From 66791f96f6d1c3a7f000d8a37f790899589ac937 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Oct 27 2015 13:23:44 +0000
Subject: * Tue Oct 27 2015 Lukas Vrabec 3.13.1-156
- Allow fail2ban-client to execute ldconfig. #1268715
- Add interface virt_sandbox_domain()
- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
- Call userdom_dontaudit_user_getattr_tmp_sockets() instead of usedom_dontaudit_user_getattr_tmp_sockets().
- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
- Remove auth_login_pgm_domain(init_t) which has been added by accident.
- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
- Add interface auth_use_nsswitch() to systemd_domain_template.
- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
- auth_use_nsswitch can be used with attribute systemd_domain.
- ipsec: fix stringSwan charon-nm
- docker is communicating with systemd-machined
- Add missing systemd_dbus_chat_machined, needed by docker
---
diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 82592d1..41fc4ea 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 20807f6..fdcf930 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -10083,7 +10083,7 @@ index 6a1e4d1..26e5558 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..e9c1427 100644
+index cf04cb5..549d218 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,17 +4,41 @@ policy_module(domain, 1.11.0)
@@ -10236,7 +10236,7 @@ index cf04cb5..e9c1427 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +242,369 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -10260,9 +10260,9 @@ index cf04cb5..e9c1427 100644
+ fstools_filetrans_named_content_fsadm(named_filetrans_domain)
+')
+
-+#optional_policy(`
-+# docker_filetrans_named_content(named_filetrans_domain)
-+#')
++optional_policy(`
++ docker_filetrans_named_content(named_filetrans_domain)
++')
+
+optional_policy(`
+ locallogin_filetrans_home_content(named_filetrans_domain)
@@ -10604,6 +10604,10 @@ index cf04cb5..e9c1427 100644
+')
+
+optional_policy(`
++ docker_spc_stream_connect(domain)
++')
++
++optional_policy(`
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
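Review bot: `docker_spc_stream_connect(domain)` is granted to the `domain` attribute, i.e. to every process domain in the policy, which is much broader than the docker/machined interaction described in the commit message. From its name the interface allows connecting to the super-privileged-container stream socket, so any compromised confined service would gain that reach; if the client set is known, scoping the call to that domain or to a dedicated attribute keeps the grant least-privilege. If the wide grant is deliberate, a one-line comment above the optional block stating which clients need it (`# every domain may run inside an spc and must reach its socket` — confirm) would stop a later pass from narrowing it blindly.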
@@ -22103,7 +22107,7 @@ index 234a940..a92415a 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0fef1fc..eb39093 100644
+index 0fef1fc..008545e 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,72 @@ policy_module(staff, 2.4.0)
@@ -22206,10 +22210,11 @@ index 0fef1fc..eb39093 100644
dbadm_role_change(staff_r)
')
-+#optional_policy(`
-+# docker_stream_connect(staff_t)
-+# docker_exec(staff_t)
-+#')
+ optional_policy(`
+- git_role(staff_r, staff_t)
++ docker_stream_connect(staff_t)
++ docker_exec(staff_t)
++')
+
+optional_policy(`
+ dnsmasq_read_pid_files(staff_t)
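Review bot: `docker_stream_connect(staff_t)` and `docker_exec(staff_t)` become active for the staff role with no boolean gate, so every staff_t login can drive the docker daemon whenever the docker module is loaded; access to the docker control socket is generally equivalent to root on the host, which is a larger step than the other grants in the staff role. Wrapping the two calls in a `tunable_policy` block behind a new `gen_tunable` boolean (default false) would let administrators opt in per system, the same way `racoon_read_shadow` is handled elsewhere in this patch. The enclosing optional block starts and ends inside the hunk.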
@@ -22276,8 +22281,7 @@ index 0fef1fc..eb39093 100644
+ oident_relabel_user_content(staff_t)
+')
+
- optional_policy(`
-- git_role(staff_r, staff_t)
++optional_policy(`
+ mta_role(staff_r, staff_t)
+')
+
@@ -26593,7 +26597,7 @@ index 8274418..b3baa75 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..b036584 100644
+index 6bf0ecc..f2bbe7e 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,36 @@
@@ -27561,8 +27565,8 @@ index 6bf0ecc..b036584 100644
- ')
-
- dontaudit $1 xdm_tmp_t:sock_file getattr;
-+ refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
-+ usedom_dontaudit_user_getattr_tmp_sockets($1)
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.')
++ userdom_dontaudit_user_getattr_tmp_sockets($1)
')
########################################
@@ -33737,7 +33741,7 @@ index 79a45f6..9769b64 100644
+ read_files_pattern($1, init_var_lib_t, init_var_lib_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..137676e 100644
+index 17eda24..6e6454d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -33792,7 +33796,7 @@ index 17eda24..137676e 100644
# Mark file type as a daemon run directory
attribute daemonrundir;
-@@ -35,12 +64,20 @@ attribute daemonrundir;
+@@ -35,12 +64,21 @@ attribute daemonrundir;
#
# init_t is the domain of the init process.
#
@@ -33802,6 +33806,7 @@ index 17eda24..137676e 100644
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
+domain_role_change_exemption(init_t)
++domain_subj_id_change_exemption(init_t)
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;
+init_initrc_domain(init_t)
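Review bot: `domain_subj_id_change_exemption(init_t)` is added without a comment, and the reason lives only in the commit message: init_t acts as the login_pgm domain for systemd-user via PAM and therefore must be able to change the SELinux user identity. That rationale belongs next to the rule, because an exemption from the subject-identity constraint is exactly what a later hardening pass would try to remove; suggested line above it: `# init_t is the login_pgm domain for systemd --user (PAM), so it must be able to set the SELinux user identity`. The init_t rule block continues outside the hunk.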
@@ -33814,7 +33819,7 @@ index 17eda24..137676e 100644
#
# init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +86,15 @@ type init_var_run_t;
+@@ -49,6 +87,15 @@ type init_var_run_t;
files_pid_file(init_var_run_t)
#
@@ -33830,7 +33835,7 @@ index 17eda24..137676e 100644
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
-@@ -57,7 +103,7 @@ type initctl_t;
+@@ -57,7 +104,7 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
@@ -33839,7 +33844,7 @@ index 17eda24..137676e 100644
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
-@@ -66,6 +112,7 @@ role system_r types initrc_t;
+@@ -66,6 +113,7 @@ role system_r types initrc_t;
# of the below init_upstart tunable
# but this has a typeattribute in it
corecmd_shell_entry_type(initrc_t)
@@ -33847,7 +33852,7 @@ index 17eda24..137676e 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -98,7 +145,11 @@ ifdef(`enable_mls',`
+@@ -98,7 +146,11 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -33860,7 +33865,7 @@ index 17eda24..137676e 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -108,14 +159,43 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +160,43 @@ allow init_t self:capability ~sys_module;
allow init_t self:fifo_file rw_fifo_file_perms;
@@ -33910,7 +33915,7 @@ index 17eda24..137676e 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +205,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +206,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -33935,7 +33940,7 @@ index 17eda24..137676e 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
-@@ -139,14 +229,24 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +230,24 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
@@ -33961,7 +33966,7 @@ index 17eda24..137676e 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +256,55 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +257,55 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -34021,7 +34026,7 @@ index 17eda24..137676e 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +313,242 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +314,242 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -34273,7 +34278,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -216,7 +556,31 @@ optional_policy(`
+@@ -216,7 +557,31 @@ optional_policy(`
')
optional_policy(`
@@ -34305,7 +34310,7 @@ index 17eda24..137676e 100644
')
########################################
-@@ -225,9 +589,9 @@ optional_policy(`
+@@ -225,9 +590,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -34317,7 +34322,7 @@ index 17eda24..137676e 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +622,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +623,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -34334,7 +34339,7 @@ index 17eda24..137676e 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +647,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +648,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -34377,7 +34382,7 @@ index 17eda24..137676e 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +684,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +685,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -34389,7 +34394,7 @@ index 17eda24..137676e 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +696,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +697,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -34400,7 +34405,7 @@ index 17eda24..137676e 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +707,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +708,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -34410,7 +34415,7 @@ index 17eda24..137676e 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +716,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +717,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -34418,7 +34423,7 @@ index 17eda24..137676e 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +723,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +724,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -34426,7 +34431,7 @@ index 17eda24..137676e 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +731,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +732,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -34444,7 +34449,7 @@ index 17eda24..137676e 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +749,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +750,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -34458,7 +34463,7 @@ index 17eda24..137676e 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +764,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +765,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -34472,7 +34477,7 @@ index 17eda24..137676e 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +777,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +778,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -34483,7 +34488,7 @@ index 17eda24..137676e 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +790,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +791,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -34491,7 +34496,7 @@ index 17eda24..137676e 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +809,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +810,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -34515,7 +34520,7 @@ index 17eda24..137676e 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +842,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +843,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -34523,7 +34528,7 @@ index 17eda24..137676e 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +876,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +877,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -34534,7 +34539,7 @@ index 17eda24..137676e 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +900,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +901,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -34543,7 +34548,7 @@ index 17eda24..137676e 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +915,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +916,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -34551,7 +34556,7 @@ index 17eda24..137676e 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +936,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +937,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -34559,7 +34564,7 @@ index 17eda24..137676e 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +946,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +947,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -34604,7 +34609,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -559,14 +991,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +992,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -34636,7 +34641,7 @@ index 17eda24..137676e 100644
')
')
-@@ -577,6 +1026,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1027,39 @@ ifdef(`distro_suse',`
')
')
@@ -34676,7 +34681,7 @@ index 17eda24..137676e 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1071,8 @@ optional_policy(`
+@@ -589,6 +1072,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -34685,7 +34690,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -610,6 +1094,7 @@ optional_policy(`
+@@ -610,6 +1095,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -34693,7 +34698,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -626,6 +1111,17 @@ optional_policy(`
+@@ -626,6 +1112,17 @@ optional_policy(`
')
optional_policy(`
@@ -34711,7 +34716,7 @@ index 17eda24..137676e 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1138,13 @@ optional_policy(`
+@@ -642,9 +1139,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -34725,7 +34730,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -657,15 +1157,11 @@ optional_policy(`
+@@ -657,15 +1158,11 @@ optional_policy(`
')
optional_policy(`
@@ -34743,7 +34748,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -686,6 +1182,15 @@ optional_policy(`
+@@ -686,6 +1183,15 @@ optional_policy(`
')
optional_policy(`
@@ -34759,7 +34764,7 @@ index 17eda24..137676e 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1231,7 @@ optional_policy(`
+@@ -726,6 +1232,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -34767,7 +34772,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -743,7 +1249,13 @@ optional_policy(`
+@@ -743,7 +1250,13 @@ optional_policy(`
')
optional_policy(`
@@ -34782,7 +34787,7 @@ index 17eda24..137676e 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1278,10 @@ optional_policy(`
+@@ -766,6 +1279,10 @@ optional_policy(`
')
optional_policy(`
@@ -34793,7 +34798,7 @@ index 17eda24..137676e 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1291,20 @@ optional_policy(`
+@@ -775,10 +1292,20 @@ optional_policy(`
')
optional_policy(`
@@ -34814,7 +34819,7 @@ index 17eda24..137676e 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1313,10 @@ optional_policy(`
+@@ -787,6 +1314,10 @@ optional_policy(`
')
optional_policy(`
@@ -34825,7 +34830,7 @@ index 17eda24..137676e 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1338,6 @@ optional_policy(`
+@@ -808,8 +1339,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -34834,7 +34839,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -818,6 +1346,10 @@ optional_policy(`
+@@ -818,6 +1347,10 @@ optional_policy(`
')
optional_policy(`
@@ -34845,7 +34850,7 @@ index 17eda24..137676e 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1359,12 @@ optional_policy(`
+@@ -827,10 +1360,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -34858,7 +34863,7 @@ index 17eda24..137676e 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1391,60 @@ optional_policy(`
+@@ -857,21 +1392,60 @@ optional_policy(`
')
optional_policy(`
@@ -34920,7 +34925,7 @@ index 17eda24..137676e 100644
')
optional_policy(`
-@@ -887,6 +1460,10 @@ optional_policy(`
+@@ -887,6 +1461,10 @@ optional_policy(`
')
optional_policy(`
@@ -34931,7 +34936,7 @@ index 17eda24..137676e 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1474,218 @@ optional_policy(`
+@@ -897,3 +1475,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -35428,7 +35433,7 @@ index 0d4c8d3..720ece8 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd04..30cecca 100644
+index 312cd04..8e32ea8 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -35441,7 +35446,7 @@ index 312cd04..30cecca 100644
type ipsec_mgmt_lock_t;
files_lock_file(ipsec_mgmt_lock_t)
-@@ -67,29 +70,42 @@ type setkey_exec_t;
+@@ -67,29 +70,43 @@ type setkey_exec_t;
init_system_domain(setkey_t, setkey_exec_t)
role system_r types setkey_t;
@@ -35470,6 +35475,7 @@ index 312cd04..30cecca 100644
+allow ipsec_t self:netlink_selinux_socket create_socket_perms;
+allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write };
++allow ipsec_t self:tun_socket create_socket_perms;
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
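Review bot: `allow ipsec_t self:tun_socket create_socket_perms;` is added unconditionally, although the commit message ties it to the strongSwan charon-nm fix, and nothing in the policy records that. A short comment such as `# presumably needed by charon-nm for NetworkManager-driven tunnels — confirm` would tell the next reader which daemon variant needs tun sockets, and the matching `corenet_rw_tun_tap_dev(ipsec_t)` in the later corenet hunk of this file should carry the same note. Without it the rule reads as if every pluto/charon instance owns tun devices.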
@@ -35489,7 +35495,7 @@ index 312cd04..30cecca 100644
manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +126,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +127,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
@@ -35502,7 +35508,7 @@ index 312cd04..30cecca 100644
kernel_list_proc(ipsec_t)
kernel_read_proc_symlinks(ipsec_t)
# allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +144,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +145,24 @@ corecmd_exec_shell(ipsec_t)
corecmd_exec_bin(ipsec_t)
# Pluto needs network access
@@ -35529,10 +35535,12 @@ index 312cd04..30cecca 100644
corenet_sendrecv_isakmp_server_packets(ipsec_t)
+corenet_tcp_connect_http_port(ipsec_t)
+corenet_tcp_connect_ldap_port(ipsec_t)
++
++corenet_rw_tun_tap_dev(ipsec_t)
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
-@@ -157,24 +175,32 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +178,32 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -35567,7 +35575,21 @@ index 312cd04..30cecca 100644
seutil_sigchld_newrole(ipsec_t)
')
-@@ -187,14 +213,15 @@ optional_policy(`
+@@ -182,19 +211,29 @@ optional_policy(`
+ udev_read_db(ipsec_t)
+ ')
+
++optional_policy(`
++ dbus_system_bus_client(ipsec_t)
++ dbus_connect_system_bus(ipsec_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(ipsec_t)
++ ')
++')
++
+ ########################################
+ #
# ipsec_mgmt Local policy
#
@@ -35587,7 +35609,7 @@ index 312cd04..30cecca 100644
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -208,12 +235,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +247,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -35603,7 +35625,7 @@ index 312cd04..30cecca 100644
# _realsetup needs to be able to cat /var/run/pluto.pid,
# run ps on that pid, and delete the file
-@@ -246,6 +275,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +287,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -35620,7 +35642,7 @@ index 312cd04..30cecca 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -255,6 +294,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +306,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
@@ -35629,7 +35651,7 @@ index 312cd04..30cecca 100644
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
-@@ -269,6 +310,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+@@ -269,6 +322,7 @@ domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)
files_read_etc_runtime_files(ipsec_mgmt_t)
@@ -35637,7 +35659,7 @@ index 312cd04..30cecca 100644
files_read_usr_files(ipsec_mgmt_t)
files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-@@ -278,9 +320,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +332,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -35649,7 +35671,7 @@ index 312cd04..30cecca 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -288,17 +331,28 @@ init_exec_script_files(ipsec_mgmt_t)
+@@ -288,17 +343,28 @@ init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
@@ -35683,7 +35705,7 @@ index 312cd04..30cecca 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +376,10 @@ optional_policy(`
+@@ -322,6 +388,10 @@ optional_policy(`
')
optional_policy(`
@@ -35694,7 +35716,7 @@ index 312cd04..30cecca 100644
modutils_domtrans_insmod(ipsec_mgmt_t)
')
-@@ -335,7 +393,7 @@ optional_policy(`
+@@ -335,7 +405,7 @@ optional_policy(`
#
allow racoon_t self:capability { net_admin net_bind_service };
@@ -35703,7 +35725,7 @@ index 312cd04..30cecca 100644
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +428,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +440,12 @@ kernel_request_load_module(racoon_t)
corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
@@ -35723,7 +35745,7 @@ index 312cd04..30cecca 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -401,10 +458,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +470,10 @@ locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
logging_send_audit_msgs(racoon_t)
@@ -35736,7 +35758,7 @@ index 312cd04..30cecca 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +495,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +507,8 @@ corenet_setcontext_all_spds(setkey_t)
locallogin_use_fds(setkey_t)
@@ -38505,7 +38527,7 @@ index 58bc27f..8f7b119 100644
+
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c4..14497e9 100644
+index 79048c4..a6a1d12 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -38737,17 +38759,17 @@ index 79048c4..14497e9 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -320,6 +363,10 @@ optional_policy(`
- ccs_stream_connect(lvm_t)
+@@ -321,6 +364,10 @@ optional_policy(`
')
-+#optional_policy(`
-+# docker_rw_sem(lvm_t)
-+#')
-+
optional_policy(`
++ docker_rw_sem(lvm_t)
++')
++
++optional_policy(`
gpm_dontaudit_getattr_gpmctl(lvm_t)
')
+
@@ -333,14 +380,30 @@ optional_policy(`
')
@@ -43315,10 +43337,10 @@ index 0000000..66b8608
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..4f142e9
+index 0000000..697417b
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1615 @@
+@@ -0,0 +1,1639 @@
+## SELinux policy for systemd components
+
+######################################
@@ -43342,6 +43364,8 @@ index 0000000..4f142e9
+ init_daemon_domain($1_t, $1_exec_t)
+
+ kernel_read_system_state($1_t)
++
++ auth_use_nsswitch($1_t)
+')
+
+######################################
@@ -44934,12 +44958,34 @@ index 0000000..4f142e9
+ files_search_var_lib($1)
+ manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
+')
++
++########################################
++##
++## Send and receive messages from
++## systemd machined over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_machined',`
++ gen_require(`
++ type systemd_machined_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_machined_t:dbus send_msg;
++ allow systemd_machined_t $1:dbus send_msg;
++ ps_process_pattern(systemd_machined_t, $1)
++')
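Review bot: The summary of the new `systemd_dbus_chat_machined` interface describes only the two-way `dbus send_msg` grant, but the body also calls `ps_process_pattern(systemd_machined_t, $1)`, which lets machined read the caller's process state; a caller (docker, per the commit message) reading the docs would not expect to expose that. Either state it in the summary (`## Also allows systemd-machined to read the process state of the domain.`) or, if only some callers need it, move it to its own interface. Whether other *_dbus_chat interfaces in this tree carry such a grant is not visible here and worth checking for consistency.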
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..bf0a5c8
+index 0000000..dde1f34
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,784 @@
+@@ -0,0 +1,780 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -45141,7 +45187,6 @@ index 0000000..bf0a5c8
+# /run/user/.*
+# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
+auth_manage_var_auth(systemd_logind_t)
-+auth_use_nsswitch(systemd_logind_t)
+
+authlogin_read_state(systemd_logind_t)
+
@@ -45203,7 +45248,7 @@ index 0000000..bf0a5c8
+# systemd_machined local policy
+#
+
-+allow systemd_machined_t self:capability sys_ptrace;
++allow systemd_machined_t self:capability { dac_override setgid sys_admin sys_chroot sys_ptrace };
+allow systemd_machined_t systemd_unit_file_t:service { status start };
+allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
+
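Review bot: The capability set of systemd_machined_t grows from `sys_ptrace` to `{ dac_override setgid sys_admin sys_chroot sys_ptrace }` in one step, with no comment saying which machined operation needs each; `sys_admin` and `dac_override` in particular leave a compromised machined with little DAC or kernel-level confinement, so each should be traceable to a concrete denial. Suggest a why-comment above the rule, e.g. `# dac_override/sys_admin/sys_chroot: required for <machined operation — fill in from the motivating AVC>`, and dropping any capability that was added speculatively.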
@@ -45218,6 +45263,8 @@ index 0000000..bf0a5c8
+init_var_lib_filetrans(systemd_machined_t, systemd_machined_var_lib_t, dir, "machines")
+
+kernel_dgram_send(systemd_machined_t)
++# This is a bug, but need for now.
++kernel_read_unlabeled_state(systemd_machined_t)
+
+init_dbus_chat(systemd_machined_t)
+init_status(systemd_machined_t)
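Review bot: The comment above `kernel_read_unlabeled_state(systemd_machined_t)` says `# This is a bug, but need for now.` without saying what the bug is or where it is tracked, so nobody will know when the workaround can be removed. Reading unlabeled process state is usually a sign that some processes (here presumably container processes) run with an unlabeled context, which is itself worth fixing; suggested wording: `# Workaround: machined reads the state of unlabeled (container) processes; remove once <tracking bug id> is fixed.` with the tracker reference filled in.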
@@ -45232,7 +45279,13 @@ index 0000000..bf0a5c8
+')
+
+optional_policy(`
++ docker_read_share_files(systemd_machined_t)
++ docker_spc_read_state(systemd_machined_t)
++')
++
++optional_policy(`
+ virt_dbus_chat(systemd_machined_t)
++ virt_sandbox_read_state(systemd_machined_t)
+')
+
+#######################################
@@ -45268,8 +45321,6 @@ index 0000000..bf0a5c8
+
+dev_read_sysfs(systemd_networkd_t)
+
-+auth_use_nsswitch(systemd_networkd_t)
-+
+logging_send_syslog_msg(systemd_networkd_t)
+
+sysnet_manage_config(systemd_networkd_t)
@@ -45312,8 +45363,6 @@ index 0000000..bf0a5c8
+
+term_read_console(systemd_passwd_agent_t)
+
-+auth_use_nsswitch(systemd_passwd_agent_t)
-+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_rw_pipes(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
@@ -45379,7 +45428,6 @@ index 0000000..bf0a5c8
+auth_relabel_var_auth_dirs(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
-+auth_use_nsswitch(systemd_tmpfiles_t)
+
+init_dgram_send(systemd_tmpfiles_t)
+init_rw_stream_sockets(systemd_tmpfiles_t)
@@ -45458,8 +45506,6 @@ index 0000000..bf0a5c8
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
-+auth_use_nsswitch(systemd_notify_t)
-+
+init_rw_stream_sockets(systemd_notify_t)
+
+optional_policy(`
@@ -45490,8 +45536,6 @@ index 0000000..bf0a5c8
+# only needs write
+term_use_generic_ptys(systemd_logger_t)
+
-+auth_use_nsswitch(systemd_logger_t)
-+
+# /run/systemd/notify
+init_write_pid_socket(systemd_logger_t)
+
@@ -45606,8 +45650,6 @@ index 0000000..bf0a5c8
+
+fs_getattr_xattr_fs(systemd_timedated_t)
+
-+auth_use_nsswitch(systemd_timedated_t)
-+
+init_dbus_chat(systemd_timedated_t)
+init_status(systemd_timedated_t)
+
@@ -47137,7 +47179,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..48a4886 100644
+index 9dc60c6..b2ad017 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -49167,7 +49209,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -1872,17 +2463,151 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,17 +2463,167 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -49176,9 +49218,25 @@ index 9dc60c6..48a4886 100644
- type user_home_dir_t, user_home_t;
- ')
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++ userdom_getattr_user_tmp_files($1)
++')
++
++########################################
++##
++## Dontaudit getattr on user tmp sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_dontaudit_user_getattr_tmp_sockets',`
+ gen_require(`
+ type user_tmp_t;
+ ')
++
+ dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
+')
+
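Review bot: The deprecated shim `usedom_dontaudit_user_getattr_tmp_sockets` forwards to `userdom_getattr_user_tmp_files($1)` and names that interface in its refpolicywarn text, but the commit renames this interface to `userdom_dontaudit_user_getattr_tmp_sockets` (the xserver.if hunk earlier in this patch already forwards there). Judging by its name, userdom_getattr_user_tmp_files is an allow rule on tmp files rather than a dontaudit on sockets, so existing callers of the old name would silently gain a permission where they asked for a silenced denial. Change the two forwarding lines to call `userdom_dontaudit_user_getattr_tmp_sockets($1)` and to name that interface in the deprecation warning.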
@@ -49238,7 +49296,8 @@ index 9dc60c6..48a4886 100644
+
+ dontaudit $1 user_home_t:file setattr_file_perms;
+')
-+
+
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+########################################
+##
+## Set the attributes of all user home directories.
@@ -49274,11 +49333,11 @@ index 9dc60c6..48a4886 100644
+ ')
+
+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ files_search_home($1)
-+')
-+
-+########################################
-+##
+ files_search_home($1)
+ ')
+
+ ########################################
+ ##
+## Read user home files.
+##
+##
@@ -49292,16 +49351,15 @@ index 9dc60c6..48a4886 100644
+ type user_home_dir_t, user_home_t;
+ attribute user_home_type;
+ ')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++
+ allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
+ read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
- files_search_home($1)
- ')
-
- ########################################
- ##
++ files_search_home($1)
++')
++
++########################################
++##
+## Do not audit attempts to getattr user home files.
+##
+##
@@ -49324,7 +49382,7 @@ index 9dc60c6..48a4886 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1893,11 +2618,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2634,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -49342,7 +49400,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -1938,7 +2666,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2682,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -49351,7 +49409,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -1946,10 +2674,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2690,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -49364,7 +49422,7 @@ index 9dc60c6..48a4886 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2685,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2701,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -49373,7 +49431,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -1966,12 +2693,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2709,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -49442,7 +49500,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2007,8 +2788,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2804,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -49452,7 +49510,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2024,21 +2804,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,21 +2820,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -49478,7 +49536,7 @@ index 9dc60c6..48a4886 100644
########################################
##
## Do not audit attempts to execute user home files.
-@@ -2120,7 +2894,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2910,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -49487,7 +49545,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -2128,19 +2902,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2918,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -49511,7 +49569,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -2148,12 +2920,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2936,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -49527,7 +49585,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2388,18 +3160,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3176,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -49585,7 +49643,7 @@ index 9dc60c6..48a4886 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3222,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3238,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -49594,7 +49652,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2455,6 +3263,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3279,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -49620,7 +49678,7 @@ index 9dc60c6..48a4886 100644
########################################
##
-@@ -2538,7 +3365,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3381,7 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
@@ -49629,7 +49687,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -2546,19 +3373,19 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2546,18 +3389,59 @@ interface(`userdom_manage_user_tmp_files',`
##
##
#
@@ -49647,55 +49705,7 @@ index 9dc60c6..48a4886 100644
########################################
##
## Create, read, write, and delete user
--## temporary named pipes.
+## temporary symbolic links.
- ##
- ##
- ##
-@@ -2566,19 +3393,19 @@ interface(`userdom_manage_user_tmp_symlinks',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_pipes',`
-+interface(`userdom_manage_user_tmp_symlinks',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
- files_search_tmp($1)
- ')
-
- ########################################
- ##
- ## Create, read, write, and delete user
--## temporary named sockets.
-+## temporary named pipes.
- ##
- ##
- ##
-@@ -2586,18 +3413,59 @@ interface(`userdom_manage_user_tmp_pipes',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_sockets',`
-+interface(`userdom_rw_inherited_user_tmp_pipes',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
-+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
- files_search_tmp($1)
- ')
-
-+
- ########################################
- ##
--## Create objects in a user temporary directory
-+## Create, read, write, and delete user
-+## temporary named pipes.
+##
+##
+##
@@ -49703,19 +49713,19 @@ index 9dc60c6..48a4886 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_pipes',`
++interface(`userdom_manage_user_tmp_symlinks',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Create, read, write, and delete user
-+## temporary named sockets.
++## temporary named pipes.
+##
+##
+##
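Review bot: The section header kept on the new side here, "Create, read, write, and delete user temporary named pipes", documents the interface that follows in the next hunk, `userdom_rw_inherited_user_tmp_pipes`, whose only rule is `allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;`. The description promises manage access the interface does not grant, which misleads anyone auditing which interfaces can create objects in user_tmp_t. Suggest `## Read and write inherited user temporary named pipes.` for this header; the genuine manage interface's header appears further down in the next hunk and already carries the manage wording.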
@@ -49723,22 +49733,23 @@ index 9dc60c6..48a4886 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_sockets',`
++interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
+ files_search_tmp($1)
+')
+
++
+########################################
+##
-+## Create objects in a user temporary directory
- ## with an automatic type transition to
- ## a specified private type.
++## Create, read, write, and delete user
+ ## temporary named pipes.
##
-@@ -2661,6 +3529,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ##
+@@ -2661,6 +3545,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -49760,7 +49771,7 @@ index 9dc60c6..48a4886 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3555,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3571,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -49782,7 +49793,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -2692,19 +3570,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3586,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -49805,7 +49816,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -2713,13 +3585,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3601,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -49866,7 +49877,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2814,6 +3729,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3745,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -49891,7 +49902,7 @@ index 9dc60c6..48a4886 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3765,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3781,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -49934,7 +49945,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -2856,14 +3801,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3817,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -49972,7 +49983,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2882,8 +3846,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3862,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -50002,7 +50013,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -2955,69 +3938,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3954,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -50103,7 +50114,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -3025,12 +4007,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +4023,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -50118,7 +50129,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -3094,7 +4076,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4092,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -50127,7 +50138,7 @@ index 9dc60c6..48a4886 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4092,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4108,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -50161,7 +50172,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -3214,7 +4180,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4196,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -50188,7 +50199,7 @@ index 9dc60c6..48a4886 100644
')
########################################
-@@ -3269,12 +4253,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4269,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -50204,7 +50215,7 @@ index 9dc60c6..48a4886 100644
##
##
##
-@@ -3282,46 +4267,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4283,130 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -50262,13 +50273,15 @@ index 9dc60c6..48a4886 100644
gen_require(`
- attribute userdomain;
+ type user_tmp_t;
-+ ')
-+
+ ')
+
+- allow $1 userdomain:process getattr;
+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Inherit the file descriptors from all user domains
+## Allow domain to read/write inherited users
+## fifo files.
+##
@@ -50337,10 +50350,18 @@ index 9dc60c6..48a4886 100644
+interface(`userdom_getattr_all_users',`
+ gen_require(`
+ attribute userdomain;
- ')
-
- allow $1 userdomain:process getattr;
-@@ -3382,6 +4443,42 @@ interface(`userdom_signal_all_users',`
++ ')
++
++ allow $1 userdomain:process getattr;
++')
++
++########################################
++##
++## Inherit the file descriptors from all user domains
+ ##
+ ##
+ ##
+@@ -3382,6 +4459,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -50383,7 +50404,7 @@ index 9dc60c6..48a4886 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4499,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4515,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -50444,7 +50465,7 @@ index 9dc60c6..48a4886 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4586,1727 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4602,1727 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2c9c72b..c0a4779 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..853554d 100644
+index eb50f07..e519be5 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -838,9 +838,9 @@ index eb50f07..853554d 100644
+logging_read_syslog_pid(abrt_t)
+
+auth_use_nsswitch(abrt_t)
-+
-+init_read_utmp(abrt_t)
++init_read_utmp(abrt_t)
++
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
+miscfiles_dontaudit_access_check_cert(abrt_t)
@@ -868,10 +868,14 @@ index eb50f07..853554d 100644
')
optional_policy(`
-@@ -222,6 +253,28 @@ optional_policy(`
+@@ -222,6 +253,32 @@ optional_policy(`
')
optional_policy(`
++ docker_stream_connect(abrt_t)
++')
++
++optional_policy(`
+ kdump_read_crash(abrt_t)
+')
+
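Review bot: `docker_stream_connect(abrt_t)` gives the abrt daemon a stream connection to the docker daemon's socket (going by the interface name; its definition is not in view), an endpoint normally reserved for administrative domains, and nothing in the hunk records why abrt needs it or guards it with a tunable. A comment above the call naming the use case, e.g. `# docker_stream_connect: <why abrt must reach the docker socket>`, would let a later reviewer judge whether the grant is still needed, and if the use case is optional a tunable_policy wrapper would let administrators leave it off. The surrounding optional_policy list continues outside the hunk.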
@@ -897,7 +901,7 @@ index eb50f07..853554d 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +287,11 @@ optional_policy(`
+@@ -234,6 +291,11 @@ optional_policy(`
')
optional_policy(`
@@ -909,7 +913,7 @@ index eb50f07..853554d 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +301,7 @@ optional_policy(`
+@@ -243,6 +305,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -917,7 +921,7 @@ index eb50f07..853554d 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +312,21 @@ optional_policy(`
+@@ -253,9 +316,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -940,7 +944,7 @@ index eb50f07..853554d 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +337,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +341,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -955,7 +959,7 @@ index eb50f07..853554d 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +356,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +360,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -963,7 +967,7 @@ index eb50f07..853554d 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +365,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +369,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -984,7 +988,7 @@ index eb50f07..853554d 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +386,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +390,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1011,7 +1015,7 @@ index eb50f07..853554d 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +422,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +426,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1025,7 +1029,7 @@ index eb50f07..853554d 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +440,11 @@ optional_policy(`
+@@ -343,10 +444,11 @@ optional_policy(`
#######################################
#
@@ -1039,7 +1043,7 @@ index eb50f07..853554d 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +463,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +467,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1108,7 +1112,7 @@ index eb50f07..853554d 100644
#######################################
#
-@@ -404,25 +528,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +532,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1171,7 +1175,7 @@ index eb50f07..853554d 100644
')
#######################################
-@@ -430,10 +589,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +593,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -27932,7 +27936,7 @@ index 50d0084..94e1936 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index cf0e567..6c3ce35 100644
+index cf0e567..7945ad9 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -28013,7 +28017,7 @@ index cf0e567..6c3ce35 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -131,22 +146,30 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +146,32 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -28036,6 +28040,8 @@ index cf0e567..6c3ce35 100644
+auth_use_nsswitch(fail2ban_client_t)
+
++libs_exec_ldconfig(fail2ban_client_t)
++
logging_getattr_all_logs(fail2ban_client_t)
logging_search_all_logs(fail2ban_client_t)
-
@@ -66423,10 +66429,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..08c51d3
+index 0000000..65502e1
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,268 @@
+@@ -0,0 +1,272 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -66576,6 +66582,10 @@ index 0000000..08c51d3
+userdom_read_user_tmp_files(pcp_pmcd_t)
+
+optional_policy(`
++ docker_manage_lib_files(pcp_pmcd_t)
++')
++
++optional_policy(`
+ mysql_stream_connect(pcp_pmcd_t)
+')
+
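Review bot: `docker_manage_lib_files(pcp_pmcd_t)` grants the PCP collector daemon create, write and delete access to docker's lib content, which is considerably broader than a metrics collector normally needs; a manage grant on that tree would let a compromised pmcd alter container state rather than just observe it. If pmcd only reads container metadata there, a read-only interface from docker.if (if one exists) would keep it at least privilege. At minimum a comment naming what pmcd must write, e.g. `# pmcd writes <which docker lib files?>`, would justify the width of the grant.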
@@ -96355,10 +96365,10 @@ index 3a9a70b..903109c 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index ce67935..130eca9 100644
+index ce67935..24c746f 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
-@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1)
+@@ -7,68 +7,95 @@ policy_module(setroubleshoot, 1.12.1)
type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t;
@@ -96382,6 +96392,12 @@ index ce67935..130eca9 100644
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
++type setroubleshoot_tmp_t;
++files_tmp_file(setroubleshoot_tmp_t)
++
++type setroubleshoot_tmpfs_t;
++files_tmpfs_file(setroubleshoot_tmpfs_t)
++
########################################
#
-# Local policy
@@ -96402,8 +96418,19 @@ index ce67935..130eca9 100644
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
++
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmp_t, setroubleshoot_tmp_t)
++files_tmp_filetrans(setroubleshootd_t, setroubleshoot_tmp_t, { file dir })
++allow setroubleshootd_t setroubleshoot_tmp_t:file mmap_file_perms;
++
++manage_files_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_tmpfs_t, setroubleshoot_tmpfs_t)
++fs_tmpfs_filetrans(setroubleshootd_t, setroubleshoot_tmpfs_t, { file dir })
++allow setroubleshootd_t setroubleshoot_tmpfs_t:file mmap_file_perms;
++
+# database files
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
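Review bot: Both new private types are fully manageable and also mmap-able by setroubleshootd_t (`allow setroubleshootd_t setroubleshoot_tmp_t:file mmap_file_perms;` and the same for setroubleshoot_tmpfs_t). As far as I recall, refpolicy's mmap_file_perms still carries the file execute permission used for executable mappings, so even with execute_no_trans gone the daemon can map code from files it wrote itself. If only one well-known file needs an executable mapping, a comment saying which (`# mmap needed for <file>`) would document the intent, and a dedicated type for that file would keep the rest of the writable tmp and tmpfs content non-executable.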
@@ -96423,7 +96450,12 @@ index ce67935..130eca9 100644
manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
-@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t)
+ files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir })
+
++
+ kernel_read_kernel_sysctls(setroubleshootd_t)
+ kernel_read_system_state(setroubleshootd_t)
+ kernel_read_net_sysctls(setroubleshootd_t)
kernel_read_network_state(setroubleshootd_t)
kernel_dontaudit_list_all_proc(setroubleshootd_t)
kernel_read_irq_sysctls(setroubleshootd_t)
@@ -96448,7 +96480,7 @@ index ce67935..130eca9 100644
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
-@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
+@@ -76,10 +103,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
dev_getattr_all_chr_files(setroubleshootd_t)
dev_getattr_mtrr_dev(setroubleshootd_t)
@@ -96460,7 +96492,7 @@ index ce67935..130eca9 100644
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
-@@ -109,27 +117,24 @@ init_read_utmp(setroubleshootd_t)
+@@ -109,27 +135,24 @@ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
@@ -96493,7 +96525,7 @@ index ce67935..130eca9 100644
')
optional_policy(`
-@@ -137,10 +142,18 @@ optional_policy(`
+@@ -137,10 +160,18 @@ optional_policy(`
')
optional_policy(`
@@ -96512,7 +96544,7 @@ index ce67935..130eca9 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
-@@ -150,26 +163,36 @@ optional_policy(`
+@@ -150,26 +181,36 @@ optional_policy(`
########################################
#
@@ -96551,7 +96583,7 @@ index ce67935..130eca9 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -177,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -177,23 +218,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -108083,7 +108115,7 @@ index a4f20bc..374e8ef 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..efe9356 100644
+index facdee8..eae2073 100644
--- a/virt.if
+++ b/virt.if
@@ -1,318 +1,226 @@
@@ -108905,7 +108937,7 @@ index facdee8..efe9356 100644
##
##
##
-@@ -673,107 +534,136 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +534,398 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -108951,11 +108983,7 @@ index facdee8..efe9356 100644
- allow $1 virt_home_t:sock_file manage_sock_file_perms;
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
+')
-
-- tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- fs_manage_nfs_symlinks($1)
++
+########################################
+##
+## Create, read, write, and delete
@@ -108970,60 +108998,42 @@ index facdee8..efe9356 100644
+interface(`virt_manage_lib_files',`
+ gen_require(`
+ type virt_var_lib_t;
- ')
-
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_dirs($1)
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_symlinks($1)
-- ')
++ ')
++
+ files_search_var_lib($1)
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
- ')
-
- ########################################
- ##
--## Relabel virt home content.
++')
++
++########################################
++##
+## Allow the specified domain to read virt's log files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`virt_relabel_generic_virt_home_content',`
++#
+interface(`virt_read_log',`
- gen_require(`
-- type virt_home_t;
++ gen_require(`
+ type virt_log_t;
- ')
-
-- userdom_search_user_home_dirs($1)
-- allow $1 virt_home_t:dir relabel_dir_perms;
-- allow $1 virt_home_t:file relabel_file_perms;
-- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
-- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
-- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
++ ')
++
+ logging_search_logs($1)
+ read_files_pattern($1, virt_log_t, virt_log_t)
- ')
-
- ########################################
- ##
--## Create specified objects in user home
--## directories with the generic virt
--## home type.
++')
++
++########################################
++##
+## Allow the specified domain to append
+## virt log files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`virt_append_log',`
+ gen_require(`
@@ -109039,12 +109049,10 @@ index facdee8..efe9356 100644
+## Allow domain to manage virt log files
+##
+##
- ##
--## Class of the object being created.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+#
+interface(`virt_manage_log',`
+ gen_require(`
@@ -109061,70 +109069,55 @@ index facdee8..efe9356 100644
+## Allow domain to getattr virt image direcories
+##
+##
- ##
--## The name of the object being created.
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`virt_home_filetrans_virt_home',`
++##
++##
++#
+interface(`virt_getattr_images',`
- gen_require(`
-- type virt_home_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:file getattr_file_perms;
- ')
-
- ########################################
- ##
--## Read virt pid files.
++')
++
++########################################
++##
+## Allow domain to search virt image direcories
- ##
- ##
- ##
-@@ -781,19 +671,18 @@ interface(`virt_home_filetrans_virt_home',`
- ##
- ##
- #
--interface(`virt_read_pid_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`virt_search_images',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_pids($1)
-- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## virt pid files.
++')
++
++########################################
++##
+## Allow domain to read virt image files
- ##
- ##
- ##
-@@ -801,18 +690,36 @@ interface(`virt_read_pid_files',`
- ##
- ##
- #
--interface(`virt_manage_pid_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`virt_read_images',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ type virt_var_lib_t;
+ attribute virt_image_type;
- ')
-
-- files_search_pids($1)
-- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
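Review bot: "direcories" is misspelled in the headers of virt_getattr_images and virt_search_images on the new side; both should read "directories". Separately, in virt_read_images the explicit `allow $1 virt_image_type:dir list_dir_perms;` duplicates what `list_dirs_pattern($1, virt_image_type, virt_image_type)` on the following line already grants, so one of the two can go. virt_read_images continues past the end of this hunk.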
@@ -109132,8 +109125,11 @@ index facdee8..efe9356 100644
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
-+
-+ tunable_policy(`virt_use_nfs',`
+
+ tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_manage_nfs_symlinks($1)
+ fs_list_nfs($1)
+ fs_read_nfs_files($1)
+ fs_read_nfs_symlinks($1)
@@ -109144,68 +109140,55 @@ index facdee8..efe9356 100644
+ fs_read_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
- ')
-
- ########################################
- ##
--## Search virt lib directories.
++')
++
++########################################
++##
+## Allow domain to read virt blk image files
- ##
- ##
- ##
-@@ -820,18 +727,17 @@ interface(`virt_manage_pid_files',`
- ##
- ##
- #
--interface(`virt_search_lib',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`virt_read_blk_images',`
- gen_require(`
-- type virt_var_lib_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- allow $1 virt_var_lib_t:dir search_dir_perms;
++ ')
++
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
- ')
-
- ########################################
- ##
--## Read virt lib files.
++')
++
++########################################
++##
+## Allow domain to read/write virt image chr files
- ##
- ##
- ##
-@@ -839,20 +745,18 @@ interface(`virt_search_lib',`
- ##
- ##
- #
--interface(`virt_read_lib_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`virt_rw_chr_files',`
- gen_require(`
-- type virt_var_lib_t;
++ gen_require(`
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
-- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ ')
++
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
- ')
-
- ########################################
- ##
- ## Create, read, write, and delete
--## virt lib files.
++')
++
++########################################
++##
++## Create, read, write, and delete
+## svirt cache files.
- ##
- ##
- ##
-@@ -860,94 +764,267 @@ interface(`virt_read_lib_files',`
- ##
- ##
- #
--interface(`virt_manage_lib_files',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`virt_manage_cache',`
+ gen_require(`
+ type virt_cache_t;
@@ -109228,13 +109211,11 @@ index facdee8..efe9356 100644
+##
+#
+interface(`virt_manage_images',`
- gen_require(`
- type virt_var_lib_t;
++ gen_require(`
++ type virt_var_lib_t;
+ attribute virt_image_type;
- ')
-
-- files_search_var_lib($1)
-- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
++ ')
++
+ virt_search_lib($1)
+ allow $1 virt_image_type:dir list_dir_perms;
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
@@ -109288,12 +109269,10 @@ index facdee8..efe9356 100644
+ allow $1 virtd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, virtd_t)
- ')
-
- ########################################
- ##
--## Create objects in virt pid
--## directories with a private type.
++')
++
++########################################
++##
+## Ptrace the svirt domain
+##
+##
@@ -109331,13 +109310,12 @@ index facdee8..efe9356 100644
+#######################################
+##
+## Manage Sandbox Files
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`virt_manage_sandbox_files',`
+ gen_require(`
@@ -109357,98 +109335,109 @@ index facdee8..efe9356 100644
+## Relabel Sandbox File systems
+##
+##
- ##
--## The type of the object to be created.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+#
+interface(`virt_relabel_sandbox_filesystem',`
+ gen_require(`
+ type svirt_sandbox_file_t;
-+ ')
-+
+ ')
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_dirs($1)
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_symlinks($1)
+- ')
+ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto };
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## Relabel virt home content.
+## Mounton Sandbox Files
-+##
-+##
+ ##
+ ##
##
--## The object class of the object being created.
-+## Domain allowed access.
+@@ -728,72 +933,98 @@ interface(`virt_manage_generic_virt_home_content',`
##
##
--##
-+#
+ #
+-interface(`virt_relabel_generic_virt_home_content',`
+interface(`virt_mounton_sandbox_file',`
-+ gen_require(`
+ gen_require(`
+- type virt_home_t;
+ type svirt_sandbox_file_t;
-+ ')
-+
+ ')
+
+- userdom_search_user_home_dirs($1)
+- allow $1 virt_home_t:dir relabel_dir_perms;
+- allow $1 virt_home_t:file relabel_file_perms;
+- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
+- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
+- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
+ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton;
-+')
-+
+ ')
+
+-########################################
+#######################################
-+##
+ ##
+-## Create specified objects in user home
+-## directories with the generic virt
+-## home type.
+## Connect to virt over a unix domain stream socket.
-+##
-+##
+ ##
+ ##
##
--## The name of the object being created.
-+## Domain allowed access.
+ ## Domain allowed access.
##
##
--##
- #
--interface(`virt_pid_filetrans',`
+-##
++#
+interface(`virt_stream_connect_sandbox',`
- gen_require(`
-- type virt_var_run_t;
++ gen_require(`
+ attribute svirt_sandbox_domain;
+ type svirt_sandbox_file_t;
- ')
-
- files_search_pids($1)
-- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
++ ')
++
++ files_search_pids($1)
+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
+ ps_process_pattern(svirt_sandbox_domain, $1)
- ')
-
- ########################################
- ##
--## Read virt log files.
++')
++
++########################################
++##
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
- ##
- ##
++##
++##
##
--## Domain allowed access.
+-## Class of the object being created.
+## Domain allowed access
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The name of the object being created.
+## The role to be allowed the sandbox domain.
##
##
- ##
++##
#
--interface(`virt_read_log',`
+-interface(`virt_home_filetrans_virt_home',`
+interface(`virt_transition_svirt',`
gen_require(`
-- type virt_log_t;
+- type virt_home_t;
+ attribute virt_domain;
+ type virt_bridgehelper_t;
+ type svirt_image_t;
+ type svirt_socket_t;
')
-- logging_search_logs($1)
-- read_files_pattern($1, virt_log_t, virt_log_t)
+- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
@@ -109467,7 +109456,7 @@ index facdee8..efe9356 100644
########################################
##
--## Append virt log files.
+-## Read virt pid files.
+## Do not audit attempts to write virt daemon unnamed pipes.
##
##
@@ -109477,15 +109466,15 @@ index facdee8..efe9356 100644
##
##
#
--interface(`virt_append_log',`
+-interface(`virt_read_pid_files',`
+interface(`virt_dontaudit_write_pipes',`
gen_require(`
-- type virt_log_t;
+- type virt_var_run_t;
+ type virtd_t;
')
-- logging_search_logs($1)
-- append_files_pattern($1, virt_log_t, virt_log_t)
+- files_search_pids($1)
+- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ dontaudit $1 virtd_t:fd use;
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')
@@ -109493,219 +109482,230 @@ index facdee8..efe9356 100644
########################################
##
-## Create, read, write, and delete
--## virt log files.
+-## virt pid files.
+## Send a sigkill to virtual machines
##
##
##
-@@ -955,20 +1032,17 @@ interface(`virt_append_log',`
+@@ -801,18 +1032,17 @@ interface(`virt_read_pid_files',`
##
##
#
--interface(`virt_manage_log',`
+-interface(`virt_manage_pid_files',`
+interface(`virt_kill_svirt',`
gen_require(`
-- type virt_log_t;
+- type virt_var_run_t;
+ attribute virt_domain;
')
-- logging_search_logs($1)
-- manage_dirs_pattern($1, virt_log_t, virt_log_t)
-- manage_files_pattern($1, virt_log_t, virt_log_t)
-- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+- files_search_pids($1)
+- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
+ allow $1 virt_domain:process sigkill;
')
########################################
##
--## Search virt image directories.
+-## Search virt lib directories.
+## Send a sigkill to virtd daemon.
##
##
##
-@@ -976,18 +1050,17 @@ interface(`virt_manage_log',`
+@@ -820,18 +1050,17 @@ interface(`virt_manage_pid_files',`
##
##
#
--interface(`virt_search_images',`
+-interface(`virt_search_lib',`
+interface(`virt_kill',`
gen_require(`
-- attribute virt_image_type;
+- type virt_var_lib_t;
+ type virtd_t;
')
-- virt_search_lib($1)
-- allow $1 virt_image_type:dir search_dir_perms;
+- files_search_var_lib($1)
+- allow $1 virt_var_lib_t:dir search_dir_perms;
+ allow $1 virtd_t:process sigkill;
')
########################################
##
--## Read virt image files.
+-## Read virt lib files.
+## Send a signal to virtd daemon.
##
##
##
-@@ -995,36 +1068,35 @@ interface(`virt_search_images',`
+@@ -839,20 +1068,17 @@ interface(`virt_search_lib',`
##
##
#
--interface(`virt_read_images',`
+-interface(`virt_read_lib_files',`
+interface(`virt_signal',`
gen_require(`
- type virt_var_lib_t;
-- attribute virt_image_type;
+ type virtd_t;
')
-- virt_search_lib($1)
-- allow $1 virt_image_type:dir list_dir_perms;
-- list_dirs_pattern($1, virt_image_type, virt_image_type)
-- read_files_pattern($1, virt_image_type, virt_image_type)
-- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
-- read_blk_files_pattern($1, virt_image_type, virt_image_type)
+- files_search_var_lib($1)
+- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ allow $1 virtd_t:process signal;
-+')
+ ')
-- tunable_policy(`virt_use_nfs',`
-- fs_list_nfs($1)
-- fs_read_nfs_files($1)
-- fs_read_nfs_symlinks($1)
-+########################################
-+##
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## virt lib files.
+## Send null signal to virtd daemon.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -860,94 +1086,93 @@ interface(`virt_read_lib_files',`
+ ##
+ ##
+ #
+-interface(`virt_manage_lib_files',`
+interface(`virt_signull',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+ type virtd_t;
')
-- tunable_policy(`virt_use_samba',`
-- fs_list_cifs($1)
-- fs_read_cifs_files($1)
-- fs_read_cifs_symlinks($1)
-- ')
+- files_search_var_lib($1)
+- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
+ allow $1 virtd_t:process signull;
')
########################################
##
--## Read and write all virt image
--## character files.
+-## Create objects in virt pid
+-## directories with a private type.
+## Send a signal to virtual machines
##
##
##
-@@ -1032,20 +1104,17 @@ interface(`virt_read_images',`
+ ## Domain allowed access.
##
##
- #
--interface(`virt_rw_all_image_chr_files',`
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
++#
+interface(`virt_signal_svirt',`
- gen_require(`
-- attribute virt_image_type;
++ gen_require(`
+ attribute virt_domain;
- ')
-
-- virt_search_lib($1)
-- allow $1 virt_image_type:dir list_dir_perms;
-- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
++ ')
++
+ allow $1 virt_domain:process signal;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## svirt cache files.
++')
++
++########################################
++##
+## Manage virt home files.
- ##
- ##
++##
++##
##
-@@ -1053,15 +1122,57 @@ interface(`virt_rw_all_image_chr_files',`
+-## The name of the object being created.
++## Domain allowed access.
##
##
+-##
#
--interface(`virt_manage_svirt_cache',`
-- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
-- virt_manage_virt_cache($1)
+-interface(`virt_pid_filetrans',`
+interface(`virt_manage_home_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_run_t;
+ type virt_home_t;
-+ ')
-+
+ ')
+
+- files_search_pids($1)
+- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, virt_home_t, virt_home_t)
')
########################################
##
--## Create, read, write, and delete
--## virt cache content.
+-## Read virt log files.
+## allow domain to read
+## virt tmpfs files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`virt_read_log',`
+interface(`virt_read_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_log_t;
+ attribute virt_tmpfs_type;
-+ ')
-+
+ ')
+
+- logging_search_logs($1)
+- read_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_tmpfs_type:file read_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Append virt log files.
+## allow domain to manage
+## virt tmpfs files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`virt_append_log',`
+interface(`virt_manage_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type virt_log_t;
+ attribute virt_tmpfs_type;
-+ ')
-+
+ ')
+
+- logging_search_logs($1)
+- append_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_tmpfs_type:file manage_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## virt log files.
+## Create .virt directory in the user home directory
+## with an correct label.
##
##
##
-@@ -1069,21 +1180,29 @@ interface(`virt_manage_svirt_cache',`
+@@ -955,20 +1180,29 @@ interface(`virt_append_log',`
##
##
#
--interface(`virt_manage_virt_cache',`
+-interface(`virt_manage_log',`
+interface(`virt_filetrans_home_content',`
gen_require(`
-- type virt_cache_t;
+- type virt_log_t;
+ type virt_home_t;
+ type svirt_home_t;
')
-- files_search_var($1)
-- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
-- manage_files_pattern($1, virt_cache_t, virt_cache_t)
-- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+- logging_search_logs($1)
+- manage_dirs_pattern($1, virt_log_t, virt_log_t)
+- manage_files_pattern($1, virt_log_t, virt_log_t)
+- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
@@ -109722,63 +109722,65 @@ index facdee8..efe9356 100644
########################################
##
--## Create, read, write, and delete
--## virt image files.
+-## Search virt image directories.
+## Dontaudit attempts to Read virt_image_type devices.
##
##
##
-@@ -1091,36 +1210,188 @@ interface(`virt_manage_virt_cache',`
+@@ -976,92 +1210,133 @@ interface(`virt_manage_log',`
##
##
#
--interface(`virt_manage_images',`
+-interface(`virt_search_images',`
+interface(`virt_dontaudit_read_chr_dev',`
gen_require(`
-- type virt_var_lib_t;
attribute virt_image_type;
')
- virt_search_lib($1)
-- allow $1 virt_image_type:dir list_dir_perms;
-- manage_dirs_pattern($1, virt_image_type, virt_image_type)
-- manage_files_pattern($1, virt_image_type, virt_image_type)
-- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
-- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+- allow $1 virt_image_type:dir search_dir_perms;
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
-+')
+ ')
-- tunable_policy(`virt_use_nfs',`
-- fs_manage_nfs_dirs($1)
-- fs_manage_nfs_files($1)
-- fs_read_nfs_symlinks($1)
-+########################################
-+##
+ ########################################
+ ##
+-## Read virt image files.
+## Creates types and rules for a basic
+## virt_lxc process domain.
-+##
+ ##
+-##
+##
-+##
+ ##
+-## Domain allowed access.
+## Prefix for the domain.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`virt_read_images',`
+template(`virt_sandbox_domain_template',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+- attribute virt_image_type;
+ attribute svirt_sandbox_domain;
')
-- tunable_policy(`virt_use_samba',`
-- fs_manage_cifs_files($1)
-- fs_manage_cifs_files($1)
-- fs_read_cifs_symlinks($1)
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- list_dirs_pattern($1, virt_image_type, virt_image_type)
+- read_files_pattern($1, virt_image_type, virt_image_type)
+- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+- read_blk_files_pattern($1, virt_image_type, virt_image_type)
+ type $1_t, svirt_sandbox_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
+ mls_rangetrans_target($1_t)
+ mcs_constrained($1_t)
+ role system_r types $1_t;
-+
+
+- tunable_policy(`virt_use_nfs',`
+- fs_list_nfs($1)
+- fs_read_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+ logging_send_syslog_msg($1_t)
+
+ kernel_read_system_state($1_t)
@@ -109797,8 +109799,12 @@ index facdee8..efe9356 100644
+template(`virt_sandbox_domain',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
-+ ')
-+
+ ')
+
+- tunable_policy(`virt_use_samba',`
+- fs_list_cifs($1)
+- fs_read_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+ typeattribute $1 svirt_sandbox_domain;
+')
+
@@ -109815,49 +109821,63 @@ index facdee8..efe9356 100644
+interface(`virt_exec_qemu',`
+ gen_require(`
+ type qemu_exec_t;
-+ ')
+ ')
+
+ can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write all virt image
+-## character files.
+## Transition to virt named content
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`virt_rw_all_image_chr_files',`
+interface(`virt_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- attribute virt_image_type;
+ type virt_lxc_var_run_t;
+ type virt_var_run_t;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## svirt cache files.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the sandbox domain.
-+##
-+##
+ ##
+ ##
+##
-+#
+ #
+-interface(`virt_manage_svirt_cache',`
+- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
+- virt_manage_virt_cache($1)
+interface(`virt_transition_svirt_sandbox',`
+ gen_require(`
+ attribute svirt_sandbox_domain;
@@ -109870,44 +109890,67 @@ index facdee8..efe9356 100644
+ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;
+ allow svirt_sandbox_domain $1:process sigchld;
+ ps_process_pattern($1, svirt_sandbox_domain)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## virt cache content.
+## Read and write to svirt_image devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1069,21 +1344,17 @@ interface(`virt_manage_svirt_cache',`
+ ##
+ ##
+ #
+-interface(`virt_manage_virt_cache',`
+interface(`virt_rw_svirt_dev',`
-+ gen_require(`
+ gen_require(`
+- type virt_cache_t;
+ type svirt_image_t;
-+ ')
-+
+ ')
+
+- files_search_var($1)
+- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
+- manage_files_pattern($1, virt_cache_t, virt_cache_t)
+- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
+ allow $1 svirt_image_t:chr_file rw_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## virt image files.
+## Read and write to svirt_image devices.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1091,36 +1362,36 @@ interface(`virt_manage_virt_cache',`
+ ##
+ ##
+ #
+-interface(`virt_manage_images',`
+interface(`virt_rlimitinh',`
-+ gen_require(`
+ gen_require(`
+- type virt_var_lib_t;
+- attribute virt_image_type;
+ type virtd_t;
-+ ')
-+
+ ')
+
+- virt_search_lib($1)
+- allow $1 virt_image_type:dir list_dir_perms;
+- manage_dirs_pattern($1, virt_image_type, virt_image_type)
+- manage_files_pattern($1, virt_image_type, virt_image_type)
+- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
+ allow $1 virtd_t:process { rlimitinh };
+')
-+
+
+- tunable_policy(`virt_use_nfs',`
+- fs_manage_nfs_dirs($1)
+- fs_manage_nfs_files($1)
+- fs_read_nfs_symlinks($1)
+########################################
+##
+## Read and write to svirt_image devices.
@@ -109922,7 +109965,12 @@ index facdee8..efe9356 100644
+ gen_require(`
+ type virtd_t;
')
-+
+
+- tunable_policy(`virt_use_samba',`
+- fs_manage_cifs_files($1)
+- fs_manage_cifs_files($1)
+- fs_read_cifs_symlinks($1)
+- ')
+ allow $1 virtd_t:process { noatsecure rlimitinh };
')
@@ -109935,7 +109983,7 @@ index facdee8..efe9356 100644
##
##
##
-@@ -1136,50 +1407,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1407,95 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -109974,26 +110022,20 @@ index facdee8..efe9356 100644
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
--
-- files_search_tmp($1)
-- admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
-- files_search_etc($1)
-- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ allow $1 virt_domain:process signal_perms;
-- logging_search_logs($1)
-- admin_pattern($1, virt_log_t)
+- files_search_tmp($1)
+- admin_pattern($1, { virt_tmp_type virt_tmp_t })
+ admin_pattern($1, virt_file_type)
+ admin_pattern($1, svirt_file_type)
-- files_search_pids($1)
-- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
+- files_search_etc($1)
+- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ virt_systemctl($1)
+ allow $1 virtd_unit_file_t:service all_service_perms;
-- files_search_var($1)
-- admin_pattern($1, svirt_cache_t)
+- logging_search_logs($1)
+- admin_pattern($1, virt_log_t)
+ virt_stream_connect_sandbox($1)
+ virt_stream_connect_svirt($1)
+ virt_stream_connect($1)
@@ -110013,9 +110055,32 @@ index facdee8..efe9356 100644
+ attribute sandbox_caps_domain;
+ ')
+- files_search_pids($1)
+- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
++ typeattribute $1 sandbox_caps_domain;
++')
+
+- files_search_var($1)
+- admin_pattern($1, svirt_cache_t)
++########################################
++##
++## Allow the domain to read svirt_sandbox_domain state files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_sandbox_read_state',`
++ gen_require(`
++ attribute svirt_sandbox_domain;
++ ')
+
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+ typeattribute $1 sandbox_caps_domain;
++ kernel_search_proc($1)
++ ps_process_pattern($1, svirt_sandbox_domain)
+')
- files_search_locks($1)
@@ -110045,10 +110110,10 @@ index facdee8..efe9356 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..a463e77 100644
+index f03dcf5..27c7cb7 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,241 @@
+@@ -1,150 +1,248 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -110131,6 +110196,13 @@ index f03dcf5..a463e77 100644
-## can use nfs file systems.
-##
+##
++## Allow sandbox containers manage fuse files
++##
++##
++gen_tunable(virt_sandbox_use_fusefs, false)
++
++##
++##
+## Allow confined virtual guests to manage nfs files
+##
##
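Review bot: The summary for the new virt_sandbox_use_fusefs boolean is ungrammatical and vague about what "manage" covers; I would write it as `## Allow sandbox containers to manage (create, write, rename and delete) files on FUSE filesystems`. The false default is the right choice, since the unconditional sandbox rule elsewhere in this patch is read-only (fs_read_fusefs_files). The tunable_policy block that consumes the boolean is not in this hunk, so I could not confirm it is referenced anywhere; a declared-but-unused tunable compiles silently and leaves administrators with a knob that does nothing.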
@@ -110215,15 +110287,15 @@ index f03dcf5..a463e77 100644
+##
+##
+gen_tunable(virt_sandbox_use_audit, true)
-+
+
+-attribute svirt_lxc_domain;
+##
+##
+## Allow sandbox containers to use netlink system calls
+##
+##
+gen_tunable(virt_sandbox_use_netlink, false)
-
--attribute svirt_lxc_domain;
++
+##
+##
+## Allow sandbox containers to use sys_admin system calls, for example mount
@@ -110272,10 +110344,10 @@ index f03dcf5..a463e77 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
++
++type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
-+type qemu_exec_t, virt_file_type;
-+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -110360,7 +110432,7 @@ index f03dcf5..a463e77 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +244,135 @@ ifdef(`enable_mls',`
+@@ -153,299 +251,135 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -110625,24 +110697,24 @@ index f03dcf5..a463e77 100644
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
--
--corenet_udp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
+-
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
@@ -110738,7 +110810,7 @@ index f03dcf5..a463e77 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +382,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +389,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -110785,7 +110857,7 @@ index f03dcf5..a463e77 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +417,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +424,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -110795,14 +110867,14 @@ index f03dcf5..a463e77 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -110816,7 +110888,7 @@ index f03dcf5..a463e77 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +438,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +445,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -110844,7 +110916,7 @@ index f03dcf5..a463e77 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +458,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +465,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -110875,7 +110947,7 @@ index f03dcf5..a463e77 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +510,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +517,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -110895,7 +110967,7 @@ index f03dcf5..a463e77 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +532,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +539,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -110932,7 +111004,7 @@ index f03dcf5..a463e77 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +560,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +567,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -110941,7 +111013,7 @@ index f03dcf5..a463e77 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +585,12 @@ optional_policy(`
+@@ -665,20 +592,12 @@ optional_policy(`
')
optional_policy(`
@@ -110962,7 +111034,7 @@ index f03dcf5..a463e77 100644
')
optional_policy(`
-@@ -691,20 +603,26 @@ optional_policy(`
+@@ -691,20 +610,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -110973,30 +111045,27 @@ index f03dcf5..a463e77 100644
')
optional_policy(`
-- iptables_domtrans(virtd_t)
-- iptables_initrc_domtrans(virtd_t)
-- iptables_manage_config(virtd_t)
+ firewalld_dbus_chat(virtd_t)
++')
++
++optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
++ iptables_systemctl(virtd_t)
++
++ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
')
optional_policy(`
- kerberos_read_keytab(virtd_t)
- kerberos_use(virtd_t)
-+ iptables_domtrans(virtd_t)
-+ iptables_initrc_domtrans(virtd_t)
-+ iptables_systemctl(virtd_t)
-+
-+ # Manages /etc/sysconfig/system-config-firewall
-+ iptables_manage_config(virtd_t)
-+')
-+
-+optional_policy(`
+ kerberos_read_keytab(virtd_t)
+ kerberos_use(virtd_t)
')
optional_policy(`
-@@ -712,11 +630,18 @@ optional_policy(`
+@@ -712,11 +637,18 @@ optional_policy(`
')
optional_policy(`
@@ -111015,7 +111084,7 @@ index f03dcf5..a463e77 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +652,18 @@ optional_policy(`
+@@ -727,10 +659,18 @@ optional_policy(`
')
optional_policy(`
@@ -111034,7 +111103,7 @@ index f03dcf5..a463e77 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +679,277 @@ optional_policy(`
+@@ -746,44 +686,277 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -111088,14 +111157,15 @@ index f03dcf5..a463e77 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
-+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
-+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
++manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
++files_var_filetrans(virt_domain, virt_cache_t, { file dir })
+
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -111127,15 +111197,14 @@ index f03dcf5..a463e77 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
-can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
++
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -111280,7 +111349,7 @@ index f03dcf5..a463e77 100644
+ xserver_stream_connect(virt_domain)
+ ')
+')
-+
+
+########################################
+#
+# xm local policy
@@ -111334,7 +111403,7 @@ index f03dcf5..a463e77 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +960,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +967,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -111361,7 +111430,7 @@ index f03dcf5..a463e77 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +980,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +987,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -111378,10 +111447,10 @@ index f03dcf5..a463e77 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -111395,7 +111464,7 @@ index f03dcf5..a463e77 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1017,20 @@ optional_policy(`
+@@ -856,14 +1024,20 @@ optional_policy(`
')
optional_policy(`
@@ -111417,7 +111486,7 @@ index f03dcf5..a463e77 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1055,65 @@ optional_policy(`
+@@ -888,49 +1062,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -111501,7 +111570,7 @@ index f03dcf5..a463e77 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1125,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1132,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -111521,7 +111590,7 @@ index f03dcf5..a463e77 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1146,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1153,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -111545,7 +111614,7 @@ index f03dcf5..a463e77 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1171,326 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1178,343 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -111561,13 +111630,17 @@ index f03dcf5..a463e77 100644
+optional_policy(`
+ dbus_system_bus_client(virtd_lxc_t)
+ init_dbus_chat(virtd_lxc_t)
-
--miscfiles_read_localization(virtd_lxc_t)
++
+ optional_policy(`
+ hal_dbus_chat(virtd_lxc_t)
+ ')
+')
+-miscfiles_read_localization(virtd_lxc_t)
++optional_policy(`
++ docker_exec_lib(virtd_lxc_t)
++')
+
-seutil_domtrans_setfiles(virtd_lxc_t)
-seutil_read_config(virtd_lxc_t)
-seutil_read_default_contexts(virtd_lxc_t)
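Review bot: The new `docker_exec_lib(virtd_lxc_t)` grant carries no comment explaining why the libvirt LXC driver needs to execute files under docker's lib directory, and none of the changelog entries added to selinux-policy.spec in this commit mention it (the docker-related entries only cover systemd-machined). An exec grant from one confined daemon into another product's file type is the kind of rule a later reviewer will want justified; I would add `# virtd_lxc_t execs helpers from docker's lib dir (bug ref: <placeholder>)` above the optional_policy block and a matching changelog line. The enclosing virtd_lxc_t rule set starts before this hunk.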
@@ -111644,6 +111717,9 @@ index f03dcf5..a463e77 100644
+
+corecmd_exec_all_executables(svirt_sandbox_domain)
+
++domain_dontaudit_link_all_domains_keyrings(svirt_sandbox_domain)
++domain_dontaudit_search_all_domains_keyrings(svirt_sandbox_domain)
++
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
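Review bot: The two `domain_dontaudit_*_all_domains_keyrings(svirt_sandbox_domain)` rules silence keyring link/search denials from every sandbox domain against every other domain, with no comment on what workload produces them. Because dontaudit hides denials rather than granting access, it is worth recording that intent so the suppression is not later mistaken for an allow or widened; I would add `# dontaudit only: keyring link/search probes are expected noise, no access is granted` above them. The enclosing svirt_sandbox_domain rule set begins before this hunk.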
@@ -111667,6 +111743,9 @@ index f03dcf5..a463e77 100644
+fs_read_fusefs_files(svirt_sandbox_domain)
+fs_read_hugetlbfs_files(svirt_sandbox_domain)
+fs_read_tmpfs_symlinks(svirt_sandbox_domain)
++fs_list_tmpfs(svirt_sandbox_domain)
++fs_rw_hugetlbfs_files(svirt_sandbox_domain)
++
+
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
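Review bot: `fs_rw_hugetlbfs_files(svirt_sandbox_domain)` gives every sandbox domain unconditional write access to hugetlbfs files, whereas the comparable filesystem grants further down this file (cifs, and the new fusefs block in a later hunk) are gated behind `tunable_policy` booleans. If only some container workloads need hugepages, a tunable would keep the default footprint smaller; if it is intended for all, a one-line comment stating that would help. The hunk also leaves two consecutive blank lines (`++` followed by `+`) before `auth_dontaudit_read_passwd`, which the surrounding style does not use.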
@@ -111695,18 +111774,6 @@ index f03dcf5..a463e77 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -111791,6 +111858,18 @@ index f03dcf5..a463e77 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
++ gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
@@ -111811,15 +111890,22 @@ index f03dcf5..a463e77 100644
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
++')
++
++tunable_policy(`virt_sandbox_use_fusefs',`
++ fs_manage_fusefs_dirs(svirt_sandbox_domain)
++ fs_manage_fusefs_files(svirt_sandbox_domain)
++ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ #docker_read_share_files(svirt_sandbox_domain)
-+ #docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+ #docker_use_ptys(svirt_sandbox_domain)
-+ #docker_spc_stream_connect(svirt_sandbox_domain)
++ docker_read_share_files(svirt_sandbox_domain)
++ docker_exec_share_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++ docker_use_ptys(svirt_sandbox_domain)
++ docker_spc_stream_connect(svirt_sandbox_domain)
+ fs_dontaudit_remount_tmpfs(svirt_sandbox_domain)
+ dev_dontaudit_mounton_sysfs(svirt_sandbox_domain)
')
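Review bot: The new `tunable_policy(`virt_sandbox_use_fusefs',` block relies on a `gen_tunable(virt_sandbox_use_fusefs, false)` declaration that is not visible in this hunk; if it is not added elsewhere in the same patch the policy will fail to build, so it is worth confirming. In the optional_policy block that starts at the context line above, the previously commented-out docker_* calls are now active and `docker_exec_share_files(svirt_sandbox_domain)` is new, so the share directory now carries exec as well as read for every sandbox domain; a short comment naming the use case would help future readers. Minor style point: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma that the other calls use.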
@@ -111978,13 +112064,13 @@ index f03dcf5..a463e77 100644
+dev_read_urand(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -112013,7 +112099,7 @@ index f03dcf5..a463e77 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1503,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1527,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -112028,7 +112114,7 @@ index f03dcf5..a463e77 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1521,8 @@ optional_policy(`
+@@ -1192,9 +1545,8 @@ optional_policy(`
########################################
#
@@ -112039,7 +112125,7 @@ index f03dcf5..a463e77 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1205,7 +1533,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+@@ -1205,7 +1557,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
kernel_read_network_state(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index af968db..b17df2e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 155%{?dist}
+Release: 156%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -661,6 +661,21 @@ exit 0
%endif
%changelog
+* Tue Oct 27 2015 Lukas Vrabec 3.13.1-156
+- Allow fail2ban-client to execute ldconfig. #1268715
+- Add interface virt_sandbox_domain()
+- Use mmap_file_perms instead of exec_file_perms in setroubleshoot policy to shave off the execute_no_trans permission. Based on a github communication with Dominick Grift.
+-all userdom_dontaudit_user_getattr_tmp_sockets instead() of usedom_dontaudit_user_getattr_tmp_sockets().
+- Rename usedom_dontaudit_user_getattr_tmp_sockets() to userdom_dontaudit_user_getattr_tmp_sockets().
+- Remove auth_login_pgm_domain(init_t) which has been added by accident.
+- init_t needs to able to change SELinux identity because it is used as login_pgm domain because of systemd-user and PAM. It allows security_compute_user() returns a list of possible context and then a correct default label is returned by "selinux.get_default_context(sel_user,fromcon)" defined in the policy user config files.
+- Add interface auth_use_nsswitch() to systemd_domain_template.
+- Revert "auth_use_nsswitch can be used with attribute systemd_domain."
+- auth_use_nsswitch can be used with attribute systemd_domain.
+- ipsec: fix stringSwan charon-nm
+- docker is communicating with systemd-machined
+- Add missing systemd_dbus_chat_machined, needed by docker
+
* Tue Oct 20 2015 Lukas Vrabec 3.13.1-155
- Build including docker selinux interfaces.