From 859a101f23482c0a1f8db565cb3743ae1fb43de7 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Jun 19 2013 19:22:03 +0000 Subject: Make vdagent able to request loading kernel module - Add support for cloud-init make it as unconfined domain - Allow snmpd to run smartctl in fsadm_t domain - remove duplicate openshift_search_lib() interface - Allow mysqld to search openshift lib files - Allow openshift cgroup to interact with passedin file descriptors - Allow colord to list directories inthe users homedir - aide executes prelink to check files - Make sure cupsd_t creates content in /etc/cups with the correct label - Lest dontaudit apache read all domains, so passenger will not cause this avc - Allow gssd to connect to gssproxy - systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS - Allow systemd-tmpfiles to relabel also lock files - Allow useradd to add homdir in /var/lib/openshift - Allow setfiles and semanage to write output to /run/files --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 3cca223..deb0e92 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2373,7 +2373,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..4165b4d 100644 +index d555767..4065a9a 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2814,10 +2814,10 @@ index d555767..4165b4d 100644 userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) +userdom_delete_all_user_home_content(useradd_t) @@ -2835,17 +2835,21 @@ index d555767..4165b4d 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +593,8 @@ optional_policy(` +@@ -542,7 +593,12 @@ optional_policy(` ') optional_policy(` - nscd_run(useradd_t, useradd_roles) + nscd_domtrans(useradd_t) +# nscd_run(useradd_t, useradd_roles) ++') ++ ++optional_policy(` ++ openshift_manage_lib_dirs(useradd_t) ') optional_policy(` -@@ -550,6 +602,11 @@ optional_policy(` +@@ -550,6 +606,11 @@ optional_policy(` ') optional_policy(` @@ -2857,7 +2861,7 @@ index d555767..4165b4d 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +616,12 @@ optional_policy(` +@@ -559,3 +620,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -5637,7 +5641,7 @@ index b31c054..17e11e0 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..0fc6f53 100644 +index 76f285e..7a424f4 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6330,18 +6334,105 @@ index 76f285e..0fc6f53 100644 ## ## # -@@ -2975,8 +3250,8 @@ interface(`dev_dontaudit_write_mtrr',` +@@ -2903,20 +3178,20 @@ interface(`dev_getattr_mtrr_dev',` + + ######################################## + ## +-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). (Deprecated) + ## + ## + ##

+-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). This interface has + ## been deprecated, dev_rw_mtrr() should be + ## used instead. + ##

+ ##

+ ## The MTRR device ioctls can be used for +-## reading and writing; thus, read access to the +-## device cannot be separated from write access. ++## reading and writing; thus, write access to the ++## device cannot be separated from read access. + ##

+ ##
+ ## +@@ -2925,43 +3200,34 @@ interface(`dev_getattr_mtrr_dev',` + ## + ## + # +-interface(`dev_read_mtrr',` ++interface(`dev_write_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) + ') + + ######################################## + ## +-## Write the memory type range +-## registers (MTRR). (Deprecated) ++## Do not audit attempts to write the memory type ++## range registers (MTRR). + ## +-## +-##

+-## Write the memory type range +-## registers (MTRR). This interface has +-## been deprecated, dev_rw_mtrr() should be +-## used instead. +-##

+-##

+-## The MTRR device ioctls can be used for +-## reading and writing; thus, write access to the +-## device cannot be separated from read access. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_mtrr',` +- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') +- dev_rw_mtrr($1) ++interface(`dev_dontaudit_write_mtrr',` ++ gen_require(` ++ type mtrr_device_t; ++ ') ++ ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write the memory type ++## Do not audit attempts to read the memory type + ## range registers (MTRR). + ## + ## +@@ -2970,13 +3236,13 @@ interface(`dev_write_mtrr',` + ## + ## + # +-interface(`dev_dontaudit_write_mtrr',` ++interface(`dev_dontaudit_read_mtrr',` + gen_require(` type mtrr_device_t; ') - dontaudit $1 mtrr_device_t:file write; - dontaudit $1 mtrr_device_t:chr_file write; -+ dontaudit $1 mtrr_device_t:file write_file_perms; -+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ++ dontaudit $1 mtrr_device_t:file { open read }; ++ dontaudit $1 mtrr_device_t:chr_file { open read }; ') ######################################## -@@ -3144,6 +3419,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3410,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -6384,7 +6475,7 @@ index 76f285e..0fc6f53 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3474,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3465,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -6409,7 +6500,7 @@ index 76f285e..0fc6f53 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3583,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3574,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6436,7 +6527,7 @@ index 76f285e..0fc6f53 100644 ## ## ## -@@ -3262,12 +3609,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3600,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6453,83 +6544,319 @@ index 76f285e..0fc6f53 100644 ') ######################################## -@@ -3855,6 +4203,96 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4194,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## +-## Search the sysfs directories. +## Set the attributes of sysfs directories. -+## + ## + ## + ## +@@ -3863,53 +4202,53 @@ interface(`dev_getattr_sysfs_dirs',` + ## + ## + # +-interface(`dev_search_sysfs',` ++interface(`dev_setattr_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + +- search_dirs_pattern($1, sysfs_t, sysfs_t) ++ allow $1 sysfs_t:dir setattr_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search sysfs. ++## Get attributes of sysfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_search_sysfs',` ++interface(`dev_getattr_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + +- dontaudit $1 sysfs_t:dir search_dir_perms; ++ allow $1 sysfs_t:filesystem getattr; + ') + + ######################################## + ## +-## List the contents of the sysfs directories. ++## Mount a filesystem on /sys + ## + ## + ## +-## Domain allowed access. ++## Domain allow access. + ## + ## + # +-interface(`dev_list_sysfs',` ++interface(`dev_mounton_sysfs',` + gen_require(` + type sysfs_t; + ') + +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ allow $1 sysfs_t:dir mounton; + ') + + ######################################## + ## +-## Write in a sysfs directories. ++## Mount sysfs filesystems. + ## + ## + ## +@@ -3917,37 +4256,35 @@ interface(`dev_list_sysfs',` + ## + ## + # +-# cjp: added for cpuspeed +-interface(`dev_write_sysfs_dirs',` ++interface(`dev_mount_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + +- allow $1 sysfs_t:dir write; ++ allow $1 sysfs_t:filesystem mount; + ') + + ######################################## + ## +-## Do not audit attempts to write in a sysfs directory. ++## Unmount sysfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_write_sysfs_dirs',` ++interface(`dev_unmount_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + +- dontaudit $1 sysfs_t:dir write; ++ allow $1 sysfs_t:filesystem unmount; + ') + + ######################################## + ## +-## Create, read, write, and delete sysfs +-## directories. ++## Search the sysfs directories. + ## + ## + ## +@@ -3955,47 +4292,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` + ## + ## + # +-interface(`dev_manage_sysfs_dirs',` ++interface(`dev_search_sysfs',` + gen_require(` + type sysfs_t; + ') + +- manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ search_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read hardware state information. ++## Do not audit attempts to search sysfs. + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## +-## + # +-interface(`dev_read_sysfs',` ++interface(`dev_dontaudit_search_sysfs',` + gen_require(` + type sysfs_t; + ') + +- read_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ dontaudit $1 sysfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Allow caller to modify hardware state information. ++## List the contents of the sysfs directories. + ## + ## + ## +@@ -4003,20 +4328,18 @@ interface(`dev_read_sysfs',` + ## + ## + # +-interface(`dev_rw_sysfs',` ++interface(`dev_list_sysfs',` + gen_require(` + type sysfs_t; + ') + +- rw_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- + list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read and write the TPM device. ++## Write in a sysfs directories. + ## + ## + ## +@@ -4024,21 +4347,210 @@ interface(`dev_rw_sysfs',` + ## + ## + # +-interface(`dev_rw_tpm',` ++# cjp: added for cpuspeed ++interface(`dev_write_sysfs_dirs',` + gen_require(` +- type device_t, tpm_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ allow $1 sysfs_t:dir write; + ') + + ######################################## + ## +-## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## Do not audit attempts to write in a sysfs directory. + ## +-## +-##

+-## Allow the specified domain to read from pseudo random number +## +##

-+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`dev_setattr_sysfs_dirs',` ++interface(`dev_dontaudit_write_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + -+ allow $1 sysfs_t:dir setattr_dir_perms; ++ dontaudit $1 sysfs_t:dir write; +') + +######################################## +## -+## Get attributes of sysfs filesystems. ++## Read cpu online hardware state information. +## ++## ++##

++## Allow the specified domain to read /sys/devices/system/cpu/online file. ++##

++##
+## +## +## Domain allowed access. +## +## +# -+interface(`dev_getattr_sysfs_fs',` ++interface(`dev_read_cpu_online',` + gen_require(` -+ type sysfs_t; ++ type cpu_online_t; + ') + -+ allow $1 sysfs_t:filesystem getattr; ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) +') + +######################################## +## -+## Mount a filesystem on /sys ++## Relabel cpu online hardware state information. +## +## +## -+## Domain allow access. ++## Domain allowed access. +## +## +# -+interface(`dev_mounton_sysfs',` ++interface(`dev_relabel_cpu_online',` + gen_require(` ++ type cpu_online_t; + type sysfs_t; + ') + -+ allow $1 sysfs_t:dir mounton; ++ dev_search_sysfs($1) ++ allow $1 cpu_online_t:file relabel_file_perms; +') + ++ +######################################## +## -+## Mount sysfs filesystems. ++## Read hardware state information. +## ++## ++##

++## Allow the specified domain to read the contents of ++## the sysfs filesystem. This filesystem contains ++## information, parameters, and other settings on the ++## hardware installed on the system. ++##

++##
+## +## +## Domain allowed access. +## +## ++## +# -+interface(`dev_mount_sysfs_fs',` ++interface(`dev_read_sysfs',` + gen_require(` + type sysfs_t; + ') + -+ allow $1 sysfs_t:filesystem mount; ++ read_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Unmount sysfs filesystems. ++## Allow caller to modify hardware state information. +## +## +## @@ -6537,59 +6864,20 @@ index 76f285e..0fc6f53 100644 +## +## +# -+interface(`dev_unmount_sysfs_fs',` ++interface(`dev_rw_sysfs',` + gen_require(` + type sysfs_t; + ') + -+ allow $1 sysfs_t:filesystem unmount; -+') -+ -+######################################## -+## - ## Search the sysfs directories. - ## - ## -@@ -3904,6 +4342,7 @@ interface(`dev_list_sysfs',` - type sysfs_t; - ') - ++ rw_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) - list_dirs_pattern($1, sysfs_t, sysfs_t) - ') - -@@ -3946,23 +4385,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` - - ######################################## - ## --## Create, read, write, and delete sysfs --## directories. -+## Read cpu online hardware state information. - ## -+## -+##

-+## Allow the specified domain to read /sys/devices/system/cpu/online file. -+##

-+##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`dev_manage_sysfs_dirs',` -+interface(`dev_read_cpu_online',` -+ gen_require(` -+ type cpu_online_t; -+ ') + -+ dev_search_sysfs($1) -+ read_files_pattern($1, cpu_online_t, cpu_online_t) ++ list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Relabel cpu online hardware state information. ++## Relabel hardware state directories. +## +## +## @@ -6597,38 +6885,8 @@ index 76f285e..0fc6f53 100644 +## +## +# -+interface(`dev_relabel_cpu_online',` - gen_require(` -+ type cpu_online_t; - type sysfs_t; - ') - -- manage_dirs_pattern($1, sysfs_t, sysfs_t) -+ dev_search_sysfs($1) -+ allow $1 cpu_online_t:file relabel_file_perms; - ') - -+ - ######################################## - ## - ## Read hardware state information. -@@ -4016,7 +4481,7 @@ interface(`dev_rw_sysfs',` - - ######################################## - ## --## Read and write the TPM device. -+## Relabel hardware state directories. - ## - ## - ## -@@ -4024,9 +4489,65 @@ interface(`dev_rw_sysfs',` - ## - ## - # --interface(`dev_rw_tpm',` +interface(`dev_relabel_sysfs_dirs',` - gen_require(` -- type device_t, tpm_device_t; ++ gen_require(` + type sysfs_t; + ') + @@ -6686,10 +6944,22 @@ index 76f285e..0fc6f53 100644 +interface(`dev_rw_tpm',` + gen_require(` + type device_t, tpm_device_t; - ') - - rw_chr_files_pattern($1, device_t, tpm_device_t) -@@ -4113,6 +4634,25 @@ interface(`dev_write_urand',` ++ ') ++ ++ rw_chr_files_pattern($1, device_t, tpm_device_t) ++') ++ ++######################################## ++## ++## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## ++## ++##

++## Allow the specified domain to read from pseudo random number + ## generator devices (e.g., /dev/urandom). Typically this is + ## used in situations when a cryptographically secure random + ## number is not necessarily needed. One example is the Stack +@@ -4113,6 +4625,25 @@ interface(`dev_write_urand',` ######################################## ##

@@ -6715,7 +6985,7 @@ index 76f285e..0fc6f53 100644 ## Getattr generic the USB devices. ## ## -@@ -4409,9 +4949,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +4940,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -6727,7 +6997,7 @@ index 76f285e..0fc6f53 100644 ##
## ## -@@ -4419,17 +4959,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +4950,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -6750,7 +7020,7 @@ index 76f285e..0fc6f53 100644 ## ## ## -@@ -4437,12 +4977,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +4968,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -6766,7 +7036,7 @@ index 76f285e..0fc6f53 100644 ') ######################################## -@@ -4539,6 +5079,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5070,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -6901,7 +7171,7 @@ index 76f285e..0fc6f53 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5225,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5216,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -6926,7 +7196,7 @@ index 76f285e..0fc6f53 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5448,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5439,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -6953,7 +7223,7 @@ index 76f285e..0fc6f53 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5557,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5548,943 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8788,7 +9058,7 @@ index c2c6e05..be423a7 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..455cc6c 100644 +index 64ff4d7..fe6d89c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10464,17 +10734,51 @@ index 64ff4d7..455cc6c 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5774,8 +6714,7 @@ interface(`files_getattr_generic_locks',` +@@ -5761,7 +6701,7 @@ interface(`files_relabel_all_lock_dirs',` + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Relabel to and from all lock file types. + ## + ## + ## +@@ -5769,13 +6709,33 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_relabel_all_lock_files',` + gen_require(` ++ attribute lockfile; type var_t, var_lock_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Get the attributes of generic lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ + files_search_locks($1) allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6730,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6751,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -10492,7 +10796,7 @@ index 64ff4d7..455cc6c 100644 ') ######################################## -@@ -5816,9 +6754,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6775,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -10503,7 +10807,7 @@ index 64ff4d7..455cc6c 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6796,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6817,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -10513,7 +10817,7 @@ index 64ff4d7..455cc6c 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6818,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6839,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -10523,7 +10827,7 @@ index 64ff4d7..455cc6c 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6855,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6876,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -10533,7 +10837,7 @@ index 64ff4d7..455cc6c 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +6894,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +6915,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -10542,7 +10846,7 @@ index 64ff4d7..455cc6c 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +6914,48 @@ interface(`files_search_pids',` +@@ -5981,10 +6935,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -10591,7 +10895,7 @@ index 64ff4d7..455cc6c 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6978,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6999,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -10617,7 +10921,7 @@ index 64ff4d7..455cc6c 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6021,7 +7011,7 @@ interface(`files_list_pids',` +@@ -6021,7 +7032,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -10626,7 +10930,7 @@ index 64ff4d7..455cc6c 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6040,7 +7030,7 @@ interface(`files_read_generic_pids',` +@@ -6040,7 +7051,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -10635,7 +10939,7 @@ index 64ff4d7..455cc6c 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7050,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7071,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -10644,7 +10948,7 @@ index 64ff4d7..455cc6c 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7112,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7133,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -10652,7 +10956,32 @@ index 64ff4d7..455cc6c 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6164,7 +7153,7 @@ interface(`files_rw_generic_pids',` +@@ -6151,6 +7161,24 @@ interface(`files_pid_filetrans_lock_dir',` + + ######################################## + ## ++## rw generic pid files inherited from another process ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_inherited_generic_pid_files',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Read and write generic process ID files. + ## + ## +@@ -6164,7 +7192,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -10661,7 +10990,7 @@ index 64ff4d7..455cc6c 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,55 +7220,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7259,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -10724,7 +11053,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6287,42 +7264,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +7303,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -10774,7 +11103,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6330,18 +7300,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7339,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -10798,7 +11127,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6349,37 +7319,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7358,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -10850,7 +11179,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6387,18 +7360,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7399,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -10873,7 +11202,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6406,18 +7378,18 @@ interface(`files_list_spool',` +@@ -6406,18 +7417,18 @@ interface(`files_list_spool',` ## ## # @@ -10897,7 +11226,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6425,19 +7397,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6425,19 +7436,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -10922,7 +11251,7 @@ index 64ff4d7..455cc6c 100644 ## ## ## -@@ -6445,55 +7416,43 @@ interface(`files_read_generic_spool',` +@@ -6445,45 +7455,312 @@ interface(`files_read_generic_spool',` ## ## # @@ -10973,57 +11302,38 @@ index 64ff4d7..455cc6c 100644 - type var_t, var_spool_t; + attribute pidfile; + type var_t, var_run_t; - ') - ++ ') ++ + files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) ++ allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. ++') ++ ++######################################## ++## +## Delete all process ID directories. - ## - ## - ## -@@ -6501,64 +7460,814 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_pid_dirs',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; ++ gen_require(` + attribute pidfile; + type var_t, var_run_t; - ') - -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') - -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) ++ +######################################## +## +## Make the specified type a file @@ -11275,89 +11585,13 @@ index 64ff4d7..455cc6c 100644 +interface(`files_spool_filetrans',` + gen_require(` + type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_polyinstantiate_all',` -+ gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; -+ ') -+ -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; + ') -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) -+ -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) -+ ') -+') -+ -+######################################## -+## -+## Unconfined access to files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_unconfined',` -+ gen_require(` -+ attribute files_unconfined_type; -+ ') -+ -+ typeattribute $1 files_unconfined_type; -+') + allow $1 var_t:dir search_dir_perms; +@@ -6562,3 +7839,474 @@ interface(`files_unconfined',` + + typeattribute $1 files_unconfined_type; + ') + +######################################## +## @@ -11483,15 +11717,10 @@ index 64ff4d7..455cc6c 100644 + gen_require(` + attribute tmpfsfile; + ') - -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) ++ + allow $1 tmpfsfile:file { read write }; +') - -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) ++ +######################################## +## +## Do not audit attempts to read security files @@ -11506,13 +11735,7 @@ index 64ff4d7..455cc6c 100644 + gen_require(` + attribute security_file_type; + ') - -- ifdef(`distro_redhat',` -- # namespace.init -- files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) ++ + dontaudit $1 security_file_type:file read_file_perms; +') + @@ -11534,36 +11757,32 @@ index 64ff4d7..455cc6c 100644 +interface(`files_rw_all_inherited_files',` + gen_require(` + attribute file_type; - ') ++ ') + + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Allow any file point to be the entrypoint of this domain - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`files_unconfined',` ++# +interface(`files_entrypoint_all_files',` - gen_require(` -- attribute files_unconfined_type; ++ gen_require(` + attribute file_type; - ') ++ ') + allow $1 file_type:file entrypoint; +') - -- typeattribute $1 files_unconfined_type; ++ +######################################## +## +## Do not audit attempts to rw inherited file perms @@ -11758,7 +11977,7 @@ index 64ff4d7..455cc6c 100644 + ') + files_type($1) + typeattribute $1 base_file_type; - ') ++') + +######################################## +## @@ -32936,7 +33155,7 @@ index 3822072..1029e3b 100644 + userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context") +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..73ef1e8 100644 +index ec01d0b..64db314 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,17 @@ gen_require(` @@ -33373,11 +33592,11 @@ index ec01d0b..73ef1e8 100644 -auth_use_nsswitch(semanage_t) - -locallogin_use_fds(semanage_t) +- +-logging_send_syslog_msg(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) --logging_send_syslog_msg(semanage_t) -- -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) @@ -33465,7 +33684,7 @@ index ec01d0b..73ef1e8 100644 ') ######################################## -@@ -522,108 +599,178 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +599,181 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -33547,12 +33766,12 @@ index ec01d0b..73ef1e8 100644 + # pki is leaking + pki_dontaudit_write_log(setfiles_t) +') - --seutil_libselinux_linked(setfiles_t) ++ +optional_policy(` + xserver_append_xdm_tmp_files(setfiles_t) +') -+ + +-seutil_libselinux_linked(setfiles_t) +ifdef(`hide_broken_symptoms',` + + optional_policy(` @@ -33729,6 +33948,9 @@ index ec01d0b..73ef1e8 100644 + +userdom_dontaudit_write_user_home_content_files(policy_manager_domain) +userdom_use_user_ptys(policy_manager_domain) ++ ++files_rw_inherited_generic_pid_files(setfiles_domain) ++files_rw_inherited_generic_pid_files(seutil_semanage_domain) diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc index bea4629..06e2834 100644 --- a/policy/modules/system/setrans.fc @@ -35732,10 +35954,10 @@ index 0000000..2e5b822 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..35c1a7d +index 0000000..87474b2 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,645 @@ +@@ -0,0 +1,647 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -36037,6 +36259,7 @@ index 0000000..35c1a7d +files_getattr_all_sockets(systemd_tmpfiles_t) +files_getattr_all_symlinks(systemd_tmpfiles_t) +files_relabel_all_lock_dirs(systemd_tmpfiles_t) ++files_relabel_all_lock_files(systemd_tmpfiles_t) +files_relabel_all_pid_dirs(systemd_tmpfiles_t) +files_relabel_all_pid_files(systemd_tmpfiles_t) +files_relabel_all_spool_dirs(systemd_tmpfiles_t) @@ -36060,6 +36283,7 @@ index 0000000..35c1a7d + +mls_file_read_all_levels(systemd_tmpfiles_t) +mls_file_write_all_levels(systemd_tmpfiles_t) ++mls_file_upgrade(systemd_tmpfiles_t) + +selinux_get_enforce_mode(systemd_tmpfiles_t) + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index dd55837..41328d9 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 4b28ab3..cf64a9a 100644 +index 4b28ab3..6e8746f 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; @@ -1479,7 +1479,16 @@ index 4b28ab3..cf64a9a 100644 role aide_roles types aide_t; type aide_log_t; -@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file) +@@ -23,7 +24,7 @@ files_type(aide_db_t) + # Local policy + # + +-allow aide_t self:capability { dac_override fowner }; ++allow aide_t self:capability { dac_override fowner ipc_lock }; + + manage_files_pattern(aide_t, aide_db_t, aide_db_t) + +@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) files_read_all_symlinks(aide_t) @@ -1494,6 +1503,10 @@ index 4b28ab3..cf64a9a 100644 -userdom_use_user_terminals(aide_t) +userdom_use_inherited_user_terminals(aide_t) ++ ++optional_policy(` ++ prelink_domtrans(aide_t) ++') optional_policy(` seutil_use_newrole_fds(aide_t) @@ -4511,7 +4524,7 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..a434dfd 100644 +index 1a82e29..392480e 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -5199,7 +5212,7 @@ index 1a82e29..a434dfd 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5275,6 +5288,7 @@ index 1a82e29..a434dfd 100644 +corecmd_exec_shell(httpd_t) + +domain_use_interactive_fds(httpd_t) ++domain_dontaudit_read_all_domains_state(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) @@ -5427,7 +5441,7 @@ index 1a82e29..a434dfd 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5487,7 +5501,7 @@ index 1a82e29..a434dfd 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5572,7 +5586,7 @@ index 1a82e29..a434dfd 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +810,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5653,7 +5667,7 @@ index 1a82e29..a434dfd 100644 ') optional_policy(` -@@ -743,14 +862,6 @@ optional_policy(` +@@ -743,14 +863,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5668,7 +5682,7 @@ index 1a82e29..a434dfd 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +876,23 @@ optional_policy(` +@@ -765,6 +877,23 @@ optional_policy(` ') optional_policy(` @@ -5692,7 +5706,7 @@ index 1a82e29..a434dfd 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +909,42 @@ optional_policy(` +@@ -781,34 +910,42 @@ optional_policy(` ') optional_policy(` @@ -5746,7 +5760,7 @@ index 1a82e29..a434dfd 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +952,18 @@ optional_policy(` +@@ -816,8 +953,18 @@ optional_policy(` ') optional_policy(` @@ -5765,7 +5779,7 @@ index 1a82e29..a434dfd 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +972,7 @@ optional_policy(` +@@ -826,6 +973,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5773,7 +5787,7 @@ index 1a82e29..a434dfd 100644 ') optional_policy(` -@@ -836,20 +983,38 @@ optional_policy(` +@@ -836,20 +984,38 @@ optional_policy(` ') optional_policy(` @@ -5818,7 +5832,7 @@ index 1a82e29..a434dfd 100644 ') optional_policy(` -@@ -857,6 +1022,16 @@ optional_policy(` +@@ -857,6 +1023,16 @@ optional_policy(` ') optional_policy(` @@ -5835,7 +5849,7 @@ index 1a82e29..a434dfd 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,11 +1040,16 @@ optional_policy(` +@@ -865,11 +1041,16 @@ optional_policy(` ') optional_policy(` @@ -5852,7 +5866,7 @@ index 1a82e29..a434dfd 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1057,166 @@ optional_policy(` +@@ -877,65 +1058,165 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5891,7 +5905,6 @@ index 1a82e29..a434dfd 100644 + allow httpd_t self:process setexec; + + files_dontaudit_getattr_all_files(httpd_t) -+ domain_dontaudit_read_all_domains_state(httpd_t) + domain_getpgid_all_domains(httpd_t) +') + @@ -10891,7 +10904,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index 914ee2d..6567c77 100644 +index 914ee2d..770ae51 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) @@ -10904,7 +10917,7 @@ index 914ee2d..6567c77 100644 type chronyd_var_lib_t; files_type(chronyd_var_lib_t) -@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t) +@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t) # Local policy # @@ -10916,13 +10929,12 @@ index 914ee2d..6567c77 100644 +allow chronyd_t self:unix_dgram_socket create_socket_perms; allow chronyd_t self:fifo_file rw_fifo_file_perms; -+ +allow chronyd_t chronyd_keys_t:file append_file_perms; +allow chronyd_t chronyd_keys_t:file setattr_file_perms; allow chronyd_t chronyd_keys_t:file read_file_perms; manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t) -@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) +@@ -76,18 +83,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t) corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) @@ -11439,21 +11451,28 @@ index 29782b8..685edff 100644 ') diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..8a40857 +index 0000000..cc740da --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,22 @@ +@@ -0,0 +1,29 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + -+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) ++/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) ++/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) +/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) -+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) ++/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) + +/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0) + ++/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) ++ ++/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) ++ ++/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0) ++/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0) +/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) -+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) ++/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0) + +/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0) +/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0) @@ -11515,10 +11534,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..c158ef5 +index 0000000..a56e579 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,196 @@ +@@ -0,0 +1,296 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -11530,6 +11549,19 @@ index 0000000..c158ef5 +cloudform_domain_template(deltacloudd) +cloudform_domain_template(iwhd) +cloudform_domain_template(mongod) ++cloudform_domain_template(cloud_init) ++ ++type cloud_init_tmp_t; ++files_tmp_file(cloud_init_tmp_t) ++ ++type cloud_init_unit_file_t; ++systemd_unit_file(cloud_init_unit_file_t) ++ ++type cloud_var_lib_t; ++files_type(cloud_var_lib_t) ++ ++type cloud_log_t; ++logging_log_file(cloud_log_t) + +type deltacloudd_log_t; +logging_log_file(deltacloudd_log_t) @@ -11583,6 +11615,93 @@ index 0000000..c158ef5 + +miscfiles_read_certs(cloudform_domain) + ++################################# ++# ++# cloud-init local policy ++# ++ ++allow cloud_init_t self:capability { fowner chown fsetid dac_override }; ++ ++allow cloud_init_t self:udp_socket create_socket_perms; ++ ++manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t) ++manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t) ++files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir }) ++ ++manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) ++manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) ++manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t) ++ ++manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t) ++logging_log_filetrans(cloud_init_t, cloud_log_t, { file }) ++ ++kernel_read_network_state(cloud_init_t) ++ ++corenet_tcp_connect_http_port(cloud_init_t) ++ ++corecmd_exec_bin(cloud_init_t) ++corecmd_exec_shell(cloud_init_t) ++ ++fs_getattr_all_fs(cloud_init_t) ++ ++storage_raw_read_fixed_disk(cloud_init_t) ++ ++libs_exec_ldconfig(cloud_init_t) ++ ++logging_send_syslog_msg(cloud_init_t) ++ ++miscfiles_read_localization(cloud_init_t) ++ ++selinux_validate_context(cloud_init_t) ++ ++systemd_dbus_chat_hostnamed(cloud_init_t) ++systemd_exec_systemctl(cloud_init_t) ++systemd_start_all_services(cloud_init_t) ++ ++usermanage_domtrans_passwd(cloud_init_t) ++ ++optional_policy(` ++ dbus_system_bus_client(cloud_init_t) ++') ++ ++optional_policy(` ++ dmidecode_domtrans(cloud_init_t) ++') ++ ++optional_policy(` ++ fstools_domtrans(cloud_init_t) ++') ++ ++optional_policy(` ++ hostname_exec(cloud_init_t) ++') ++ ++optional_policy(` ++ mount_domtrans(cloud_init_t) ++') ++ ++optional_policy(` ++ # it check file context and run restorecon ++ seutil_read_file_contexts(cloud_init_t) ++ seutil_domtrans_setfiles(cloud_init_t) ++') ++ ++optional_policy(` ++ ssh_exec_keygen(cloud_init_t) ++ ssh_read_user_home_files(cloud_init_t) ++') ++ ++optional_policy(` ++ sysnet_domtrans_ifconfig(cloud_init_t) ++ sysnet_read_dhcpc_state(cloud_init_t) ++ sysnet_dns_name_resolve(cloud_init_t) ++') ++ ++optional_policy(` ++ unconfined_domain(cloud_init_t) ++') ++ ++ +######################################## +# +# deltacloudd local policy @@ -12252,7 +12371,7 @@ index 8e27a37..825f537 100644 + ps_process_pattern($1, colord_t) +') diff --git a/colord.te b/colord.te -index 09f18e2..9d70983 100644 +index 09f18e2..3547d05 100644 --- a/colord.te +++ b/colord.te @@ -8,6 +8,7 @@ policy_module(colord, 1.0.2) @@ -12315,7 +12434,7 @@ index 09f18e2..9d70983 100644 storage_getattr_fixed_disk_dev(colord_t) storage_getattr_removable_dev(colord_t) -@@ -98,25 +104,28 @@ storage_write_scsi_generic(colord_t) +@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t) auth_use_nsswitch(colord_t) @@ -12337,6 +12456,7 @@ index 09f18e2..9d70983 100644 -') +userdom_rw_user_tmpfs_files(colord_t) +userdom_home_reader(colord_t) ++userdom_list_user_home_content(colord_t) +userdom_read_inherited_user_home_content_files(colord_t) optional_policy(` @@ -12354,7 +12474,7 @@ index 09f18e2..9d70983 100644 ') optional_policy(` -@@ -133,3 +142,16 @@ optional_policy(` +@@ -133,3 +143,16 @@ optional_policy(` optional_policy(` udev_read_db(colord_t) ') @@ -16587,7 +16707,7 @@ index 06da9a0..6d69a2f 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..c7268a7 100644 +index 9f34c2e..ab0eee9 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16729,7 +16849,7 @@ index 9f34c2e..c7268a7 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -16737,7 +16857,13 @@ index 9f34c2e..c7268a7 100644 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) + filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file) + files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file }) ++cups_filetrans_named_content(cupsd_t) + + allow cupsd_t cupsd_exec_t:dir search_dir_perms; + allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; +@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) @@ -16765,7 +16891,7 @@ index 9f34c2e..c7268a7 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -16777,7 +16903,7 @@ index 9f34c2e..c7268a7 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -16802,7 +16928,7 @@ index 9f34c2e..c7268a7 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -16810,7 +16936,7 @@ index 9f34c2e..c7268a7 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -16830,7 +16956,7 @@ index 9f34c2e..c7268a7 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -16839,7 +16965,7 @@ index 9f34c2e..c7268a7 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -16865,7 +16991,7 @@ index 9f34c2e..c7268a7 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +309,8 @@ optional_policy(` +@@ -275,6 +310,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -16874,7 +17000,7 @@ index 9f34c2e..c7268a7 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +321,10 @@ optional_policy(` +@@ -285,8 +322,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16885,7 +17011,7 @@ index 9f34c2e..c7268a7 100644 ') ') -@@ -299,8 +337,8 @@ optional_policy(` +@@ -299,8 +338,8 @@ optional_policy(` ') optional_policy(` @@ -16895,7 +17021,7 @@ index 9f34c2e..c7268a7 100644 ') optional_policy(` -@@ -309,7 +347,6 @@ optional_policy(` +@@ -309,7 +348,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -16903,7 +17029,7 @@ index 9f34c2e..c7268a7 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +374,11 @@ optional_policy(` +@@ -337,7 +375,11 @@ optional_policy(` ') optional_policy(` @@ -16916,7 +17042,7 @@ index 9f34c2e..c7268a7 100644 ') ######################################## -@@ -345,12 +386,11 @@ optional_policy(` +@@ -345,12 +387,11 @@ optional_policy(` # Configuration daemon local policy # @@ -16932,7 +17058,7 @@ index 9f34c2e..c7268a7 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16953,7 +17079,7 @@ index 9f34c2e..c7268a7 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -16974,7 +17100,7 @@ index 9f34c2e..c7268a7 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16986,7 +17112,7 @@ index 9f34c2e..c7268a7 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +477,12 @@ optional_policy(` +@@ -452,9 +478,12 @@ optional_policy(` ') optional_policy(` @@ -17000,7 +17126,7 @@ index 9f34c2e..c7268a7 100644 ') optional_policy(` -@@ -490,10 +518,6 @@ optional_policy(` +@@ -490,10 +519,6 @@ optional_policy(` # Lpd local policy # @@ -17011,7 +17137,7 @@ index 9f34c2e..c7268a7 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -17044,7 +17170,7 @@ index 9f34c2e..c7268a7 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +561,6 @@ optional_policy(` +@@ -546,7 +562,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -17052,7 +17178,7 @@ index 9f34c2e..c7268a7 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -17204,7 +17330,7 @@ index 9f34c2e..c7268a7 100644 ######################################## # -@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -17212,7 +17338,7 @@ index 9f34c2e..c7268a7 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -17226,7 +17352,7 @@ index 9f34c2e..c7268a7 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -17235,7 +17361,7 @@ index 9f34c2e..c7268a7 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +653,4 @@ optional_policy(` +@@ -769,3 +654,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -38237,7 +38363,7 @@ index 6194b80..af1201e 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..550e8d7 100644 +index 6a306ee..0a31eec 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -38681,7 +38807,7 @@ index 6a306ee..550e8d7 100644 ') optional_policy(` -@@ -300,221 +324,179 @@ optional_policy(` +@@ -300,221 +324,180 @@ optional_policy(` ######################################## # @@ -38888,6 +39014,7 @@ index 6a306ee..550e8d7 100644 -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) +dev_rwx_zero(mozilla_plugin_t) ++dev_dontaudit_read_mtrr(mozilla_plugin_t) +dev_dontaudit_rw_dri(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) @@ -39001,7 +39128,7 @@ index 6a306ee..550e8d7 100644 ') optional_policy(` -@@ -523,36 +505,48 @@ optional_policy(` +@@ -523,36 +506,48 @@ optional_policy(` ') optional_policy(` @@ -39063,7 +39190,7 @@ index 6a306ee..550e8d7 100644 ') optional_policy(` -@@ -560,7 +554,7 @@ optional_policy(` +@@ -560,7 +555,7 @@ optional_policy(` ') optional_policy(` @@ -39072,7 +39199,7 @@ index 6a306ee..550e8d7 100644 ') optional_policy(` -@@ -568,108 +562,118 @@ optional_policy(` +@@ -568,108 +563,118 @@ optional_policy(` ') optional_policy(` @@ -42420,7 +42547,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..dfa6623 100644 +index 9f6179e..2b85b52 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -42578,7 +42705,18 @@ index 9f6179e..dfa6623 100644 ') optional_policy(` -@@ -153,29 +154,22 @@ optional_policy(` +@@ -144,6 +145,10 @@ optional_policy(` + ') + + optional_policy(` ++ openshift_search_lib(mysqld_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(mysqld_t) + ') + +@@ -153,29 +158,22 @@ optional_policy(` ####################################### # @@ -42613,7 +42751,7 @@ index 9f6179e..dfa6623 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +181,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +185,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -42629,10 +42767,10 @@ index 9f6179e..dfa6623 100644 -miscfiles_read_localization(mysqld_safe_t) +auth_read_passwd(mysqld_safe_t) ++ ++domain_dontaudit_signull_all_domains(mysqld_safe_t) -userdom_search_user_home_dirs(mysqld_safe_t) -+domain_dontaudit_signull_all_domains(mysqld_safe_t) -+ +mysql_manage_db_files(mysqld_safe_t) +mysql_read_config(mysqld_safe_t) +mysql_search_pid_files(mysqld_safe_t) @@ -42641,7 +42779,7 @@ index 9f6179e..dfa6623 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +203,7 @@ optional_policy(` +@@ -205,7 +207,7 @@ optional_policy(` ######################################## # @@ -42650,7 +42788,7 @@ index 9f6179e..dfa6623 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +212,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +216,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -42668,7 +42806,7 @@ index 9f6179e..dfa6623 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +225,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +229,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -42699,9 +42837,9 @@ index 9f6179e..dfa6623 100644 -files_read_usr_files(mysqlmanagerd_t) -files_search_pids(mysqlmanagerd_t) -files_search_var_lib(mysqlmanagerd_t) - +- -miscfiles_read_localization(mysqlmanagerd_t) - +- -userdom_search_user_home_dirs(mysqlmanagerd_t) +userdom_getattr_user_home_dirs(mysqlmanagerd_t) diff --git a/mythtv.fc b/mythtv.fc @@ -49852,10 +49990,10 @@ index 0000000..bddd4b3 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..d94eda8 +index 0000000..877c71a --- /dev/null +++ b/openshift.te -@@ -0,0 +1,545 @@ +@@ -0,0 +1,546 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -50325,6 +50463,7 @@ index 0000000..d94eda8 + +allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms; +manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t) ++allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms; + +######################################## +# @@ -69325,7 +69464,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..ede6c81 100644 +index e5212e6..74f3e1b 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -69514,24 +69653,24 @@ index e5212e6..ede6c81 100644 optional_policy(` - nis_read_ypserv_config(rpcd_t) + domain_unconfined_signal(rpcd_t) -+') -+ -+optional_policy(` -+ quota_manage_db(rpcd_t) ') optional_policy(` - quota_manage_db_files(rpcd_t) -+ nis_read_ypserv_config(rpcd_t) ++ quota_manage_db(rpcd_t) ') optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -+ quota_read_db(rpcd_t) ++ nis_read_ypserv_config(rpcd_t) ') optional_policy(` - unconfined_signal(rpcd_t) ++ quota_read_db(rpcd_t) ++') ++ ++optional_policy(` + rhcs_manage_cluster_tmp_files(rpcd_t) ') @@ -69663,13 +69802,17 @@ index e5212e6..ede6c81 100644 ') optional_policy(` -@@ -306,8 +270,7 @@ optional_policy(` +@@ -306,8 +270,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) - kerberos_manage_host_rcache(gssd_t) - kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") ++') ++ ++optional_policy(` ++ gssproxy_stream_connect(gssd_t) ') optional_policy(` @@ -78547,7 +78690,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..24fe118 100644 +index 81864ce..4b6b771 100644 --- a/snmp.te +++ b/snmp.te @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) @@ -78617,11 +78760,15 @@ index 81864ce..24fe118 100644 seutil_dontaudit_search_config(snmpd_t) -@@ -131,7 +133,7 @@ optional_policy(` +@@ -131,7 +133,11 @@ optional_policy(` ') optional_policy(` - corosync_stream_connect(snmpd_t) ++ fstools_domtrans(snmpd_t) ++') ++ ++optional_policy(` + rhcs_stream_connect_cluster(snmpd_t) ') @@ -86439,7 +86586,7 @@ index 31c752e..ef52235 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 77be35a..4abe2aa 100644 +index 77be35a..0e9a7d1 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) @@ -86450,21 +86597,27 @@ index 77be35a..4abe2aa 100644 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; -@@ -43,13 +44,15 @@ dev_rw_input_dev(vdagent_t) +@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) + setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) + logging_log_filetrans(vdagent_t, vdagent_log_t, file) + ++kernel_request_load_module(vdagent_t) ++ + dev_rw_input_dev(vdagent_t) dev_read_sysfs(vdagent_t) dev_dontaudit_write_mtrr(vdagent_t) -files_read_etc_files(vdagent_t) - +- init_read_state(vdagent_t) -logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) ++ ++term_use_virtio_console(vdagent_t) -miscfiles_read_localization(vdagent_t) -+term_use_virtio_console(vdagent_t) -+ +logging_send_syslog_msg(vdagent_t) userdom_read_all_users_state(vdagent_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index cc7fb92..a2c9477 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 52%{?dist} +Release: 53%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -97,6 +97,7 @@ SELinux policy development and man page package %post devel selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null +exit 0 %package doc Summary: SELinux policy documentation @@ -534,6 +535,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 18 2013 Miroslav Grepl 3.12.1-53 +- Make vdagent able to request loading kernel module +- Add support for cloud-init make it as unconfined domain +- Allow snmpd to run smartctl in fsadm_t domain +- remove duplicate openshift_search_lib() interface +- Allow mysqld to search openshift lib files +- Allow openshift cgroup to interact with passedin file descriptors +- Allow colord to list directories inthe users homedir +- aide executes prelink to check files +- Make sure cupsd_t creates content in /etc/cups with the correct label +- Lest dontaudit apache read all domains, so passenger will not cause this avc +- Allow gssd to connect to gssproxy +- systemd-tmpfiles needs to be able to raise the level to fix labeling on /run/setrans in MLS +- Allow systemd-tmpfiles to relabel also lock files +- Allow useradd to add homdir in /var/lib/openshift +- Allow setfiles and semanage to write output to /run/files + * Fri Jun 14 2013 Miroslav Grepl 3.12.1-52 - Add labeling for /dev/tgt - Dontaudit leak fd from firewalld for modprobe @@ -726,7 +744,7 @@ SELinux Reference policy mls base module. - Allow certwatch to read net_config_t when it executes apache - Allow readahead to create /run/systemd and then create its own directory with the correct label -* Fri May 10 2013 Miroslav Grepl 3.12.1-43 +* Mon May 13 2013 Miroslav Grepl 3.12.1-43 - Transition directories and files when in a user_tmp_t directory - Change certwatch to domtrans to apache instead of just execute - Allow virsh_t to read xen lib files