From 9238df00c51dd5c6b9c5b5927621a0f47a137a3e Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Nov 12 2010 12:47:15 +0000 Subject: - Turn on mediawiki policy - kdump leaks kdump_etc_t to ifconfig, add dontaudit - uux needs to transition to uucpd_t - More init fixes relabels man,faillog - Remove maxima defs in libraries.fc - insmod needs to be able to create tmpfs_t files - ping needs setcap --- diff --git a/modules-targeted.conf b/modules-targeted.conf index ec4d9b5..eb35a96 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2291,3 +2291,11 @@ pingd = module # # milter = module + +# Layer: apps +# Module: mediawiki +# +# mediawiki is the software used for Wikipedia and the other Wikimedia +# Foundation websites. +# +mediawiki = module diff --git a/policy-F15.patch b/policy-F15.patch index f8f4f66..f183fb0 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -371,6 +371,35 @@ index 66e486e..bfda8e9 100644 gnome_manage_config(firstboot_t) ') +diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if +index 4198ff5..df3f4d6 100644 +--- a/policy/modules/admin/kdump.if ++++ b/policy/modules/admin/kdump.if +@@ -56,6 +56,24 @@ interface(`kdump_read_config',` + allow $1 kdump_etc_t:file read_file_perms; + ') + ++##################################### ++## ++## Dontaudit read kdump configuration file. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kdump_dontaudit_read_config',` ++ gen_require(` ++ type kdump_etc_t; ++ ') ++ ++ dontaudit $1 kdump_etc_t:file read_inherited_file_perms; ++') ++ + #################################### + ## + ## Manage kdump configuration file. diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 7390b15..a46b249 100644 --- a/policy/modules/admin/logrotate.te @@ -662,7 +691,7 @@ index 0000000..eef0c87 + netutils_domtrans(ncftool_t) +') 
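Review bot: The summary of the new `kdump_dontaudit_read_config` interface says "Dontaudit read kdump configuration file", but the rule only dontaudits `read_inherited_file_perms`, so an `open` denial on kdump_etc_t would still be audited; a caller reading the summary could expect a full read dontaudit. Since the commit message ties this to a descriptor leaked into ifconfig, the summary should say so, e.g. `## Do not audit attempts to read a kdump configuration file inherited through a leaked file descriptor.` The hunk is the only place this interface is visible; its caller in netutils.te is outside the hunk.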
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index 6a53a18..202c770 100644 +index 6a53a18..1bc14ea 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) @@ -684,7 +713,16 @@ index 6a53a18..202c770 100644 fs_getattr_xattr_fs(netutils_t) -@@ -134,8 +139,6 @@ logging_send_syslog_msg(ping_t) +@@ -104,6 +109,8 @@ optional_policy(` + # + + allow ping_t self:capability { setuid net_raw }; ++allow ping_t self:process setcap; ++ + dontaudit ping_t self:capability sys_tty_config; + allow ping_t self:tcp_socket create_socket_perms; + allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; +@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) @@ -693,7 +731,7 @@ index 6a53a18..202c770 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -145,11 +148,25 @@ ifdef(`hide_broken_symptoms',` +@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',` ') ') @@ -719,7 +757,7 @@ index 6a53a18..202c770 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -194,6 +211,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -194,6 +213,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) @@ -727,7 +765,7 @@ index 6a53a18..202c770 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -204,9 +222,16 @@ logging_send_syslog_msg(traceroute_t) +@@ -204,9 +224,16 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) @@ -5890,10 +5928,10 @@ index 0000000..9783c8f +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..8211b91 +index 0000000..aa1d56d --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,431 @@ +@@ -0,0 +1,430 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
@@ -5999,7 +6037,6 @@ index 0000000..8211b91 +# sandbox local policy +# + -+## internal communication is often done using fifo and unix sockets. +allow sandbox_domain self:fifo_file manage_file_perms; +allow sandbox_domain self:sem create_sem_perms; +allow sandbox_domain self:shm create_shm_perms; @@ -8278,7 +8315,7 @@ index 3517db2..4dd4bef 100644 + +/usr/lib/debug <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..9b828ee 100644 +index 5302dac..2c77493 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -8656,7 +8693,7 @@ index 5302dac..9b828ee 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -3950,6 +4233,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -3950,6 +4233,84 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## 
@@ -8696,10 +8733,52 @@ index 5302dac..9b828ee 100644 + +######################################## +## ++## Relabel all tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabelto_all_tmp_files',` ++ gen_require(` ++ attribute tmpfile; ++ type var_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ relabelto_dirs_pattern($1, tmpfile, tmpfile) ++') ++ ++######################################## ++## ++## Relabel all tmp dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabelto_all_tmp_dirs',` ++ gen_require(` ++ attribute tmpfile; ++ type var_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ relabelto_dirs_pattern($1, tmpfile, tmpfile) ++') ++ ++######################################## ++## ## Set the attributes of all tmp directories. ## ## -@@ -4109,6 +4428,13 @@ interface(`files_purge_tmp',` +@@ -4109,6 +4470,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
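Review bot: `files_relabelto_all_tmp_files` calls `relabelto_dirs_pattern($1, tmpfile, tmpfile)`, which makes it byte-identical to `files_relabelto_all_tmp_dirs` directly below it and grants no relabelto on tmp files at all, contrary to its summary "Relabel all tmp files." It should use the file pattern: `relabelto_files_pattern($1, tmpfile, tmpfile)`. The only visible caller is the init.te hunk further down, where `files_relabelto_all_tmp_files(init_t)` is added next to the dirs variant, so as written init_t presumably gets the dir permission twice and the file permission never. The two summaries could also be sharpened to "Relabel to all tmp file types" / "Relabel to all tmp directory types" to match the relabelto-only semantics.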
@@ -8713,32 +8792,79 @@ index 5302dac..9b828ee 100644 ') ######################################## -@@ -4718,6 +5044,24 @@ interface(`files_read_var_files',` +@@ -4718,7 +5086,7 @@ interface(`files_read_var_files',` ######################################## ## +-## Read and write files in the /var directory. +## Append files in the /var directory. + ## + ## + ## +@@ -4726,36 +5094,54 @@ interface(`files_read_var_files',` + ## + ## + # +-interface(`files_rw_var_files',` ++interface(`files_append_var_files',` + gen_require(` + type var_t; + ') + +- rw_files_pattern($1, var_t, var_t) ++ append_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Do not audit attempts to read and write +-## files in the /var directory. ++## Read and write files in the /var directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_rw_var_files',` ++interface(`files_rw_var_files',` + gen_require(` + type var_t; + ') + +- dontaudit $1 var_t:file rw_file_perms; ++ rw_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create, read, write, and delete files in the /var directory. ++## Do not audit attempts to read and write ++## files in the /var directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_append_var_files',` ++interface(`files_dontaudit_rw_var_files',` + gen_require(` + type var_t; + ') + -+ append_files_pattern($1, var_t, var_t) ++ dontaudit $1 var_t:file rw_file_perms; +') + +######################################## +## - ## Read and write files in the /var directory. ++## Create, read, write, and delete files in the /var directory. ## ## -@@ -5053,6 +5397,24 @@ interface(`files_manage_mounttab',` + ## +@@ -5053,6 +5439,24 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -8763,7 +8889,7 @@ index 5302dac..9b828ee 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5138,12 +5500,12 @@ interface(`files_getattr_generic_locks',` +@@ -5138,12 +5542,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -8780,85 +8906,35 @@ index 5302dac..9b828ee 100644 ') ######################################## -@@ -5189,29 +5551,28 @@ interface(`files_delete_all_locks',` +@@ -5189,6 +5593,27 @@ interface(`files_delete_all_locks',` ######################################## ## --## Read all lock files. +## Relabel all lock files. - ## - ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`files_read_all_locks',` -+interface(`files_relabel_all_lock_dirs',` - gen_require(` - attribute lockfile; -- type var_t, var_lock_t; -+ type var_t; - ') - -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -- allow $1 lockfile:dir list_dir_perms; -- read_files_pattern($1, lockfile, lockfile) -- read_lnk_files_pattern($1, lockfile, lockfile) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, lockfile, lockfile) - ') - - ######################################## - ## --## manage all lock files. -+## Read all lock files. - ## - ## - ## -@@ -5219,15 +5580,37 @@ interface(`files_read_all_locks',` - ## - ## - # --interface(`files_manage_all_locks',` -+interface(`files_read_all_locks',` - gen_require(` - attribute lockfile; - type var_t, var_lock_t; - ') - - allow $1 { var_t var_lock_t }:dir search_dir_perms; -- manage_dirs_pattern($1, lockfile, lockfile) -- manage_files_pattern($1, lockfile, lockfile) -+ allow $1 lockfile:dir list_dir_perms; -+ read_files_pattern($1, lockfile, lockfile) -+ read_lnk_files_pattern($1, lockfile, lockfile) -+') -+ -+######################################## -+## -+## manage all lock files. +## +## +## +## Domain allowed access. 
+## +## ++## +# -+interface(`files_manage_all_locks',` ++interface(`files_relabel_all_lock_dirs',` + gen_require(` + attribute lockfile; -+ type var_t, var_lock_t; ++ type var_t; + ') + -+ allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ manage_dirs_pattern($1, lockfile, lockfile) -+ manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) - ') - -@@ -5317,6 +5700,43 @@ interface(`files_search_pids',` ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## + ## Read all lock files. + ## + ## +@@ -5317,6 +5742,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -8902,7 +8978,7 @@ index 5302dac..9b828ee 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5944,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5524,6 +5986,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -8965,7 +9041,7 @@ index 5302dac..9b828ee 100644 ## Read all process ID files. ## ## -@@ -5541,6 +6017,44 @@ interface(`files_read_all_pids',` +@@ -5541,6 +6059,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -9010,7 +9086,7 @@ index 5302dac..9b828ee 100644 ') ######################################## -@@ -5826,3 +6340,247 @@ interface(`files_unconfined',` +@@ -5826,3 +6382,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -9315,7 +9391,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 437a42a..b9e3aa9 100644 +index 437a42a..725b363 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -9645,7 +9721,33 @@ index 437a42a..b9e3aa9 100644 ## Read removable storage symbolic links. ## ## -@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2653,6 +2829,25 @@ interface(`fs_read_removable_symlinks',` + read_lnk_files_pattern($1, removable_t, removable_t) + ') + ++###################################### ++## ++## Read block nodes on removable filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_removable_blk_files',` ++ gen_require(` ++ type removable_t; ++ ') ++ ++ allow $1 removable_t:dir list_dir_perms; ++ read_blk_files_pattern($1, removable_t, removable_t) ++') ++ + ######################################## + ## + ## Read and write block nodes on removable filesystems. +@@ -2779,6 +2974,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -9653,7 +9755,7 @@ index 437a42a..b9e3aa9 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3015,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -9661,7 +9763,7 @@ index 437a42a..b9e3aa9 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3042,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -9670,7 +9772,7 @@ index 437a42a..b9e3aa9 100644 ## ## ## -@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3056,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -9678,7 +9780,7 @@ index 437a42a..b9e3aa9 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3970,6 +4168,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## 
@@ -9721,7 +9823,7 @@ index 437a42a..b9e3aa9 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',` +@@ -4252,6 +4486,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -9730,7 +9832,7 @@ index 437a42a..b9e3aa9 100644 ') ######################################## -@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',` +@@ -4662,3 +4898,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -32441,7 +32543,7 @@ index f1aea88..c3ffa9d 100644 init_labeled_script_domtrans($1, saslauthd_initrc_exec_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index 22184ad..87810ec 100644 +index 22184ad..687f9ae 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr; @@ -32463,6 +32565,14 @@ index 22184ad..87810ec 100644 corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) corenet_tcp_sendrecv_generic_if(saslauthd_t) +@@ -94,6 +98,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` + + optional_policy(` + kerberos_keytab_template(saslauthd, saslauthd_t) ++ kerberos_manage_host_rcache(saslauthd_t) + ') + + optional_policy(` diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc index a86ec50..ef4199b 100644 --- a/policy/modules/services/sendmail.fc @@ -35207,7 +35317,7 @@ index a4fbe31..a717e2d 100644 logging_list_logs($1) diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te -index b775aaf..1e40c2a 100644 +index b775aaf..7718dbb 100644 --- a/policy/modules/services/uucp.te +++ b/policy/modules/services/uucp.te @@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0) @@ -35226,7 +35336,7 @@ index b775aaf..1e40c2a 100644 dev_read_urand(uucpd_t) -@@ -113,13 +113,17 @@ optional_policy(` +@@ -113,13 +113,19 @@ optional_policy(` kerberos_use(uucpd_t) ') 
@@ -35242,6 +35352,8 @@ index b775aaf..1e40c2a 100644 allow uux_t self:capability { setuid setgid }; -allow uux_t self:fifo_file write_file_perms; +allow uux_t self:fifo_file write_fifo_file_perms; ++ ++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t) uucp_append_log(uux_t) uucp_manage_spool(uux_t) @@ -39362,7 +39474,7 @@ index 88df85d..2fa3974 100644 ssh_sigchld(application_domain_type) ssh_rw_stream_sockets(application_domain_type) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 1c4b1e7..8d326d4 100644 +index 1c4b1e7..ffa4134 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -10,6 +10,7 @@ @@ -39373,7 +39485,7 @@ index 1c4b1e7..8d326d4 100644 /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ifdef(`distro_suse', ` -@@ -27,12 +28,14 @@ ifdef(`distro_gentoo', ` +@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', ` /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) 
@@ -39381,15 +39493,16 @@ index 1c4b1e7..8d326d4 100644 /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) - /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) - /var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) -+/var/log/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) - /var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0) - /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) - /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0) +@@ -39,6 +41,7 @@ ifdef(`distro_gentoo', ` + /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0) + + /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) ++/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index bea0ade..6f47773 100644 +index bea0ade..f459bae 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
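Review bot: `/var/run/faillock(/.*)?` is labeled `pam_var_run_t`, whereas the revision this hunk replaces labeled faillock data `faillog_t` (the removed `/var/log/faillock` line). pam_faillock's per-user failed-login tallies drive account lockout, so with this label the lockout state is presumably writable by every domain granted pam_var_run_t access rather than by the narrower set that receives faillog_t permissions through `auth_rw_faillog`/`auth_manage_faillog`. If only the path move to /var/run is intended, keeping the tally label would be `/var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)`; if pam_var_run_t is deliberate, a short comment above the line explaining why faillock differs from tallylog/faillog would help the next reader. Whether the PAM domains already hold the matching permission cannot be confirmed from this hunk.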
@@ -39540,12 +39653,30 @@ index bea0ade..6f47773 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -736,6 +788,25 @@ interface(`auth_rw_faillog',` +@@ -736,6 +788,43 @@ interface(`auth_rw_faillog',` allow $1 faillog_t:file rw_file_perms; ') +######################################## +## ++## Relabel the login failure log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_relabel_faillog',` ++ gen_require(` ++ type faillog_t; ++ ') ++ ++ allow $1 faillog_t:file relabel_file_perms; ++') ++ ++######################################## ++## +## Manage the login failure log. +## +## @@ -39566,7 +39697,7 @@ index bea0ade..6f47773 100644 ####################################### ## ## Read the last logins log. -@@ -874,6 +945,26 @@ interface(`auth_exec_pam',` +@@ -874,6 +963,26 @@ interface(`auth_exec_pam',` ######################################## ## @@ -39593,7 +39724,7 @@ index bea0ade..6f47773 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -896,6 +987,26 @@ interface(`auth_manage_var_auth',` +@@ -896,6 +1005,26 @@ interface(`auth_manage_var_auth',` ######################################## ## @@ -39620,7 +39751,33 @@ index bea0ade..6f47773 100644 ## Read PAM PID files. ## ## -@@ -1500,6 +1611,8 @@ interface(`auth_manage_login_records',` +@@ -1326,6 +1455,25 @@ interface(`auth_setattr_login_records',` + + ######################################## + ## ++## Relabel login record files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_relabel_login_records',` ++ gen_require(` ++ type wtmp_t; ++ ') ++ ++ allow $1 wtmp_t:file relabel_file_perms; ++') ++ ++ ++######################################## ++## + ## Read login records files (/var/log/wtmp). + ## + ## +@@ -1500,6 +1648,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` 
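Review bot: In the `@@ -1326,6 +1455,25 @@` hunk, `auth_relabel_login_records` is followed by two blank lines (`++') ++ ++####…`) before the next interface banner, while every other interface in this file is separated by a single blank line; drop one of them. Otherwise the new `auth_relabel_faillog` and `auth_relabel_login_records` interfaces match the existing `auth_rw_faillog`/`auth_setattr_login_records` shape, and both correctly require only the single type they relabel.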
@@ -39629,7 +39786,7 @@ index bea0ade..6f47773 100644 files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1644,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1681,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -39867,7 +40024,7 @@ index a97a096..dd65c15 100644 /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index a442acc..7cb7582 100644 +index a442acc..e159f32 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -39888,7 +40045,15 @@ index a442acc..7cb7582 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -147,7 +151,7 @@ modutils_read_module_deps(fsadm_t) +@@ -130,6 +134,7 @@ storage_raw_write_fixed_disk(fsadm_t) + storage_raw_read_removable_device(fsadm_t) + storage_raw_write_removable_device(fsadm_t) + storage_read_scsi_generic(fsadm_t) ++storage_rw_fuse(fsadm_t) + storage_swapon_fixed_disk(fsadm_t) + + term_use_console(fsadm_t) +@@ -147,7 +152,7 @@ modutils_read_module_deps(fsadm_t) seutil_read_config(fsadm_t) @@ -39897,7 +40062,7 @@ index a442acc..7cb7582 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +170,14 @@ optional_policy(` +@@ -166,6 +171,14 @@ optional_policy(` ') optional_policy(` @@ -39912,7 +40077,7 @@ index a442acc..7cb7582 100644 nis_use_ypbind(fsadm_t) ') -@@ -175,6 +187,10 @@ optional_policy(` +@@ -175,6 +188,10 @@ optional_policy(` ') optional_policy(` @@ -40395,7 +40560,7 @@ index df3fa64..73dc579 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8a105fd..8a59b8e 100644 +index 8a105fd..eb0cec2 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` 
@@ -40525,7 +40690,7 @@ index 8a105fd..8a59b8e 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +221,107 @@ tunable_policy(`init_upstart',` +@@ -186,12 +221,113 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -40583,6 +40748,8 @@ index 8a105fd..8a59b8e 100644 + + storage_getattr_removable_dev(init_t) + ++ auth_relabel_login_records(init_t) ++ + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) @@ -40599,8 +40766,11 @@ index 8a105fd..8a59b8e 100644 + files_manage_generic_tmp_dirs(init_t) + files_relabelfrom_tmp_dirs(init_t) + files_relabelfrom_tmp_files(init_t) ++ files_relabelto_all_tmp_dirs(init_t) ++ files_relabelto_all_tmp_files(init_t) + -+ auth_manage_faillog(initrc_t) ++ auth_manage_faillog(init_t) ++ auth_relabel_faillog(init_t) + auth_manage_var_auth(init_t) + auth_relabel_var_auth_dirs(init_t) + auth_setattr_login_records(init_t) @@ -40608,6 +40778,7 @@ index 8a105fd..8a59b8e 100644 + logging_create_devlog_dev(init_t) + + miscfiles_delete_man_pages(init_t) ++ miscfiles_relabel_man_pages(init_t) +') + optional_policy(` @@ -40633,7 +40804,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -199,10 +329,24 @@ optional_policy(` +@@ -199,10 +335,24 @@ optional_policy(` ') optional_policy(` @@ -40658,7 +40829,7 @@ index 8a105fd..8a59b8e 100644 unconfined_domain(init_t) ') -@@ -212,7 +356,7 @@ optional_policy(` +@@ -212,7 +362,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -40667,7 +40838,7 @@ index 8a105fd..8a59b8e 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +385,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +391,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -40682,7 +40853,7 @@ index 8a105fd..8a59b8e 100644 init_write_initctl(initrc_t) -@@ -258,11 +404,23 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,11 +410,23 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -40706,7 +40877,7 @@ index 8a105fd..8a59b8e 100644 corecmd_exec_all_executables(initrc_t) -@@ -291,6 +449,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +455,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -40714,7 +40885,7 @@ index 8a105fd..8a59b8e 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +457,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +463,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -40730,7 +40901,7 @@ index 8a105fd..8a59b8e 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -323,8 +482,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +488,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -40742,7 +40913,7 @@ index 8a105fd..8a59b8e 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +501,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +507,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -40756,7 +40927,7 @@ index 8a105fd..8a59b8e 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +516,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +522,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -40765,7 +40936,7 @@ index 8a105fd..8a59b8e 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +530,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +536,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -40773,7 +40944,7 @@ index 8a105fd..8a59b8e 100644 selinux_get_enforce_mode(initrc_t) -@@ -394,13 +562,14 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +568,14 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -40789,7 +40960,7 @@ index 8a105fd..8a59b8e 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -473,7 +642,7 @@ ifdef(`distro_redhat',` +@@ -473,7 +648,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -40798,7 +40969,7 @@ index 8a105fd..8a59b8e 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -519,6 +688,23 @@ ifdef(`distro_redhat',` +@@ -519,6 +694,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -40822,7 +40993,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -526,10 +712,17 @@ ifdef(`distro_redhat',` +@@ -526,10 +718,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -40840,7 +41011,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -544,6 +737,35 @@ ifdef(`distro_suse',` +@@ -544,6 +743,35 @@ ifdef(`distro_suse',` ') ') @@ -40876,7 +41047,7 @@ index 8a105fd..8a59b8e 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -556,6 +778,8 @@ optional_policy(` +@@ -556,6 +784,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -40885,7 +41056,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -572,6 +796,7 @@ optional_policy(` +@@ -572,6 +802,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -40893,7 +41064,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -584,6 +809,11 @@ optional_policy(` +@@ -584,6 +815,11 @@ optional_policy(` ') optional_policy(` @@ -40905,7 +41076,7 @@ index 8a105fd..8a59b8e 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -600,9 +830,13 @@ optional_policy(` +@@ -600,9 +836,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -40919,7 +41090,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -701,7 +935,13 @@ optional_policy(` +@@ -701,7 +941,13 @@ optional_policy(` ') optional_policy(` 
@@ -40933,7 +41104,7 @@ index 8a105fd..8a59b8e 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +964,10 @@ optional_policy(` +@@ -724,6 +970,10 @@ optional_policy(` ') optional_policy(` @@ -40944,7 +41115,7 @@ index 8a105fd..8a59b8e 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -737,6 +981,10 @@ optional_policy(` +@@ -737,6 +987,10 @@ optional_policy(` ') optional_policy(` @@ -40955,7 +41126,7 @@ index 8a105fd..8a59b8e 100644 quota_manage_flags(initrc_t) ') -@@ -745,6 +993,10 @@ optional_policy(` +@@ -745,6 +999,10 @@ optional_policy(` ') optional_policy(` @@ -40966,7 +41137,7 @@ index 8a105fd..8a59b8e 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +1018,6 @@ optional_policy(` +@@ -766,8 +1024,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -40975,7 +41146,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -776,14 +1026,21 @@ optional_policy(` +@@ -776,14 +1032,21 @@ optional_policy(` ') optional_policy(` @@ -40997,7 +41168,7 @@ index 8a105fd..8a59b8e 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1062,19 @@ optional_policy(` +@@ -805,11 +1068,19 @@ optional_policy(` ') optional_policy(` @@ -41018,7 +41189,7 @@ index 8a105fd..8a59b8e 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1084,25 @@ optional_policy(` +@@ -819,6 +1090,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -41044,7 +41215,7 @@ index 8a105fd..8a59b8e 100644 ') optional_policy(` -@@ -844,3 +1128,59 @@ optional_policy(` +@@ -844,3 +1134,59 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -41583,7 +41754,7 @@ index 1d1c399..3ab3a47 100644 + tgtd_manage_semaphores(iscsid_t) ') diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 9df8c4d..7a942fc 100644 +index 9df8c4d..8d1d7fa 100644 
--- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -44,6 +44,7 @@ ifdef(`distro_redhat',` @@ -41629,7 +41800,16 @@ index 9df8c4d..7a942fc 100644 /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t + /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -41637,7 +41817,7 @@ index 9df8c4d..7a942fc 100644 /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t +@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -41645,7 +41825,7 @@ index 9df8c4d..7a942fc 100644 /usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame -@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -41661,7 +41841,7 @@ index 9df8c4d..7a942fc 100644 ') dnl end distro_redhat # -@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -42516,7 +42696,7 @@ index 7711464..a8bd9fe 100644 ifdef(`distro_debian',` /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index fe4e741..926ba65 100644 +index fe4e741..9ce4a4f 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -414,9 +414,6 @@ interface(`miscfiles_read_localization',` @@ -42529,6 +42709,32 @@ index fe4e741..926ba65 100644 ') ######################################## +@@ -585,6 +582,25 @@ interface(`miscfiles_manage_man_pages',` + + ######################################## + ## ++## Allow process to relabel man_pages info ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`miscfiles_relabel_man_pages',` ++ gen_require(` ++ type man_t; ++ ') ++ ++ files_search_usr($1) ++ relabel_files_pattern($1, man_t, man_t) ++') ++ ++######################################## ++## + ## Read public files used for file + ## transfer services. + ## diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index c51f7f5..59c70bf 100644 --- a/policy/modules/system/miscfiles.te @@ -42581,7 +42787,7 @@ index 9c0faab..def8d5a 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 74a4466..3120e0e 100644 +index 74a4466..7243733 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,6 +18,7 @@ type insmod_t; 
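Review bot: `miscfiles_relabel_man_pages` grants relabelfrom/relabelto on man_t files only, through `relabel_files_pattern($1, man_t, man_t)`, so a caller that relabels the man tree recursively (the init relabel case the changelog describes) would presumably still be denied on man_t directories and symlinks; if that is the intended caller, add `relabel_dirs_pattern($1, man_t, man_t)` and `relabel_lnk_files_pattern($1, man_t, man_t)` next to it, or state in the summary that the interface covers files only. The summary line `## Allow process to relabel man_pages info` is vague about scope; `## Relabel man page files (man_t).` says what the rules actually grant. The caller that consumes this interface is outside this hunk.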
@@ -42592,7 +42798,17 @@ index 74a4466..3120e0e 100644 role system_r types insmod_t; # module loading config -@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t) +@@ -36,6 +37,9 @@ role system_r types update_modules_t; + type update_modules_tmp_t; + files_tmp_file(update_modules_tmp_t) + ++type insmod_tmpfs_t; ++files_tmpfs_file(insmod_tmpfs_t) ++ + ######################################## + # + # depmod local policy +@@ -55,12 +59,15 @@ corecmd_search_bin(depmod_t) domain_use_interactive_fds(depmod_t) @@ -42608,7 +42824,7 @@ index 74a4466..3120e0e 100644 fs_getattr_xattr_fs(depmod_t) -@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t) +@@ -74,6 +81,7 @@ userdom_use_user_terminals(depmod_t) # Read System.map from home directories. files_list_home(depmod_t) userdom_read_user_home_content_files(depmod_t) @@ -42616,7 +42832,7 @@ index 74a4466..3120e0e 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -104,7 +109,7 @@ optional_policy(` +@@ -104,11 +112,12 @@ optional_policy(` # insmod local policy # @@ -42625,7 +42841,22 @@ index 74a4466..3120e0e 100644 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t) + allow insmod_t self:rawip_socket create_socket_perms; ++allow insmod_t self:shm create_shm_perms; + + # Read module config and dependency information + list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) +@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) + + can_exec(insmod_t, insmod_exec_t) + ++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t) ++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file) ++ + kernel_load_module(insmod_t) + kernel_read_system_state(insmod_t) + kernel_read_network_state(insmod_t) +@@ -125,6 +137,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) 
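Review bot: The two added rules `manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)` omit the space after each comma, unlike every other pattern call in this file (`read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)` a few lines above); align them with the surrounding style. Declaring a private `insmod_tmpfs_t` type, as the earlier hunk of this file does, is the right least-privilege choice over the plain `tmpfs_t` the changelog mentions. The accompanying `allow insmod_t self:shm create_shm_perms;` is not covered by any changelog entry and its relation to the tmpfs files is not evident from the hunk; a short why-comment above it, e.g. `# insmod creates shared memory segments and backing files on tmpfs`, would help the next reader, assuming that is what the denials showed.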
@@ -42633,7 +42864,7 @@ index 74a4466..3120e0e 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +155,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -42641,7 +42872,7 @@ index 74a4466..3120e0e 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t) +@@ -160,11 +174,15 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -42657,7 +42888,7 @@ index 74a4466..3120e0e 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t) +@@ -173,8 +191,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -42667,7 +42898,7 @@ index 74a4466..3120e0e 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -186,8 +196,11 @@ optional_policy(` +@@ -186,8 +203,11 @@ optional_policy(` ') optional_policy(` @@ -42681,7 +42912,7 @@ index 74a4466..3120e0e 100644 ') optional_policy(` -@@ -235,6 +248,10 @@ optional_policy(` +@@ -235,6 +255,10 @@ optional_policy(` ') optional_policy(` @@ -42919,7 +43150,7 @@ index 8b5c196..3490497 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index fca6947..e1f7531 100644 +index fca6947..5dadaa8 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -42969,7 +43200,7 @@ index fca6947..e1f7531 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,50 +68,84 @@ can_exec(mount_t, mount_exec_t) +@@ -46,50 +68,85 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) 
@@ -43051,6 +43282,7 @@ index fca6947..e1f7531 100644 +fs_rw_anon_inodefs_files(mount_t) fs_rw_tmpfs_chr_files(mount_t) +fs_rw_nfsd_fs(mount_t) ++fs_rw_removable_blk_files(mount_t) +fs_manage_tmpfs_dirs(mount_t) fs_read_tmpfs_symlinks(mount_t) +fs_read_fusefs_files(mount_t) @@ -43061,7 +43293,7 @@ index fca6947..e1f7531 100644 mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) -@@ -100,6 +156,7 @@ storage_raw_read_fixed_disk(mount_t) +@@ -100,6 +157,7 @@ storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) @@ -43069,7 +43301,7 @@ index fca6947..e1f7531 100644 term_use_all_terms(mount_t) -@@ -108,6 +165,8 @@ auth_use_nsswitch(mount_t) +@@ -108,6 +166,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -43078,7 +43310,7 @@ index fca6947..e1f7531 100644 logging_send_syslog_msg(mount_t) -@@ -118,6 +177,12 @@ sysnet_use_portmap(mount_t) +@@ -118,6 +178,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -43091,7 +43323,7 @@ index fca6947..e1f7531 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -133,10 +198,17 @@ ifdef(`distro_ubuntu',` +@@ -133,10 +199,17 @@ ifdef(`distro_ubuntu',` ') ') @@ -43109,7 +43341,7 @@ index fca6947..e1f7531 100644 ') optional_policy(` -@@ -166,6 +238,8 @@ optional_policy(` +@@ -166,6 +239,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -43118,7 +43350,7 @@ index fca6947..e1f7531 100644 ') optional_policy(` -@@ -173,6 +247,28 @@ optional_policy(` +@@ -173,6 +248,28 @@ optional_policy(` ') optional_policy(` @@ -43147,7 +43379,7 @@ index fca6947..e1f7531 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -180,13 +276,44 @@ optional_policy(` +@@ -180,13 +277,44 @@ optional_policy(` ') ') 
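Review bot: `fs_rw_removable_blk_files(mount_t)` is a new read/write grant on block device nodes that none of the seven changelog entries for this release mentions, so the commit gives no way to tell which operation needed it. mount_t already has raw access to removable devices through the `storage_raw_read_removable_device`/`storage_raw_write_removable_device` calls in the later hunk of this file, and the extra grant presumably covers block nodes that reside on a removable filesystem rather than under /dev. Add a why-comment, e.g. `# block device nodes located on removable media`, or a changelog line, so the widened device access stays traceable. The enclosing run of fs_* rules continues outside this hunk.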
@@ -43192,7 +43424,7 @@ index fca6947..e1f7531 100644 ') ######################################## -@@ -195,6 +322,42 @@ optional_policy(` +@@ -195,6 +323,42 @@ optional_policy(` # optional_policy(` @@ -44402,7 +44634,7 @@ index 8e71fb7..350d003 100644 + role_transition $1 dhcpc_exec_t system_r; ') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index dfbe736..5740b79 100644 +index dfbe736..e70feca 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0) @@ -44560,10 +44792,14 @@ index dfbe736..5740b79 100644 ') optional_policy(` -@@ -334,6 +379,10 @@ optional_policy(` +@@ -334,6 +379,14 @@ optional_policy(` ') optional_policy(` ++ kdump_dontaudit_read_config(ifconfig_t) ++') ++ ++optional_policy(` + netutils_domtrans(dhcpc_t) +') + @@ -44571,7 +44807,7 @@ index dfbe736..5740b79 100644 nis_use_ypbind(ifconfig_t) ') -@@ -355,3 +404,9 @@ optional_policy(` +@@ -355,3 +408,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 6253bd8..ee60eca 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.8 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,15 @@ exit 0 %endif %changelog +* Fri Nov 12 2010 Miroslav Grepl 3.9.8-5 +- Turn on mediawiki policy +- kdump leaks kdump_etc_t to ifconfig, add dontaudit +- uux needs to transition to uucpd_t +- More init fixes relabels man,faillog +- Remove maxima defs in libraries.fc +- insmod needs to be able to create tmpfs_t files +- ping needs setcap + * Wed Nov 10 2010 Miroslav Grepl 3.9.8-4 - Allow groupd transition to fenced domain when executes fence_node - Fixes for rchs policy
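Review bot: `kdump_dontaudit_read_config(ifconfig_t)` silences the AVC for a descriptor that kdump leaks into ifconfig, which hides the leak rather than closing it; the durable fix is presumably on the kdump side (open the config close-on-exec, or close it before exec), after which the dontaudit can be dropped. Since the block carries no rationale in the policy itself, add a comment above it, e.g. `# kdump leaks its open config file to ifconfig; remove once kdump closes it`, so a later cleanup knows the rule is a workaround and not a requirement. The list of optional_policy blocks this sits in continues outside the hunk.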