From 60668f6a35fc45764c2d8a6f67a00b502d7c44b2 Mon Sep 17 00:00:00 2001 
From: Miroslav Grepl Date: Feb 18 2014 17:05:44 +0000 Subject: * Tue Feb 18 2014 Miroslav Grepl 3.13.1-25 - Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() interface - Allow confined users to run vmtools helpers - Fix userdom_common_user_template() - Generic systemd unit scripts do write check on / - Allow init_t to create init_tmp_t in /tmp. This is for temporary content created by generic unit files - Add additional fixes needed for init_t and setup script running in generic unit files - Allow general users to create packet_sockets - added connlcli port - Add init_manage_transient_unit() interface - Allow init_t (generic unit files) to manage rpc state data as we had it for initrc_t - Fix userdomain.te to require passwd class - devicekit_power sends out a signal to all processes on the message bus when power is going down - Dontaudit random domains listing /proc and hitting system_map_t - Dontaudit leaks of var_t into ifconfig_t - Allow domains that transition to ssh_t to manipulate its keyring - Define oracleasm_t as a device node - Change to handle /root as a symbolic link for os-tree - Allow sysadm_t to create packet_socket, also move some rules to attributes - Add label for openvswitch port - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. - Allow postfix_local to read .forward in pcp lib files - Allow pegasus_openlmi_storage_t to read lvm metadata - Add additional fixes for pegasus_openlmi_storage_t - Allow bumblebee to manage debugfs - Make bumblebee an unconfined domain - Allow snmp to read etc_aliases_t - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem - Allow pegasus_openlmi_storage_t to read /proc/1/environ - Dontaudit read gconf files for cupsd_config_t - make vmtools an unconfined domain - Add vmtools_helper_t for helper scripts. Allow vmtools shutdown a host and run ifconfig. 
- Allow collectd_t to use a mysql database - Allow ipa-otpd to perform DNS name resolution - Added new policy for keepalived - Allow openlmi-service provider to manage transitient units and allow stream connect to sssd - Add additional fixes new pscs-lite+polkit support - Add labeling for /run/krb5kdc - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 - Allow pcscd to read users proc info - Dontaudit smbd_t sending out random signuls - Add boolean to allow openshift domains to use nfs - Allow w3c_validator to create content in /tmp - zabbix_agent uses nsswitch - Allow procmail and dovecot to work together to deliver mail - Allow spamd to execute files in homedir if boolean turned on - Allow openvswitch to listen on port 6634 - Add net_admin capability in collectd policy - Fixed snapperd policy - Fixed bugsfor pcp policy - Allow dbus_system_domains to be started by init - Fixed some interfaces - Add kerberos_keytab_domain attribute - Fix snapperd_conf_t def --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index da6c7d0..f2eda1e 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..b64c141 100644 +index b191055..aa16691 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
@@ -5484,7 +5484,7 @@ index b191055..b64c141 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,55 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,55 +107,67 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) @@ -5516,6 +5516,7 @@ index b191055..b64c141 100644 network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) +network_port(conman, tcp,7890,s0, udp,7890,s0) ++network_port(connlcli, tcp,1358,s0, udp,1358,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) @@ -5558,7 +5559,7 @@ index b191055..b64c141 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +175,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5625,7 +5626,7 @@ index b191055..b64c141 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,26 +227,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,26 +228,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
@@ -5647,6 +5648,7 @@ index b191055..b64c141 100644 +network_port(openflow, tcp,6633,s0, tcp,6653,s0) network_port(openhpid, tcp,4743,s0, udp,4743,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) ++network_port(openvswitch, tcp,6634,s0) +network_port(osapi_compute, tcp, 8774, s0) network_port(pdps, tcp,1314,s0, udp,1314,s0) network_port(pegasus_http, tcp,5988,s0) @@ -5665,7 +5667,7 @@ index b191055..b64c141 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,39 +265,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -215,39 +267,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5718,7 +5720,7 @@ index b191055..b64c141 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -259,8 +315,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -259,8 +317,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5729,7 +5731,7 @@ index b191055..b64c141 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0) -@@ -271,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -271,10 +330,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) 
@@ -5742,7 +5744,7 @@ index b191055..b64c141 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +347,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5769,7 +5771,7 @@ index b191055..b64c141 100644 ######################################## # -@@ -333,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +396,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5778,7 +5780,7 @@ index b191055..b64c141 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +410,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -9452,7 +9454,7 @@ index b876c48..27f60c6 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..1517625 100644 +index f962f76..42fc031 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -11508,6 +11510,15 @@ index f962f76..1517625 100644 ## Create, read, write, and delete directories ## in the /var directory. ## +@@ -5328,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',` + type var_t; + ') + +- dontaudit $1 var_t:file rw_file_perms; ++ dontaudit $1 var_t:file rw_inherited_file_perms; + ') + + ######################################## 
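Review bot: Narrowing `files_dontaudit_rw_var_files` to `dontaudit $1 var_t:file rw_inherited_file_perms;` is the right direction (an explicit `open` of a var_t file is now audited instead of hidden), but the interface's summary text lies outside the hunk and presumably still describes it as read/write of /var files. Update it so callers learn the behaviour changed, e.g. `## Do not audit attempts to read and write inherited generic /var files (descriptors leaked across exec); an open() is still reported.`. The interface definition starts outside the hunk.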
@@ -5527,6 +6641,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## @@ -14838,7 +14849,7 @@ index 8416beb..75c7b9d 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..79f6c51 100644 +index e7d1738..089cc7a 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); @@ -14861,12 +14872,13 @@ index e7d1738..79f6c51 100644 type bdev_t; fs_type(bdev_t) -@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) +type oracleasmfs_t; +fs_type(oracleasmfs_t) ++dev_node(oracleasmfs_t) +files_mountpoint(oracleasmfs_t) +genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) + @@ -14880,7 +14892,7 @@ index e7d1738..79f6c51 100644 fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) -@@ -88,6 +97,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -88,6 +98,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -14892,7 +14904,7 @@ index e7d1738..79f6c51 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +110,7 @@ type hugetlbfs_t; +@@ -96,6 +111,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -14900,7 +14912,7 @@ index e7d1738..79f6c51 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -118,13 +133,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +134,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) 
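Review bot: `dev_node(oracleasmfs_t)` puts the whole oracleasmfs filesystem on the device-node attribute, so every domain that already holds a blanket device-node interface (the relabel/manage/getattr-all-dev-nodes family typically given to udev, restorecon and similar) now reaches files on that mount, which is wider than "define oracleasm_t as a device node" in the changelog suggests. That may be exactly what the ASM library needs, but the hunk gives no rationale; add a comment above the rule such as `# oracleasmfs exposes ASM disks as device nodes; device_node lets udev/restorecon-style domains treat them like /dev entries`. Also worth confirming the target type: the changelog names oracleasm_t, while the rule applies to oracleasmfs_t.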
@@ -14916,7 +14928,7 @@ index e7d1738..79f6c51 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,11 +166,6 @@ fs_type(spufs_t) +@@ -150,11 +167,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -14928,7 +14940,7 @@ index e7d1738..79f6c51 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -172,6 +183,8 @@ type vxfs_t; +@@ -172,6 +184,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -14937,7 +14949,7 @@ index e7d1738..79f6c51 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +195,8 @@ fs_type(tmpfs_t) +@@ -182,6 +196,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -14946,7 +14958,7 @@ index e7d1738..79f6c51 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +277,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -14955,7 +14967,7 @@ index e7d1738..79f6c51 100644 files_mountpoint(removable_t) # -@@ -280,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +298,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -18283,7 +18295,7 @@ index 0000000..48caabc +allow domain unlabeled_t:packet { send recv }; + diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 834a065..c769f81 100644 +index 834a065..ff93697 100644 --- a/policy/modules/roles/auditadm.te 
+++ b/policy/modules/roles/auditadm.te @@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) @@ -18295,10 +18307,12 @@ index 834a065..c769f81 100644 ######################################## # -@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t) +@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t) domain_kill_all_domains(auditadm_t) ++mls_file_read_all_levels(auditadm_t) ++ +selinux_read_policy(auditadm_t) + logging_send_syslog_msg(auditadm_t) @@ -18375,7 +18389,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..cf718d2 100644 +index 0fef1fc..ee4b689 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.4.0) @@ -18596,7 +18610,7 @@ index 0fef1fc..cf718d2 100644 ') optional_policy(` -@@ -52,11 +226,57 @@ optional_policy(` +@@ -52,11 +226,61 @@ optional_policy(` ') optional_policy(` @@ -18641,6 +18655,10 @@ index 0fef1fc..cf718d2 100644 ') optional_policy(` ++ vmtools_run_helper(staff_t, staff_r) ++') ++ ++optional_policy(` + vnstatd_read_lib_files(staff_t) +') + @@ -18654,7 +18672,7 @@ index 0fef1fc..cf718d2 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +285,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +289,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18665,7 +18683,7 @@ index 0fef1fc..cf718d2 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +294,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +298,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -18676,7 +18694,7 @@ index 0fef1fc..cf718d2 100644 ') optional_policy(` -@@ -101,10 +313,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +317,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18687,7 +18705,7 @@ index 0fef1fc..cf718d2 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +333,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +337,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
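Review bot: `mls_file_read_all_levels(auditadm_t)` lets the audit-admin role read files at every MLS level for all file types, while the changelog only asks to let auditadm search /var/log/audit. Under MLS this is probably unavoidable for reading systemhigh-labelled audit logs, but it is a much broader override than a directory search and the hunk carries no comment saying why. Document the intent next to the rule, e.g. `# audit logs are labeled at systemhigh under MLS; auditadm must read up to view them`, so a later least-privilege pass does not remove it or, conversely, widen it further without noticing.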
@@ -18698,7 +18716,7 @@ index 0fef1fc..cf718d2 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +345,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +349,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18709,7 +18727,7 @@ index 0fef1fc..cf718d2 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +376,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +380,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -18761,7 +18779,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..9da6c17 100644 +index 2522ca6..5307091 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.6.1) @@ -18919,14 +18937,14 @@ index 2522ca6..9da6c17 100644 optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) ++') ++ ++optional_policy(` ++ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) -+ consoletype_exec(sysadm_t) -+') -+ -+optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -18983,14 +19001,14 @@ index 2522ca6..9da6c17 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) -+') -+ -+optional_policy(` -+ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) ++ kudzu_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -19266,7 +19284,7 @@ index 2522ca6..9da6c17 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +571,75 @@ ifndef(`distro_redhat',` +@@ -459,15 +571,79 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -19333,6 +19351,10 @@ index 2522ca6..9da6c17 100644 + userhelper_role_template(sysadm, sysadm_r, sysadm_t) + ') + ++ optional_policy(` ++ vmtools_run_helper(sysadm_t, sysadm_r) ++ ') ++ + optional_policy(` + vmware_role(sysadm_r, sysadm_t) + ') @@ -20049,10 +20071,10 @@ index 0000000..b1163a6 +') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..dbb8afa +index 0000000..f5bbd82 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,332 @@ +@@ -0,0 +1,336 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -20212,6 +20234,10 @@ index 0000000..dbb8afa + sandbox_x_transition(unconfined_t, unconfined_r) + ') + ++ optional_policy(` ++ vmtools_run_helper(unconfined_t, unconfined_r) ++ ') ++ + optional_policy(` + gen_require(` + type user_tmpfs_t; @@ -20396,7 +20422,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 6d77e81..8e30f51 100644 +index 6d77e81..849acef 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -20548,7 +20574,18 @@ index 6d77e81..8e30f51 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +259,15 @@ ifndef(`distro_redhat',` +@@ -153,6 +251,10 @@ ifndef(`distro_redhat',` + userhelper_role_template(user, user_r, user_t) + ') + ++ optional_policy(` ++ vmtools_run_helper(user_t, user_r) ++ ') ++ + optional_policy(` + vmware_role(user_r, user_t) + ') +@@ -161,3 +263,15 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -21182,7 +21219,7 @@ index 76d9f66..5c271ce 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) 
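Review bot: `vmtools_run_helper(user_t, user_r)` gives the least-privileged confined user a transition into the vmtools helper domain, and the commit message says that domain can shut down the host and run ifconfig; unless the helper enforces its own authorization, this hands ordinary users a host-shutdown path their own domain does not have. The interface definition is not in this diff, so I cannot see whether the transition is gated by a boolean or whether the helper scripts are protected from modification by the calling user; both should be confirmed before this lands. Placement also looks inconsistent: per the hunk headers the unprivuser.te and sysadm.te calls sit inside the `ifndef(`distro_redhat',`` block while the staff.te call appears in the unconditional section, so on Red Hat builds staff_t gets it and user_t does not. If the user_t grant is intentional, a comment like `# vmtools helpers can power off the guest; transition is deliberate for VM guests` would record the decision.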
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..c0413e8 100644 +index fe0c682..e8dcfa7 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -21433,7 +21470,7 @@ index fe0c682..c0413e8 100644 allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; -+ allow $3 ssh_t:key read; ++ allow $3 ssh_t:key { write search read view }; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) @@ -27962,7 +27999,7 @@ index bc0ffc8..8de430d 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..9a14d49 100644 +index 79a45f6..35df3cb 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -28944,7 +28981,7 @@ index 79a45f6..9a14d49 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1840,3 +2359,432 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1840,3 +2359,450 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -29358,6 +29395,24 @@ index 79a45f6..9a14d49 100644 + +######################################## +## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service { start stop reload status }; ++') ++ ++######################################## ++## +## Transition to init named content +## +## @@ -29378,7 +29433,7 @@ index 79a45f6..9a14d49 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..c15f72a 100644 +index 17eda24..f22157d 100644 
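Review bot: The summary on the new `init_manage_transient_unit` interface reads `## Tell init to do an unknown access.`, which is copied from another interface and does not describe what the rule grants (`allow $1 init_t:service { start stop reload status };`). Replace it with something like `## Allow the specified domain to start, stop, reload and query the status of transient systemd units.` so callers understand they are handing out control over units, not a dontaudit. In the ssh.if hunk on the same line, `allow $3 ssh_t:key { write search read view };` lets the calling user domain modify the ssh client's keyring; a one-line comment naming the use case (the changelog only says "manipulate its keyring") would let a later audit decide whether `write` is still needed.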
--- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -29433,7 +29488,7 @@ index 17eda24..c15f72a 100644 # Mark file type as a daemon run directory attribute daemonrundir; -@@ -35,12 +64,14 @@ attribute daemonrundir; +@@ -35,12 +64,20 @@ attribute daemonrundir; # # init_t is the domain of the init process. # @@ -29446,10 +29501,16 @@ index 17eda24..c15f72a 100644 kernel_domtrans_to(init_t, init_exec_t) role system_r types init_t; +init_initrc_domain(init_t) ++ ++# ++# init_tmp_t is the type for content in /tmp directory ++# ++type init_tmp_t; ++files_tmp_file(init_tmp_t) # # init_var_run_t is the type for /var/run/shutdown.pid. -@@ -49,6 +80,15 @@ type init_var_run_t; +@@ -49,6 +86,15 @@ type init_var_run_t; files_pid_file(init_var_run_t) # @@ -29465,7 +29526,7 @@ index 17eda24..c15f72a 100644 # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -@@ -57,7 +97,7 @@ type initctl_t; +@@ -57,7 +103,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) @@ -29474,7 +29535,7 @@ index 17eda24..c15f72a 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +138,9 @@ ifdef(`enable_mls',` +@@ -98,7 +144,9 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -29485,7 +29546,7 @@ index 17eda24..c15f72a 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; 
@@ -29508,6 +29569,11 @@ index 17eda24..c15f72a 100644 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; + ++manage_files_pattern(init_t, init_tmp_t, init_tmp_t) ++manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t) ++manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t) ++files_tmp_filetrans(init_t, init_tmp_t, { file dir }) ++ +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) @@ -29529,7 +29595,7 @@ index 17eda24..c15f72a 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -29549,7 +29615,7 @@ index 17eda24..c15f72a 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +220,21 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -29567,10 +29633,11 @@ index 17eda24..c15f72a 100644 # Run /etc/X11/prefdm: files_exec_etc_files(init_t) +files_read_usr_files(init_t) ++files_write_root_dirs(init_t) # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +244,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) 
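Review bot: `files_write_root_dirs(init_t)` gives PID 1 permission to create and remove entries directly in `/`, but the commit message says the motivation is only that generic unit scripts "do write check on /". If those scripts merely probe writability with access(2) and tolerate a negative answer, a dontaudit of `root_t:dir write` (via the matching files_ interface) is the least-privilege way to silence the AVC; if they genuinely create files under `/`, say so in a comment, e.g. `# generic unit ExecStart* scripts run as init_t and create entries in /; see <unit>`. In the neighbouring init_tmp_t hunk, `files_tmp_filetrans(init_t, init_tmp_t, { file dir })` covers only files and directories, so sockets or fifos the same scripts create in /tmp would land as plain tmp_t — worth a comment if that is intended.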
@@ -29613,20 +29680,20 @@ index 17eda24..c15f72a 100644 seutil_read_config(init_t) +seutil_read_module_store(init_t) -+ + +-miscfiles_read_localization(init_t) +miscfiles_manage_localization(init_t) +miscfiles_filetrans_named_content(init_t) + +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) - --miscfiles_read_localization(init_t) ++ +allow init_t self:process setsched; ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +286,214 @@ ifdef(`distro_gentoo',` +@@ -186,29 +298,229 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -29805,9 +29872,24 @@ index 17eda24..c15f72a 100644 +auth_rw_login_records(init_t) +auth_domtrans_chk_passwd(init_t) + -+optional_policy(` -+ ipsec_read_config(init_t) -+ ipsec_manage_pid(init_t) ++ifdef(`distro_redhat',` ++ # it comes from setupr scripts used in systemd unit files ++ # has been covered by initrc_t ++ optional_policy(` ++ bind_manage_config_dirs(init_t) ++ bind_manage_config(init_t) ++ bind_write_config(init_t) ++ bind_setattr_zone_dirs(init_t) ++ ') ++ ++ optional_policy(` ++ ipsec_read_config(init_t) ++ ipsec_manage_pid(init_t) ++ ') ++ ++ optional_policy(` ++ rpc_manage_nfs_state_data(init_t) ++ ') +') + +optional_policy(` @@ -29827,18 +29909,18 @@ index 17eda24..c15f72a 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + networkmanager_stream_connect(init_t) +') + 
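Review bot: Under the new `ifdef(`distro_redhat',`` block, `bind_manage_config(init_t)`, `bind_manage_config_dirs(init_t)` and `bind_write_config(init_t)` let the systemd process itself rewrite named's configuration, and `rpc_manage_nfs_state_data(init_t)` does the same for NFS state; the comment says these come from setup scripts run by unit files, i.e. scripts that stay in init_t because nothing transitions them. That concentrates write access to unrelated services' configuration in PID 1, which is a poor place for it; if the scripts are fixed entry points, a dedicated domain (or the existing initrc_t transition the comment says used to cover this) would keep the grant off init_t. At minimum fix the comment so the rationale is readable: `# it comes from setupr scripts used in systemd unit files` → `# inherited from setup scripts run by systemd unit files; previously covered by initrc_t`.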
@@ -29849,7 +29931,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -216,7 +501,31 @@ optional_policy(` +@@ -216,7 +528,31 @@ optional_policy(` ') optional_policy(` @@ -29881,7 +29963,7 @@ index 17eda24..c15f72a 100644 ') ######################################## -@@ -225,9 +534,9 @@ optional_policy(` +@@ -225,9 +561,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29893,7 +29975,7 @@ index 17eda24..c15f72a 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +567,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +594,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -29910,7 +29992,7 @@ index 17eda24..c15f72a 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +592,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +619,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -29953,7 +30035,7 @@ index 17eda24..c15f72a 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +629,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +656,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -29965,7 +30047,7 @@ index 17eda24..c15f72a 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +641,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +668,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -29976,7 +30058,7 @@ index 17eda24..c15f72a 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +652,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +679,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -29986,7 +30068,7 @@ index 17eda24..c15f72a 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +661,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +688,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -29994,7 +30076,7 @@ index 17eda24..c15f72a 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +668,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +695,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30002,7 +30084,7 @@ index 17eda24..c15f72a 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +676,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +703,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30020,7 +30102,7 @@ index 17eda24..c15f72a 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +694,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +721,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -30034,7 +30116,7 @@ index 17eda24..c15f72a 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +709,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +736,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30048,7 +30130,7 @@ index 17eda24..c15f72a 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +722,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +749,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -30059,7 +30141,7 @@ index 17eda24..c15f72a 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +735,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +762,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30067,7 +30149,7 @@ index 17eda24..c15f72a 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +754,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +781,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30091,7 +30173,7 @@ index 17eda24..c15f72a 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +787,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +814,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -30099,7 +30181,7 @@ index 17eda24..c15f72a 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +821,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +848,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -30110,7 +30192,7 @@ index 17eda24..c15f72a 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +845,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +872,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -30119,7 +30201,7 @@ index 17eda24..c15f72a 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +860,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +887,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -30127,7 +30209,7 @@ index 17eda24..c15f72a 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +881,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +908,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30135,7 +30217,7 @@ index 17eda24..c15f72a 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +891,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +918,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30180,7 +30262,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -559,14 +936,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +963,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30212,7 +30294,7 @@ index 17eda24..c15f72a 100644 ') ') -@@ -577,6 +971,39 @@ ifdef(`distro_suse',` +@@ -577,6 +998,39 @@ ifdef(`distro_suse',` ') ') @@ -30252,7 +30334,7 @@ index 17eda24..c15f72a 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1016,8 @@ optional_policy(` +@@ -589,6 +1043,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -30261,7 +30343,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -610,6 +1039,7 @@ optional_policy(` +@@ -610,6 +1066,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30269,7 +30351,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -626,6 +1056,17 @@ optional_policy(` +@@ -626,6 +1083,17 @@ optional_policy(` ') optional_policy(` @@ -30287,7 +30369,7 @@ index 17eda24..c15f72a 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1083,13 @@ optional_policy(` +@@ -642,9 +1110,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -30301,7 +30383,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -657,15 +1102,11 @@ optional_policy(` +@@ -657,15 +1129,11 @@ optional_policy(` ') optional_policy(` @@ -30319,7 +30401,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -686,6 +1127,15 @@ optional_policy(` +@@ -686,6 +1154,15 @@ optional_policy(` ') optional_policy(` @@ -30335,7 +30417,7 @@ index 17eda24..c15f72a 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1176,7 @@ optional_policy(` +@@ -726,6 +1203,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30343,7 +30425,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -743,7 +1194,13 @@ optional_policy(` +@@ -743,7 +1221,13 @@ optional_policy(` ') optional_policy(` @@ -30358,7 +30440,7 @@ index 17eda24..c15f72a 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1223,10 @@ optional_policy(` +@@ -766,6 +1250,10 @@ optional_policy(` ') optional_policy(` @@ -30369,7 +30451,7 @@ index 17eda24..c15f72a 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1236,20 @@ optional_policy(` +@@ -775,10 +1263,20 @@ optional_policy(` ') optional_policy(` 
@@ -30390,7 +30472,7 @@ index 17eda24..c15f72a 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1258,10 @@ optional_policy(` +@@ -787,6 +1285,10 @@ optional_policy(` ') optional_policy(` @@ -30401,7 +30483,7 @@ index 17eda24..c15f72a 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1283,6 @@ optional_policy(` +@@ -808,8 +1310,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30410,7 +30492,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -818,6 +1291,10 @@ optional_policy(` +@@ -818,6 +1318,10 @@ optional_policy(` ') optional_policy(` @@ -30421,7 +30503,7 @@ index 17eda24..c15f72a 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1304,12 @@ optional_policy(` +@@ -827,10 +1331,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30434,7 +30516,7 @@ index 17eda24..c15f72a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1336,60 @@ optional_policy(` +@@ -857,21 +1363,60 @@ optional_policy(` ') optional_policy(` @@ -30496,7 +30578,7 @@ index 17eda24..c15f72a 100644 ') optional_policy(` -@@ -887,6 +1405,10 @@ optional_policy(` +@@ -887,6 +1432,10 @@ optional_policy(` ') optional_policy(` @@ -30507,7 +30589,7 @@ index 17eda24..c15f72a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1419,218 @@ optional_policy(` +@@ -897,3 +1446,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -33496,10 +33578,38 @@ index 6b91740..633e449 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..f0de612 100644 +index 58bc27f..ce880a6 100644 --- a/policy/modules/system/lvm.if 
+++ b/policy/modules/system/lvm.if -@@ -123,3 +123,113 @@ interface(`lvm_domtrans_clvmd',` +@@ -86,6 +86,27 @@ interface(`lvm_read_config',` + + ######################################## + ## ++## Read LVM configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_read_metadata',` ++ gen_require(` ++ type lvm_metadata_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 lvm_etc_t:dir list_dir_perms; ++ read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) ++') ++ ++######################################## ++## + ## Manage LVM configuration files. + ## + ## +@@ -123,3 +144,113 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -37424,7 +37534,7 @@ index 2cea692..f1e2130 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..72131e5 100644 +index a392fc4..b0a854f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -37678,7 +37788,7 @@ index a392fc4..72131e5 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +338,30 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +338,31 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -37702,6 +37812,7 @@ index a392fc4..72131e5 100644 +files_dontaudit_rw_inherited_locks(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) ++files_dontaudit_rw_var_files(ifconfig_t) + files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) 
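Review bot: The gen_require block of the new lvm_read_metadata interface lists only `type lvm_metadata_t;`, yet the body also references lvm_etc_t in `allow $1 lvm_etc_t:dir list_dir_perms;`, so a module that calls this interface without requiring lvm_etc_t elsewhere is likely to fail to build; the require should read `type lvm_metadata_t, lvm_etc_t;`. The summary line `## Read LVM configuration files.` is copied from lvm_read_config directly above and no longer describes this interface, which reads lvm_metadata_t, so `## Read LVM metadata files.` would match the body. The call `read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)` also departs from the `($1, type, type)` spacing used by the surrounding interfaces, and `list_dir_perms` on lvm_etc_t is broader than the `search_dir_perms` that traversal into the metadata directories needs, if listing the config directory was not the intent.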
@@ -37709,7 +37820,7 @@ index a392fc4..72131e5 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,24 +374,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,24 +375,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -37738,7 +37849,7 @@ index a392fc4..72131e5 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -325,7 +398,22 @@ ifdef(`distro_ubuntu',` +@@ -325,7 +399,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -37761,7 +37872,7 @@ index a392fc4..72131e5 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +424,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +425,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -37774,7 +37885,7 @@ index a392fc4..72131e5 100644 ') optional_policy(` -@@ -350,7 +442,15 @@ optional_policy(` +@@ -350,7 +443,15 @@ optional_policy(` ') optional_policy(` @@ -37791,7 +37902,7 @@ index a392fc4..72131e5 100644 ') optional_policy(` -@@ -371,3 +471,13 @@ optional_policy(` +@@ -371,3 +472,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -41304,7 +41415,7 @@ index db75976..e4eb903 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..daee32c 100644 +index 9dc60c6..ace307f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -41894,7 +42005,7 @@ index 9dc60c6..daee32c 100644 ') ') -@@ -491,7 +659,8 @@ template(`userdom_common_user_template',` +@@ -491,51 +659,63 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') 
@@ -41904,7 +42015,10 @@ index 9dc60c6..daee32c 100644 ############################## # -@@ -501,41 +670,51 @@ template(`userdom_common_user_template',` + # User domain Local policy + # ++ allow $1_t self:packet_socket create_socket_perms; + # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -41979,7 +42093,7 @@ index 9dc60c6..daee32c 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +725,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +726,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -42138,7 +42252,7 @@ index 9dc60c6..daee32c 100644 ') optional_policy(` -@@ -642,23 +848,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +849,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -42167,7 +42281,7 @@ index 9dc60c6..daee32c 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +875,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +876,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -42176,7 +42290,7 @@ index 9dc60c6..daee32c 100644 ') optional_policy(` -@@ -680,9 +884,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +885,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -42189,7 +42303,7 @@ index 9dc60c6..daee32c 100644 ') ') -@@ -693,32 +897,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +898,35 @@ template(`userdom_common_user_template',` ') optional_policy(` 
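Review bot: The new `allow $1_t self:packet_socket create_socket_perms;` in userdom_common_user_template carries no comment saying which user application needs AF_PACKET sockets, unlike the netlink dontaudit rules immediately below it, which are annotated. Because this template feeds every confined user domain, a one-line why-comment such as `# <application — confirm> creates packet sockets (bug: <id placeholder>)` would let the grant be revisited rather than inherited silently. If the rule only exists to silence a denial from an application that copes without the socket, a dontaudit would be the narrower choice. userdom_common_user_template begins outside this hunk.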
@@ -42236,7 +42350,7 @@ index 9dc60c6..daee32c 100644 ') ') -@@ -743,17 +950,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +951,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -42274,7 +42388,7 @@ index 9dc60c6..daee32c 100644 userdom_change_password_template($1) -@@ -761,83 +984,107 @@ template(`userdom_login_user_template', ` +@@ -761,83 +985,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -42418,7 +42532,7 @@ index 9dc60c6..daee32c 100644 ') ####################################### -@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1116,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -42431,7 +42545,7 @@ index 9dc60c6..daee32c 100644 ############################## # # Local policy -@@ -907,56 +1160,140 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,56 +1161,140 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -42588,7 +42702,7 @@ index 9dc60c6..daee32c 100644 ## ## The template for creating a unprivileged user roughly ## equivalent to a regular linux user. -@@ -987,27 +1324,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1325,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -42626,7 +42740,7 @@ index 9dc60c6..daee32c 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1361,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1362,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -42697,7 +42811,7 @@ index 9dc60c6..daee32c 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1423,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1424,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` 
@@ -42708,7 +42822,7 @@ index 9dc60c6..daee32c 100644 ') ') -@@ -1079,7 +1461,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1462,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -42719,7 +42833,7 @@ index 9dc60c6..daee32c 100644 ') ############################## -@@ -1095,6 +1479,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1480,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; 
@@ -42727,25 +42841,24 @@ index 9dc60c6..daee32c 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1106,6 +1491,7 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1491,8 @@ template(`userdom_admin_user_template',` + # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; -+ allow $1_t self:capability2 { block_suspend syslog }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; -@@ -1114,6 +1500,9 @@ template(`userdom_admin_user_template',` - # Skip authentication when pam_rootok is specified. - allow $1_t self:passwd rootok; - +- allow $1_t self:capability ~{ sys_module audit_control audit_write }; +- allow $1_t self:process { setexec setfscreate }; +- allow $1_t self:netlink_audit_socket nlmsg_readpriv; +- allow $1_t self:tun_socket create; +- # Set password information for other users. +- allow $1_t self:passwd { passwd chfn chsh }; +- # Skip authentication when pam_rootok is specified. +- allow $1_t self:passwd rootok; + # Manipulate other users crontab. + allow $1_t self:passwd crontab; -+ + kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) -@@ -1128,6 +1517,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1508,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -42753,7 +42866,7 @@ index 9dc60c6..daee32c 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1535,14 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1526,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) 
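Review bot: The self:capability, self:process, netlink_audit_socket, tun_socket and passwd rules removed from userdom_admin_user_template here are re-granted later in this same patch on the confined_admindomain attribute in userdomain.te, so any caller of the template whose $1_t does not receive that attribute silently loses those rights; from this hunk I cannot see where the typeattribute is assigned, presumably in the hunk just above. A pointer on the retained block, e.g. `# capability/process/passwd rules for admin domains are granted via the confined_admindomain attribute in userdomain.te`, would keep the two places tied together. The retained `allow $1_t self:passwd crontab;` also still needs `class passwd crontab;` in the template's gen_require, which lies outside this hunk and should be checked.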
@@ -42768,7 +42881,7 @@ index 9dc60c6..daee32c 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1553,38 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1544,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -42811,7 +42924,7 @@ index 9dc60c6..daee32c 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1594,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1585,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -42820,7 +42933,7 @@ index 9dc60c6..daee32c 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1603,17 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1594,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -42839,7 +42952,7 @@ index 9dc60c6..daee32c 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1649,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1640,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -42848,7 +42961,7 @@ index 9dc60c6..daee32c 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1659,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1650,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -42857,7 +42970,7 @@ index 9dc60c6..daee32c 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1673,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1664,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -42869,7 +42982,7 @@ index 9dc60c6..daee32c 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1687,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1678,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -42912,7 +43025,7 @@ index 9dc60c6..daee32c 100644 ') optional_policy(` -@@ -1357,14 +1772,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1763,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -42931,7 +43044,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -1405,6 +1823,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1405,6 +1814,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -42983,7 +43096,7 @@ index 9dc60c6..daee32c 100644 ## ## ## Domain allowed access. -@@ -1509,11 +1972,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1963,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -43015,7 +43128,7 @@ index 9dc60c6..daee32c 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2038,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2029,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -43030,7 +43143,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -1570,9 +2061,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2052,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -43042,7 +43155,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -1629,6 +2122,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2113,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -43085,7 +43198,7 @@ index 9dc60c6..daee32c 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2237,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2228,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -43094,7 +43207,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -1741,10 +2272,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2263,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -43109,7 +43222,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -1769,7 +2302,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2293,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -43136,7 +43249,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -1779,53 +2330,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1779,53 +2321,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` 
@@ -43219,7 +43332,7 @@ index 9dc60c6..daee32c 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1845,6 +2413,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1845,6 +2404,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -43245,7 +43358,7 @@ index 9dc60c6..daee32c 100644 ## Mmap user home files. ## ## -@@ -1875,14 +2462,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1875,14 +2453,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -43283,7 +43396,7 @@ index 9dc60c6..daee32c 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2502,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2493,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -43301,7 +43414,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -1938,7 +2550,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2541,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -43310,7 +43423,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -1946,10 +2558,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2549,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -43323,7 +43436,7 @@ index 9dc60c6..daee32c 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2569,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2560,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## 
@@ -43332,7 +43445,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -1966,30 +2577,84 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,35 +2568,89 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -43367,10 +43480,11 @@ index 9dc60c6..daee32c 100644 - dontaudit $1 user_home_t:file relabel_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read user home subdirectory symbolic links. +## Delete all sock files in a user home subdirectory. +## +## @@ -43421,10 +43535,15 @@ index 9dc60c6..daee32c 100644 + ') + + dontaudit $1 user_home_t:file relabel_file_perms; - ') - - ######################################## -@@ -2007,8 +2672,7 @@ interface(`userdom_read_user_home_content_symlinks',` ++') ++ ++######################################## ++## ++## Read user home subdirectory symbolic links. + ## + ## + ## +@@ -2007,8 +2663,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -43434,7 +43553,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -2024,20 +2688,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,21 +2679,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -43448,18 +43567,19 @@ index 9dc60c6..daee32c 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -2120,7 +2778,7 @@ interface(`userdom_manage_user_home_content_symlinks',` + ## Do not audit attempts to execute user home files. +@@ -2120,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -43468,7 +43588,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -2128,19 +2786,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -43492,7 +43612,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -2148,12 +2804,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -43508,7 +43628,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -2390,11 +3046,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2390,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -43523,7 +43643,7 @@ index 9dc60c6..daee32c 100644 files_search_tmp($1) ') -@@ -2414,7 +3070,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -43532,7 +43652,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -2661,6 +3317,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -43558,7 +43678,7 @@ index 9dc60c6..daee32c 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3352,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2677,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -43574,7 +43694,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -2704,7 +3380,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2704,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -43583,7 +43703,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -2712,14 +3388,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2712,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -43618,7 +43738,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -2814,6 +3506,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3497,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -43643,7 +43763,7 @@ index 9dc60c6..daee32c 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3542,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3533,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -43686,7 +43806,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -2856,14 +3578,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3569,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
@@ -43724,7 +43844,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -2882,8 +3623,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -43754,7 +43874,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -2955,69 +3715,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -43855,7 +43975,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -3025,12 +3784,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -43870,7 +43990,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -3094,7 +3853,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -43879,7 +43999,7 @@ index 9dc60c6..daee32c 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +3869,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -43913,7 +44033,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -3214,7 +3957,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -43940,7 +44060,7 @@ index 9dc60c6..daee32c 100644 ') ######################################## -@@ -3269,12 +4030,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -43956,7 +44076,7 @@ index 9dc60c6..daee32c 100644 ## ## ## -@@ -3282,40 +4044,116 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,36 +4035,112 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -44001,10 +44121,9 @@ index 9dc60c6..daee32c 100644 -## Get the attributes of all user domains. +## Do not audit attempts to read/write users +## temporary fifo files. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. +## +## @@ -44077,14 +44196,10 @@ index 9dc60c6..daee32c 100644 +######################################## +## +## Get the attributes of all user domains. -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -3382,6 +4220,42 @@ interface(`userdom_signal_all_users',` + ## + ## + ## +@@ -3382,6 +4211,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -44127,7 +44242,7 @@ index 9dc60c6..daee32c 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4276,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4267,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -44152,7 +44267,7 @@ index 9dc60c6..daee32c 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4327,1671 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4318,1680 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -44281,6 +44396,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; +') + @@ -44299,6 +44415,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir list_dir_perms; +') + 
@@ -44317,6 +44434,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir list_dir_perms; +') + @@ -44335,6 +44453,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir search_dir_perms; +') + @@ -44429,6 +44548,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, admin_home_t, admin_home_t) +') + @@ -44448,6 +44568,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:file delete_file_perms; +') + @@ -44467,6 +44588,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + exec_files_pattern($1, admin_home_t, admin_home_t) +') + @@ -44615,6 +44737,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, admin_home_t, $2, $3, $4) +') + @@ -45135,6 +45258,7 @@ index 9dc60c6..daee32c 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:file read_file_perms; +') + @@ -45825,7 +45949,7 @@ index 9dc60c6..daee32c 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..a3fcbf1 100644 +index f4ac38d..799a5cc 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) 
@@ -45914,7 +46038,7 @@ index f4ac38d..a3fcbf1 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,370 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,383 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -46161,8 +46285,21 @@ index f4ac38d..a3fcbf1 100644 +# +gen_require(` + class context contains; ++ class passwd { passwd chfn chsh rootok }; +') + ++allow confined_admindomain self:capability ~{ sys_module audit_control audit_write }; ++allow confined_admindomain self:capability2 { block_suspend syslog }; ++allow confined_admindomain self:process { setexec setfscreate }; ++allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv; ++allow confined_admindomain self:tun_socket create_socket_perms; ++allow confined_admindomain self:packet_socket create_socket_perms; ++ ++# Set password information for other users. ++allow confined_admindomain self:passwd { passwd chfn chsh }; ++# Skip authentication when pam_rootok is specified. ++allow confined_admindomain self:passwd rootok; ++ +corecmd_shell_entry_type(confined_admindomain) +corecmd_bin_entry_type(confined_admindomain) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 421c075..0935b97 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10106,10 +10106,10 @@ index 0000000..de66654 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..00e1ff2 +index 0000000..fe923e3 --- /dev/null 
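Review bot: `allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };` in the userdomain.te hunk grants every other permission of the capability class (sys_admin, sys_ptrace, dac_override, setuid, mknod among them), and a complemented set silently picks up any permission later added to the class, so a positive list is easier to audit and does not grow on its own. The line carries no comment, unlike the `passwd` rules beneath it; at least `# Deliberately broad: all capabilities except module loading and audit control; re-check whenever the capability class changes` would record the intent. `allow confined_admindomain self:packet_socket create_socket_perms;` gives every domain carrying the attribute raw packet capture rather than only the one that needs it; if that widening is intended, say so on the line. The block these rules belong to starts outside the hunk.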
+++ b/bumblebee.te -@@ -0,0 +1,58 @@ +@@ -0,0 +1,59 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10145,6 +10145,7 @@ index 0000000..00e1ff2 + +kernel_read_system_state(bumblebee_t) +kernel_dontaudit_access_check_proc(bumblebee_t) ++kernel_manage_debugfs(bumblebee_t) + +corecmd_exec_shell(bumblebee_t) +corecmd_exec_bin(bumblebee_t) @@ -13142,10 +13143,10 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..d078b96 100644 +index 6471fa8..26584f2 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,7 +26,14 @@ files_type(collectd_var_lib_t) +@@ -26,18 +26,28 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) @@ -13160,7 +13161,12 @@ index 6471fa8..d078b96 100644 ######################################## # -@@ -38,6 +45,9 @@ allow collectd_t self:process { getsched setsched signal }; + # Local policy + # + +-allow collectd_t self:capability { ipc_lock sys_nice }; ++allow collectd_t self:capability { ipc_lock net_admin sys_nice }; + allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; @@ -13178,13 +13184,13 @@ index 6471fa8..d078b96 100644 +kernel_read_all_sysctls(collectd_t) +kernel_read_all_proc(collectd_t) +kernel_list_all_proc(collectd_t) -+ -+auth_getattr_passwd(collectd_t) -+auth_read_passwd(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) ++auth_getattr_passwd(collectd_t) ++auth_read_passwd(collectd_t) ++ +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) 
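Review bot: `allow collectd_t self:capability { ipc_lock net_admin sys_nice };` in the collectd.te hunk adds net_admin without saying which plugin needs it; net_admin covers interface, routing and firewall configuration, not just reading counters, so a comment such as `# net_admin: required by the <plugin> plugin (constructed placeholder, name the real one)` lets a later reviewer judge whether a narrower interface would do. The same applies to `kernel_manage_debugfs(bumblebee_t)` in the bumblebee.te hunk above it: debugfs exposes kernel-internal state and write access to it is broad, and the rule explains neither what bumblebee writes there nor why read access is insufficient. In both hunks the enclosing local-policy block starts outside the hunk.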
@@ -13206,10 +13212,14 @@ index 6471fa8..d078b96 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +90,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +90,30 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` ++ mysql_stream_connect(collectd_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(collectd_t) +') + @@ -18109,7 +18119,7 @@ index 3023be7..20e370b 100644 + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ') diff --git a/cups.te b/cups.te -index c91813c..f03481e 100644 +index c91813c..3598e62 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.16.2) @@ -18526,7 +18536,7 @@ index c91813c..f03481e 100644 ') optional_policy(` -+ gnome_dontaudit_search_config(cupsd_config_t) ++ gnome_dontaudit_read_config(cupsd_config_t) +') + +optional_policy(` @@ -23747,7 +23757,7 @@ index c880070..4448055 100644 -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if -index d5badb7..b093baa 100644 +index d5badb7..f439164 100644 --- a/dovecot.if +++ b/dovecot.if @@ -1,29 +1,49 @@ @@ -23874,8 +23884,29 @@ index d5badb7..b093baa 100644 ## ## ## -@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',` + allow $1 dovecot_tmp_t:file write; + ') ++#################################### ++## ++## Read dovecot configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dovecot_read_config',` ++ gen_require(` ++ type dovecot_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t) ++') ++ ######################################## ## -## All of the rules required to 
@@ -23885,7 +23916,7 @@ index d5badb7..b093baa 100644 ## ## ## -@@ -132,7 +148,7 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -132,7 +167,7 @@ interface(`dovecot_write_inherited_tmp_files',` ## ## ## @@ -23894,7 +23925,7 @@ index d5badb7..b093baa 100644 ## ## ## -@@ -146,9 +162,13 @@ interface(`dovecot_admin',` +@@ -146,9 +181,13 @@ interface(`dovecot_admin',` type dovecot_keytab_t; ') @@ -23909,7 +23940,7 @@ index d5badb7..b093baa 100644 init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dovecot_initrc_exec_t system_r; -@@ -157,20 +177,25 @@ interface(`dovecot_admin',` +@@ -157,20 +196,25 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, { dovecot_keytab_t dovecot_etc_t }) @@ -33079,10 +33110,10 @@ index 0000000..deb738f + diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..02f7cfa +index 0000000..589066e --- /dev/null +++ b/ipa.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,38 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -33109,6 +33140,11 @@ index 0000000..02f7cfa + +corenet_tcp_connect_radius_port(ipa_otpd_t) + ++dev_read_urand(ipa_otpd_t) ++dev_read_rand(ipa_otpd_t) ++ ++sysnet_dns_name_resolve(ipa_otpd_t) ++ +optional_policy(` + dirsrv_stream_connect(ipa_otpd_t) +') 
@@ -35454,11 +35490,165 @@ index 2990962..c153d15 100644 +optional_policy(` + policykit_dbus_chat(kdumpgui_t) ') +diff --git a/keepalived.fc b/keepalived.fc +new file mode 100644 +index 0000000..7e6f8be +--- /dev/null ++++ b/keepalived.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0) ++ ++/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0) ++ ++/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0) +diff --git a/keepalived.if b/keepalived.if +new file mode 100644 +index 0000000..0d61849 +--- /dev/null ++++ b/keepalived.if +@@ -0,0 +1,84 @@ ++ ++## keepalived - load-balancing and high-availability service ++ ++######################################## ++## ++## Execute keepalived in the keepalived domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`keepalived_domtrans',` ++ gen_require(` ++ type keepalived_t, keepalived_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, keepalived_exec_t, keepalived_t) ++') ++######################################## ++## ++## Execute keepalived server in the keepalived domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`keepalived_systemctl',` ++ gen_require(` ++ type keepalived_t; ++ type keepalived_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 keepalived_unit_file_t:file read_file_perms; ++ allow $1 keepalived_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, keepalived_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an keepalived environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`keepalived_admin',` ++ gen_require(` ++ type keepalived_t; ++ type keepalived_unit_file_t; ++ ') ++ ++ allow $1 keepalived_t:process { signal_perms }; ++ ps_process_pattern($1, keepalived_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 keepalived_t:process ptrace; ++ ') ++ ++ keepalived_systemctl($1) ++ admin_pattern($1, keepalived_unit_file_t) ++ allow $1 keepalived_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/keepalived.te b/keepalived.te +new file mode 100644 +index 0000000..535f79b +--- /dev/null ++++ b/keepalived.te +@@ -0,0 +1,47 @@ ++policy_module(keepalived, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type keepalived_t; ++type keepalived_exec_t; ++init_daemon_domain(keepalived_t, keepalived_exec_t) ++ ++type keepalived_unit_file_t; ++systemd_unit_file(keepalived_unit_file_t) ++ ++type keepalived_var_run_t; ++files_pid_file(keepalived_var_run_t) ++ ++######################################## ++# ++# keepalived local policy ++# ++allow keepalived_t self:capability { net_admin net_raw }; ++allow keepalived_t self:process { signal_perms }; ++allow keepalived_t self:netlink_socket create_socket_perms; ++allow keepalived_t self:netlink_route_socket nlmsg_write; ++allow keepalived_t self:packet_socket create_socket_perms; ++allow keepalived_t self:rawip_socket create_socket_perms; ++ ++ ++manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t) ++files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file }) ++ ++kernel_read_system_state(keepalived_t) ++kernel_read_network_state(keepalived_t) ++ ++auth_use_nsswitch(keepalived_t) ++ ++corenet_tcp_connect_connlcli_port(keepalived_t) ++corenet_tcp_connect_http_port(keepalived_t) ++corenet_tcp_connect_smtp_port(keepalived_t) ++ ++dev_read_urand(keepalived_t) ++ ++modutils_domtrans_insmod(keepalived_t) ++ 
++logging_send_syslog_msg(keepalived_t) ++ diff --git a/kerberos.fc b/kerberos.fc -index 4fe75fd..8c702c9 100644 +index 4fe75fd..b029c28 100644 --- a/kerberos.fc +++ b/kerberos.fc -@@ -1,52 +1,44 @@ +@@ -1,52 +1,46 @@ -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) 
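Review bot: `modutils_domtrans_insmod(keepalived_t)` in the new keepalived.te lets the daemon run insmod in the insmod domain, i.e. load kernel modules, which is effectively kernel-level privilege for a network-facing daemon; if the need is only module autoloading (ip_vs for the IPVS backend, presumably), `kernel_request_load_module(keepalived_t)` is the narrower grant, and otherwise the module it loads belongs in a comment on that line. In keepalived.if the `keepalived_admin` interface documents a second parameter (`Role allowed access.`) that its body never references, so either the doc block or the body is wrong. Typos: `domin` in the `keepalived_domtrans` summary and `an keepalived environment` in `keepalived_admin`; the module summary `## keepalived - load-balancing and high-availability service` is preceded by a blank line, whereas the refpolicy doc tooling conventionally expects it on line 1 — confirm against the other .if files in the tree.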
@@ -35492,25 +35682,33 @@ index 4fe75fd..8c702c9 100644 -/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- ++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + -/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- ++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) + -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -- ++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) ++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) + -/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -- ++/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0) + -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/var/kerberos/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) +-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) - /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) @@ -35525,13 +35723,6 @@ index 4fe75fd..8c702c9 100644 -/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+ -+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) -+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) -+ -+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+ +/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) @@ -36152,7 +36343,7 @@ index f6c00d8..c0946cf 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 8833d59..3ca9e12 100644 +index 8833d59..ff53b77 100644 --- a/kerberos.te +++ b/kerberos.te @@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0) 
@@ -36356,12 +36547,17 @@ index 8833d59..3ca9e12 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) - files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) +@@ -201,56 +228,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) + files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) --can_exec(krb5kdc_t, krb5kdc_exec_t) + manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) +-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - +-can_exec(krb5kdc_t, krb5kdc_exec_t) ++manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) ++manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) ++files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file }) + kernel_read_system_state(krb5kdc_t) kernel_read_kernel_sysctls(krb5kdc_t) +kernel_list_proc(krb5kdc_t) @@ -36422,7 +36618,7 @@ index 8833d59..3ca9e12 100644 sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +287,11 @@ optional_policy(` +@@ -261,11 +289,11 @@ optional_policy(` ') optional_policy(` @@ -36436,7 +36632,7 @@ index 8833d59..3ca9e12 100644 ') optional_policy(` -@@ -273,6 +299,10 @@ optional_policy(` +@@ -273,6 +301,10 @@ optional_policy(` ') optional_policy(` @@ -36447,7 +36643,7 @@ index 8833d59..3ca9e12 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +311,12 @@ optional_policy(` +@@ -281,10 +313,12 @@ optional_policy(` # kpropd local policy # @@ -36463,7 +36659,7 @@ index 8833d59..3ca9e12 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,26 +337,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) 
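Review bot: `files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })` in the kerberos.te hunk labels every directory krb5kdc_t creates directly under the pid directory as krb5kdc_var_run_t, not only the `/var/run/krb5kdc` that the .fc entry elsewhere in this patch describes. Passing the name for the directory case keeps the transition as narrow as the file context: `files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { file sock_file })` followed by `files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, dir, "krb5kdc")`, the same four-argument form this patch already uses for openlmi-storage. The krb5kdc local policy block starts outside the hunk.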
@@ -45369,7 +45565,7 @@ index f42896c..cb2791a 100644 -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..26c97cd 100644 +index ed81cac..e968c28 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -46478,7 +46674,7 @@ index ed81cac..26c97cd 100644 + type etc_mail_t; + ') + -+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) ++ #filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) + mta_etc_filetrans_aliases($1, "aliases") + mta_etc_filetrans_aliases($1, "aliases.db") + mta_etc_filetrans_aliases($1, "aliasesdb-stamp") @@ -46486,7 +46682,7 @@ index ed81cac..26c97cd 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index ff1d68c..d5c4ceb 100644 +index ff1d68c..0c688c5 100644 --- a/mta.te +++ b/mta.te @@ -14,8 +14,6 @@ attribute mailserver_sender; @@ -46631,14 +46827,14 @@ index ff1d68c..d5c4ceb 100644 +userdom_use_inherited_user_terminals(system_mail_t) +userdom_dontaudit_list_user_home_dirs(system_mail_t) +userdom_dontaudit_list_admin_dir(system_mail_t) - --userdom_use_user_terminals(system_mail_t) ++ +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) + +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) -+ + +-userdom_use_user_terminals(system_mail_t) +logging_append_all_logs(system_mail_t) + +logging_send_syslog_msg(system_mail_t) @@ -46851,7 +47047,7 @@ index ff1d68c..d5c4ceb 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -372,6 +394,13 @@ optional_policy(` +@@ -372,6 +394,17 @@ optional_policy(` ') optional_policy(` 
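Review bot: `#filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })` in the mta.if hunk leaves the withdrawn rule behind as commented-out code; the named `mta_etc_filetrans_aliases` calls that follow it are the replacement, so the line should be deleted, or, if the narrowing is worth explaining to the next reader, replaced by a reason such as `# no generic etc_mail_t -> etc_aliases_t transition: only the named aliases files get that label`. The enclosing interface starts outside the hunk.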
@@ -46862,10 +47058,14 @@ index ff1d68c..d5c4ceb 100644 +') + +optional_policy(` ++ pcp_read_lib_files(mailserver_delivery) ++') ++ ++optional_policy(` postfix_rw_inherited_master_pipes(mailserver_delivery) ') -@@ -381,24 +410,49 @@ optional_policy(` +@@ -381,24 +414,49 @@ optional_policy(` ######################################## # @@ -55874,16 +56074,24 @@ index 0000000..cf03270 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..e40e9d5 +index 0000000..a66bb69 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,559 @@ +@@ -0,0 +1,574 @@ +policy_module(openshift,1.0.0) + +gen_require(` + role system_r; +') + ++## ++##

++## Allow openshift to access nfs file systems without labels ++##

++##
++gen_tunable(openshift_use_nfs, false) ++ ++ +######################################## +# +# Declarations @@ -56437,6 +56645,13 @@ index 0000000..e40e9d5 + ssh_dontaudit_read_server_keys(openshift_cron_t) +') + ++tunable_policy(`openshift_use_nfs',` ++ fs_list_auto_mountpoints(openshift_domain) ++ fs_manage_nfs_dirs(openshift_domain) ++ fs_manage_nfs_files(openshift_domain) ++ fs_manage_nfs_symlinks(openshift_domain) ++ fs_exec_nfs_files(openshift_domain) ++') diff --git a/opensm.fc b/opensm.fc new file mode 100644 index 0000000..51650fa @@ -57243,7 +57458,7 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..75f7ebb 100644 +index 44dbc99..129bba9 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; @@ -57260,7 +57475,7 @@ index 44dbc99..75f7ebb 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -27,20 +24,27 @@ files_tmp_file(openvswitch_tmp_t) +@@ -27,20 +24,28 @@ files_tmp_file(openvswitch_tmp_t) type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) @@ -57282,6 +57497,7 @@ index 44dbc99..75f7ebb 100644 -allow openvswitch_t self:rawip_socket create_socket_perms; -allow openvswitch_t self:unix_stream_socket { accept connectto listen }; +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow openvswitch_t self:tcp_socket create_stream_socket_perms; +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; 
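Review bot: The tunable description `## Allow openshift to access nfs file systems without labels` in the openshift.te hunk understates what `openshift_use_nfs` switches on: the `tunable_policy` block added further down grants `fs_manage_nfs_dirs`, `fs_manage_nfs_files`, `fs_manage_nfs_symlinks` and `fs_exec_nfs_files` to openshift_domain (an attribute, presumably), i.e. write and execute, not merely access. Since `gen_tunable` descriptions end up in the boolean documentation administrators read before flipping it, wording it as `## Allow openshift domains to manage and execute content on NFS file systems (NFS carries no per-file SELinux labels)` makes the effect of enabling it visible. As written, "without labels" reads like a mount option rather than the reason NFS needs its own boolean.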
@@ -57296,7 +57512,7 @@ index 44dbc99..75f7ebb 100644 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -48,9 +52,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -48,9 +53,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) @@ -57307,7 +57523,7 @@ index 44dbc99..75f7ebb 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +67,40 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -65,33 +68,42 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -57322,6 +57538,8 @@ index 44dbc99..75f7ebb 100644 -corenet_raw_sendrecv_generic_if(openvswitch_t) -corenet_raw_sendrecv_generic_node(openvswitch_t) +corenet_tcp_connect_openflow_port(openvswitch_t) ++corenet_tcp_bind_generic_node(openvswitch_t) ++corenet_tcp_bind_openvswitch_port(openvswitch_t) corecmd_exec_bin(openvswitch_t) +corecmd_exec_shell(openvswitch_t) @@ -58599,10 +58817,10 @@ index 0000000..9b8cb6b +/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) diff --git a/pcp.if b/pcp.if new file mode 100644 -index 0000000..f099f7c +index 0000000..ba24b40 --- /dev/null +++ b/pcp.if -@@ -0,0 +1,121 @@ +@@ -0,0 +1,139 @@ +## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation + +###################################### 
@@ -58630,6 +58848,24 @@ index 0000000..f099f7c + +') + ++###################################### ++## ++## Allow domain to read pcp lib files ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++interface(`pcp_read_lib_files',` ++ gen_require(` ++ type pcp_var_lib_t; ++ ') ++ libs_search_lib($1) ++ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t) ++') ++ +######################################## +## +## All of the rules required to administrate @@ -58945,7 +59181,7 @@ index 43d50f9..6b1544f 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 1fb1964..36eb845 100644 +index 1fb1964..5212cd2 100644 --- a/pcscd.te +++ b/pcscd.te @@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") @@ -58971,7 +59207,14 @@ index 1fb1964..36eb845 100644 corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t) +@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) + corenet_tcp_connect_http_port(pcscd_t) + corenet_tcp_sendrecv_http_port(pcscd_t) + ++domain_read_all_domains_state(pcscd_t) ++ + dev_rw_generic_usb_dev(pcscd_t) + dev_rw_smartcard(pcscd_t) dev_rw_usbfs(pcscd_t) dev_read_sysfs(pcscd_t) @@ -58979,7 +59222,7 @@ index 1fb1964..36eb845 100644 files_read_etc_runtime_files(pcscd_t) term_use_unallocated_ttys(pcscd_t) -@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t) +@@ -60,16 +61,26 @@ locallogin_use_fds(pcscd_t) logging_send_syslog_msg(pcscd_t) 
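Review bot: The parameter documentation of `pcp_read_lib_files` in the pcp.if hunk says `## Prefix for the domain.` while the body treats `$1` as a domain (`libs_search_lib($1)`, `read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)`), so it should read `## Domain allowed access.` like the other interfaces in this patch. Style: the surrounding interfaces put a blank line after `gen_require` and spaces after commas, i.e. `read_files_pattern($1, pcp_var_lib_t, pcp_var_lib_t)`.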
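Review bot: `domain_read_all_domains_state(pcscd_t)` in the pcscd.te hunk, together with `userdom_read_all_users_state(pcscd_t)` in the hunk that follows, lets the smart-card daemon read the /proc entries of processes in every domain, which is far wider than the device and socket rules around it and is not explained on the line. If the purpose is to identify the process on the other end of its socket for the polkit authorization added alongside (inferred from the `policykit_dbus_chat_auth(pcscd_t)` rule), a comment such as `# pcscd looks up the calling process to build its polkit authorization request` would justify the width; otherwise a narrower interface for the specific /proc entry is preferable. The pcscd_t local policy block starts outside the hunk.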
@@ -58987,19 +59230,28 @@ index 1fb1964..36eb845 100644 - sysnet_dns_name_resolve(pcscd_t) ++userdom_read_all_users_state(pcscd_t) ++ optional_policy(` -@@ -73,6 +70,10 @@ optional_policy(` - ') + dbus_system_bus_client(pcscd_t) - optional_policy(` -+ policykit_dbus_chat(pcscd_t) + optional_policy(` + hal_dbus_chat(pcscd_t) + ') ++ ++ optional_policy(` ++ policykit_dbus_chat(pcscd_t) ++ policykit_dbus_chat_auth(pcscd_t) ++ ') ++ +') + +optional_policy(` - openct_stream_connect(pcscd_t) - openct_read_pid_files(pcscd_t) - openct_signull(pcscd_t) -@@ -85,3 +86,8 @@ optional_policy(` ++ policykit_dbus_chat(pcscd_t) + ') + + optional_policy(` +@@ -85,3 +96,8 @@ optional_policy(` optional_policy(` udev_read_db(pcscd_t) ') @@ -59154,7 +59406,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..192f5c5 100644 +index 608f454..b01f04d 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -59173,7 +59425,7 @@ index 608f454..192f5c5 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,304 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,318 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -59351,9 +59603,12 @@ index 608f454..192f5c5 100644 +# pegasus openlmi service local policy +# + ++init_manage_transient_unit(pegasus_openlmi_admin_t) +init_disable_services(pegasus_openlmi_admin_t) +init_enable_services(pegasus_openlmi_admin_t) +init_reload_services(pegasus_openlmi_admin_t) ++init_status(pegasus_openlmi_admin_t) ++init_reboot(pegasus_openlmi_admin_t) +init_exec(pegasus_openlmi_admin_t) + +systemd_config_all_services(pegasus_openlmi_admin_t) @@ -59371,7 +59626,7 @@ index 608f454..192f5c5 100644 +') + +optional_policy(` -+ sssd_search_lib(pegasus_openlmi_admin_t) ++ sssd_stream_connect(pegasus_openlmi_admin_t) +') + +###################################### 
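Review bot: On the new side of the pcscd.te hunk `policykit_dbus_chat(pcscd_t)` appears twice: once in the nested `optional_policy` inside the dbus block next to `policykit_dbus_chat_auth(pcscd_t)`, and again in the standalone `optional_policy(` block that follows it. The duplicate does not change the compiled policy but misleads readers about where the polkit dependency lives; the standalone block should go, leaving the nested one, which is also the one correctly conditioned on dbus being present. I reconstructed this from the patch-of-a-patch markers, so confirm against the resulting pcscd.te before acting on it.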
@@ -59397,9 +59652,11 @@ index 608f454..192f5c5 100644 +files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") + +kernel_read_all_sysctls(pegasus_openlmi_storage_t) ++kernel_read_network_state(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) +kernel_request_load_module(pegasus_openlmi_storage_t) + ++dev_read_raw_memory(pegasus_openlmi_storage_t) +dev_read_rand(pegasus_openlmi_storage_t) +dev_read_urand(pegasus_openlmi_storage_t) + @@ -59411,6 +59668,7 @@ index 608f454..192f5c5 100644 +seutil_read_file_contexts(pegasus_openlmi_storage_t) + +storage_raw_read_removable_device(pegasus_openlmi_storage_t) ++storage_raw_write_removable_device(pegasus_openlmi_storage_t) +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + @@ -59423,6 +59681,8 @@ index 608f454..192f5c5 100644 +udev_domtrans(pegasus_openlmi_storage_t) +udev_read_pid_files(pegasus_openlmi_storage_t) + ++init_read_state(pegasus_openlmi_storage_t) ++ +miscfiles_read_hwdata(pegasus_openlmi_storage_t) + +optional_policy(` @@ -59435,10 +59695,16 @@ index 608f454..192f5c5 100644 + +optional_policy(` + iscsi_manage_lock(pegasus_openlmi_storage_t) ++ iscsi_read_lib_files(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ libs_exec_ldconfig(pegasus_openlmi_storage_t) +') + +optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) ++ lvm_read_metadata(pegasus_openlmi_storage_t) +') + +optional_policy(` 
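Review bot: `dev_read_raw_memory(pegasus_openlmi_storage_t)` in the pegasus.te hunk grants read access to the raw memory devices, which, depending on the kernel's devmem restrictions, exposes physical memory of the kernel and other processes to a CIM storage provider; nothing on the line says which helper needs it or what it reads. If it exists only for a tool that reads DMI/SMBIOS tables, check whether the sysfs firmware export (the domain already has `dev_read_sysfs`-class access elsewhere in this file, presumably) would do instead, and in any case record the reason, e.g. `# <tool> reads SMBIOS tables through /dev/mem (placeholder: name the tool); no sysfs alternative found — re-check`. Style, same file a few hunks down: wrapping `libs_exec_ldconfig(pegasus_openlmi_storage_t)` in `optional_policy` is unnecessary if libs is a base module as in refpolicy, and hides that the dependency is unconditional. The pegasus_openlmi_storage_t local policy block starts outside the hunk.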
@@ -59483,7 +59749,7 @@ index 608f454..192f5c5 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +337,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +351,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -59514,7 +59780,7 @@ index 608f454..192f5c5 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +363,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +377,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -59547,7 +59813,7 @@ index 608f454..192f5c5 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +391,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +405,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -59559,7 +59825,7 @@ index 608f454..192f5c5 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +407,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +421,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -59595,7 +59861,7 @@ index 608f454..192f5c5 100644 ') optional_policy(` -@@ -151,16 +441,24 @@ optional_policy(` +@@ -151,16 +455,24 @@ optional_policy(` ') optional_policy(` @@ -59624,7 +59890,7 @@ index 608f454..192f5c5 100644 ') optional_policy(` -@@ -168,7 +466,7 @@ optional_policy(` +@@ -168,7 +480,7 @@ optional_policy(` ') optional_policy(` @@ -66685,7 +66951,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') 
diff --git a/procmail.te b/procmail.te -index cc426e6..cb47806 100644 +index cc426e6..fe5d842 100644 --- a/procmail.te +++ b/procmail.te @@ -14,7 +14,7 @@ type procmail_home_t; @@ -66714,7 +66980,7 @@ index cc426e6..cb47806 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,83 +44,97 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,83 +44,98 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -66821,6 +67087,7 @@ index cc426e6..cb47806 100644 optional_policy(` - cyrus_stream_connect(procmail_t) + dovecot_stream_connect(procmail_t) ++ dovecot_read_config(procmail_t) ') optional_policy(` @@ -66848,7 +67115,7 @@ index cc426e6..cb47806 100644 postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) postfix_read_spool_files(procmail_t) -@@ -126,11 +144,17 @@ optional_policy(` +@@ -126,11 +145,18 @@ optional_policy(` ') optional_policy(` @@ -66862,11 +67129,12 @@ index cc426e6..cb47806 100644 optional_policy(` + mta_read_config(procmail_t) ++ mta_mailserver_delivery(procmail_t) + mta_manage_home_rw(procmail_t) sendmail_domtrans(procmail_t) sendmail_signal(procmail_t) sendmail_dontaudit_rw_tcp_sockets(procmail_t) -@@ -145,3 +169,8 @@ optional_policy(` +@@ -145,3 +171,8 @@ optional_policy(` spamassassin_domtrans_client(procmail_t) spamassassin_read_lib_files(procmail_t) ') @@ -82219,7 +82487,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..9cda11e 100644 +index 2b7c441..3504791 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) 
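Review bot: `mta_mailserver_delivery(procmail_t)` in the procmail.te hunk, if it works like the refpolicy interface of that name (adding the domain to the mailserver_delivery attribute), makes procmail inherit every rule granted to mailserver_delivery, including the additions to that attribute elsewhere in this patch such as `pcp_read_lib_files(mailserver_delivery)`, not just the delivery-related access it sits next to. That is a much larger change than the neighbouring `mta_read_config(procmail_t)` and `dovecot_read_config(procmail_t)` and deserves a comment, e.g. `# procmail is a local delivery agent: take the mailserver_delivery attribute rules`. The `optional_policy` block containing it continues past the end of the hunk.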
@@ -82594,7 +82862,7 @@ index 2b7c441..9cda11e 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -321,43 +333,33 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -321,42 +333,34 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -82645,11 +82913,11 @@ index 2b7c441..9cda11e 100644 -files_dontaudit_getattr_all_dirs(smbd_t) -files_dontaudit_list_all_mountpoints(smbd_t) -files_list_mnt(smbd_t) -- ++domain_dontaudit_signull_all_domains(smbd_t) + fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) - fs_get_xattr_fs_quotas(smbd_t) -@@ -366,44 +368,53 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +370,53 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -82715,7 +82983,7 @@ index 2b7c441..9cda11e 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +430,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -82738,7 +83006,7 @@ index 2b7c441..9cda11e 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +442,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -82746,7 +83014,7 @@ index 2b7c441..9cda11e 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,17 +450,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -82764,7 +83032,7 @@ index 2b7c441..9cda11e 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -466,6 +457,7 @@ optional_policy(` +@@ -466,6 +459,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) 
@@ -82772,7 +83040,7 @@ index 2b7c441..9cda11e 100644 ') optional_policy(` -@@ -479,6 +471,11 @@ optional_policy(` +@@ -479,6 +473,11 @@ optional_policy(` ') optional_policy(` @@ -82784,7 +83052,7 @@ index 2b7c441..9cda11e 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +485,10 @@ optional_policy(` +@@ -488,6 +487,10 @@ optional_policy(` ') optional_policy(` @@ -82795,7 +83063,7 @@ index 2b7c441..9cda11e 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +500,33 @@ optional_policy(` +@@ -499,9 +502,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -82830,7 +83098,7 @@ index 2b7c441..9cda11e 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +537,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -82845,7 +83113,7 @@ index 2b7c441..9cda11e 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +553,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -82869,7 +83137,7 @@ index 2b7c441..9cda11e 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +570,42 @@ kernel_read_network_state(nmbd_t) +@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -82936,7 +83204,7 @@ index 2b7c441..9cda11e 100644 ') optional_policy(` -@@ -606,16 +618,22 @@ optional_policy(` +@@ -606,16 +620,22 @@ optional_policy(` ######################################## # 
@@ -82963,7 +83231,7 @@ index 2b7c441..9cda11e 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +645,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -82981,7 +83249,7 @@ index 2b7c441..9cda11e 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +657,23 @@ optional_policy(` +@@ -644,22 +659,23 @@ optional_policy(` ######################################## # @@ -83013,7 +83281,7 @@ index 2b7c441..9cda11e 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +682,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -83049,7 +83317,7 @@ index 2b7c441..9cda11e 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +709,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -83141,7 +83409,7 @@ index 2b7c441..9cda11e 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +788,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -83165,7 +83433,7 @@ index 2b7c441..9cda11e 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +802,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) 
@@ -83208,7 +83476,7 @@ index 2b7c441..9cda11e 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +832,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -83222,7 +83490,7 @@ index 2b7c441..9cda11e 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +855,20 @@ optional_policy(` +@@ -840,17 +857,20 @@ optional_policy(` # Winbind local policy # @@ -83248,7 +83516,7 @@ index 2b7c441..9cda11e 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +878,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -83259,7 +83527,7 @@ index 2b7c441..9cda11e 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +889,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -83289,7 +83557,7 @@ index 2b7c441..9cda11e 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +912,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -83310,7 +83578,7 @@ index 2b7c441..9cda11e 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,10 +930,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -83321,7 +83589,7 @@ index 2b7c441..9cda11e 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +938,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -83363,7 +83631,7 @@ index 2b7c441..9cda11e 100644 ') optional_policy(` -@@ -959,31 +986,29 @@ optional_policy(` +@@ -959,31 +988,29 @@ optional_policy(` # Winbind helper local policy # @@ -83401,7 +83669,7 @@ index 2b7c441..9cda11e 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1022,38 @@ optional_policy(` +@@ -997,25 +1024,38 @@ optional_policy(` ######################################## # @@ -88462,7 +88730,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 9dcaeb8..4b11846 100644 +index 9dcaeb8..2537e6c 100644 --- a/snmp.te +++ b/snmp.te @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) @@ -88545,6 +88813,14 @@ index 9dcaeb8..4b11846 100644 ') optional_policy(` +@@ -140,6 +146,7 @@ optional_policy(` + + optional_policy(` + mta_read_config(snmpd_t) ++ mta_read_aliases(snmpd_t) + mta_search_queue(snmpd_t) + ') + diff --git a/snort.if b/snort.if index 7d86b34..5f58180 100644 --- a/snort.if @@ -89407,7 +89683,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..b9e1c32 100644 +index cc58e35..c76586c 100644 --- a/spamassassin.te +++ b/spamassassin.te 
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1) @@ -89480,7 +89756,7 @@ index cc58e35..b9e1c32 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +39,198 @@ type spamd_log_t; +@@ -72,87 +39,199 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -89684,6 +89960,7 @@ index cc58e35..b9e1c32 100644 + userdom_manage_user_home_content_dirs(spamd_t) + userdom_manage_user_home_content_files(spamd_t) + userdom_manage_user_home_content_symlinks(spamd_t) ++ userdom_exec_user_bin_files(spamd_t) ') -tunable_policy(`use_samba_home_dirs',` @@ -89701,7 +89978,7 @@ index cc58e35..b9e1c32 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +238,8 @@ optional_policy(` +@@ -160,6 +239,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -89710,7 +89987,7 @@ index cc58e35..b9e1c32 100644 ') ######################################## -@@ -167,72 +247,85 @@ optional_policy(` +@@ -167,72 +248,85 @@ optional_policy(` # Client local policy # @@ -89827,7 +90104,7 @@ index cc58e35..b9e1c32 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +336,7 @@ optional_policy(` +@@ -243,6 +337,7 @@ optional_policy(` ') optional_policy(` @@ -89835,7 +90112,7 @@ index cc58e35..b9e1c32 100644 evolution_stream_connect(spamc_t) ') -@@ -251,10 +345,16 @@ optional_policy(` +@@ -251,10 +346,16 @@ optional_policy(` ') optional_policy(` @@ -89853,7 +90130,7 @@ index cc58e35..b9e1c32 100644 sendmail_stub(spamc_t) ') -@@ -267,36 +367,38 @@ optional_policy(` +@@ -267,36 +368,38 @@ optional_policy(` ######################################## # 
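Review bot: The added `++ userdom_exec_user_bin_files(spamd_t)` sits inside a tunable_policy block whose opening line (and boolean name) is outside the hunk, so the permission it grants — spamd executing user-owned binaries under home directories — is only reachable through that boolean's description. If, as the changelog suggests, this is the spamd home-dirs boolean, its `gen_tunable` description earlier in the file should be updated to say that enabling it also lets spamd execute files in users' home bin directories, not only manage home content. A one-line comment above the added call, `# boolean also grants exec of user bin files in home dirs`, would make the widening obvious to the next reader of this block.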
@@ -89909,7 +90186,7 @@ index cc58e35..b9e1c32 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +410,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +411,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -89919,7 +90196,7 @@ index cc58e35..b9e1c32 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +420,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +421,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -89935,7 +90212,7 @@ index cc58e35..b9e1c32 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +435,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +436,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -90039,7 +90316,7 @@ index cc58e35..b9e1c32 100644 ') optional_policy(` -@@ -421,21 +506,13 @@ optional_policy(` +@@ -421,21 +507,13 @@ optional_policy(` ') optional_policy(` @@ -90063,7 +90340,7 @@ index cc58e35..b9e1c32 100644 ') optional_policy(` -@@ -443,8 +520,8 @@ optional_policy(` +@@ -443,8 +521,8 @@ optional_policy(` ') optional_policy(` @@ -90073,7 +90350,7 @@ index cc58e35..b9e1c32 100644 ') optional_policy(` -@@ -455,7 +532,12 @@ optional_policy(` +@@ -455,7 +533,12 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) 
@@ -90087,7 +90364,7 @@ index cc58e35..b9e1c32 100644 ') optional_policy(` -@@ -463,9 +545,9 @@ optional_policy(` +@@ -463,9 +546,9 @@ optional_policy(` ') optional_policy(` @@ -90098,7 +90375,7 @@ index cc58e35..b9e1c32 100644 ') optional_policy(` -@@ -474,32 +556,32 @@ optional_policy(` +@@ -474,32 +557,32 @@ optional_policy(` ######################################## # @@ -90141,7 +90418,7 @@ index cc58e35..b9e1c32 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +590,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +591,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -101037,19 +101314,21 @@ index 6b72968..de409cc 100644 +userdom_use_inherited_user_terminals(vlock_t) diff --git a/vmtools.fc b/vmtools.fc new file mode 100644 -index 0000000..5726cdb +index 0000000..c5deffb --- /dev/null +++ b/vmtools.fc -@@ -0,0 +1,3 @@ +@@ -0,0 +1,5 @@ +/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0) + ++/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0) ++ +/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0) diff --git a/vmtools.if b/vmtools.if new file mode 100644 -index 0000000..82fc528 +index 0000000..7933d80 --- /dev/null +++ b/vmtools.if -@@ -0,0 +1,78 @@ +@@ -0,0 +1,122 @@ +## VMware Tools daemon + +######################################## 
@@ -101070,6 +101349,50 @@ index 0000000..82fc528 + corecmd_search_bin($1) + domtrans_pattern($1, vmtools_exec_t, vmtools_t) +') ++ ++######################################## ++## ++## Execute vmtools in the vmtools domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_domtrans_helper',` ++ gen_require(` ++ type vmtools_helper_t, vmtools_helper_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t) ++') ++ ++######################################## ++## ++## Execute vmtools helpers in the vmtools_heler domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the mozilla_plugin domain. ++## ++## ++# ++interface(`vmtools_run_helper',` ++ gen_require(` ++ attribute_role vmtools_helper_roles; ++ ') ++ ++ vmtools_domtrans_helper($1) ++ roleattribute $2 vmtools_helper_roles; ++') ++ +######################################## +## +## Execute vmtools server in the vmtools domain. @@ -101130,10 +101453,10 @@ index 0000000..82fc528 +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..5549375 +index 0000000..b881c53 --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,82 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -101141,9 +101464,19 @@ index 0000000..5549375 +# Declarations +# + ++attribute_role vmtools_helper_roles; ++ ++roleattribute system_r vmtools_helper_roles; ++ +type vmtools_t; +type vmtools_exec_t; +init_daemon_domain(vmtools_t, vmtools_exec_t) ++role vmtools_helper_roles types vmtools_t; ++ ++type vmtools_helper_t; ++type vmtools_helper_exec_t; ++application_domain(vmtools_helper_t, vmtools_helper_exec_t) ++role vmtools_helper_roles types vmtools_t; + +type vmtools_unit_file_t; +systemd_unit_file(vmtools_unit_file_t) 
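Review bot: The summaries of the two new interfaces in vmtools.if are copy-pasted and misdescribe them: `vmtools_domtrans_helper` is summarised as `Execute vmtools in the vmtools domin.` although it transitions to vmtools_helper_t, `vmtools_run_helper` reads `vmtools_heler`, and its role parameter is documented as `The role to be allowed the mozilla_plugin domain.`. Suggested text: `## Execute vmtools helpers in the vmtools_helper domain.` for both summaries and `## The role to be allowed the vmtools_helper domain.` for the second parameter. These summaries are what policy tooling shows an administrator deciding whether to call the interface, so the wrong domain name is more than a typo.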
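Review bot: In the vmtools.te declarations, the line following `application_domain(vmtools_helper_t, vmtools_helper_exec_t)` repeats `role vmtools_helper_roles types vmtools_t;` instead of authorising the helper type, so vmtools_helper_t is never associated with the role attribute that `vmtools_run_helper` hands out and the helper transition would be refused by the role/type check. The second occurrence should read `role vmtools_helper_roles types vmtools_helper_t;`. The first occurrence, binding vmtools_t to the same attribute, is only needed because the helper later transitions into vmtools_t; a short comment saying so, `# helper roles may also enter vmtools_t via the helper domtrans`, would explain why a daemon domain is listed under a user role attribute.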
@@ -101179,7 +101512,33 @@ index 0000000..5549375 + +auth_use_nsswitch(vmtools_t) + ++#shutdown ++init_rw_utmp(vmtools_t) ++init_stream_connect(vmtools_t) ++init_telinit(vmtools_t) ++ +logging_send_syslog_msg(vmtools_t) ++ ++systemd_exec_systemctl(vmtools_t) ++ ++sysnet_domtrans_ifconfig(vmtools_t) ++ ++xserver_stream_connect_xdm(vmtools_t) ++xserver_stream_connect(vmtools_t) ++ ++optional_policy(` ++ unconfined_domain(vmtools_t) ++') ++ ++######################################## ++# ++# vmtools-helper local policy ++# ++ ++domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t) ++can_exec(vmtools_helper_t, vmtools_helper_exec_t) ++ ++userdom_stream_connect(vmtools_helper_t) diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 --- a/vmware.if @@ -101594,19 +101953,26 @@ index 463c799..227feaf 100644 +/usr/share/w3c-markup-validator(/.*)? gen_context(system_u:object_r:w3c_validator_content_t,s0) +/usr/share/w3c-markup-validator/cgi-bin(/.*)? gen_context(system_u:object_r:w3c_validator_script_exec_t,s0) diff --git a/w3c.te b/w3c.te -index b14d6a9..ac1944e 100644 +index b14d6a9..d7c7938 100644 --- a/w3c.te +++ b/w3c.te -@@ -6,29 +6,30 @@ policy_module(w3c, 1.1.0) +@@ -6,29 +6,37 @@ policy_module(w3c, 1.1.0) # apache_content_template(w3c_validator) +apache_content_alias_template(w3c_validator, w3c_validator) ++ ++type w3c_validator_tmp_t; ++files_tmp_file(w3c_validator_tmp_t) ######################################## # # Local policy # ++manage_dirs_pattern(w3c_validator_script_t, w3c_validator_tmp_t, w3c_validator_tmp_t) ++manage_files_pattern(w3c_validator_script_t, w3c_validator_tmp_t, w3c_validator_tmp_t) ++files_tmp_filetrans(w3c_validator_script_t, w3c_validator_tmp_t, { file dir }) ++ -corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t) -corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t) @@ -104199,7 +104565,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') 
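Review bot: The helper block added here, `domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)`, together with `unconfined_domain(vmtools_t)` in the same hunk, gives any domain that is granted `vmtools_run_helper` (vmtools.if hunk above) a route into an unconfined domain, and the vmtools.fc hunk labels a setuid wrapper as vmtools_helper_exec_t, so the entry point is user-reachable. If the helper does not need to become the daemon, the domtrans line should be dropped; if it does, a comment above it stating why a user-launched helper must be able to enter the unconfined vmtools_t domain is needed so the next reviewer does not remove it as a mistake. The `#shutdown` comment could also name what it groups, e.g. `# shutdown support: utmp, init socket, telinit`, which is what the three calls under it are.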
diff --git a/zabbix.te b/zabbix.te -index 7f496c6..f24bf4b 100644 +index 7f496c6..eac3196 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0) @@ -104404,7 +104770,7 @@ index 7f496c6..f24bf4b 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -177,12 +181,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) +@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) dev_getattr_all_blk_files(zabbix_agent_t) dev_getattr_all_chr_files(zabbix_agent_t) @@ -104418,7 +104784,9 @@ index 7f496c6..f24bf4b 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,8 +193,14 @@ init_read_utmp(zabbix_agent_t) ++auth_use_nsswitch(zabbix_agent_t) ++ + init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index c764abc..c19f68e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -580,6 +580,63 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Feb 18 2014 Miroslav Grepl 3.13.1-25 +- Add lvm_read_metadata() +- Allow auditadm to search /var/log/audit dir +- Add lvm_read_metadata() interface +- Allow confined users to run vmtools helpers +- Fix userdom_common_user_template() +- Generic systemd unit scripts do write check on / +- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files +- Add additional fixes needed for init_t and setup script running in generic unit files +- Allow general users to create packet_sockets +- added connlcli port +- Add init_manage_transient_unit() interface +- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t +- Fix userdomain.te to require passwd class +- devicekit_power sends out a signal to all processes on the message bus when power is going down +- Dontaudit rendom domains listing /proc and hittping system_map_t +- Dontauit leaks of var_t into ifconfig_t +- Allow domains that transition to ssh_t to manipulate its keyring +- Define oracleasm_t as a device node +- Change to handle /root as a symbolic link for os-tree +- Allow sysadm_t to create packet_socket, also move some rules to attributes +- Add label for openvswitch port +- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. +- Allow postfix_local to read .forward in pcp lib files +- Allow pegasus_openlmi_storage_t to read lvm metadata +- Add additional fixes for pegasus_openlmi_storage_t +- Allow bumblebee to manage debugfs +- Make bumblebee as unconfined domain +- Allow snmp to read etc_aliases_t +- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem +- Allow pegasus_openlmi_storage_t to read /proc/1/environ +- Dontaudit read gconf files for cupsd_config_t +- make vmtools as unconfined domain +- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. 
+- Allow collectd_t to use a mysql database +- Allow ipa-otpd to perform DNS name resolution +- Added new policy for keepalived +- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd +- Add additional fixes new pscs-lite+polkit support +- Add labeling for /run/krb5kdc +- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 +- Allow pcscd to read users proc info +- Dontaudit smbd_t sending out random signuls +- Add boolean to allow openshift domains to use nfs +- Allow w3c_validator to create content in /tmp +- zabbix_agent uses nsswitch +- Allow procmail and dovecot to work together to deliver mail +- Allow spamd to execute files in homedir if boolean turned on +- Allow openvswitch to listen on port 6634 +- Add net_admin capability in collectd policy +- Fixed snapperd policy +- Fixed bugsfor pcp policy +- Allow dbus_system_domains to be started by init +- Fixed some interfaces +- Add kerberos_keytab_domain attribute +- Fix snapperd_conf_t def + * Fri Feb 14 2014 Miroslav Grepl 3.13.1-24 - Dontaudit rendom domains listing /proc and hittping system_map_t - devicekit_power sends out a signal to all processes on the message bus when power is going down