From 69a8d0687ae5b8e87aeeb1b467a1339156fabcfc Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jan 11 2012 12:13:07 +0000 Subject: - Fixed destined form libvirt-sandbox - Allow apps that list sysfs to also read sympolicy links in this filesystem - Add ubac_constrained rules for chrome_sandbox - Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra - Allow postgresql to be executed by the caller - Standardize interfaces of daemons - Add new labeling for mm-handler - Allow all matahari domains to read network state and etc_runtime_t files --- diff --git a/policy-F16.patch b/policy-F16.patch index 6577ce6..1c304f5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -4898,10 +4898,10 @@ index 0000000..1553356 +') diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..aff461c +index 0000000..bd1abf4 --- /dev/null +++ b/policy/modules/apps/chrome.te -@@ -0,0 +1,184 @@ +@@ -0,0 +1,186 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -4913,6 +4913,7 @@ index 0000000..aff461c +type chrome_sandbox_exec_t; +application_domain(chrome_sandbox_t, chrome_sandbox_exec_t) +role system_r types chrome_sandbox_t; ++ubac_constrained(chrome_sandbox_t) + +type chrome_sandbox_tmp_t; +files_tmp_file(chrome_sandbox_tmp_t) @@ -4925,6 +4926,7 @@ index 0000000..aff461c +type chrome_sandbox_nacl_exec_t; +application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t) +role system_r types chrome_sandbox_nacl_t; ++ubac_constrained(chrome_sandbox_nacl_t) + +######################################## +# @@ -5483,7 +5485,7 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) 
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..45580b5 100644 +index f5afe78..242b129 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,880 @@ @@ -6352,7 +6354,7 @@ index f5afe78..45580b5 100644 - ps_process_pattern($2, gconfd_t) +######################################## +## -+## Connect to gnome over an unix stream socket. ++## Connect to gnome over a unix stream socket. +## +## +## @@ -10585,10 +10587,10 @@ index 0000000..809784d +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..76dbb45 +index 0000000..e8f0ef5 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,501 @@ +@@ -0,0 +1,502 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -10811,6 +10813,7 @@ index 0000000..76dbb45 +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) +dev_read_sysfs(sandbox_x_domain) ++dev_dontaudit_rw_dri(sandbox_x_domain) + +files_search_home(sandbox_x_domain) +files_dontaudit_list_all_mountpoints(sandbox_x_domain) @@ -14481,7 +14484,7 @@ index 4f3b542..f4e36ee 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..630e5e2 100644 +index 99b71cb..f7cc16e 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; 
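Review bot: The new `dev_dontaudit_rw_dri(sandbox_x_domain)` line in sandbox.te carries no comment explaining why DRI access is silenced rather than granted, unlike the deliberate `dev_read_urand`/`dev_dontaudit_read_rand` pair just above it; a one-line `# X clients probe /dev/dri; deny quietly, direct GPU access is not part of the sandbox` would record the decision. Silencing instead of allowing is the conservative choice, because sandbox_x_domain appears to cover every sandboxed X client and a blanket rw grant on the DRI nodes would hand all of them direct hardware access. If some sandboxed applications do need acceleration, that should come as a separate, narrower grant rather than a later change to this dontaudit.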
@@ -14621,7 +14624,7 @@ index 99b71cb..630e5e2 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -14629,6 +14632,7 @@ index 99b71cb..630e5e2 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) ++network_port(jboss_debug, tcp,8787,s0) +network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) @@ -14651,7 +14655,7 @@ index 99b71cb..630e5e2 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) @@ -14684,7 +14688,7 @@ index 99b71cb..630e5e2 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -179,34 +238,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,34 +239,40 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) 
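Review bot: The commit description lists every other policy change but does not mention the new `network_port(jboss_debug, tcp,8787,s0)` declaration added next to jboss_management in corenetwork.te.in; a line such as `- Add jboss_debug port type for TCP 8787` would let reviewers see that a remote-debug listener port is getting its own type. Giving the debug port a label separate from the management ports is the right direction, since bind and connect grants for it can then stay narrower than those for jboss_management. No domain is granted access to the new type anywhere in this hunk, so the corresponding .te change presumably lands separately and should be checked for that same narrowness.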
@@ -14730,7 +14734,7 @@ index 99b71cb..630e5e2 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +280,11 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +281,11 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14743,7 +14747,7 @@ index 99b71cb..630e5e2 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +296,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +297,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -14751,7 +14755,7 @@ index 99b71cb..630e5e2 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +306,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +307,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -14764,7 +14768,7 @@ index 99b71cb..630e5e2 100644 ######################################## # -@@ -282,9 +356,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +357,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -14898,7 +14902,7 @@ index 6cf8784..2354089 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..1082bb5 100644 +index f820f3b..d5892cc 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -15404,7 +15408,15 @@ index f820f3b..1082bb5 100644 ## Search the sysfs directories. ## ## -@@ -3902,21 +4176,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3860,6 +4134,7 @@ interface(`dev_list_sysfs',` + type sysfs_t; + ') + ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) + list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + +@@ -3902,21 +4177,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -15436,7 +15448,7 @@ index f820f3b..1082bb5 100644 ') ######################################## -@@ -3972,6 +4251,42 @@ interface(`dev_rw_sysfs',` +@@ -3972,6 +4252,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -15479,7 +15491,7 @@ index f820f3b..1082bb5 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4384,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4385,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -15505,7 +15517,7 @@ index f820f3b..1082bb5 100644 ## Getattr generic the USB devices. ## ## -@@ -4103,6 +4437,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4103,6 +4438,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') @@ -15530,7 +15542,7 @@ index f820f3b..1082bb5 100644 ######################################## ## ## Read generic the USB devices. -@@ -4495,6 +4847,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4848,24 @@ interface(`dev_rw_vhost',` ######################################## ## 
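Review bot: `dev_list_sysfs` now also grants `read_lnk_files_pattern($1, sysfs_t, sysfs_t)`, but the interface summary, which sits above this hunk, still describes it only as listing sysfs directories; it should read `## List the sysfs directories and read the symbolic links in them.` so callers know the interface is wider than its name suggests. Every existing caller of dev_list_sysfs silently gains symlink read on sysfs_t, which is a small but real broadening and is worth stating in the summary rather than leaving implied. As a style point, the new rule would read more naturally after `list_dirs_pattern`, so the directory permission the interface is named for comes first.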
@@ -15555,7 +15567,7 @@ index f820f3b..1082bb5 100644 ## Read and write VMWare devices. ## ## -@@ -4695,6 +5065,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4695,6 +5066,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -15582,7 +15594,7 @@ index f820f3b..1082bb5 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5174,822 @@ interface(`dev_unconfined',` +@@ -4784,3 +5175,822 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -17000,7 +17012,7 @@ index c19518a..04ef731 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..90fa357 100644 +index ff006ea..6af09db 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -17707,7 +17719,32 @@ index ff006ea..90fa357 100644 ') ######################################## -@@ -5084,7 +5464,7 @@ interface(`files_var_filetrans',` +@@ -4914,6 +5294,24 @@ interface(`files_list_var',` + + ######################################## + ## ++## Do not audit listing of the var directory (/var). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_var',` ++ gen_require(` ++ type var_t; ++ ') ++ ++ dontaudit $1 var_t:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Create, read, write, and delete directories + ## in the /var directory. + ## +@@ -5084,7 +5482,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -17716,7 +17753,7 @@ index ff006ea..90fa357 100644 ') ######################################## -@@ -5219,7 +5599,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5617,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
@@ -17725,7 +17762,7 @@ index ff006ea..90fa357 100644 ') ######################################## -@@ -5304,6 +5684,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5702,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -17751,7 +17788,7 @@ index ff006ea..90fa357 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5716,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5734,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -17760,7 +17797,7 @@ index ff006ea..90fa357 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5737,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5755,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -17776,7 +17813,7 @@ index ff006ea..90fa357 100644 ## ## ## -@@ -5349,12 +5752,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5770,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -17809,7 +17846,7 @@ index ff006ea..90fa357 100644 ') ######################################## -@@ -5373,6 +5794,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5812,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -17817,7 +17854,7 @@ index ff006ea..90fa357 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5807,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5825,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -17825,7 +17862,7 @@ index ff006ea..90fa357 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5833,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5851,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') 
@@ -17834,7 +17871,7 @@ index ff006ea..90fa357 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5849,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5867,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -17851,7 +17888,7 @@ index ff006ea..90fa357 100644 ') ######################################## -@@ -5452,7 +5873,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5891,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -17860,7 +17897,7 @@ index ff006ea..90fa357 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5914,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5932,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -17869,7 +17906,7 @@ index ff006ea..90fa357 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5936,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5954,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -17878,7 +17915,7 @@ index ff006ea..90fa357 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5968,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5986,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -17889,7 +17926,7 @@ index ff006ea..90fa357 100644 ') ######################################## -@@ -5608,6 +6029,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6047,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') 
@@ -17933,7 +17970,7 @@ index ff006ea..90fa357 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,6 +6087,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,6 +6105,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -17959,7 +17996,7 @@ index ff006ea..90fa357 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -5736,7 +6213,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6231,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -17968,7 +18005,7 @@ index ff006ea..90fa357 100644 ') ######################################## -@@ -5815,29 +6292,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,29 +6310,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -18002,7 +18039,7 @@ index ff006ea..90fa357 100644 ## ## ## -@@ -5845,42 +6318,35 @@ interface(`files_read_all_pids',` +@@ -5845,42 +6336,35 @@ interface(`files_read_all_pids',` ## ## # @@ -18052,7 +18089,7 @@ index ff006ea..90fa357 100644 ## ## ## -@@ -5888,20 +6354,17 @@ interface(`files_delete_all_pids',` +@@ -5888,20 +6372,17 @@ interface(`files_delete_all_pids',` ## ## # @@ -18076,7 +18113,7 @@ index ff006ea..90fa357 100644 ## ## ## -@@ -5909,56 +6372,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -5909,56 +6390,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -18152,7 +18189,7 @@ index ff006ea..90fa357 100644 ## ## ## -@@ -5966,18 +6432,17 @@ interface(`files_list_spool',` +@@ -5966,18 +6450,17 @@ interface(`files_list_spool',` ## ## # @@ -18175,7 +18212,7 @@ index ff006ea..90fa357 100644 ## ## ## -@@ -5985,19 +6450,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -5985,19 +6468,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # 
@@ -18200,7 +18237,7 @@ index ff006ea..90fa357 100644 ## ## ## -@@ -6005,50 +6469,61 @@ interface(`files_read_generic_spool',` +@@ -6005,70 +6487,333 @@ interface(`files_read_generic_spool',` ## ## # 
@@ -18234,73 +18271,81 @@ index ff006ea..90fa357 100644 -## -## -## -+# -+interface(`files_mounton_all_poly_members',` -+ gen_require(` -+ attribute polymember; -+ ') -+ -+ allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## -+## Delete all process IDs. -+## -+## - ## +-## -## Object class(es) (single or set including {}) for which this -## the transition will occur. -+## Domain allowed access. - ## - ## -+## +-## +-## # -interface(`files_spool_filetrans',` -+interface(`files_delete_all_pids',` ++interface(`files_mounton_all_poly_members',` gen_require(` - type var_t, var_spool_t; -+ attribute pidfile; -+ type var_t, var_run_t; ++ attribute polymember; ') - allow $1 var_t:dir search_dir_perms; +- allow $1 var_t:dir search_dir_perms; - filetrans_pattern($1, var_spool_t, $2, $3) -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 polymember:dir mounton; ') ######################################## ## -## Allow access to manage all polyinstantiated -## directories on the system. -+## Delete all process ID directories. ++## Delete all process IDs. ## ## ## -@@ -6056,16 +6531,268 @@ interface(`files_spool_filetrans',` + ## Domain allowed access. 
## ## ++## # -interface(`files_polyinstantiate_all',` -+interface(`files_delete_all_pid_dirs',` ++interface(`files_delete_all_pids',` gen_require(` - attribute polydir, polymember, polyparent; - type poly_t; + attribute pidfile; -+ type var_t; ++ type var_t, var_run_t; ') - # Need to give access to /selinux/member - selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++') ++ ++######################################## ++## ++## Delete all process ID directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') - -- # Need sys_admin capability for mounting ++ +######################################## +## +## Make the specified type a file @@ -18553,10 +18598,13 @@ index ff006ea..90fa357 100644 + selinux_compute_member($1) + + # Need sys_admin capability for mounting - allow $1 self:capability { chown fsetid sys_admin fowner }; ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated + allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; - # Need to give access to the directories to be polyinstantiated -@@ -6117,3 +6844,284 @@ interface(`files_unconfined',` + # Need to give access to the polyinstantiated subdirectories +@@ -6117,3 +6862,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') 
@@ -18916,7 +18964,7 @@ index cda5588..e89e4bf 100644 +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/usr/lib/udev/devices/shm/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..dc65c9c 100644 +index 97fcdac..e8f904f 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -19162,7 +19210,32 @@ index 97fcdac..dc65c9c 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -2025,6 +2167,24 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1582,6 +1724,24 @@ interface(`fs_manage_configfs_files',` + + ######################################## + ## ++## Unmount a configfs filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_configfs',` ++ gen_require(` ++ type configfs_t; ++ ') ++ ++ allow $1 configfs_t:filesystem unmount; ++') ++ ++######################################## ++## + ## Mount a DOS filesystem, such as + ## FAT32 or NTFS. + ## +@@ -2025,6 +2185,24 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -19187,7 +19260,7 @@ index 97fcdac..dc65c9c 100644 ## Get the attributes of an hugetlbfs ## filesystem. ## -@@ -2080,6 +2240,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2080,6 +2258,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## @@ -19212,7 +19285,7 @@ index 97fcdac..dc65c9c 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,6 +2326,7 @@ interface(`fs_list_inotifyfs',` +@@ -2148,6 +2344,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -19220,7 +19293,7 @@ index 97fcdac..dc65c9c 100644 ') ######################################## -@@ -2480,6 +2659,7 @@ interface(`fs_read_nfs_files',` +@@ -2480,6 +2677,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') 
@@ -19228,7 +19301,7 @@ index 97fcdac..dc65c9c 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,6 +2698,7 @@ interface(`fs_write_nfs_files',` +@@ -2518,6 +2716,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19236,7 +19309,7 @@ index 97fcdac..dc65c9c 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2544,6 +2725,25 @@ interface(`fs_exec_nfs_files',` +@@ -2544,6 +2743,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -19262,7 +19335,7 @@ index 97fcdac..dc65c9c 100644 ## Append files ## on a NFS filesystem. ## -@@ -2584,6 +2784,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2584,6 +2802,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -19305,7 +19378,7 @@ index 97fcdac..dc65c9c 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2598,7 +2834,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2598,7 +2852,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19314,7 +19387,7 @@ index 97fcdac..dc65c9c 100644 ') ######################################## -@@ -2736,7 +2972,7 @@ interface(`fs_search_removable',` +@@ -2736,7 +2990,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19323,7 +19396,7 @@ index 97fcdac..dc65c9c 100644 ## ## # -@@ -2772,7 +3008,7 @@ interface(`fs_read_removable_files',` +@@ -2772,7 +3026,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19332,7 +19405,7 @@ index 97fcdac..dc65c9c 100644 ## ## # -@@ -2965,6 +3201,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2965,6 +3219,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -19340,7 +19413,7 @@ index 97fcdac..dc65c9c 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3005,6 +3242,7 @@ interface(`fs_manage_nfs_files',` +@@ -3005,6 +3260,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') 
@@ -19348,7 +19421,7 @@ index 97fcdac..dc65c9c 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3045,6 +3283,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3045,6 +3301,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -19356,7 +19429,7 @@ index 97fcdac..dc65c9c 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3258,6 +3497,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3258,6 +3515,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -19381,7 +19454,32 @@ index 97fcdac..dc65c9c 100644 ######################################## ## ## Read and write NFS server files. -@@ -3958,6 +4215,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3810,6 +4085,24 @@ interface(`fs_unmount_tmpfs',` + + ######################################## + ## ++## Mount on tmpfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mounton_tmpfs', ` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:dir mounton; ++') ++ ++######################################## ++## + ## Get the attributes of a tmpfs + ## filesystem. + ## +@@ -3958,6 +4251,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## 
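Review bot: The new declaration line reads interface(`fs_mounton_tmpfs', ` with a space before the opening quote of its second argument, unlike every other interface declared in this file (for example interface(`fs_unmount_configfs',` earlier in the same patch); m4 strips leading unquoted whitespace from an argument, so it is harmless, but it breaks the file's convention and any grep that looks for the usual `',` form. Change it to interface(`fs_mounton_tmpfs',` to match. The body, `allow $1 tmpfs_t:dir mounton;`, is the single permission needed to mount over a tmpfs directory, so nothing else in the hunk needs changing.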
@@ -19424,7 +19522,41 @@ index 97fcdac..dc65c9c 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4175,6 +4468,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4059,7 +4388,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:file rw_file_perms; ++ dontaudit $1 tmpfs_t:file rw_inherited_file_perms; + ') + + ######################################## +@@ -4119,6 +4448,24 @@ interface(`fs_rw_tmpfs_files',` + + ######################################## + ## ++## Read and write generic tmpfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_inherited_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:file { read write }; ++') ++ ++######################################## ++## + ## Read tmpfs link files. + ## + ## +@@ -4175,6 +4522,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -19449,7 +19581,7 @@ index 97fcdac..dc65c9c 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4251,6 +4562,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4251,6 +4616,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -19475,7 +19607,7 @@ index 97fcdac..dc65c9c 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4457,6 +4787,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4841,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19484,7 +19616,7 @@ index 97fcdac..dc65c9c 100644 ') ######################################## -@@ -4503,7 +4835,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4889,7 @@ interface(`fs_unmount_all_fs',` ## ##
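Review bot: The summary of the new `fs_rw_inherited_tmpfs_files` interface, `## Read and write generic tmpfs files.`, does not say what distinguishes it from `fs_rw_tmpfs_files`: its body grants only `allow $1 tmpfs_t:file { read write };` with no open permission, so it is usable only on tmpfs descriptors the domain already holds, inherited or passed to it. The summary should say so, for example `## Read and write inherited (already open) generic tmpfs files, without permission to open them.`, otherwise a policy author may pick it expecting full access and be puzzled by open denials. The related change in the `fs_dontaudit_rw_tmpfs_files` hunk switches to `rw_inherited_file_perms`, a permission set not defined on this page; its definition should likewise exclude open so the two interfaces stay consistent.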

## Allow the specified domain to @@ -19493,7 +19625,7 @@ index 97fcdac..dc65c9c 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5198,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5252,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -23930,10 +24062,10 @@ index 1bd5812..0d7d8d1 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..d83d4dc 100644 +index 0b827c5..7f57a98 100644 --- a/policy/modules/services/abrt.if +++ b/policy/modules/services/abrt.if -@@ -71,6 +71,7 @@ interface(`abrt_read_state',` +@@ -71,12 +71,13 @@ interface(`abrt_read_state',` type abrt_t; ') @@ -23941,6 +24073,13 @@ index 0b827c5..d83d4dc 100644 ps_process_pattern($1, abrt_t) ') + ######################################## + ## +-## Connect to abrt over an unix stream socket. ++## Connect to abrt over a unix stream socket. + ## + ## + ## @@ -160,8 +161,45 @@ interface(`abrt_run_helper',` ######################################## @@ -25088,7 +25227,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..c738795 100644 +index 9e39aa5..90a9e33 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ @@ -25172,7 +25311,7 @@ index 9e39aa5..c738795 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,20 +87,26 @@ ifdef(`distro_suse', ` +@@ -73,25 +87,34 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -25201,7 +25340,15 @@ index 9e39aa5..c738795 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -104,8 +124,26 @@ ifdef(`distro_debian', ` + ') + ++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++ + /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) +@@ -104,8 +127,24 @@ ifdef(`distro_debian', ` /var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -25215,11 +25362,9 @@ index 9e39aa5..c738795 100644 + +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + -+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + -+/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -27168,7 +27313,7 @@ index d052bf0..3059bd2 100644 mta_system_content(apcupsd_tmp_t) ') diff --git a/policy/modules/services/apm.if b/policy/modules/services/apm.if -index 1ea99b2..9427dd5 100644 +index 1ea99b2..3582863 100644 --- a/policy/modules/services/apm.if +++ b/policy/modules/services/apm.if @@ -52,7 +52,8 @@ interface(`apm_write_pipes',` 
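Review bot: Labeling `/var/www/html/wp-content(/.*)?` as httpd_sys_rw_content_t makes the entire wp-content tree writable by the web server domain, and that tree normally holds the plugin and theme PHP the server executes, not only uploads; a compromised httpd domain could then persist by rewriting server-side code, which is exactly what the read-only httpd_sys_content_t label on `/var/www(/.*)?` is meant to prevent. If the intent is to let WordPress write its uploads and cache, a narrower pattern limited to the directories the site actually writes (for example an uploads subdirectory, if that is where it writes) would keep the code directories read-only; if the wide grant is deliberate, the commit description should say so, as it currently does not mention this labeling at all. The same hunk also drops the `/var/lib/koji(/.*)?` entry, which the description does not mention either; if that line moved elsewhere in the patch this is fine, otherwise the removal looks accidental.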
@@ -27181,7 +27326,7 @@ index 1ea99b2..9427dd5 100644 ') ######################################## -@@ -89,7 +90,7 @@ interface(`apm_append_log',` +@@ -89,12 +90,12 @@ interface(`apm_append_log',` ') logging_search_logs($1) @@ -27190,6 +27335,12 @@ index 1ea99b2..9427dd5 100644 ') ######################################## + ## +-## Connect to apmd over an unix stream socket. ++## Connect to apmd over a unix stream socket. + ## + ## + ## @@ -108,6 +109,5 @@ interface(`apm_stream_connect',` ') @@ -27466,19 +27617,99 @@ index b3b0176..8e66610 100644 mysql_stream_connect(asterisk_t) ') +diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc +deleted file mode 100644 +index 001235e..0000000 +--- a/policy/modules/services/audioentropy.fc ++++ /dev/null +@@ -1,6 +0,0 @@ +-# +-# /usr +-# +-/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) +- +-/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) +diff --git a/policy/modules/services/audioentropy.if b/policy/modules/services/audioentropy.if +deleted file mode 100644 +index 67906f0..0000000 +--- a/policy/modules/services/audioentropy.if ++++ /dev/null +@@ -1 +0,0 @@ +-## Generate entropy from audio input diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te -index 2b348c7..b89658c 100644 +deleted file mode 100644 +index 2b348c7..0000000 
--- a/policy/modules/services/audioentropy.te -+++ b/policy/modules/services/audioentropy.te -@@ -47,6 +47,8 @@ fs_search_auto_mountpoints(entropyd_t) - - domain_use_interactive_fds(entropyd_t) - -+auth_read_passwd(entropyd_t) -+ - logging_send_syslog_msg(entropyd_t) - - miscfiles_read_localization(entropyd_t) ++++ /dev/null +@@ -1,68 +0,0 @@ +-policy_module(audioentropy, 1.6.0) +- +-######################################## +-# +-# Declarations +-# +- +-type entropyd_t; +-type entropyd_exec_t; +-init_daemon_domain(entropyd_t, entropyd_exec_t) +- +-type entropyd_var_run_t; +-files_pid_file(entropyd_var_run_t) +- +-######################################## +-# +-# Local policy +-# +- +-allow entropyd_t self:capability { dac_override ipc_lock sys_admin }; +-dontaudit entropyd_t self:capability sys_tty_config; +-allow entropyd_t self:process signal_perms; +- +-manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) +-files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) +- +-kernel_read_kernel_sysctls(entropyd_t) +-kernel_list_proc(entropyd_t) +-kernel_read_proc_symlinks(entropyd_t) +- +-dev_read_sysfs(entropyd_t) +-dev_read_urand(entropyd_t) +-dev_write_urand(entropyd_t) +-dev_read_rand(entropyd_t) +-dev_write_rand(entropyd_t) +-dev_read_sound(entropyd_t) +-# set sound card parameters such as +-# sample format, number of channels +-# and sample rate. 
+-dev_write_sound(entropyd_t) +- +-files_read_etc_files(entropyd_t) +-files_read_usr_files(entropyd_t) +- +-fs_getattr_all_fs(entropyd_t) +-fs_search_auto_mountpoints(entropyd_t) +- +-domain_use_interactive_fds(entropyd_t) +- +-logging_send_syslog_msg(entropyd_t) +- +-miscfiles_read_localization(entropyd_t) +- +-userdom_dontaudit_use_unpriv_user_fds(entropyd_t) +-userdom_dontaudit_search_user_home_dirs(entropyd_t) +- +-optional_policy(` +- alsa_read_lib(entropyd_t) +- alsa_read_rw_config(entropyd_t) +-') +- +-optional_policy(` +- seutil_sigchld_newrole(entropyd_t) +-') +- +-optional_policy(` +- udev_read_db(entropyd_t) +-') diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if index d80a16b..4f2a53f 100644 --- a/policy/modules/services/automount.if @@ -28962,7 +29193,7 @@ index 0000000..3e15c63 +/var/spool/callweaver(/.*)? gen_context(system_u:object_r:callweaver_spool_t,s0) diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if new file mode 100644 -index 0000000..512fcb9 +index 0000000..e07d3b8 --- /dev/null +++ b/policy/modules/services/callweaver.if @@ -0,0 +1,362 @@ @@ -29184,7 +29415,7 @@ index 0000000..512fcb9 + +######################################## +## -+## Connect to callweaver over an unix stream socket. ++## Connect to callweaver over a unix stream socket. +## +## +## @@ -29466,7 +29697,7 @@ index 8a7177d..bc4f6e7 100644 /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0) /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0) diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if -index 6ee2cc8..3105b09 100644 +index 6ee2cc8..b509c40 100644 --- a/policy/modules/services/ccs.if +++ b/policy/modules/services/ccs.if @@ -5,9 +5,9 @@ 
@@ -29481,6 +29712,15 @@ index 6ee2cc8..3105b09 100644 ## # interface(`ccs_domtrans',` +@@ -20,7 +20,7 @@ interface(`ccs_domtrans',` + + ######################################## + ## +-## Connect to ccs over an unix stream socket. ++## Connect to ccs over a unix stream socket. + ## + ## + ## diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te index 4c90b57..418eb6b 100644 --- a/policy/modules/services/ccs.te @@ -30092,7 +30332,7 @@ index fd8cd0b..c11cd2f 100644 +/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..4d21fbd 100644 +index 9a0da94..e3cec85 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -30207,7 +30447,7 @@ index 9a0da94..4d21fbd 100644 + +######################################## +## -+## Connect to chronyd over an unix stream socket. ++## Connect to chronyd over a unix stream socket. +## +## +## @@ -32296,7 +32536,7 @@ index 01d31f1..8e2754b 100644 /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if -index 9971337..7481ccc 100644 +index 9971337..db88074 100644 --- a/policy/modules/services/courier.if +++ b/policy/modules/services/courier.if @@ -90,7 +90,7 @@ template(`courier_domain_template',` @@ -32314,7 +32554,7 @@ index 9971337..7481ccc 100644 +####################################### +## -+## Connect to courier-authdaemon over an unix stream socket. ++## Connect to courier-authdaemon over a unix stream socket. +## +## +## @@ -33464,7 +33704,7 @@ index 0000000..2db6b61 + diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if new file mode 100644 -index 0000000..5c1e8b0 +index 0000000..4f7d237 --- /dev/null 
+++ b/policy/modules/services/ctdbd.if @@ -0,0 +1,259 @@ @@ -33665,7 +33905,7 @@ index 0000000..5c1e8b0 + +####################################### +## -+## Connect to ctdbd over an unix stream socket. ++## Connect to ctdbd over a unix stream socket. +## +## +## @@ -33898,7 +34138,7 @@ index 1b492ed..ac5dae0 100644 + +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if -index 305ddf4..2746e6f 100644 +index 305ddf4..c9de648 100644 --- a/policy/modules/services/cups.if +++ b/policy/modules/services/cups.if @@ -9,6 +9,11 @@ @@ -33913,6 +34153,15 @@ index 305ddf4..2746e6f 100644 # interface(`cups_backend',` gen_require(` +@@ -47,7 +52,7 @@ interface(`cups_domtrans',` + + ######################################## + ## +-## Connect to cupsd over an unix domain stream socket. ++## Connect to cupsd over a unix domain stream socket. + ## + ## + ## @@ -190,10 +195,12 @@ interface(`cups_dbus_chat_config',` interface(`cups_read_config',` gen_require(` @@ -33926,6 +34175,15 @@ index 305ddf4..2746e6f 100644 read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) ') +@@ -277,7 +284,7 @@ interface(`cups_write_log',` + + ######################################## + ## +-## Connect to ptal over an unix domain stream socket. ++## Connect to ptal over a unix domain stream socket. + ## + ## + ## @@ -314,16 +321,19 @@ interface(`cups_stream_connect_ptal',` interface(`cups_admin',` gen_require(` @@ -36343,7 +36601,7 @@ index 0000000..3aae725 +/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if new file mode 100644 -index 0000000..6fd8e9f +index 0000000..b214253 --- /dev/null +++ b/policy/modules/services/dirsrv.if @@ -0,0 +1,208 @@ 
@@ -36445,7 +36703,7 @@ index 0000000..6fd8e9f + +######################################## +## -+## Connect to dirsrv over an unix stream socket. ++## Connect to dirsrv over a unix stream socket. +## +## +## @@ -38055,6 +38313,113 @@ index 0000000..d409571 + manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t) +') + +diff --git a/policy/modules/services/entropyd.fc b/policy/modules/services/entropyd.fc +new file mode 100644 +index 0000000..d2d8ce3 +--- /dev/null ++++ b/policy/modules/services/entropyd.fc +@@ -0,0 +1,8 @@ ++# ++# /usr ++# ++/usr/sbin/audio-entropyd -- gen_context(system_u:object_r:entropyd_exec_t,s0) ++/usr/sbin/haveged -- gen_context(system_u:object_r:entropyd_exec_t,s0) ++ ++/var/run/audio-entropyd\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) ++/var/run/haveged\.pid -- gen_context(system_u:object_r:entropyd_var_run_t,s0) +diff --git a/policy/modules/services/entropyd.if b/policy/modules/services/entropyd.if +new file mode 100644 +index 0000000..67906f0 +--- /dev/null ++++ b/policy/modules/services/entropyd.if +@@ -0,0 +1 @@ ++## Generate entropy from audio input +diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te +new file mode 100644 +index 0000000..b6ac808 +--- /dev/null ++++ b/policy/modules/services/entropyd.te +@@ -0,0 +1,80 @@ ++policy_module(entropyd, 1.7.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

    ++## Allow the use of the audio devices as the source for the entropy feeds ++##

    ++##
++gen_tunable(entropyd_use_audio, false)
++
++type entropyd_t;
++type entropyd_exec_t;
++init_daemon_domain(entropyd_t, entropyd_exec_t)
++
++type entropyd_var_run_t;
++files_pid_file(entropyd_var_run_t)
++
++########################################
++#
++# Local policy
++#
++
++allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
++dontaudit entropyd_t self:capability sys_tty_config;
++allow entropyd_t self:process signal_perms;
++allow entropyd_t self:unix_dgram_socket create_socket_perms;
++
++manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
++files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
++
++kernel_rw_kernel_sysctl(entropyd_t)
++kernel_list_proc(entropyd_t)
++kernel_read_proc_symlinks(entropyd_t)
++
++dev_read_sysfs(entropyd_t)
++dev_read_urand(entropyd_t)
++dev_write_urand(entropyd_t)
++dev_read_rand(entropyd_t)
++dev_write_rand(entropyd_t)
++
++files_read_etc_files(entropyd_t)
++files_read_usr_files(entropyd_t)
++
++fs_getattr_all_fs(entropyd_t)
++fs_search_auto_mountpoints(entropyd_t)
++
++domain_use_interactive_fds(entropyd_t)
++
++logging_send_syslog_msg(entropyd_t)
++
++miscfiles_read_localization(entropyd_t)
++
++userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
++userdom_dontaudit_search_user_home_dirs(entropyd_t)
++
++tunable_policy(`entropyd_use_audio',`
++ dev_read_sound(entropyd_t)
++ # set sound card parameters such as sample format, number of channels
++ # and sample rate.
++ dev_write_sound(entropyd_t)
++')
++
++optional_policy(`
++ tunable_policy(`entropyd_use_audio',`
++ alsa_read_lib(entropyd_t)
++ alsa_read_rw_config(entropyd_t)
++ ')
++')
++
++optional_policy(`
++ seutil_sigchld_newrole(entropyd_t)
++')
++
++optional_policy(`
++ udev_read_db(entropyd_t)
++')
diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc
index 298f066..b54de69 100644
--- a/policy/modules/services/exim.fc
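Review bot: The new entropyd.te grants `kernel_rw_kernel_sysctl(entropyd_t)` where the audioentropy.te this hunk replaces (deleted earlier in the patch) had `kernel_read_kernel_sysctls(entropyd_t)`, and nothing in the module explains why the daemon now needs write access to kernel sysctls; a why-comment on that line, naming which sysctl the daemon writes, would keep the widening reviewable, and the same goes for the added `allow entropyd_t self:unix_dgram_socket create_socket_perms;`. The one-line summary in the new entropyd.if, `## Generate entropy from audio input`, is carried over verbatim, but entropyd.fc now also labels /usr/sbin/haveged as entropyd_exec_t, so it should read something like `## Entropy gathering daemons (audio-entropyd, haveged)`. The tunable description for entropyd_use_audio is garbled in this chunk and could not be checked.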
@@ -38311,7 +38676,7 @@ index 0de2b83..b93171c 100644 /var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if -index f590a1f..18bdd33 100644 +index f590a1f..eb6f870 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -5,9 +5,9 @@ @@ -38326,10 +38691,11 @@ index f590a1f..18bdd33 100644 ## # interface(`fail2ban_domtrans',` -@@ -40,6 +40,25 @@ interface(`fail2ban_stream_connect',` +@@ -40,7 +40,26 @@ interface(`fail2ban_stream_connect',` ######################################## ## +-## Read and write to an fail2ban unix stream socket. +## Read and write inherited temporary files. +## +## @@ -38349,9 +38715,10 @@ index f590a1f..18bdd33 100644 + +######################################## +## - ## Read and write to an fail2ban unix stream socket. ++## Read and write to an fail2ba unix stream socket. ## ## + ## @@ -72,7 +91,7 @@ interface(`fail2ban_read_lib_files',` ') @@ -40175,7 +40542,7 @@ index 0000000..657d8f5 +/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0) diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if new file mode 100644 -index 0000000..8f0f77b +index 0000000..ebe1dde --- /dev/null +++ b/policy/modules/services/glance.if @@ -0,0 +1,268 @@ @@ -40184,7 +40551,7 @@ index 0000000..8f0f77b + +######################################## +## -+## Transition to glance. ++## Transition to glance registry. +## +## +## @@ -40203,7 +40570,7 @@ index 0000000..8f0f77b + +######################################## +## -+## Transition to glance. ++## Transition to glance api. +## +## +## @@ -43067,7 +43434,7 @@ index c62f23e..63e3be1 100644 /var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0) 
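Review bot: The fail2ban.if hunk at `@@ -38349,9 +38715,10 @@` re-adds the stream-socket summary with a new typo, `++## Read and write to an fail2ba unix stream socket.`, dropping the trailing "n" from fail2ban; the line it replaces (removed in the preceding hunk) had only the article wrong. The restored line should be `## Read and write to a fail2ban unix stream socket.`, consistent with the "an unix" to "a unix" fixes made throughout this commit. The interface body that follows the summary is outside the hunk.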
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if -index 3aa8fa7..21b3ecd 100644 +index 3aa8fa7..436aace 100644 --- a/policy/modules/services/ldap.if +++ b/policy/modules/services/ldap.if @@ -1,5 +1,64 @@ @@ -43161,6 +43528,15 @@ index 3aa8fa7..21b3ecd 100644 ## Read the OpenLDAP configuration files. ## ## +@@ -55,7 +133,7 @@ interface(`ldap_use',` + + ######################################## + ## +-## Connect to slapd over an unix stream socket. ++## Connect to slapd over a unix stream socket. + ## + ## + ## @@ -69,8 +147,7 @@ interface(`ldap_stream_connect',` ') @@ -43835,13 +44211,16 @@ index 93c14ca..27d96e1 100644 optional_policy(` cups_read_config(lpr_t) diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc -index 14ad189..2b8efd8 100644 +index 14ad189..8317f33 100644 --- a/policy/modules/services/mailman.fc +++ b/policy/modules/services/mailman.fc -@@ -1,11 +1,11 @@ +@@ -1,11 +1,14 @@ -/usr/lib(64)?/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++ +/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /usr/lib/mailman/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) ++/usr/share/doc/mailman.*/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) /var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) /var/lib/mailman/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) @@ -43852,7 +44231,7 @@ index 14ad189..2b8efd8 100644 # # distro_debian -@@ -25,10 +25,10 @@ ifdef(`distro_debian', ` +@@ -25,10 +28,10 @@ ifdef(`distro_debian', ` ifdef(`distro_redhat', ` /etc/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) @@ -44455,10 +44834,10 @@ index 0000000..2e8b6d8 +') 
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..4ea6ac3 +index 0000000..8f7cdb0 --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,93 @@ +policy_module(matahari,1.0.0) + +######################################## @@ -44486,8 +44865,6 @@ index 0000000..4ea6ac3 +# +# matahari_hostd local policy +# -+kernel_read_network_state(matahari_hostd_t) -+ +dev_read_sysfs(matahari_hostd_t) +dev_rw_mtrr(matahari_hostd_t) + @@ -44515,14 +44892,10 @@ index 0000000..4ea6ac3 +# +allow matahari_serviced_t self:process setpgid; + -+kernel_read_network_state(matahari_serviced_t) -+ +dev_read_sysfs(matahari_serviced_t) + +domain_use_interactive_fds(matahari_serviced_t) + -+files_read_etc_runtime_files(matahari_serviced_t) -+ +init_domtrans_script(matahari_serviced_t) + +systemd_config_all_services(matahari_serviced_t) @@ -44544,12 +44917,14 @@ index 0000000..4ea6ac3 +allow matahari_domain self:unix_stream_socket create_stream_socket_perms; + +kernel_read_system_state(matahari_domain) ++kernel_read_network_state(matahari_domain) + +corenet_tcp_connect_matahari_port(matahari_domain) + +dev_read_urand(matahari_domain) + +files_read_etc_files(matahari_domain) ++files_read_etc_runtime_files(matahari_domain) + +logging_send_syslog_msg(matahari_domain) + @@ -46769,7 +47144,7 @@ index f17583b..171ebec 100644 + +miscfiles_read_localization(munin_plugin_domain) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if -index e9c0982..ac7e846 100644 +index e9c0982..840e562 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -18,6 +18,24 @@ interface(`mysql_domtrans',` @@ -46778,7 +47153,7 @@ index e9c0982..ac7e846 100644 +###################################### +## -+## Execute MySQL in the coller domain. ++## Execute MySQL in the caller domain. +## +## +## 
@@ -46851,7 +47226,7 @@ index e9c0982..ac7e846 100644 +###################################### +## -+## Execute MySQL_safe in the coller domain. ++## Execute MySQL_safe in the caller domain. +## +## +## @@ -48691,7 +49066,7 @@ index 7936e09..2f6a98f 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if -index 23c769c..549d7f8 100644 +index 23c769c..0a334ae 100644 --- a/policy/modules/services/nslcd.if +++ b/policy/modules/services/nslcd.if @@ -5,9 +5,9 @@ @@ -48706,6 +49081,15 @@ index 23c769c..549d7f8 100644 ## # interface(`nslcd_domtrans',` +@@ -57,7 +57,7 @@ interface(`nslcd_read_pid_files',` + + ######################################## + ## +-## Connect to nslcd over an unix stream socket. ++## Connect to nslcd over a unix stream socket. + ## + ## + ## @@ -93,12 +93,15 @@ interface(`nslcd_stream_connect',` # interface(`nslcd_admin',` @@ -49323,7 +49707,7 @@ index 8845174..58148ed 100644 - fs_read_nfs_files(oidentd_t) -') diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if -index 9d0a67b..9197ef0 100644 +index 9d0a67b..351f7c8 100644 --- a/policy/modules/services/openct.if +++ b/policy/modules/services/openct.if @@ -23,9 +23,9 @@ interface(`openct_signull',` @@ -49350,6 +49734,15 @@ index 9d0a67b..9197ef0 100644 ## # interface(`openct_domtrans',` +@@ -77,7 +77,7 @@ interface(`openct_read_pid_files',` + + ######################################## + ## +-## Connect to openct over an unix stream socket. ++## Connect to openct over a unix stream socket. + ## + ## + ## diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te index 7f8fdc2..047d985 100644 --- a/policy/modules/services/openct.te @@ -49624,7 +50017,7 @@ index 87f17e8..63ee18a 100644 /var/run/pcscd\.pub -- gen_context(system_u:object_r:pcscd_var_run_t,s0) /var/run/pcscd\.events(/.*)? gen_context(system_u:object_r:pcscd_var_run_t,s0) 
diff --git a/policy/modules/services/pcscd.if b/policy/modules/services/pcscd.if -index 1c2a091..10f264c 100644 +index 1c2a091..6be0b2c 100644 --- a/policy/modules/services/pcscd.if +++ b/policy/modules/services/pcscd.if @@ -5,9 +5,9 @@ @@ -49648,6 +50041,15 @@ index 1c2a091..10f264c 100644 ') ######################################## +@@ -77,7 +77,7 @@ interface(`pcscd_manage_pub_pipes',` + + ######################################## + ## +-## Connect to pcscd over an unix stream socket. ++## Connect to pcscd over a unix stream socket. + ## + ## + ## diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te index ceafba6..9eb6967 100644 --- a/policy/modules/services/pcscd.te @@ -50872,7 +51274,7 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..c2771dd 100644 +index 1e7169d..a8b2f63 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -5,47 +5,73 @@ policy_module(policykit, 1.1.0) @@ -50961,7 +51363,7 @@ index 1e7169d..c2771dd 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +82,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +82,107 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) 
@@ -50982,14 +51384,14 @@ index 1e7169d..c2771dd 100644 +userdom_getattr_all_users(policykit_t) +userdom_read_all_users_state(policykit_t) +userdom_dontaudit_search_admin_dir(policykit_t) -+ -+optional_policy(` -+ dbus_system_domain(policykit_t, policykit_exec_t) -miscfiles_read_localization(policykit_t) -+ init_dbus_chat(policykit_t) ++optional_policy(` ++ dbus_system_domain(policykit_t, policykit_exec_t) -userdom_read_all_users_state(policykit_t) ++ init_dbus_chat(policykit_t) ++ + optional_policy(` + consolekit_dbus_chat(policykit_t) + ') @@ -51007,6 +51409,12 @@ index 1e7169d..c2771dd 100644 +optional_policy(` + gnome_read_config(policykit_t) +') ++ ++optional_policy(` ++ systemd_read_logind_sessions_files(policykit_t) ++ systemd_login_list_pid_dirs(policykit_t) ++ systemd_login_read_pid_files(policykit_t) ++') ######################################## # @@ -51075,7 +51483,7 @@ index 1e7169d..c2771dd 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +189,21 @@ optional_policy(` +@@ -118,14 +195,21 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -51099,7 +51507,7 @@ index 1e7169d..c2771dd 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -145,19 +223,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t +@@ -145,19 +229,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t files_read_etc_files(policykit_grant_t) files_read_usr_files(policykit_grant_t) @@ -51124,7 +51532,7 @@ index 1e7169d..c2771dd 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +244,8 @@ optional_policy(` +@@ -167,9 +250,8 @@ optional_policy(` # polkit_resolve local policy # 
@@ -51136,7 +51544,7 @@ index 1e7169d..c2771dd 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -185,13 +261,9 @@ corecmd_search_bin(policykit_resolve_t) +@@ -185,13 +267,9 @@ corecmd_search_bin(policykit_resolve_t) files_read_etc_files(policykit_resolve_t) files_read_usr_files(policykit_resolve_t) @@ -51151,7 +51559,7 @@ index 1e7169d..c2771dd 100644 userdom_read_all_users_state(policykit_resolve_t) -@@ -207,4 +279,3 @@ optional_policy(` +@@ -207,4 +285,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -52586,7 +52994,7 @@ index f03fad4..1865d8f 100644 ifdef(`distro_debian', ` /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if -index 09aeffa..d728f3a 100644 +index 09aeffa..e66adbd 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -10,7 +10,7 @@ @@ -52660,7 +53068,32 @@ index 09aeffa..d728f3a 100644 ') ######################################## -@@ -395,7 +398,6 @@ interface(`postgresql_tcp_connect',` +@@ -328,6 +331,24 @@ interface(`postgresql_domtrans',` + + ###################################### + ## ++## Execute Postgresql in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`postgresql_exec',` ++ gen_require(` ++ type postgresql_exec_t; ++ ') ++ ++ can_exec($1, postgresql_exec_t) ++') ++ ++###################################### ++## + ## Allow domain to signal postgresql + ## + ## +@@ -395,7 +416,6 @@ interface(`postgresql_tcp_connect',` ## Domain allowed access. ## ## 
@@ -52668,7 +53101,7 @@ index 09aeffa..d728f3a 100644 # interface(`postgresql_stream_connect',` gen_require(` -@@ -403,10 +405,8 @@ interface(`postgresql_stream_connect',` +@@ -403,10 +423,8 @@ interface(`postgresql_stream_connect',` ') files_search_pids($1) @@ -52681,7 +53114,7 @@ index 09aeffa..d728f3a 100644 ') ######################################## -@@ -468,6 +468,7 @@ interface(`postgresql_unpriv_client',` +@@ -468,6 +486,7 @@ interface(`postgresql_unpriv_client',` allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; ') @@ -52689,7 +53122,7 @@ index 09aeffa..d728f3a 100644 allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; -@@ -492,6 +493,7 @@ interface(`postgresql_unpriv_client',` +@@ -492,6 +511,7 @@ interface(`postgresql_unpriv_client',` allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; @@ -52697,7 +53130,7 @@ index 09aeffa..d728f3a 100644 ') ######################################## -@@ -531,33 +533,38 @@ interface(`postgresql_unconfined',` +@@ -531,33 +551,38 @@ interface(`postgresql_unconfined',` # interface(`postgresql_admin',` gen_require(` @@ -55751,7 +56184,7 @@ index 3c97ef0..c025d59 100644 /var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0) diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if -index 7dc38d1..e3bdea7 100644 +index 7dc38d1..808f9c6 100644 --- a/policy/modules/services/rgmanager.if +++ b/policy/modules/services/rgmanager.if @@ -5,9 +5,9 @@ 
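Review bot: The new `postgresql_exec` interface in the postgresql.if hunk that starts on the previous line uses `can_exec($1, postgresql_exec_t)`, so the caller runs the binary in its own domain with no transition and none of postgresql_t's permissions; the summary should say so, e.g. `## Execute PostgreSQL binaries in the caller domain (no domain transition to postgresql_t).` Since the postgresql.fc context shown earlier labels whole bin directories as postgresql_exec_t (`/usr/lib/postgresql/.*/bin/.*`), a domain granted this interface can also execute the server binaries in its own context, which is worth a sentence in the description so callers use it only where that is intended.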
@@ -55766,6 +56199,15 @@ index 7dc38d1..e3bdea7 100644 ## # interface(`rgmanager_domtrans',` +@@ -21,7 +21,7 @@ interface(`rgmanager_domtrans',` + + ######################################## + ## +-## Connect to rgmanager over an unix stream socket. ++## Connect to rgmanager over a unix stream socket. + ## + ## + ## @@ -75,3 +75,67 @@ interface(`rgmanager_manage_tmpfs_files',` fs_search_tmpfs($1) manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t) @@ -56009,7 +56451,7 @@ index c2ba53b..1f935bf 100644 /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0) /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if -index de37806..a21e737 100644 +index de37806..3e870b7 100644 --- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if @@ -13,7 +13,7 @@ @@ -56082,6 +56524,15 @@ index de37806..a21e737 100644 ###################################### ## ## Allow read and write access to fenced semaphores. +@@ -156,7 +173,7 @@ interface(`rhcs_rw_fenced_semaphores',` + + ###################################### + ## +-## Connect to fenced over an unix domain stream socket. ++## Connect to fenced over a unix domain stream socket. + ## + ## + ## @@ -169,9 +186,8 @@ interface(`rhcs_stream_connect_fenced',` type fenced_var_run_t, fenced_t; ') @@ -56093,6 +56544,15 @@ index de37806..a21e737 100644 ') ##################################### +@@ -237,7 +253,7 @@ interface(`rhcs_rw_gfs_controld_shm',` + + ##################################### + ## +-## Connect to gfs_controld_t over an unix domain stream socket. ++## Connect to gfs_controld_t over a unix domain stream socket. + ## + ## + ## @@ -335,6 +351,65 @@ interface(`rhcs_rw_groupd_shm',` manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) ') @@ -57039,10 +57499,10 @@ index 0000000..6572600 +') 
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..c0952a3 +index 0000000..4adb871 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,63 @@ +policy_module(rhsmcertd, 1.0.0) + +######################################## @@ -57105,9 +57565,7 @@ index 0000000..c0952a3 +miscfiles_read_localization(rhsmcertd_t) +miscfiles_read_certs(rhsmcertd_t) + -+optional_policy(` -+ sysnet_dns_name_resolve(rhsmcertd_t) -+') ++sysnet_dns_name_resolve(rhsmcertd_t) diff --git a/policy/modules/services/ricci.fc b/policy/modules/services/ricci.fc index 5b08327..ed5dc05 100644 --- a/policy/modules/services/ricci.fc @@ -57120,7 +57578,7 @@ index 5b08327..ed5dc05 100644 /usr/libexec/ricci-modlog -- gen_context(system_u:object_r:ricci_modlog_exec_t,s0) /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --git a/policy/modules/services/ricci.if b/policy/modules/services/ricci.if -index f7826f9..62ccd55 100644 +index f7826f9..23d579c 100644 --- a/policy/modules/services/ricci.if +++ b/policy/modules/services/ricci.if @@ -5,9 +5,9 @@ @@ -57170,7 +57628,7 @@ index f7826f9..62ccd55 100644 ## # interface(`ricci_domtrans_modcluster',` -@@ -71,7 +89,7 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` +@@ -71,12 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',` type ricci_modcluster_t; ') @@ -57179,6 +57637,12 @@ index f7826f9..62ccd55 100644 ') ######################################## + ## +-## Connect to ricci_modclusterd over an unix stream socket. ++## Connect to ricci_modclusterd over a unix stream socket. + ## + ## + ## @@ -90,18 +108,36 @@ interface(`ricci_stream_connect_modclusterd',` ') @@ -58096,7 +58560,7 @@ index f5c47d6..482b584 100644 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0) 
diff --git a/policy/modules/services/rpcbind.if b/policy/modules/services/rpcbind.if -index a96249c..b4f950d 100644 +index a96249c..a345080 100644 --- a/policy/modules/services/rpcbind.if +++ b/policy/modules/services/rpcbind.if @@ -5,9 +5,9 @@ @@ -58111,6 +58575,15 @@ index a96249c..b4f950d 100644 ## # interface(`rpcbind_domtrans',` +@@ -20,7 +20,7 @@ interface(`rpcbind_domtrans',` + + ######################################## + ## +-## Connect to rpcbindd over an unix stream socket. ++## Connect to rpcbindd over a unix stream socket. + ## + ## + ## @@ -34,8 +34,7 @@ interface(`rpcbind_stream_connect',` ') @@ -59249,7 +59722,7 @@ index 0000000..630960e +/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if new file mode 100644 -index 0000000..0d53457 +index 0000000..3eb745d --- /dev/null +++ b/policy/modules/services/sanlock.if @@ -0,0 +1,113 @@ @@ -59314,7 +59787,7 @@ index 0000000..0d53457 + +######################################## +## -+## Connect to sanlock over an unix stream socket. ++## Connect to sanlock over a unix stream socket. +## +## +## @@ -59571,7 +60044,7 @@ index 0000000..d5c3c3f +/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if new file mode 100644 -index 0000000..40d0049 +index 0000000..fe23f5a --- /dev/null +++ b/policy/modules/services/sblim.if @@ -0,0 +1,82 @@ @@ -59588,7 +60061,7 @@ index 0000000..40d0049 +## +## +# -+interface(`sblim_gatherd_domtrans',` ++interface(`sblim_domtrans_gatherd',` + gen_require(` + type sblim_gatherd_t, sblim_gatherd_exec_t; + ') @@ -59988,9 +60461,27 @@ index 22dac1f..1c27bd6 100644 + uucp_domtrans_uux(sendmail_t) ') diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if -index bcdd16c..b1c92f9 100644 +index bcdd16c..039b0c8 100644 
--- a/policy/modules/services/setroubleshoot.if +++ b/policy/modules/services/setroubleshoot.if +@@ -2,7 +2,7 @@ + + ######################################## + ## +-## Connect to setroubleshootd over an unix stream socket. ++## Connect to setroubleshootd over a unix stream socket. + ## + ## + ## +@@ -23,7 +23,7 @@ interface(`setroubleshoot_stream_connect',` + ######################################## + ## + ## Dontaudit attempts to connect to setroubleshootd +-## over an unix stream socket. ++## over a unix stream socket. + ## + ## + ## @@ -105,6 +105,25 @@ interface(`setroubleshoot_dbus_chat_fixit',` ######################################## @@ -62497,7 +62988,7 @@ index 2dad3c8..12ad27c 100644 + ssh_rw_dgram_sockets(chroot_user_t) ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if -index 941380a..4afc698 100644 +index 941380a..e1095f0 100644 --- a/policy/modules/services/sssd.if +++ b/policy/modules/services/sssd.if @@ -5,9 +5,9 @@ @@ -62544,6 +63035,15 @@ index 941380a..4afc698 100644 ') ######################################## +@@ -193,7 +195,7 @@ interface(`sssd_dbus_chat',` + + ######################################## + ## +-## Connect to sssd over an unix stream socket. ++## Connect to sssd over a unix stream socket. + ## + ## + ## @@ -225,21 +227,18 @@ interface(`sssd_stream_connect',` ## The role to be allowed to manage the sssd domain. ## @@ -63489,7 +63989,7 @@ index 0000000..d810232 +/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0) diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if new file mode 100644 -index 0000000..adf79eb +index 0000000..2c30e5b --- /dev/null +++ b/policy/modules/services/uuidd.if @@ -0,0 +1,194 @@ @@ -63630,7 +64130,7 @@ index 0000000..adf79eb + +######################################## +## -+## Connect to uuidd over an unix stream socket. ++## Connect to uuidd over a unix stream socket. +## +## +## @@ -63822,7 +64322,7 @@ index 0000000..2ba852c + 
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if new file mode 100644 -index 0000000..6467d91 +index 0000000..c6be180 --- /dev/null +++ b/policy/modules/services/vdagent.if @@ -0,0 +1,128 @@ @@ -63857,7 +64357,7 @@ index 0000000..6467d91 +## +## +# -+interface(`vdagent_getattr_exec',` ++interface(`vdagent_getattr_exec_files',` + gen_require(` + type vdagent_exec_t; + ') @@ -64015,7 +64515,7 @@ index 0000000..4fd2377 +') + diff --git a/policy/modules/services/vhostmd.if b/policy/modules/services/vhostmd.if -index 1f872b5..1250e30 100644 +index 1f872b5..88a8157 100644 --- a/policy/modules/services/vhostmd.if +++ b/policy/modules/services/vhostmd.if @@ -5,9 +5,9 @@ @@ -64057,7 +64557,7 @@ index 1f872b5..1250e30 100644 ') ######################################## -@@ -146,7 +146,8 @@ interface(`vhostmd_manage_pid_files',` +@@ -146,12 +146,13 @@ interface(`vhostmd_manage_pid_files',` type vhostmd_var_run_t; ') @@ -64067,6 +64567,21 @@ index 1f872b5..1250e30 100644 ') ######################################## + ## +-## Connect to vhostmd over an unix domain stream socket. ++## Connect to vhostmd over a unix domain stream socket. + ## + ## + ## +@@ -171,7 +172,7 @@ interface(`vhostmd_stream_connect',` + ####################################### + ## + ## Dontaudit read and write to vhostmd +-## over an unix domain stream socket. ++## over a unix domain stream socket. + ## + ## + ## @@ -209,8 +210,11 @@ interface(`vhostmd_admin',` type vhostmd_t, vhostmd_initrc_exec_t; ') @@ -64182,7 +64697,7 @@ index 2124b6a..49c15d1 100644 +# support for nova-stack +/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..3fd8f12 100644 +index 7c5d8d8..e6bb21e 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -13,39 +13,45 @@ 
@@ -64294,7 +64809,7 @@ index 7c5d8d8..3fd8f12 100644 ## # interface(`virt_domtrans',` -@@ -114,6 +126,25 @@ interface(`virt_domtrans',` +@@ -114,9 +126,28 @@ interface(`virt_domtrans',` domtrans_pattern($1, virtd_exec_t, virtd_t) ') @@ -64319,7 +64834,11 @@ index 7c5d8d8..3fd8f12 100644 + ####################################### ## - ## Connect to virt over an unix domain stream socket. +-## Connect to virt over an unix domain stream socket. ++## Connect to virt over a unix domain stream socket. + ## + ## + ## @@ -164,13 +195,13 @@ interface(`virt_attach_tun_iface',` # interface(`virt_read_config',` @@ -64767,7 +65286,7 @@ index 7c5d8d8..3fd8f12 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..59444ba 100644 +index 3eca020..bc0bf43 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0) @@ -65324,7 +65843,7 @@ index 3eca020..59444ba 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +626,359 @@ files_search_all(virt_domain) +@@ -440,25 +626,365 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -65332,12 +65851,12 @@ index 3eca020..59444ba 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) 
@@ -65480,8 +65999,8 @@ index 3eca020..59444ba 100644 +# +# virt_lxc local policy +# -+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin }; -+allow virtd_lxc_t self:process { setsched getcap setcap signal_perms }; ++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_resource }; ++allow virtd_lxc_t self:process { setrlimit setsched getcap setcap signal_perms }; +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms; @@ -65517,8 +66036,8 @@ index 3eca020..59444ba 100644 +corecmd_exec_bin(virtd_lxc_t) +corecmd_exec_shell(virtd_lxc_t) + -+dev_read_sysfs(virtd_lxc_t) +dev_relabel_all_dev_nodes(virtd_lxc_t) ++dev_rw_sysfs(virtd_lxc_t) + +domain_use_interactive_fds(virtd_lxc_t) + @@ -65529,13 +66048,16 @@ index 3eca020..59444ba 100644 +files_unmount_all_file_type_fs(virtd_lxc_t) +files_list_isid_type_dirs(virtd_lxc_t) + ++fs_getattr_all_fs(virtd_lxc_t) +fs_manage_tmpfs_dirs(virtd_lxc_t) +fs_manage_tmpfs_chr_files(virtd_lxc_t) +fs_manage_tmpfs_symlinks(virtd_lxc_t) +fs_manage_cgroup_dirs(virtd_lxc_t) -+fs_rw_cgroup_files(virtd_lxc_t) ++fs_mounton_tmpfs(virtd_lxc_t) +fs_remount_all_fs(virtd_lxc_t) ++fs_rw_cgroup_files(virtd_lxc_t) +fs_unmount_xattr_fs(virtd_lxc_t) ++fs_unmount_configfs(virtd_lxc_t) + +selinux_mount_fs(virtd_lxc_t) +selinux_unmount_fs(virtd_lxc_t) @@ -65549,6 +66071,8 @@ index 3eca020..59444ba 100644 + +miscfiles_read_localization(virtd_lxc_t) + ++seutil_domtrans_setfiles(virtd_lxc_t) ++ +sysnet_domtrans_ifconfig(virtd_lxc_t) + +#optional_policy(` 
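Review bot: `dev_rw_sysfs(virtd_lxc_t)` replaces the earlier `dev_read_sysfs(virtd_lxc_t)`, widening the LXC driver from reading sysfs to writing every `sysfs_t` file, and nothing in the hunk records which write libvirt-lxc actually needs. Next to the `sys_admin`, `dev_relabel_all_dev_nodes` and new `seutil_domtrans_setfiles` rules in the same block that is a lot of host control for a container-setup helper, so if the write targets one known path a dedicated type or narrower interface would be preferable. Failing that, a why-comment on the line, such as `# libvirt-lxc writes sysfs during container setup (TODO: record the path so this can be narrowed)`, would at least make the grant reviewable later. The `virtd_lxc_t` rule block continues past the end of this hunk.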
@@ -65569,7 +66093,7 @@ index 3eca020..59444ba 100644 +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms; +dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write }; + -+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid execstack execmem }; ++allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +allow svirt_lxc_domain self:fifo_file manage_file_perms; +allow svirt_lxc_domain self:sem create_sem_perms; +allow svirt_lxc_domain self:shm create_shm_perms; @@ -65651,6 +66175,7 @@ index 3eca020..59444ba 100644 +corenet_udp_bind_generic_node(svirt_lxc_net_t) + +allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service }; ++ +corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) +corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) +corenet_udp_bind_all_ports(svirt_lxc_net_t) @@ -65790,7 +66315,7 @@ index 0000000..ad47e05 +/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0) diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if new file mode 100644 -index 0000000..955f1ac +index 0000000..1a04747 --- /dev/null +++ b/policy/modules/services/wdmd.if @@ -0,0 +1,114 @@ @@ -65892,7 +66417,7 @@ index 0000000..955f1ac + +######################################## +## -+## Connect to wdmd over an unix stream socket. ++## Connect to wdmd over a unix stream socket. +## +## +## @@ -66114,7 +66639,7 @@ index 4966c94..cb2e1a3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..351ed06 100644 +index 130ced9..1cb809b 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ 
@@ -66352,13 +66877,15 @@ index 130ced9..351ed06 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +495,20 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; + userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority") + userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority") ++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l") ++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c") + userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors") + userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc") @@ -66373,7 +66900,7 @@ index 130ced9..351ed06 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +520,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -66402,7 +66929,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +571,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -66410,7 +66937,7 @@ index 130ced9..351ed06 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',` +@@ -549,6 +604,24 @@ interface(`xserver_domtrans_xauth',` ######################################## ## 
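Review bot: The two new `.Xauthority-l` and `.Xauthority-c` transitions are unexplained, and the suffixes are not obvious next to `.Xauthority`; presumably they are the lock files xauth writes beside the authority file (to be confirmed against xauth's locking code), in which case a one-line comment above them would save the next reader the lookup: `# xauth(1) presumably creates .Xauthority-c/-l lock files beside .Xauthority`. The template body continues outside the hunk.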
@@ -66435,7 +66962,7 @@ index 130ced9..351ed06 100644 ## Create a Xauthority file in the user home directory. ## ## -@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -66443,7 +66970,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -66452,7 +66979,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -638,6 +710,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +712,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -66478,7 +67005,7 @@ index 130ced9..351ed06 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +744,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -66487,7 +67014,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +763,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -66496,7 +67023,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +781,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -66505,7 +67032,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +796,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` 
@@ -66519,7 +67046,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +816,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -66553,7 +67080,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -752,6 +864,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -66579,7 +67106,7 @@ index 130ced9..351ed06 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +896,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -66588,7 +67115,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +936,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -66616,7 +67143,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +978,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -66641,7 +67168,7 @@ index 130ced9..351ed06 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1065,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -66650,7 +67177,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1084,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') 
@@ -66659,7 +67186,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1131,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -66705,7 +67232,7 @@ index 130ced9..351ed06 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1183,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -66714,7 +67241,7 @@ index 130ced9..351ed06 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1245,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -66757,7 +67284,7 @@ index 130ced9..351ed06 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1295,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -66766,7 +67293,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1313,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -66778,7 +67305,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1430,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -66788,7 +67315,7 @@ index 130ced9..351ed06 100644 +###################################### +## +## Dontaudit attempts to connect to xserver -+## over an unix stream socket. ++## over a unix stream socket. +## +## +## 
@@ -66805,7 +67332,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1475,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -66814,7 +67341,7 @@ index 130ced9..351ed06 100644 ## ## ## -@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1485,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -66839,7 +67366,7 @@ index 130ced9..351ed06 100644 ') ######################################## -@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1518,462 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -67261,6 +67788,8 @@ index 130ced9..351ed06 100644 + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") ++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l") ++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") 
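Review bot: The two added `userdom_user_home_dir_filetrans` calls pass `$2` while every neighbouring call in this interface passes `$1`, so the domain argument is wrong: in a one-argument interface `$2` expands to nothing, leaving `userdom_user_home_dir_filetrans(, xauth_home_t, file, ".Xauthority-l")`, which produces a malformed allow/type_transition pair that checkpolicy should reject at build time. The lines look copied from `xserver_user_x_domain_template`, where `$2` is the user domain. They should read `userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")` and `userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")`. The interface header is outside the hunk, so this assumes it takes a single argument, as its other calls suggest.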
@@ -67293,6 +67822,8 @@ index 130ced9..351ed06 100644 + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") ++ userdom_admin_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l") ++ userdom_admin_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") @@ -68772,9 +69303,18 @@ index 9fb4747..92c156b 100644 miscfiles_read_localization(zarafa_domain) diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if -index 6b87605..ef64e73 100644 +index 6b87605..c745e03 100644 --- a/policy/modules/services/zebra.if +++ b/policy/modules/services/zebra.if +@@ -24,7 +24,7 @@ interface(`zebra_read_config',` + + ######################################## + ## +-## Connect to zebra over an unix stream socket. ++## Connect to zebra over a unix stream socket. + ## + ## + ## @@ -38,8 +38,7 @@ interface(`zebra_stream_connect',` ') @@ -68860,7 +69400,7 @@ index 0000000..b74fadf +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) diff --git a/policy/modules/services/zoneminder.if b/policy/modules/services/zoneminder.if new file mode 100644 -index 0000000..aadeef3 +index 0000000..d3e6527 --- /dev/null +++ b/policy/modules/services/zoneminder.if @@ -0,0 +1,320 @@ @@ -69122,7 +69662,7 @@ index 0000000..aadeef3 + +######################################## +## -+## Connect to zoneminder over an unix stream socket. ++## Connect to zoneminder over a unix stream socket. +## +## +## @@ -71766,7 +72306,7 @@ index 94fd8dd..ef5a3c8 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') 
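Review bot: The two added `userdom_admin_home_dir_filetrans` calls pass `$2` while the surrounding calls in this interface pass `$1`, so the new transitions are attached to an empty domain argument and the expanded rule is malformed (expected to fail at checkpolicy time, and at best granting nothing). They should read `userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")` and `userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")`. The interface header is outside the hunk, so this assumes a single-argument interface, as the neighbouring `$1` calls indicate.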
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..ddc7143 100644 +index 29a9565..92781d7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -72670,7 +73210,7 @@ index 29a9565..ddc7143 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1251,160 @@ optional_policy(` +@@ -854,3 +1251,161 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -72725,6 +73265,7 @@ index 29a9565..ddc7143 100644 + allow init_t daemon:unix_stream_socket create_stream_socket_perms; + allow init_t daemon:unix_dgram_socket create_socket_perms; + allow init_t daemon:tcp_socket create_stream_socket_perms; ++ allow init_t daemon:udp_socket create_socket_perms; + allow daemon init_t:unix_dgram_socket sendto; + # need write to /var/run/systemd/notify + init_write_pid_socket(daemon) @@ -74239,9 +74780,27 @@ index 02f4c97..314efca 100644 + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 831b909..0410fa3 100644 +index 831b909..9889380 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if +@@ -233,7 +233,7 @@ interface(`logging_run_auditd',` + + ######################################## + ## +-## Connect to auditdstored over an unix stream socket. ++## Connect to auditdstored over a unix stream socket. + ## + ## + ## +@@ -318,7 +318,7 @@ interface(`logging_dispatcher_domain',` + + ######################################## + ## +-## Connect to the audit dispatcher over an unix stream socket. ++## Connect to the audit dispatcher over a unix stream socket. + ## + ## + ## @@ -491,6 +491,63 @@ interface(`logging_log_filetrans',` filetrans_pattern($1, var_log_t, $2, $3) ') @@ -78036,10 +78595,10 @@ index 0000000..0d3e625 +/var/run/initramfs(/.*)? <> 
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..1688a39 +index 0000000..75e7f1c --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,504 @@ +@@ -0,0 +1,542 @@ +## SELinux policy for systemd components + +####################################### @@ -78212,6 +78771,25 @@ index 0000000..1688a39 + +###################################### +## ++## Read systemd_login PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_login_list_pid_dirs',` ++ gen_require(` ++ type systemd_logind_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t) ++') ++ ++###################################### ++## +## Use and and inherited systemd +## logind file descriptors. +## @@ -78231,6 +78809,25 @@ index 0000000..1688a39 + +###################################### +## ++## Read logind sessions files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_read_logind_sessions_files',` ++ gen_require(` ++ type systemd_logind_sessions_t; ++ ') ++ ++ init_search_pid_dirs($1) ++ read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t) ++') ++ ++###################################### ++## +## Write inherited logind sessions pipes. +## +## @@ -80188,7 +80785,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..17cc2fc 100644 +index 4b2878a..330f877 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
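Review bot: The summary of the new `systemd_login_list_pid_dirs` interface says `Read systemd_login PID files`, but the body only grants `list_dirs_pattern` on `systemd_logind_var_run_t`, so the documentation promises more than the interface gives and a caller looking for read access will pick the wrong one. Change the summary to `## List systemd logind PID directories.`. The name also says `systemd_login` where the type and the sibling interfaces say `logind`; since the interface is new, aligning it (`systemd_logind_list_pid_dirs`) is cheap now, provided no caller outside this hunk already uses the current name.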
@@ -81415,7 +82012,7 @@ index 4b2878a..17cc2fc 100644 optional_policy(` - setroubleshoot_stream_connect($1_t) + vdagent_getattr_log($1_t) -+ vdagent_getattr_exec($1_t) ++ vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) ') ') @@ -82603,7 +83200,7 @@ index 4b2878a..17cc2fc 100644 + +######################################## +## -+## Connect to users over an unix stream socket. ++## Connect to users over a unix stream socket. +## +## +## @@ -83946,7 +84543,7 @@ index a865da7..a5ed06e 100644 ') diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if -index 77d41b6..7ccb440 100644 +index 77d41b6..138efd8 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if @@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',` @@ -84003,7 +84600,25 @@ index 77d41b6..7ccb440 100644 interface(`xen_rw_image_files',` gen_require(` type xen_image_t, xend_var_lib_t; -@@ -213,8 +253,9 @@ interface(`xen_stream_connect',` +@@ -161,7 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',` + + ######################################## + ## +-## Connect to xenstored over an unix stream socket. ++## Connect to xenstored over a unix stream socket. + ## + ## + ## +@@ -180,7 +220,7 @@ interface(`xen_stream_connect_xenstore',` + + ######################################## + ## +-## Connect to xend over an unix domain stream socket. ++## Connect to xend over a unix domain stream socket. + ## + ## + ## +@@ -213,14 +253,15 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; @@ -84014,6 +84629,13 @@ index 77d41b6..7ccb440 100644 domtrans_pattern($1, xm_exec_t, xm_t) ') + ######################################## + ## +-## Connect to xm over an unix stream socket. ++## Connect to xm over a unix stream socket. + ## + ## + ## @@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` diff --git a/selinux-policy.spec b/selinux-policy.spec index 3b565bf..c577be1 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -16,7 +16,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 72%{?dist} +Release: 73%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 11 2012 Miroslav Grepl 3.10.0-73 +- Fixed destined form libvirt-sandbox +- Allow apps that list sysfs to also read sympolicy links in this filesystem +- Add ubac_constrained rules for chrome_sandbox +- Need interface to allow domains to use tmpfs_t files created by the kernel, used by libra +- Allow postgresql to be executed by the caller +- Standardize interfaces of daemons +- Add new labeling for mm-handler +- Allow all matahari domains to read network state and etc_runtime_t files + * Wed Jan 4 2012 Miroslav Grepl 3.10.0-72 - New fix for seunshare, requires seunshare_domains to be able to mounton / - Allow systemctl running as logrotate_t to connect to private systemd socket