtrans',` +@@ -906,9 +1103,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -77925,7 +77969,7 @@ index d26fe81..e07c6b7 100644 files_search_etc($1) ') -@@ -999,7 +1199,9 @@ interface(`init_ptrace',` +@@ -999,7 +1201,9 @@ interface(`init_ptrace',` type init_t; ') @@ -77936,7 +77980,7 @@ index d26fe81..e07c6b7 100644 ') ######################################## -@@ -1117,6 +1319,24 @@ interface(`init_read_all_script_files',` +@@ -1117,6 +1321,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -77961,7 +78005,7 @@ index d26fe81..e07c6b7 100644 ## Dontaudit read all init script files. ## ## -@@ -1168,12 +1388,7 @@ interface(`init_read_script_state',` +@@ -1168,12 +1390,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
@@ -77975,7 +78019,7 @@ index d26fe81..e07c6b7 100644 ') ######################################## -@@ -1413,6 +1628,27 @@ interface(`init_dbus_send_script',` +@@ -1413,6 +1630,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -78003,7 +78047,7 @@ index d26fe81..e07c6b7 100644 ## init scripts over dbus. ## ## -@@ -1499,6 +1735,25 @@ interface(`init_getattr_script_status_files',` +@@ -1499,6 +1737,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -78029,7 +78073,7 @@ index d26fe81..e07c6b7 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1557,6 +1812,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1557,6 +1814,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -78054,7 +78098,7 @@ index d26fe81..e07c6b7 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1629,6 +1902,43 @@ interface(`init_read_utmp',` +@@ -1629,6 +1904,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -78098,7 +78142,7 @@ index d26fe81..e07c6b7 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1717,7 +2027,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1717,7 +2029,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -78107,7 +78151,7 @@ index d26fe81..e07c6b7 100644 ') ######################################## -@@ -1758,6 +2068,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1758,6 +2070,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') 
@@ -78236,7 +78280,7 @@ index d26fe81..e07c6b7 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1792,3 +2224,284 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1792,3 +2226,284 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -79715,7 +79759,7 @@ index 0d4c8d3..9d66bf7 100644 ######################################## diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index fac0a01..6af70bb 100644 +index fac0a01..002b264 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -73,13 +73,15 @@ role system_r types setkey_t; @@ -79772,7 +79816,13 @@ index fac0a01..6af70bb 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t) +@@ -164,11 +170,14 @@ auth_use_nsswitch(ipsec_t) + init_use_fds(ipsec_t) + init_use_script_ptys(ipsec_t) + ++logging_read_all_logs(ipsec_mgmt_t) + logging_send_syslog_msg(ipsec_t) + miscfiles_read_localization(ipsec_t) sysnet_domtrans_ifconfig(ipsec_t) @@ -79781,7 +79831,7 @@ index fac0a01..6af70bb 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -186,9 +194,9 @@ optional_policy(` +@@ -186,9 +195,9 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -79794,7 +79844,7 @@ index fac0a01..6af70bb 100644 allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms; allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; -@@ -245,6 +253,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -245,6 +254,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) 
@@ -79811,7 +79861,7 @@ index fac0a01..6af70bb 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -254,6 +272,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -254,6 +273,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -79820,7 +79870,7 @@ index fac0a01..6af70bb 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -277,9 +297,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -79832,7 +79882,7 @@ index fac0a01..6af70bb 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -297,7 +318,12 @@ sysnet_manage_config(ipsec_mgmt_t) +@@ -297,7 +319,12 @@ sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) @@ -79846,7 +79896,7 @@ index fac0a01..6af70bb 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -370,12 +396,12 @@ corecmd_exec_shell(racoon_t) +@@ -370,12 +397,12 @@ corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) corenet_all_recvfrom_unlabeled(racoon_t) @@ -79865,7 +79915,7 @@ index fac0a01..6af70bb 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -404,6 +430,8 @@ miscfiles_read_localization(racoon_t) +@@ -404,6 +431,8 @@ miscfiles_read_localization(racoon_t) sysnet_exec_ifconfig(racoon_t) @@ -79874,7 +79924,7 @@ index fac0a01..6af70bb 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -441,5 +469,6 @@ miscfiles_read_localization(setkey_t) +@@ -441,5 +470,6 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) @@ -80506,7 +80556,7 @@ index 808ba93..f94b80a 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') 
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 992d105..501de4e 100644 +index 992d105..e412258 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -59,9 +59,11 @@ optional_policy(` @@ -80570,7 +80620,7 @@ index 992d105..501de4e 100644 optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +147,10 @@ optional_policy(` +@@ -131,6 +147,14 @@ optional_policy(` ') optional_policy(` @@ -80578,10 +80628,14 @@ index 992d105..501de4e 100644 +') + +optional_policy(` ++ kdump_manage_kdumpctl_tmp_files(ldconfig_t) ++') ++ ++optional_policy(` puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +161,3 @@ optional_policy(` +@@ -141,6 +165,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -82169,7 +82223,7 @@ index 350c450..2debedc 100644 + files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 560d5d9..86a7107 100644 +index 560d5d9..3d8e252 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1) @@ -82350,7 +82404,7 @@ index 560d5d9..86a7107 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +205,28 @@ optional_policy(` +@@ -184,28 +205,32 @@ optional_policy(` ') optional_policy(` @@ -82373,11 +82427,15 @@ index 560d5d9..86a7107 100644 optional_policy(` - mount_domtrans(insmod_t) + hal_write_log(insmod_t) ++') ++ ++optional_policy(` ++ hotplug_search_config(insmod_t) ') optional_policy(` - nis_use_ypbind(insmod_t) -+ hotplug_search_config(insmod_t) ++ kdump_manage_kdumpctl_tmp_files(insmod_t) ') optional_policy(` @@ -82386,7 +82444,7 @@ index 560d5d9..86a7107 100644 ') optional_policy(` -@@ -225,6 +246,7 @@ optional_policy(` +@@ -225,6 +250,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) 
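Review bot: `kdump_manage_kdumpctl_tmp_files(ldconfig_t)` lets ldconfig create, write and delete another service's temporary files with no comment explaining the relationship, unlike the `puppet_rw_tmp` and `rpm_manage_script_tmp_files` calls around it whose names at least imply the caller. If this exists because kdumpctl runs ldconfig inside its tmp tree while building the dump initramfs, say so: `# kdumpctl invokes ldconfig against its tmp tree when building the kdump initrd`, and check whether read/write rather than full manage is sufficient. The same grant is given to insmod_t in modutils.te further down this patch and deserves the same note.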
@@ -82394,7 +82452,7 @@ index 560d5d9..86a7107 100644 ') optional_policy(` -@@ -233,6 +255,10 @@ optional_policy(` +@@ -233,6 +259,10 @@ optional_policy(` ') optional_policy(` @@ -82405,7 +82463,7 @@ index 560d5d9..86a7107 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -293,9 +319,9 @@ logging_send_syslog_msg(update_modules_t) +@@ -293,9 +323,9 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) @@ -85038,10 +85096,10 @@ index 0000000..161f271 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..2497606 +index 0000000..6a29fb0 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,697 @@ +@@ -0,0 +1,698 @@ +## SELinux policy for systemd components + +####################################### @@ -85512,6 +85570,7 @@ index 0000000..2497606 + type systemd_passwd_var_run_t; + ') + ++ init_search_pid_dirs($1) + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + @@ -86685,7 +86744,7 @@ index 0abaf84..8b34dbc 100644 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index db7aabb..2ffcae9 100644 +index db7aabb..4012a61 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,53 +12,59 @@ @@ -86704,7 +86763,7 @@ index db7aabb..2ffcae9 100644 + # Use any Linux capability. + + allow $1 self:capability ~{ sys_module }; -+ allow $1 self:capability2 syslog; ++ allow $1 self:capability2 ~{ mac_admin mac_override }; + allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; # Transition to myself, to make get_ordered_context_list happy. 
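Review bot: Replacing `allow $1 self:capability2 syslog;` with `allow $1 self:capability2 ~{ mac_admin mac_override };` turns the rule from an allow-list into a deny-list, so every capability2 permission the policy defines now or in future is granted automatically except the two named. That is consistent with the `~{ sys_module }` rule above it and fits an unconfined domain, but it deserves a comment beside `# Use any Linux capability.`: `# capability2 is open-ended; keep mac_admin/mac_override excluded so unconfined cannot bypass or redefine MAC labeling`. The surrounding interface begins outside the hunk.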
@@ -87487,7 +87546,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index e720dcd..4272eef 100644 +index e720dcd..18fff60 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -89293,7 +89352,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -1856,6 +2421,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1856,6 +2421,78 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -89351,10 +89410,28 @@ index e720dcd..4272eef 100644 + +######################################## +## ++## Delete all files in a user home subdirectory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_delete_all_user_home_content',` ++ gen_require(` ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; ++') ++ ++######################################## ++## ## Do not audit attempts to write user home files. ## ## -@@ -1887,8 +2506,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1887,8 +2524,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -89364,7 +89441,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -1904,20 +2522,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1904,20 +2540,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
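Review bot: `userdom_delete_all_user_home_content` grants `user_home_type:dir_file_class_set delete_file_perms`, and `delete_file_perms` is the file-oriented set (getattr/unlink as refpolicy defines it); directory removal is checked as `rmdir` on the `dir` class, so directories labeled with other user_home_type types would still not be removable under this rule alone. If the intent, per the changelog, is to let useradd delete everything under a home directory, add `allow $1 user_home_type:dir delete_dir_perms;` alongside it. The summary `Delete all files in a user home subdirectory.` should also say it covers every user_home_type object, not files in one subdirectory.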
@@ -89389,7 +89466,7 @@ index e720dcd..4272eef 100644 ######################################## ## -@@ -2018,6 +2630,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -2018,6 +2648,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -89414,7 +89491,7 @@ index e720dcd..4272eef 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2250,11 +2880,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2250,11 +2898,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -89429,7 +89506,7 @@ index e720dcd..4272eef 100644 files_search_tmp($1) ') -@@ -2274,7 +2904,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2274,7 +2922,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -89438,7 +89515,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -2521,6 +3151,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2521,6 +3169,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -89464,7 +89541,7 @@ index e720dcd..4272eef 100644 ######################################## ## ## Read user tmpfs files. -@@ -2537,13 +3186,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2537,13 +3204,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -89480,7 +89557,7 @@ index e720dcd..4272eef 100644 ## ## ## -@@ -2564,7 +3214,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2564,7 +3232,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -89489,7 +89566,7 @@ index e720dcd..4272eef 100644 ## ## ## -@@ -2572,14 +3222,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2572,19 +3240,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -89503,11 +89580,31 @@ index e720dcd..4272eef 100644 - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmpfs_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Get the attributes of a user domain tty. ++## Execute user tmpfs files. + ## + ## + ## +@@ -2592,7 +3258,25 @@ interface(`userdom_manage_user_tmpfs_files',` + ## + ## + # +-interface(`userdom_getattr_user_ttys',` ++interface(`userdom_execute_user_tmpfs_files',` ++ gen_require(` ++ type user_tmpfs_t; ++ ') ++ ++ allow $1 user_tmpfs_t:file execute; +') + +######################################## +## -+## Execute user tmpfs files. ++## Get the attributes of a user domain tty. +## +## +## @@ -89515,20 +89612,14 @@ index e720dcd..4272eef 100644 +## +## +# -+interface(`userdom_execute_user_tmpfs_files',` -+ gen_require(` -+ type user_tmpfs_t; -+ ') -+ -+ allow $1 user_tmpfs_t:file execute; - ') - - ######################################## -@@ -2674,7 +3340,25 @@ interface(`userdom_use_user_ttys',` ++interface(`userdom_getattr_user_ttys',` + gen_require(` + type user_tty_device_t; + ') +@@ -2674,6 +3358,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## --## Read and write a user domain pty. +## Read and write a inherited user domain tty. +## +## @@ -89547,11 +89638,10 @@ index e720dcd..4272eef 100644 + +######################################## +## -+## Read and write a user domain pty. + ## Read and write a user domain pty. ## ## - ## -@@ -2692,22 +3376,34 @@ interface(`userdom_use_user_ptys',` +@@ -2692,22 +3394,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -89594,7 +89684,7 @@ index e720dcd..4272eef 100644 ## ## ## -@@ -2716,14 +3412,33 @@ interface(`userdom_use_user_ptys',` +@@ -2716,14 +3430,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
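Review bot: `allow $1 user_tmpfs_t:file execute;` in the new `userdom_execute_user_tmpfs_files` interface grants `execute` only, which permits mapping user tmpfs files with PROT_EXEC (loading them as code) but not running them as a program, which additionally requires `execute_no_trans` or a domain transition; the description `## Execute user tmpfs files.` does not make that distinction. Since user_tmpfs_t is writable by user domains, any caller executes data a user can author, so the doc should carry that caveat, e.g. `## Map user tmpfs files executable. Callers run user-writable content; grant sparingly.`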
@@ -89632,7 +89722,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -2742,8 +3457,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2742,8 +3475,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -89662,7 +89752,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -2815,69 +3549,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2815,69 +3567,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -89763,7 +89853,7 @@ index e720dcd..4272eef 100644 ## ## ## -@@ -2885,12 +3618,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2885,12 +3636,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -89778,7 +89868,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -2954,7 +3687,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2954,7 +3705,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -89787,7 +89877,7 @@ index e720dcd..4272eef 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2970,29 +3703,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2970,29 +3721,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -89821,7 +89911,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -3074,7 +3791,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3074,7 +3809,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -89830,7 +89920,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -3129,7 +3846,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3129,7 +3864,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -89877,7 +89967,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -3147,7 +3902,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3147,7 +3920,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -89886,7 +89976,7 @@ index e720dcd..4272eef 100644 ') ######################################## -@@ -3166,6 +3921,7 @@ interface(`userdom_read_all_users_state',` +@@ -3166,6 +3939,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -89894,7 +89984,7 @@ index e720dcd..4272eef 100644 kernel_search_proc($1) ') -@@ -3242,6 +3998,42 @@ interface(`userdom_signal_all_users',` +@@ -3242,6 +4016,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -89937,7 +90027,7 @@ index e720dcd..4272eef 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3262,6 +4054,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3262,6 +4072,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -89962,7 +90052,7 @@ index e720dcd..4272eef 100644 ## Create keys for all user domains. ## ## -@@ -3296,3 +4106,1282 @@ interface(`userdom_dbus_send_all_users',` +@@ -3296,3 +4124,1282 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') @@ -91477,7 +91567,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..34d96df 100644 +index 6e91317..be530a5 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') 
@@ -91577,7 +91667,7 @@ index 6e91317..34d96df 100644 # # Sockets -@@ -271,3 +278,20 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept +@@ -271,3 +278,8 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept # Keys # define(`manage_key_perms', `{ create link read search setattr view write } ') @@ -91586,18 +91676,6 @@ index 6e91317..34d96df 100644 +# Service +# +define(`manage_service_perms', `{ start stop status reload kill load } ') -+ -+# -+# All -+# -+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap } -+') -+ -+define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ') -+define(`all_dbus_perms', `{ acquire_svc send_msg } ') -+define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ') -+define(`all_service_perms', `{ enable disable manage_service_perms } ') -+define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ') diff --git a/policy/users b/policy/users index c4ebc7e..30d6d7a 100644 --- a/policy/users diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch index 2ee5085..d1693f6 100644 --- a/policy_contrib-rawhide.patch +++ b/policy_contrib-rawhide.patch @@ -1560,7 +1560,7 @@ index e81bdbd..63ab279 100644 optional_policy(` diff --git a/apache.fc b/apache.fc -index fd9fa07..2679748 100644 +index fd9fa07..95f6a90 100644 --- a/apache.fc +++ b/apache.fc @@ -1,39 +1,54 @@ 
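Review bot: This hunk drops the `all_capabilities`, `all_nscd_perms`, `all_dbus_perms`, `all_passwd_perms`, `all_service_perms` and `all_association_perms` defines from the obj_perm_sets.spt addition while keeping `manage_service_perms`, yet `all_service_perms` is still used as a context line later in this commit (`allow $1 kdump_unit_file_t:service all_service_perms;` in kdump.if and the matching arpwatch.if line). If the defines were not re-added in a hunk outside this page, m4 leaves the name unexpanded and checkpolicy rejects it as an unknown permission; if they were moved, the commit message should say where. Keeping the `all_service_perms` define (`{ enable disable manage_service_perms }`) beside `manage_service_perms` avoids the question.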
@@ -1651,7 +1651,7 @@ index fd9fa07..2679748 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,31 +92,43 @@ ifdef(`distro_suse', ` +@@ -73,31 +92,44 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -1690,6 +1690,7 @@ index fd9fa07..2679748 100644 +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -1699,7 +1700,7 @@ index fd9fa07..2679748 100644 /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) -@@ -109,3 +140,25 @@ ifdef(`distro_debian', ` +@@ -109,3 +141,25 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -4065,7 +4066,7 @@ index c804110..06a516f 100644 + allow $1 arpwatch_unit_file_t:service all_service_perms; ') diff --git a/arpwatch.te b/arpwatch.te -index 804135f..613f77f 100644 +index 804135f..0f7ec8d 100644 --- a/arpwatch.te +++ b/arpwatch.te @@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t) 
@@ -4082,7 +4083,7 @@ index 804135f..613f77f 100644 allow arpwatch_t self:udp_socket create_socket_perms; allow arpwatch_t self:packet_socket create_socket_perms; allow arpwatch_t self:socket create_socket_perms; -+allow arpwatch_t self:netlink_socket create_socket_perms;; ++allow arpwatch_t self:netlink_socket create_socket_perms; manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t) @@ -14234,7 +14235,7 @@ index 0a1a61b..64742c6 100644 domain_system_change_exemption($1) role_transition $2 ddclient_initrc_exec_t system_r; diff --git a/ddclient.te b/ddclient.te -index 24ba98a..f744997 100644 +index 24ba98a..32de93f 100644 --- a/ddclient.te +++ b/ddclient.te @@ -18,6 +18,9 @@ init_script_file(ddclient_initrc_exec_t) @@ -14247,7 +14248,13 @@ index 24ba98a..f744997 100644 type ddclient_var_t; files_type(ddclient_var_t) -@@ -37,12 +40,17 @@ allow ddclient_t self:process signal_perms; +@@ -32,17 +35,23 @@ files_pid_file(ddclient_var_run_t) + # Declarations + # + ++ + dontaudit ddclient_t self:capability sys_tty_config; + allow ddclient_t self:process signal_perms; allow ddclient_t self:fifo_file rw_fifo_file_perms; allow ddclient_t self:tcp_socket create_socket_perms; allow ddclient_t self:udp_socket create_socket_perms; @@ -14266,7 +14273,7 @@ index 24ba98a..f744997 100644 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t) -@@ -62,6 +70,7 @@ kernel_read_software_raid_state(ddclient_t) +@@ -62,6 +71,7 @@ kernel_read_software_raid_state(ddclient_t) kernel_getattr_core_if(ddclient_t) kernel_getattr_message_if(ddclient_t) kernel_read_kernel_sysctls(ddclient_t) 
@@ -14274,7 +14281,7 @@ index 24ba98a..f744997 100644 corecmd_exec_shell(ddclient_t) corecmd_exec_bin(ddclient_t) -@@ -74,6 +83,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) +@@ -74,6 +84,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t) corenet_udp_sendrecv_generic_node(ddclient_t) corenet_tcp_sendrecv_all_ports(ddclient_t) corenet_udp_sendrecv_all_ports(ddclient_t) @@ -14283,7 +14290,7 @@ index 24ba98a..f744997 100644 corenet_tcp_connect_all_ports(ddclient_t) corenet_sendrecv_all_client_packets(ddclient_t) -@@ -89,10 +100,14 @@ files_read_usr_files(ddclient_t) +@@ -89,10 +101,14 @@ files_read_usr_files(ddclient_t) fs_getattr_all_fs(ddclient_t) fs_search_auto_mountpoints(ddclient_t) @@ -16456,10 +16463,10 @@ index 0000000..98ba6e1 + + diff --git a/dovecot.fc b/dovecot.fc -index 3a3ecb2..ed55d7c 100644 +index 3a3ecb2..c5c1e32 100644 --- a/dovecot.fc +++ b/dovecot.fc -@@ -24,6 +24,7 @@ ifdef(`distro_debian',` +@@ -24,12 +24,13 @@ ifdef(`distro_debian',` ifdef(`distro_debian', ` /usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) @@ -16467,6 +16474,13 @@ index 3a3ecb2..ed55d7c 100644 ') ifdef(`distro_redhat', ` + /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) + /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) +-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) ++/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) + /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) + ') + @@ -37,6 +38,7 @@ ifdef(`distro_redhat', ` # /var # @@ -16596,7 +16610,7 @@ index e1d7dc5..df96c0d 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/dovecot.te b/dovecot.te -index 2df7766..0e55b6d 100644 +index 2df7766..d536976 100644 --- a/dovecot.te +++ b/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; 
@@ -16688,17 +16702,15 @@ index 2df7766..0e55b6d 100644 userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_manage_user_home_content_dirs(dovecot_t) userdom_manage_user_home_content_files(dovecot_t) -@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t) - userdom_manage_user_home_content_pipes(dovecot_t) +@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t) userdom_manage_user_home_content_sockets(dovecot_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file }) -+mta_manage_home_rw(dovecot_t) ++mta_manage_home_rw(dovecot_t) mta_manage_spool(dovecot_t) -+mta_read_home_rw(dovecot_t) optional_policy(` - kerberos_keytab_template(dovecot, dovecot_t) +@@ -160,10 +171,24 @@ optional_policy(` ') optional_policy(` @@ -16723,7 +16735,7 @@ index 2df7766..0e55b6d 100644 seutil_sigchld_newrole(dovecot_t) ') -@@ -180,8 +206,8 @@ optional_policy(` +@@ -180,8 +205,8 @@ optional_policy(` # dovecot auth local policy # @@ -16734,7 +16746,7 @@ index 2df7766..0e55b6d 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) 
@@ -16744,7 +16756,7 @@ index 2df7766..0e55b6d 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -16757,7 +16769,7 @@ index 2df7766..0e55b6d 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t) +@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t) files_read_usr_symlinks(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) @@ -16767,7 +16779,7 @@ index 2df7766..0e55b6d 100644 init_rw_utmp(dovecot_auth_t) -@@ -236,6 +269,8 @@ optional_policy(` +@@ -236,6 +268,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -16776,7 +16788,7 @@ index 2df7766..0e55b6d 100644 ') optional_policy(` -@@ -243,6 +278,8 @@ optional_policy(` +@@ -243,6 +277,8 @@ optional_policy(` ') optional_policy(` @@ -16785,7 +16797,7 @@ index 2df7766..0e55b6d 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +287,42 @@ optional_policy(` +@@ -250,23 +286,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -16830,7 +16842,7 @@ index 2df7766..0e55b6d 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) +@@ -283,24 +338,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t) userdom_manage_user_home_content_sockets(dovecot_deliver_t) userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) 
@@ -16841,8 +16853,11 @@ index 2df7766..0e55b6d 100644 - fs_manage_nfs_dirs(dovecot_t) - fs_manage_nfs_files(dovecot_t) - fs_manage_nfs_symlinks(dovecot_t) --') +userdom_home_manager(dovecot_deliver_t) ++ ++optional_policy(` ++ gnome_manage_data(dovecot_deliver_t) + ') -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(dovecot_deliver_t) @@ -16851,21 +16866,16 @@ index 2df7766..0e55b6d 100644 - fs_manage_cifs_dirs(dovecot_t) - fs_manage_cifs_files(dovecot_t) - fs_manage_cifs_symlinks(dovecot_t) ++mta_manage_spool(dovecot_deliver_t) ++mta_read_queue(dovecot_deliver_t) ++mta_manage_home_rw(dovecot_deliver_t) ++ +optional_policy(` -+ gnome_manage_data(dovecot_deliver_t) ++ postfix_use_fds_master(dovecot_deliver_t) ') optional_policy(` - mta_manage_spool(dovecot_deliver_t) -+ mta_read_queue(dovecot_deliver_t) -+ mta_read_home_rw(dovecot_deliver_t) -+') -+ -+optional_policy(` -+ postfix_use_fds_master(dovecot_deliver_t) -+') -+ -+optional_policy(` +- mta_manage_spool(dovecot_deliver_t) + # Handle sieve scripts + sendmail_domtrans(dovecot_deliver_t) ') @@ -18763,31 +18773,20 @@ index 8fa451c..f3a67c9 100644 ') diff --git a/firstboot.te b/firstboot.te -index c4d8998..2a18d96 100644 +index c4d8998..9101c30 100644 --- a/firstboot.te 
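Review bot: The new side gives dovecot_deliver_t `mta_manage_spool`, `mta_read_queue` and `mta_manage_home_rw` unconditionally, where the old side of the patch had `mta_read_queue` and `mta_read_home_rw` inside an optional block; read access to users' Maildir content (`mail_home_rw_t`) thus becomes full manage access, and the commit message does not mention dovecot. An LDA plausibly has to write into Maildir, so the widening is probably intended, but a one-line comment such as `# LDA delivers into ~/Maildir (mail_home_rw_t)` above the three calls would record that for the next reader.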
+++ b/firstboot.te -@@ -19,6 +19,9 @@ role system_r types firstboot_t; - type firstboot_etc_t; - files_config_file(firstboot_etc_t) - -+type firstboot_tmp_t; -+files_tmp_file(firstboot_tmp_t) -+ - ######################################## - # - # Local policy -@@ -33,6 +36,10 @@ allow firstboot_t self:passwd rootok; +@@ -33,6 +33,9 @@ allow firstboot_t self:passwd rootok; allow firstboot_t firstboot_etc_t:file read_file_perms; -+manage_dirs_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t) -+manage_files_pattern(firstboot_t, firstboot_tmp_t, firstboot_tmp_t) -+files_tmp_filetrans(firstboot_t, firstboot_tmp_t, { dir file }) ++files_manage_generic_tmp_dirs(firstboot_t) ++files_manage_generic_tmp_files(firstboot_t) + kernel_read_system_state(firstboot_t) kernel_read_kernel_sysctls(firstboot_t) -@@ -62,6 +69,8 @@ files_read_usr_files(firstboot_t) +@@ -62,6 +65,8 @@ files_read_usr_files(firstboot_t) files_manage_var_dirs(firstboot_t) files_manage_var_files(firstboot_t) files_manage_var_symlinks(firstboot_t) @@ -18796,7 +18795,7 @@ index c4d8998..2a18d96 100644 init_domtrans_script(firstboot_t) init_rw_utmp(firstboot_t) -@@ -75,12 +84,10 @@ logging_send_syslog_msg(firstboot_t) +@@ -75,12 +80,10 @@ logging_send_syslog_msg(firstboot_t) miscfiles_read_localization(firstboot_t) @@ -18812,7 +18811,7 @@ index c4d8998..2a18d96 100644 # Add/remove user home directories userdom_manage_user_home_content_dirs(firstboot_t) userdom_manage_user_home_content_files(firstboot_t) -@@ -103,8 +110,18 @@ optional_policy(` +@@ -103,8 +106,18 @@ optional_policy(` ') optional_policy(` @@ -18831,7 +18830,7 @@ index c4d8998..2a18d96 100644 optional_policy(` samba_rw_config(firstboot_t) -@@ -113,7 +130,7 @@ optional_policy(` +@@ -113,7 +126,7 @@ optional_policy(` optional_policy(` unconfined_domtrans(firstboot_t) # The big hammer 
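Review bot: Replacing the private `firstboot_tmp_t` type with `files_manage_generic_tmp_dirs(firstboot_t)` and `files_manage_generic_tmp_files(firstboot_t)` means firstboot's scratch files are now plain `tmp_t`, shared with every domain that has generic tmp access, so nothing ties those files to firstboot any more; given that this domain can also reach unconfined (`unconfined_domtrans(firstboot_t)` appears later in the file), that is a deliberate trade-off worth stating in the file rather than only in the commit message. A comment such as `# plain tmp_t on purpose: xauth must be able to create its files in these dirs` above the two calls would do.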
@@ -18840,7 +18839,7 @@ index c4d8998..2a18d96 100644 ') optional_policy(` -@@ -125,6 +142,7 @@ optional_policy(` +@@ -125,6 +138,7 @@ optional_policy(` ') optional_policy(` @@ -18848,7 +18847,7 @@ index c4d8998..2a18d96 100644 gnome_manage_config(firstboot_t) ') -@@ -132,4 +150,5 @@ optional_policy(` +@@ -132,4 +146,5 @@ optional_policy(` xserver_domtrans(firstboot_t) xserver_rw_shm(firstboot_t) xserver_unconfined(firstboot_t) @@ -25009,21 +25008,23 @@ index 0000000..f9b9c0f +') + diff --git a/kdump.fc b/kdump.fc -index c66934f..9f05409 100644 +index c66934f..dd91210 100644 --- a/kdump.fc +++ b/kdump.fc -@@ -3,3 +3,9 @@ +@@ -3,3 +3,11 @@ /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + -+/usr/lib/systemd/system/kdump.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) + ++/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdumpctl_unit_file_t,s0) ++ ++/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0) +/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) +/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) + diff --git a/kdump.if b/kdump.if -index 4198ff5..9bf4898 100644 +index 4198ff5..d1ab262 100644 --- a/kdump.if +++ b/kdump.if @@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',` 
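Review bot: The kdump.fc hunk labels `/usr/lib/systemd/system/kdump\.service` as `kdumpctl_unit_file_t`, which fixes the earlier `iptables_unit_file_t` mislabel, but the `kdump_admin` interface in the kdump.if hunks of this commit still grants `allow $1 kdump_unit_file_t:service all_service_perms;`, and kdump.te declares both `kdump_unit_file_t` and `kdumpctl_unit_file_t`. With this labeling no file carries `kdump_unit_file_t`, so unless a part of kdump_admin outside the visible hunks also covers `kdumpctl_unit_file_t`, an administrator given kdump_admin cannot start or stop kdump.service, which is what the grant exists for. Either label the unit as `kdump_unit_file_t` or add `allow $1 kdumpctl_unit_file_t:service all_service_perms;` (plus the matching gen_require entry) to kdump_admin, and drop whichever unit type ends up unused.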
@@ -25082,7 +25083,35 @@ index 4198ff5..9bf4898 100644 #################################### ## ## Manage kdump configuration file. -@@ -96,10 +138,14 @@ interface(`kdump_admin',` +@@ -75,6 +117,27 @@ interface(`kdump_manage_config',` + allow $1 kdump_etc_t:file manage_file_perms; + ') + ++################################### ++## ++## Manage kdump /var/tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_manage_kdumpctl_tmp_files',` ++ gen_require(` ++ type kdumpctl_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t) ++') ++ + ###################################### + ## + ## All of the rules required to administrate +@@ -96,10 +159,14 @@ interface(`kdump_admin',` gen_require(` type kdump_t, kdump_etc_t; type kdump_initrc_exec_t; @@ -25098,7 +25127,7 @@ index 4198ff5..9bf4898 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -108,4 +154,8 @@ interface(`kdump_admin',` +@@ -108,4 +175,8 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) @@ -25108,20 +25137,31 @@ index 4198ff5..9bf4898 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index b29d8e2..ed79499 100644 +index b29d8e2..c1b4a64 100644 --- a/kdump.te 
+++ b/kdump.te -@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t) +@@ -15,6 +15,20 @@ files_config_file(kdump_etc_t) type kdump_initrc_exec_t; init_script_file(kdump_initrc_exec_t) +type kdump_unit_file_t; +systemd_unit_file(kdump_unit_file_t) + ++type kdumpctl_t; ++type kdumpctl_exec_t; ++init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) ++init_initrc_domain(kdumpctl_t) ++ ++type kdumpctl_unit_file_t; ++systemd_unit_file(kdumpctl_unit_file_t) ++ ++type kdumpctl_tmp_t; ++files_tmp_file(kdumpctl_tmp_t) ++ ##################################### # # kdump local policy -@@ -24,6 +27,7 @@ allow kdump_t self:capability { sys_boot dac_override }; +@@ -24,6 +38,7 @@ allow kdump_t self:capability { sys_boot dac_override }; read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) 
@@ -25129,6 +25169,91 @@ index b29d8e2..ed79499 100644 files_read_etc_runtime_files(kdump_t) files_read_kernel_img(kdump_t) +@@ -36,3 +51,84 @@ dev_read_framebuffer(kdump_t) + dev_read_sysfs(kdump_t) + + term_use_console(kdump_t) ++ ++####################################### ++# ++# kdumpctl local policy ++# ++ ++#cjp:almost all rules are needed by dracut ++ ++kdump_domtrans(kdumpctl_t) ++ ++allow kdumpctl_t self:capability dac_override; ++allow kdumpctl_t self:process setfscreate; ++ ++allow kdumpctl_t self:fifo_file rw_fifo_file_perms; ++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) ++manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) ++manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) ++files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) ++ ++read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) ++ ++kernel_read_system_state(kdumpctl_t) ++ ++corecmd_exec_bin(kdumpctl_t) ++corecmd_exec_shell(kdumpctl_t) ++ ++dev_read_sysfs(kdumpctl_t) ++# dracut ++dev_manage_all_dev_nodes(kdumpctl_t) ++ ++domain_use_interactive_fds(kdumpctl_t) ++ ++files_create_kernel_img(kdumpctl_t) ++files_read_etc_files(kdumpctl_t) ++files_read_etc_runtime_files(kdumpctl_t) ++files_read_usr_files(kdumpctl_t) ++files_read_kernel_modules(kdumpctl_t) ++files_getattr_all_dirs(kdumpctl_t) ++ ++fs_getattr_all_fs(kdumpctl_t) ++ ++application_executable_ioctl(kdumpctl_t) ++ ++auth_read_passwd(kdumpctl_t) ++ ++init_exec(kdumpctl_t) ++systemd_exec_systemctl(kdumpctl_t) ++ ++libs_exec_ld_so(kdumpctl_t) ++ ++logging_send_syslog_msg(kdumpctl_t) ++ ++miscfiles_read_localization(kdumpctl_t) ++ ++optional_policy(` ++ gpg_exec(kdumpctl_t) ++') ++ ++optional_policy(` ++ lvm_read_config(kdumpctl_t) ++') ++ ++optional_policy(` ++ modutils_domtrans_insmod(kdumpctl_t) ++ modutils_list_module_config(kdumpctl_t) ++ modutils_read_module_config(kdumpctl_t) ++') ++ 
++optional_policy(` ++ plymouthd_domtrans_plymouth(kdumpctl_t) ++') ++ ++optional_policy(` ++ ssh_exec(kdumpctl_t) ++') ++ ++optional_policy(` ++ unconfined_domain(kdumpctl_t) ++') diff --git a/kdumpgui.te b/kdumpgui.te index 0c52f60..a085fbd 100644 --- a/kdumpgui.te @@ -30165,7 +30290,7 @@ index b397fde..30bfefb 100644 +') + diff --git a/mozilla.te b/mozilla.te -index 0724816..0749777 100644 +index 0724816..8a17b85 100644 --- a/mozilla.te +++ b/mozilla.te @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3) @@ -30293,7 +30418,7 @@ index 0724816..0749777 100644 pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) ') -@@ -297,25 +316,33 @@ optional_policy(` +@@ -297,25 +316,35 @@ optional_policy(` # mozilla_plugin local policy # 
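Review bot: The kdumpctl local policy ends with `unconfined_domain(kdumpctl_t)` inside an optional_policy block, so on any build that carries the unconfined module the domain is unconfined and the rules above it, including `dev_manage_all_dev_nodes(kdumpctl_t)`, `files_create_kernel_img(kdumpctl_t)` and the `modutils_domtrans_insmod` block, only take effect once that module is removed. That may be intended for a dracut wrapper (the `#cjp:almost all rules are needed by dracut` comment suggests it), but it should be said next to the block, e.g. `# unconfined when the unconfined module is present; the rules above are the confined fallback for dracut`. `dev_manage_all_dev_nodes` is also broad enough that a comment naming which device nodes dracut actually touches would help a later tightening pass. The type declarations this block relies on sit in the earlier kdump.te hunk.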
@@ -30325,17 +30450,19 @@ index 0724816..0749777 100644 manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) -files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) -userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file }) +manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) +userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file }) ++xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file }) +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -323,31 +350,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug +@@ -323,31 +352,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -30389,7 +30516,7 @@ index 0724816..0749777 100644 dev_read_video_dev(mozilla_plugin_t) dev_write_video_dev(mozilla_plugin_t) dev_read_sysfs(mozilla_plugin_t) -@@ -356,6 +399,7 @@ dev_write_sound(mozilla_plugin_t) +@@ -356,6 +401,7 @@ dev_write_sound(mozilla_plugin_t) # for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) dev_dontaudit_rw_dri(mozilla_plugin_t) 
@@ -30397,7 +30524,7 @@ index 0724816..0749777 100644 domain_use_interactive_fds(mozilla_plugin_t) domain_dontaudit_read_all_domains_state(mozilla_plugin_t) -@@ -363,15 +407,22 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) +@@ -363,15 +409,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) @@ -30415,12 +30542,13 @@ index 0724816..0749777 100644 +init_dontaudit_getattr_initctl(mozilla_plugin_t) + ++libs_exec_ld_so(mozilla_plugin_t) +libs_exec_lib_files(mozilla_plugin_t) + logging_send_syslog_msg(mozilla_plugin_t) miscfiles_read_localization(mozilla_plugin_t) -@@ -384,35 +435,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t) +@@ -384,35 +438,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t) term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) @@ -30468,7 +30596,7 @@ index 0724816..0749777 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -422,24 +465,36 @@ optional_policy(` +@@ -422,24 +468,36 @@ optional_policy(` optional_policy(` dbus_system_bus_client(mozilla_plugin_t) dbus_session_bus_client(mozilla_plugin_t) @@ -30509,7 +30637,7 @@ index 0724816..0749777 100644 ') optional_policy(` -@@ -447,10 +502,102 @@ optional_policy(` +@@ -447,10 +505,102 @@ optional_policy(` pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -31008,7 +31136,7 @@ index afa18c8..f6e2bb8 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index 4e2a5ba..d5a1725 100644 +index 4e2a5ba..68e2429 100644 --- a/mta.if +++ b/mta.if @@ -37,6 +37,7 @@ interface(`mta_stub',` 
@@ -31415,7 +31543,7 @@ index 4e2a5ba..d5a1725 100644 ## Read sendmail binary. ## ## -@@ -901,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -901,3 +983,170 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -31508,6 +31636,7 @@ index 4e2a5ba..d5a1725 100644 + userdom_search_user_home_dirs($1) + manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t) ++ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t) + userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir") + + ifdef(`distro_redhat',` @@ -33700,7 +33829,7 @@ index 2324d9e..da61d01 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") +') diff --git a/networkmanager.te b/networkmanager.te -index 0619395..103f6f8 100644 +index 0619395..ff617f1 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -33798,7 +33927,14 @@ index 0619395..103f6f8 100644 files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) -@@ -133,30 +165,37 @@ logging_send_syslog_msg(NetworkManager_t) +@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t) + + auth_use_nsswitch(NetworkManager_t) + ++libs_exec_ldconfig(NetworkManager_t) ++ + logging_send_syslog_msg(NetworkManager_t) + miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) @@ -33838,7 +33974,7 @@ index 0619395..103f6f8 100644 ') optional_policy(` -@@ -176,10 +215,17 @@ optional_policy(` +@@ -176,10 +217,17 @@ optional_policy(` ') optional_policy(` @@ -33856,7 +33992,7 @@ index 0619395..103f6f8 100644 ') ') -@@ -191,6 +237,7 @@ optional_policy(` +@@ -191,6 +239,7 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
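Review bot: `libs_exec_ldconfig(NetworkManager_t)` runs ldconfig inside the NetworkManager_t domain without a transition and lands between unrelated calls with no hint of who needs it; the commit message attributes it to wicd. Because NetworkManager_t is a network-facing daemon domain, a reader auditing it later should not have to guess whether it is expected to regenerate ld.so.cache, so a comment such as `# wicd executes ldconfig from this domain` on the line above would keep the grant tied to its justification and easy to retire. The enclosing file section continues outside the hunk.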
@@ -33864,7 +34000,7 @@ index 0619395..103f6f8 100644 ') optional_policy(` -@@ -202,23 +249,45 @@ optional_policy(` +@@ -202,23 +251,45 @@ optional_policy(` ') optional_policy(` @@ -33899,18 +34035,18 @@ index 0619395..103f6f8 100644 # Dispatcher starting and stoping ntp ntp_initrc_domtrans(NetworkManager_t) + ntp_systemctl(NetworkManager_t) -+') -+ -+optional_policy(` -+ modutils_domtrans_insmod(NetworkManager_t) ') optional_policy(` ++ modutils_domtrans_insmod(NetworkManager_t) ++') ++ ++optional_policy(` + openvpn_read_config(NetworkManager_t) openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -234,6 +303,10 @@ optional_policy(` +@@ -234,6 +305,10 @@ optional_policy(` ') optional_policy(` @@ -33921,7 +34057,7 @@ index 0619395..103f6f8 100644 ppp_initrc_domtrans(NetworkManager_t) ppp_domtrans(NetworkManager_t) ppp_manage_pid_files(NetworkManager_t) -@@ -241,6 +314,7 @@ optional_policy(` +@@ -241,6 +316,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -33929,7 +34065,7 @@ index 0619395..103f6f8 100644 ') optional_policy(` -@@ -254,6 +328,10 @@ optional_policy(` +@@ -254,6 +330,10 @@ optional_policy(` ') optional_policy(` @@ -33940,7 +34076,7 @@ index 0619395..103f6f8 100644 udev_exec(NetworkManager_t) udev_read_db(NetworkManager_t) ') -@@ -263,6 +341,7 @@ optional_policy(` +@@ -263,6 +343,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -37720,10 +37856,10 @@ index e9cf8a4..9a7e5dc 100644 diff --git a/piranha.fc b/piranha.fc new file mode 100644 -index 0000000..2c7e06f +index 0000000..20ea9f5 --- /dev/null +++ b/piranha.fc -@@ -0,0 +1,26 @@ +@@ -0,0 +1,24 @@ + +/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0) + 
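Review bot: `allow postfix_master_t postfix_domain:fifo_file { read write };` in the postfix.te hunk (`@@ -630,3 +732,76 @@`) spells out a raw permission set while the line above it uses `rw_fifo_file_perms` for the same class. Without `open` the new rule only covers pipes the master inherited or was handed, not ones it opens itself; if that narrower scope is intended, a comment saying so (`# pipes are inherited from the master, no open needed`) would stop the next reader from "fixing" it, otherwise switch to `rw_fifo_file_perms` for consistency with the rest of the block.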
@@ -37732,8 +37868,6 @@ index 0000000..2c7e06f + +/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0) + -+/usr/bin/paster -- gen_context(system_u:object_r:piranha_web_exec_t,s0) -+ +/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0) +/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0) +/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0) @@ -40120,7 +40254,7 @@ index 46bee12..99499ef 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") +') diff --git a/postfix.te b/postfix.te -index 69cbd06..2f19c1c 100644 +index 69cbd06..080e2e1 100644 --- a/postfix.te +++ b/postfix.te @@ -1,10 +1,19 @@ @@ -40541,7 +40675,7 @@ index 69cbd06..2f19c1c 100644 allow postfix_virtual_t self:process { setsched setrlimit }; allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +732,75 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +732,76 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -40563,6 +40697,7 @@ index 69cbd06..2f19c1c 100644 +allow postfix_domain self:unix_stream_socket connectto; +allow postfix_domain self:fifo_file rw_fifo_file_perms; + ++allow postfix_master_t postfix_domain:fifo_file { read write }; +allow postfix_master_t postfix_domain:process signal; +#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456 +allow postfix_domain postfix_master_t:file read; @@ -46256,7 +46391,7 @@ index 137605a..7624759 100644 + ') ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 783f678..d45cfe5 100644 +index 783f678..f82fdec 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t) 
@@ -46269,7 +46404,7 @@ index 783f678..d45cfe5 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -43,17 +46,24 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) +@@ -43,17 +46,26 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) @@ -46295,6 +46430,8 @@ index 783f678..d45cfe5 100644 +miscfiles_read_certs(rhsmcertd_t) sysnet_dns_name_resolve(rhsmcertd_t) ++ ++rpm_read_db(rhsmcertd_t) diff --git a/ricci.fc b/ricci.fc index 5b08327..ed5dc05 100644 --- a/ricci.fc @@ -47168,7 +47305,7 @@ index dddabcf..fa20a5d 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index 19bb611..42ca54c 100644 +index 19bb611..2719eee 100644 --- a/rpc.te +++ b/rpc.te @@ -10,7 +10,7 @@ policy_module(rpc, 1.13.1) @@ -47314,11 +47451,12 @@ index 19bb611..42ca54c 100644 storage_dontaudit_read_fixed_disk(nfsd_t) storage_raw_read_removable_device(nfsd_t) -@@ -148,8 +184,10 @@ storage_raw_read_removable_device(nfsd_t) +@@ -148,8 +184,11 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) +userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) ++userdom_list_user_tmp(nfsd_t) + # Write access to public_content_t and public_content_rw_t -tunable_policy(`allow_nfsd_anon_write',` @@ -47326,7 +47464,7 @@ index 19bb611..42ca54c 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -158,7 +196,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -158,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) 
@@ -47334,7 +47472,7 @@ index 19bb611..42ca54c 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -170,8 +207,11 @@ tunable_policy(`nfs_export_all_ro',` +@@ -170,8 +208,11 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -47348,7 +47486,7 @@ index 19bb611..42ca54c 100644 ') ######################################## -@@ -181,7 +221,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -181,7 +222,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; @@ -47357,7 +47495,7 @@ index 19bb611..42ca54c 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -199,6 +239,7 @@ corecmd_exec_bin(gssd_t) +@@ -199,6 +240,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -47365,7 +47503,7 @@ index 19bb611..42ca54c 100644 fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) -@@ -210,14 +251,14 @@ auth_manage_cache(gssd_t) +@@ -210,14 +252,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -47383,7 +47521,7 @@ index 19bb611..42ca54c 100644 ') optional_policy(` -@@ -226,6 +267,11 @@ optional_policy(` +@@ -226,6 +268,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -52281,15 +52419,16 @@ index c117e8b..0eb909b 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index 179bc1b..735c400 100644 +index 179bc1b..ad84161 100644 --- a/snort.te 
+++ b/snort.te -@@ -32,17 +32,17 @@ files_pid_file(snort_var_run_t) +@@ -32,17 +32,18 @@ files_pid_file(snort_var_run_t) allow snort_t self:capability { setgid setuid net_admin net_raw dac_override }; dontaudit snort_t self:capability sys_tty_config; allow snort_t self:process signal_perms; -allow snort_t self:netlink_route_socket { bind create getattr nlmsg_read read write }; +allow snort_t self:netlink_route_socket create_netlink_socket_perms; ++allow snort_t self:netlink_socket create_socket_perms; allow snort_t self:tcp_socket create_stream_socket_perms; allow snort_t self:udp_socket create_socket_perms; allow snort_t self:packet_socket create_socket_perms; @@ -52409,13 +52548,17 @@ index 93fe7bf..1b07ed4 100644 init_labeled_script_domtrans($1, soundd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/spamassassin.fc b/spamassassin.fc -index 6b3abf9..21f3e07 100644 +index 6b3abf9..663ebeb 100644 --- a/spamassassin.fc +++ b/spamassassin.fc -@@ -1,15 +1,38 @@ +@@ -1,15 +1,50 @@ -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) ++HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) ++/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + +/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) 
@@ -52447,12 +52590,20 @@ index 6b3abf9..21f3e07 100644 +/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) +HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0) + ++/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0) +/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0) ++/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0) + +/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0) + ++/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) +/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) ++ ++/var/log/pyzord\.log -- gen_context(system_u:object_r:spamd_log_t,s0) +/var/log/razor-agent\.log -- gen_context(system_u:object_r:spamd_log_t,s0) ++ ++/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0) ++/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0) diff --git a/spamassassin.if b/spamassassin.if index c954f31..82fc7f6 100644 --- a/spamassassin.if @@ -52670,10 +52821,10 @@ index c954f31..82fc7f6 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/spamassassin.te b/spamassassin.te -index 1bbf73b..4b5b6fa 100644 +index 1bbf73b..716877c 100644 --- a/spamassassin.te +++ b/spamassassin.te -@@ -6,52 +6,101 @@ policy_module(spamassassin, 2.5.0) +@@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0) # ## 
@@ -52722,6 +52873,36 @@ index 1bbf73b..4b5b6fa 100644 -typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; -typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; -userdom_user_tmp_file(spamc_tmp_t) ++ ++type spamd_update_t; ++type spamd_update_exec_t; ++application_domain(spamd_update_t, spamd_update_exec_t) ++cron_system_entry(spamd_update_t, spamd_update_exec_t) ++role system_r types spamd_update_t; + + type spamd_t; + type spamd_exec_t; + init_daemon_domain(spamd_t, spamd_exec_t) + ++type spamd_compiled_t; ++files_type(spamd_compiled_t) ++ ++type spamd_initrc_exec_t; ++init_script_file(spamd_initrc_exec_t) ++ ++type spamd_log_t; ++logging_log_file(spamd_log_t) ++ + type spamd_spool_t; +-files_type(spamd_spool_t) ++files_spool_file(spamd_spool_t) + + type spamd_tmp_t; + files_tmp_file(spamd_tmp_t) +@@ -63,6 +52,89 @@ files_type(spamd_var_lib_t) + type spamd_var_run_t; + files_pid_file(spamd_var_run_t) + +ifdef(`distro_redhat',` + # spamassassin client executable + type spamc_t; 
@@ -52750,6 +52931,28 @@ index 1bbf73b..4b5b6fa 100644 + + typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t }; + typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t }; ++ typealias spamc_t alias pyzor_t; ++ typealias spamc_exec_t alias pyzor_exec_t; ++ typealias spamd_t alias pyzord_t; ++ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t; ++ typealias spamd_exec_t alias pyzord_exec_t; ++ typealias spamc_tmp_t alias pyzor_tmp_t; ++ typealias spamd_log_t alias pyzor_log_t; ++ typealias spamd_log_t alias pyzord_log_t; ++ typealias spamd_var_lib_t alias pyzor_var_lib_t; ++ typealias spamd_etc_t alias pyzor_etc_t; ++ typealias spamc_home_t alias pyzor_home_t; ++ typealias spamc_home_t alias user_pyzor_home_t; ++ typealias spamc_t alias razor_t; ++ typealias spamc_exec_t alias razor_exec_t; ++ typealias spamd_log_t alias razor_log_t; ++ typealias spamd_var_lib_t alias razor_var_lib_t; ++ typealias spamd_etc_t alias razor_etc_t; ++ typealias spamc_home_t alias razor_home_t; ++ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t }; ++ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t }; ++ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t }; ++ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t }; +',` + type spamassassin_t; + type spamassassin_exec_t; 
@@ -52783,32 +52986,10 @@ index 1bbf73b..4b5b6fa 100644 + ubac_constrained(spamc_tmp_t) +') + -+type spamd_update_t; -+type spamd_update_exec_t; -+application_domain(spamd_update_t, spamd_update_exec_t) -+cron_system_entry(spamd_update_t, spamd_update_exec_t) -+role system_r types spamd_update_t; - - type spamd_t; - type spamd_exec_t; - init_daemon_domain(spamd_t, spamd_exec_t) - -+type spamd_compiled_t; -+files_type(spamd_compiled_t) -+ -+type spamd_initrc_exec_t; -+init_script_file(spamd_initrc_exec_t) -+ -+type spamd_log_t; -+logging_log_file(spamd_log_t) -+ - type spamd_spool_t; --files_type(spamd_spool_t) -+files_spool_file(spamd_spool_t) - - type spamd_tmp_t; - files_tmp_file(spamd_tmp_t) -@@ -98,12 +147,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) + ############################## + # + # Standalone program local policy +@@ -98,12 +170,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file }) @@ -52823,7 +53004,7 @@ index 1bbf73b..4b5b6fa 100644 # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -144,6 +195,9 @@ tunable_policy(`spamassassin_can_network',` +@@ -144,6 +218,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -52833,7 +53014,7 @@ index 1bbf73b..4b5b6fa 100644 sysnet_read_config(spamassassin_t) ') -@@ -154,25 +208,13 @@ tunable_policy(`spamd_enable_home_dirs',` +@@ -154,25 +231,13 @@ tunable_policy(`spamd_enable_home_dirs',` userdom_manage_user_home_content_symlinks(spamd_t) ') 
@@ -52860,7 +53041,7 @@ index 1bbf73b..4b5b6fa 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -180,6 +222,8 @@ optional_policy(` +@@ -180,6 +245,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -52869,7 +53050,7 @@ index 1bbf73b..4b5b6fa 100644 ') ######################################## -@@ -202,15 +246,32 @@ allow spamc_t self:unix_stream_socket connectto; +@@ -202,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -52902,7 +53083,7 @@ index 1bbf73b..4b5b6fa 100644 corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -222,6 +283,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) +@@ -222,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) @@ -52910,7 +53091,7 @@ index 1bbf73b..4b5b6fa 100644 fs_search_auto_mountpoints(spamc_t) -@@ -240,9 +302,14 @@ files_read_usr_files(spamc_t) +@@ -240,9 +325,14 @@ files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -52925,7 +53106,7 @@ index 1bbf73b..4b5b6fa 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -250,27 +317,35 @@ seutil_read_config(spamc_t) +@@ -250,27 +340,35 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -52967,7 +53148,7 @@ index 1bbf73b..4b5b6fa 100644 ') ######################################## -@@ -282,7 +357,7 @@ optional_policy(` +@@ -282,7 +380,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. 
@@ -52976,7 +53157,7 @@ index 1bbf73b..4b5b6fa 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -298,10 +373,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -298,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -52995,7 +53176,7 @@ index 1bbf73b..4b5b6fa 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -310,11 +392,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -310,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -53013,7 +53194,7 @@ index 1bbf73b..4b5b6fa 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -363,23 +449,23 @@ files_read_var_lib_files(spamd_t) +@@ -363,23 +472,23 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -53045,7 +53226,7 @@ index 1bbf73b..4b5b6fa 100644 ') optional_policy(` -@@ -395,7 +481,9 @@ optional_policy(` +@@ -395,7 +504,9 @@ optional_policy(` ') optional_policy(` @@ -53055,7 +53236,7 @@ index 1bbf73b..4b5b6fa 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -404,25 +492,17 @@ optional_policy(` +@@ -404,25 +515,17 @@ optional_policy(` ') optional_policy(` @@ -53083,7 +53264,7 @@ index 1bbf73b..4b5b6fa 100644 postgresql_stream_connect(spamd_t) ') -@@ -433,6 +513,10 @@ optional_policy(` +@@ -433,6 +536,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -53094,7 +53275,7 @@ index 1bbf73b..4b5b6fa 100644 ') optional_policy(` -@@ -440,6 +524,7 @@ optional_policy(` +@@ -440,6 +547,7 @@ optional_policy(` ') optional_policy(` 
@@ -53102,7 +53283,7 @@ index 1bbf73b..4b5b6fa 100644 sendmail_stub(spamd_t) mta_read_config(spamd_t) ') -@@ -447,3 +532,51 @@ optional_policy(` +@@ -447,3 +555,51 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -54771,10 +54952,10 @@ index 0000000..9127cec +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..89684c9 +index 0000000..f6538d0 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,110 @@ +@@ -0,0 +1,111 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -54870,6 +55051,7 @@ index 0000000..89684c9 +xserver_read_xdm_home_files(thumb_t) +xserver_append_xdm_home_files(thumb_t) +xserver_dontaudit_read_xdm_pid(thumb_t) ++xserver_dontaudit_xdm_tmp_dirs(thumb_t) +xserver_stream_connect(thumb_t) + +optional_policy(` 
@@ -54997,6 +55179,496 @@ index 0521d5a..3d3f88a 100644 - unconfined_domain(tmpreaper_t) + rpm_manage_cache(tmpreaper_t) ') +diff --git a/tomcat.fc b/tomcat.fc +new file mode 100644 +index 0000000..1647b92 +--- /dev/null ++++ b/tomcat.fc +@@ -0,0 +1,11 @@ ++/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0) ++ ++/usr/sbin/tomcat -- gen_context(system_u:object_r:tomcat_exec_t,s0) ++ ++/var/cache/tomcat(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0) ++ ++/var/lib/tomcat(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0) ++ ++/var/log/tomcat(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0) ++ ++/var/run/tomcat.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0) +diff --git a/tomcat.if b/tomcat.if +new file mode 100644 +index 0000000..23251b7 +--- /dev/null ++++ b/tomcat.if +@@ -0,0 +1,353 @@ ++ ++## policy for tomcat ++ ++###################################### ++## ++## Creates types and rules for a basic ++## tomcat daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`tomcat_domain_template',` ++ gen_require(` ++ attribute tomcat_domain; ++ ') ++ ++ type $1_t, tomcat_domain; ++ type $1_exec_t; ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ can_exec($1_t, $1_exec_t) ++ ++') ++ ++######################################## ++## ++## Transition to tomcat. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tomcat_domtrans',` ++ gen_require(` ++ type tomcat_t, tomcat_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, tomcat_exec_t, tomcat_t) ++') ++ ++######################################## ++## ++## Search tomcat cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_search_cache',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ allow $1 tomcat_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read tomcat cache files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_read_cache_files',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## tomcat cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_cache_files',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t) ++') ++ ++######################################## ++## ++## Manage tomcat cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_cache_dirs',` ++ gen_require(` ++ type tomcat_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t) ++') ++ ++######################################## ++## ++## Read tomcat's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`tomcat_read_log',` ++ gen_require(` ++ type tomcat_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, tomcat_log_t, tomcat_log_t) ++') ++ ++######################################## ++## ++## Append to tomcat log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_append_log',` ++ gen_require(` ++ type tomcat_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, tomcat_log_t, tomcat_log_t) ++') ++ ++######################################## ++## ++## Manage tomcat log files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`tomcat_manage_log',` ++ gen_require(` ++ type tomcat_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t) ++ manage_files_pattern($1, tomcat_log_t, tomcat_log_t) ++ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t) ++') ++ ++######################################## ++## ++## Search tomcat lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_search_lib',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ allow $1 tomcat_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read tomcat lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_read_lib_files',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) ++') ++ ++######################################## ++## ++## Manage tomcat lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_lib_files',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) ++') ++ ++######################################## ++## ++## Manage tomcat lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_manage_lib_dirs',` ++ gen_require(` ++ type tomcat_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t) ++') ++ ++######################################## ++## ++## Read tomcat PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tomcat_read_pid_files',` ++ gen_require(` ++ type tomcat_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 tomcat_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Execute tomcat server in the tomcat domain. 
++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`tomcat_systemctl',` ++ gen_require(` ++ type tomcat_t; ++ type tomcat_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 tomcat_unit_file_t:file read_file_perms; ++ allow $1 tomcat_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, tomcat_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an tomcat environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`tomcat_admin',` ++ gen_require(` ++ type tomcat_t; ++ type tomcat_cache_t; ++ type tomcat_log_t; ++ type tomcat_var_lib_t; ++ type tomcat_var_run_t; ++ type tomcat_unit_file_t; ++ ') ++ ++ allow $1 tomcat_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, tomcat_t) ++ ++ files_search_var($1) ++ admin_pattern($1, tomcat_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, tomcat_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, tomcat_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, tomcat_var_run_t) ++ ++ tomcat_systemctl($1) ++ admin_pattern($1, tomcat_unit_file_t) ++ allow $1 tomcat_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/tomcat.te b/tomcat.te +new file mode 100644 +index 0000000..a986de8 +--- /dev/null ++++ b/tomcat.te +@@ -0,0 +1,108 @@ ++policy_module(tomcat, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute tomcat_domain; ++ ++tomcat_domain_template(tomcat) ++ ++type tomcat_cache_t; ++files_type(tomcat_cache_t) ++ ++type tomcat_log_t; ++logging_log_file(tomcat_log_t) ++ ++type tomcat_var_lib_t; ++files_type(tomcat_var_lib_t) ++ ++type tomcat_var_run_t; ++files_pid_file(tomcat_var_run_t) ++ ++type tomcat_tmp_t; 
++files_tmp_file(tomcat_tmp_t) ++ ++type tomcat_unit_file_t; ++systemd_unit_file(tomcat_unit_file_t) ++ ++####################################### ++# ++# tomcat local policy ++# ++ ++optional_policy(` ++ unconfined_domain(tomcat_t) ++') ++ ++######################################## ++# ++# tomcat domain local policy ++# ++ ++allow tomcat_t self:process execmem; ++allow tomcat_t self:process { signal signull }; ++ ++allow tomcat_t self:tcp_socket { accept listen }; ++allow tomcat_domain self:fifo_file rw_fifo_file_perms; ++allow tomcat_domain self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t) ++manage_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t) ++manage_lnk_files_pattern(tomcat_domain, tomcat_cache_t, tomcat_cache_t) ++files_var_filetrans(tomcat_domain, tomcat_cache_t, { dir file }) ++ ++manage_dirs_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t) ++manage_files_pattern(tomcat_domain, tomcat_log_t, tomcat_log_t) ++logging_log_filetrans(tomcat_domain, tomcat_log_t, { dir file }) ++ ++manage_dirs_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t) ++manage_files_pattern(tomcat_domain, tomcat_var_lib_t, tomcat_var_lib_t) ++files_var_lib_filetrans(tomcat_domain, tomcat_var_lib_t, { dir file }) ++ ++manage_dirs_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t) ++manage_files_pattern(tomcat_domain, tomcat_var_run_t, tomcat_var_run_t) ++files_pid_filetrans(tomcat_domain, tomcat_var_run_t, { dir file }) ++ ++manage_dirs_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t) ++manage_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t) ++manage_fifo_files_pattern(tomcat_t, tomcat_tmp_t, tomcat_tmp_t) ++files_tmp_filetrans(tomcat_t, tomcat_tmp_t, { file fifo_file dir }) ++ ++# we want to stay in a new tomcat domain if we call tomcat binary from a script ++# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t ++can_exec(tomcat_domain, tomcat_exec_t) ++ 
++kernel_read_system_state(tomcat_domain) ++kernel_read_network_state(tomcat_domain) ++ ++corecmd_exec_bin(tomcat_domain) ++corecmd_exec_shell(tomcat_domain) ++ ++corenet_tcp_bind_generic_node(tomcat_domain) ++corenet_udp_bind_generic_node(tomcat_domain) ++corenet_tcp_bind_http_port(tomcat_domain) ++corenet_tcp_bind_http_cache_port(tomcat_domain) ++corenet_tcp_bind_mxi_port(tomcat_domain) ++corenet_tcp_connect_http_port(tomcat_domain) ++corenet_tcp_connect_mxi_port(tomcat_domain) ++ ++dev_read_rand(tomcat_domain) ++dev_read_urand(tomcat_domain) ++dev_read_sysfs(tomcat_domain) ++ ++domain_use_interactive_fds(tomcat_domain) ++ ++fs_getattr_all_fs(tomcat_domain) ++fs_read_hugetlbfs_files(tomcat_domain) ++ ++files_read_etc_files(tomcat_domain) ++files_read_usr_files(tomcat_domain) ++ ++auth_read_passwd(tomcat_domain) ++ ++miscfiles_read_localization(tomcat_domain) ++ ++sysnet_dns_name_resolve(tomcat_domain) ++ diff --git a/tor.fc b/tor.fc index e2e06b2..6752bc3 100644 --- a/tor.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 88b9896..700b953 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.11.0 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
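Review bot: The `optional_policy(` unconfined_domain(tomcat_t) `)` block in tomcat.te makes tomcat_t unconfined wherever the unconfined module is loaded, so none of the cache/log/lib/port rules that follow it are exercised there, and the confined rule set looks untested as a result: tomcat_t is given only `self:tcp_socket { accept listen }`, with no visible socket create/bind permission, so the `corenet_tcp_bind_http_port` rules cannot take effect on their own. If the module is meant to ship confined, drop the unconfined_domain block (or gate it behind a boolean) and add `allow tomcat_t self:tcp_socket create_stream_socket_perms;`; if it is intentionally unconfined for now, say so in a comment above the block. Separately, tomcat_systemctl in tomcat.if calls `systemd_read_fifo_file_password_run($1)` while tomcat_admin calls `systemd_read_fifo_file_passwd_run($1)`; unless both interfaces exist in systemd.if, one spelling will fail at build time. The `.` in `/var/run/tomcat.pid` in tomcat.fc should be escaped as `\.pid` like the other fc entries, and the comment `# initrc_t@tomcat_test_exec_t->...` refers to a tomcat_test domain this module does not define.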
@@ -235,7 +235,7 @@ fi;
 if [ -e /etc/selinux/%2/.rebuild ]; then \
 rm /etc/selinux/%2/.rebuild; \
 if [ %1 -ne 1 ]; then \
- /usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd 2>/dev/null; \
+ /usr/sbin/semodule -n -s %2 -r xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor 2>/dev/null; \
 fi \
 rm -f /etc/selinux/%2/modules/active/modules/qemu.pp /etc/selinux/%2/modules/active/modules/nsplugin.pp /etc/selinux/%2/modules/active/modules/razor.pp /etc/selinux/%2/modules/active/modules/pyzord.pp \
 /usr/sbin/semodule -B -n -s %2; \
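Review bot: The module name added to the `semodule -r` list, `pyzor`, does not match the file removed on the following `rm -f` line, `pyzord.pp`, so one of the two names is presumably wrong; if the previously installed module was `pyzor.pp`, the rm -f line leaves a stale module file behind (semodule -r still unloads it), and if it was `pyzord`, the -r will report an unknown module (silenced by the `2>/dev/null`). Worth confirming the exact module name against what the prior policy package shipped and keeping the two lines in agreement.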
@@ -491,6 +491,30 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jun 25 2012 Miroslav Grepl 3.11.0-6 +- Add tomcat policy +- Remove pyzor/razor policy +- rhsmcertd reads the rpm database +- Dontaudit thumb to setattr on xdm_tmp dir +- Allow wicd to execute ldconfig in the networkmanager_t domain +- Add /var/run/cherokee\.pid labeling +- Allow mozilla_plugin to create mozilla_plugin_tmp_t lnk files too +- Allow postfix-master to r/w pipes other postfix domains +- Allow snort to create netlink_socket +- Add kdumpctl policy +- Allow firstboot to create tmp_t files/directories +- /usr/bin/paster should not be labeled as piranha_exec_t +- remove initrc_domain from tomcat +- Allow ddclient to read /etc/passwd +- Allow useradd to delete all file types stored in the users homedir +- Allow ldconfig and insmod to manage kdumpctl tmp files +- Firstboot should be just creating tmp_t dirs and xauth should be allowed to write to those +- Transition xauth files within firstboot_tmp_t +- Fix labeling of /run/media to match /media +- Label all lxdm.log as xserver_log_t +- Add port definition for mxi port +- Allow local_login_t to execute tmux + * Tue Jun 19 2012 Miroslav Grepl 3.11.0-5 - apcupsd needs to read /etc/passwd - Sanlock allso sends sigkill