From 95987e7bebe081970cd09014582e65652c1247b1 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 26 2016 15:05:44 +0000 Subject: * Tue Jul 26 2016 Lukas Vrabec 3.13.1-204 - Allow lsmd_plugin_t to exec ldconfig. - Allow vnstatd domain to read /sys/class/net/ files - Remove duplicate allow rules in spamassassin SELinux module - Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs - Allow ipa_dnskey domain to search cache dirs - Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file - Allow ipa-dnskey read system state. - Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245 - Add interface to write to nsfs inodes - Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721) - Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf - sysadmin should be allowed to use docker. --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 2a3cd56..4062bfa 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 6b2dbbc..8da2c4c 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -18041,7 +18041,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..761fbab 100644 +index 8416beb..acf95e0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18540,7 +18540,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -1878,135 +2122,740 @@ interface(`fs_search_fusefs',` +@@ -1878,96 +2122,759 @@ interface(`fs_search_fusefs',` ## ## # @@ -18908,9 +18908,10 @@ index 8416beb..761fbab 100644 +# +interface(`fs_manage_fusefs_files',` + gen_require(` -+ type fusefs_t; -+ ') -+ + type fusefs_t; + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) + manage_files_pattern($1, fusefs_t, fusefs_t) +') + @@ -19028,10 +19029,9 @@ index 8416beb..761fbab 100644 +# +interface(`fs_getattr_fusefs',` + gen_require(` - type fusefs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ type fusefs_t; ++ ') ++ + allow $1 fusefs_t:filesystem getattr; +') + @@ -19269,31 +19269,88 @@ index 8416beb..761fbab 100644 + + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Mount an iso9660 filesystem, which ++## is usually used on CDs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mount_iso9660_fs',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:filesystem mount; ++') ++ ++######################################## ++## ++## Remount an iso9660 filesystem, which ++## is usually used on CDs. This allows ++## some mount options to be changed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_remount_iso9660_fs',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:filesystem remount; ++') ++ ++######################################## ++## ++## Unmount an iso9660 filesystem, which ++## is usually used on CDs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_iso9660_fs',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:filesystem unmount; ') ######################################## ## -## Create, read, write, and delete files -## on a FUSEFS filesystem. -+## Mount an iso9660 filesystem, which -+## is usually used on CDs. ++## Get the attributes of an iso9660 ++## filesystem, which is usually used on CDs. ## ## ## - ## Domain allowed access. - ## +@@ -1976,37 +2883,38 @@ interface(`fs_exec_fusefs_files',` ## --## + ## # -interface(`fs_manage_fusefs_files',` -+interface(`fs_mount_iso9660_fs',` ++interface(`fs_getattr_iso9660_fs',` gen_require(` - type fusefs_t; + type iso9660_t; ') - manage_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 iso9660_t:filesystem mount; ++ allow $1 iso9660_t:filesystem getattr; ') ######################################## @@ -19301,9 +19358,8 @@ index 8416beb..761fbab 100644 -## Do not audit attempts to create, -## read, write, and delete files -## on a FUSEFS filesystem. -+## Remount an iso9660 filesystem, which -+## is usually used on CDs. This allows -+## some mount options to be changed. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. ## ## ## @@ -19313,30 +19369,31 @@ index 8416beb..761fbab 100644 ## # -interface(`fs_dontaudit_manage_fusefs_files',` -+interface(`fs_remount_iso9660_fs',` ++interface(`fs_getattr_iso9660_files',` gen_require(` - type fusefs_t; + type iso9660_t; ') - dontaudit $1 fusefs_t:file manage_file_perms; -+ allow $1 iso9660_t:filesystem remount; ++ allow $1 iso9660_t:dir list_dir_perms; ++ allow $1 iso9660_t:file getattr; ') ######################################## ## -## Read symbolic links on a FUSEFS filesystem. -+## Unmount an iso9660 filesystem, which ++## Read files on an iso9660 filesystem, which +## is usually used on CDs. ## ## ## -@@ -2014,37 +2863,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,19 +2922,20 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # -interface(`fs_read_fusefs_symlinks',` -+interface(`fs_unmount_iso9660_fs',` ++interface(`fs_read_iso9660_files',` gen_require(` - type fusefs_t; + type iso9660_t; @@ -19344,110 +19401,105 @@ index 8416beb..761fbab 100644 - allow $1 fusefs_t:dir list_dir_perms; - read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+ allow $1 iso9660_t:filesystem unmount; ++ allow $1 iso9660_t:dir list_dir_perms; ++ read_files_pattern($1, iso9660_t, iso9660_t) ++ read_lnk_files_pattern($1, iso9660_t, iso9660_t) ') ++ ######################################## ## -## Get the attributes of an hugetlbfs -## filesystem. -+## Get the attributes of an iso9660 -+## filesystem, which is usually used on CDs. ++## Mount kdbus filesystems. ## ## ## - ## Domain allowed access. +@@ -2034,17 +2943,17 @@ interface(`fs_read_fusefs_symlinks',` ## ## -+## # -interface(`fs_getattr_hugetlbfs',` -+interface(`fs_getattr_iso9660_fs',` ++interface(`fs_mount_kdbus', ` gen_require(` - type hugetlbfs_t; -+ type iso9660_t; ++ type kdbusfs_t; ') - allow $1 hugetlbfs_t:filesystem getattr; -+ allow $1 iso9660_t:filesystem getattr; ++ allow $1 kdbusfs_t:filesystem mount; ') ######################################## ## -## List hugetlbfs. -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. ++## Remount kdbus filesystems. ## ## ## -@@ -2052,17 +2902,19 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +2961,17 @@ interface(`fs_getattr_hugetlbfs',` ## ## # -interface(`fs_list_hugetlbfs',` -+interface(`fs_getattr_iso9660_files',` ++interface(`fs_remount_kdbus', ` gen_require(` - type hugetlbfs_t; -+ type iso9660_t; ++ type kdbusfs_t; ') - allow $1 hugetlbfs_t:dir list_dir_perms; -+ allow $1 iso9660_t:dir list_dir_perms; -+ allow $1 iso9660_t:file getattr; ++ allow $1 kdbusfs_t:filesystem remount; ') ######################################## ## -## Manage hugetlbfs dirs. -+## Read files on an iso9660 filesystem, which -+## is usually used on CDs. ++## Unmount kdbus filesystems. ## ## ## -@@ -2070,17 +2922,20 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +2979,17 @@ interface(`fs_list_hugetlbfs',` ## ## # -interface(`fs_manage_hugetlbfs_dirs',` -+interface(`fs_read_iso9660_files',` ++interface(`fs_unmount_kdbus', ` gen_require(` - type hugetlbfs_t; -+ type iso9660_t; ++ type kdbusfs_t; ') - manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ allow $1 iso9660_t:dir list_dir_perms; -+ read_files_pattern($1, iso9660_t, iso9660_t) -+ read_lnk_files_pattern($1, iso9660_t, iso9660_t) ++ allow $1 kdbusfs_t:filesystem unmount; ') -+ ######################################## ## -## Read and write hugetlbfs files. -+## Mount kdbus filesystems. ++## Get attributes of kdbus filesystems. ## ## ## -@@ -2088,35 +2943,35 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +2997,38 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # -interface(`fs_rw_hugetlbfs_files',` -+interface(`fs_mount_kdbus', ` ++interface(`fs_getattr_kdbus',` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ') - rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) -+ allow $1 kdbusfs_t:filesystem mount; ++ allow $1 kdbusfs_t:filesystem getattr; ') ######################################## ## -## Allow the type to associate to hugetlbfs filesystems. -+## Remount kdbus filesystems. ++## Search kdbusfs directories. ## -## +## @@ -19458,64 +19510,89 @@ index 8416beb..761fbab 100644 ## # -interface(`fs_associate_hugetlbfs',` -+interface(`fs_remount_kdbus', ` ++interface(`fs_search_kdbus_dirs',` gen_require(` - type hugetlbfs_t; + type kdbusfs_t; ++ ') - allow $1 hugetlbfs_t:filesystem associate; -+ allow $1 kdbusfs_t:filesystem remount; ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ') ######################################## ## -## Search inotifyfs filesystem. -+## Unmount kdbus filesystems. ++## Relabel kdbusfs directories. ## ## ## -@@ -2124,17 +2979,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +3036,18 @@ interface(`fs_associate_hugetlbfs',` ## ## # -interface(`fs_search_inotifyfs',` -+interface(`fs_unmount_kdbus', ` ++interface(`fs_relabel_kdbus_dirs',` gen_require(` - type inotifyfs_t; -+ type kdbusfs_t; ++ type cgroup_t; ++ ') - allow $1 inotifyfs_t:dir search_dir_perms; -+ allow $1 kdbusfs_t:filesystem unmount; ++ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ') ######################################## ## -## List inotifyfs filesystem. -+## Get attributes of kdbus filesystems. ++## List kdbusfs directories. ## ## ## -@@ -2142,71 +2997,136 @@ interface(`fs_search_inotifyfs',` +@@ -2142,71 +3055,78 @@ interface(`fs_search_inotifyfs',` ## ## # -interface(`fs_list_inotifyfs',` -+interface(`fs_getattr_kdbus',` ++interface(`fs_list_kdbus_dirs',` gen_require(` - type inotifyfs_t; + type kdbusfs_t; ') - allow $1 inotifyfs_t:dir list_dir_perms; -+ allow $1 kdbusfs_t:filesystem getattr; ++ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++####################################### ++## ++## Do not audit attempts to search kdbusfs directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_search_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ dontaudit $1 kdbusfs_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ') ######################################## ## -## Dontaudit List inotifyfs filesystem. -+## Search kdbusfs directories. ++## Delete kdbusfs directories. ## ## ## @@ -19525,15 +19602,14 @@ index 8416beb..761fbab 100644 ## # -interface(`fs_dontaudit_list_inotifyfs',` -+interface(`fs_search_kdbus_dirs',` ++interface(`fs_delete_kdbus_dirs', ` gen_require(` - type inotifyfs_t; + type kdbusfs_t; -+ ') - dontaudit $1 inotifyfs_t:dir list_dir_perms; -+ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) ') @@ -19542,7 +19618,7 @@ index 8416beb..761fbab 100644 ## -## Create an object in a hugetlbfs filesystem, with a private -## type using a type transition. -+## Relabel kdbusfs directories. ++## Manage kdbusfs directories. ## ## ## @@ -19550,89 +19626,20 @@ index 8416beb..761fbab 100644 ## ## -## -+# -+interface(`fs_relabel_kdbus_dirs',` -+ gen_require(` -+ type cgroup_t; -+ -+ ') -+ -+ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+') -+ -+######################################## -+## -+## List kdbusfs directories. -+## -+## - ## +-## -## The type of the object to be created. -+## Domain allowed access. - ## - ## +-## +-## -## -+# -+interface(`fs_list_kdbus_dirs',` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+####################################### -+## -+## Do not audit attempts to search kdbusfs directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_search_kdbus_dirs', ` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ dontaudit $1 kdbusfs_t:dir search_dir_perms; -+ dev_dontaudit_search_sysfs($1) -+') -+ -+######################################## -+## -+## Delete kdbusfs directories. -+## -+## - ## +-## -## The object class of the object being created. -+## Domain allowed access. - ## - ## +-## +-## -## -+# -+interface(`fs_delete_kdbus_dirs', ` -+ gen_require(` -+ type kdbusfs_t; -+ ') -+ -+ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) -+ fs_search_tmpfs($1) -+ dev_search_sysfs($1) -+') -+ -+######################################## -+## -+## Manage kdbusfs directories. -+## -+## - ## +-## -## The name of the object being created. -+## Domain allowed access. - ## - ## +-## +-## # -interface(`fs_hugetlbfs_filetrans',` +interface(`fs_manage_kdbus_dirs',` @@ -19813,12 +19820,11 @@ index 8416beb..761fbab 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',` +@@ -2398,6 +3325,24 @@ interface(`fs_getattr_nfs',` ######################################## ## --## Unmount a NFS filesystem. -+## Unmount a NFS filesystem. ++## Set the attributes of nfs directories. +## +## +## @@ -19826,171 +19832,285 @@ index 8416beb..761fbab 100644 +## +## +# -+interface(`fs_unmount_nfs',` ++interface(`fs_setattr_nfs_dirs',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:filesystem unmount; ++ allow $1 nfs_t:dir setattr; +') + +######################################## +## -+## Get the attributes of a NFS filesystem. + ## Search directories on a NFS filesystem. ## ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_unmount_nfs',` -+interface(`fs_getattr_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem unmount; -+ allow $1 nfs_t:filesystem getattr; - ') - - ######################################## - ## --## Get the attributes of a NFS filesystem. -+## Set the attributes of nfs directories. +@@ -2439,152 +3384,228 @@ interface(`fs_list_nfs',` ## ## ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_getattr_nfs',` -+interface(`fs_setattr_nfs_dirs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem getattr; -+ allow $1 nfs_t:dir setattr; - ') - - ######################################## -@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',` - type nfs_t; - ') - -+ fs_search_auto_mountpoints($1) - allow $1 nfs_t:dir list_dir_perms; - read_files_pattern($1, nfs_t, nfs_t) - ') -@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',` - type nfs_t; - ') - -+ fs_search_auto_mountpoints($1) - allow $1 nfs_t:dir list_dir_perms; - write_files_pattern($1, nfs_t, nfs_t) - ') -@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',` - - ######################################## - ## -+## Make general progams in nfs an entrypoint for -+## the specified domain. -+## -+## -+## -+## The domain for which nfs_t is an entrypoint. +-## Domain to not audit. ++## Domain to not audit. +## +## +# -+interface(`fs_nfs_entry_type',` ++interface(`fs_dontaudit_list_nfs',` + gen_require(` + type nfs_t; + ') + -+ domain_entry_file($1, nfs_t) ++ dontaudit $1 nfs_t:dir list_dir_perms; +') + +######################################## +## -+## Make general progams in NFS an entrypoint for -+## the specified domain. ++## Mounton a NFS filesystem. +## +## +## -+## The domain for which nfs_t is an entrypoint. ++## Domain allowed access. +## +## +# -+interface(`fs_nfs_entrypoint',` ++interface(`fs_mounton_nfs',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:file entrypoint; ++ allow $1 nfs_t:dir mounton; +') + +######################################## +## - ## Append files - ## on a NFS filesystem. - ## -@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',` - - ######################################## - ## --## dontaudit Append files -+## Do not audit attempts to append files - ## on a NFS filesystem. - ## - ## -@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',` - - ######################################## - ## -+## Read inherited files on a NFS filesystem. ++## Read files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`fs_read_inherited_nfs_files',` ++interface(`fs_read_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:file read_inherited_file_perms; ++ fs_search_auto_mountpoints($1) ++ allow $1 nfs_t:dir list_dir_perms; ++ read_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## -+## Read/write inherited files on a NFS filesystem. ++## Do not audit attempts to read ++## files on a NFS filesystem. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`fs_rw_inherited_nfs_files',` ++interface(`fs_dontaudit_read_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:file rw_inherited_file_perms; ++ dontaudit $1 nfs_t:file read_file_perms; +') + +######################################## +## - ## Do not audit attempts to read or - ## write files on a NFS filesystem. ++## Read files on a NFS filesystem. ++## ++## ++## ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_list_nfs',` ++interface(`fs_write_nfs_files',` + gen_require(` + type nfs_t; + ') + +- dontaudit $1 nfs_t:dir list_dir_perms; ++ fs_search_auto_mountpoints($1) ++ allow $1 nfs_t:dir list_dir_perms; ++ write_files_pattern($1, nfs_t, nfs_t) + ') + + ######################################## + ## +-## Mounton a NFS filesystem. ++## Execute files on a NFS filesystem. ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_mounton_nfs',` ++interface(`fs_exec_nfs_files',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir mounton; ++ allow $1 nfs_t:dir list_dir_perms; ++ exec_files_pattern($1, nfs_t, nfs_t) + ') + + ######################################## + ## +-## Read files on a NFS filesystem. ++## Make general progams in nfs an entrypoint for ++## the specified domain. + ## + ## + ## +-## Domain allowed access. ++## The domain for which nfs_t is an entrypoint. + ## + ## +-## + # +-interface(`fs_read_nfs_files',` ++interface(`fs_nfs_entry_type',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir list_dir_perms; +- read_files_pattern($1, nfs_t, nfs_t) ++ domain_entry_file($1, nfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to read +-## files on a NFS filesystem. ++## Make general progams in NFS an entrypoint for ++## the specified domain. + ## + ## + ## +-## Domain to not audit. ++## The domain for which nfs_t is an entrypoint. + ## + ## + # +-interface(`fs_dontaudit_read_nfs_files',` ++interface(`fs_nfs_entrypoint',` + gen_require(` + type nfs_t; + ') + +- dontaudit $1 nfs_t:file read_file_perms; ++ allow $1 nfs_t:file entrypoint; + ') + + ######################################## + ## +-## Read files on a NFS filesystem. ++## Append files ++## on a NFS filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_write_nfs_files',` ++interface(`fs_append_nfs_files',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir list_dir_perms; +- write_files_pattern($1, nfs_t, nfs_t) ++ append_files_pattern($1, nfs_t, nfs_t) + ') + + ######################################## + ## +-## Execute files on a NFS filesystem. ++## Do not audit attempts to append files ++## on a NFS filesystem. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + ## + # +-interface(`fs_exec_nfs_files',` ++interface(`fs_dontaudit_append_nfs_files',` + gen_require(` + type nfs_t; + ') + +- allow $1 nfs_t:dir list_dir_perms; +- exec_files_pattern($1, nfs_t, nfs_t) ++ dontaudit $1 nfs_t:file append_file_perms; + ') + + ######################################## + ## +-## Append files +-## on a NFS filesystem. ++## Read inherited files on a NFS filesystem. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_append_nfs_files',` ++interface(`fs_read_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + +- append_files_pattern($1, nfs_t, nfs_t) ++ allow $1 nfs_t:file read_inherited_file_perms; + ') + + ######################################## + ## +-## dontaudit Append files +-## on a NFS filesystem. ++## Read/write inherited files on a NFS filesystem. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## +-## + # +-interface(`fs_dontaudit_append_nfs_files',` ++interface(`fs_rw_inherited_nfs_files',` + gen_require(` + type nfs_t; + ') + +- dontaudit $1 nfs_t:file append_file_perms; ++ allow $1 nfs_t:file rw_inherited_file_perms; + ') + + ######################################## @@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -20169,7 +20289,7 @@ index 8416beb..761fbab 100644 ## ## Read and write NFS server files. ## -@@ -3283,6 +4402,59 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +4402,78 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -20188,6 +20308,7 @@ index 8416beb..761fbab 100644 + + getattr_files_pattern($1, nsfs_t, nsfs_t) +') ++ +####################################### +## +## Read nsfs inodes (e.g. /proc/pid/ns/uts) @@ -20206,6 +20327,24 @@ index 8416beb..761fbab 100644 + allow $1 nsfs_t:file read_file_perms; +') + ++####################################### ++## ++## Read and write nsfs inodes (e.g. /proc/pid/ns/uts) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_nsfs_files',` ++ gen_require(` ++ type nsfs_fs_t; ++ ') ++ ++ rw_files_pattern($1, nsfs_fs_t, nsfs_fs_t) ++') ++ +######################################## +## +## Manage NFS server files. @@ -20229,7 +20368,7 @@ index 8416beb..761fbab 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4564,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4583,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20238,7 +20377,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -3429,7 +4601,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4620,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20247,7 +20386,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -3447,7 +4619,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4638,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20256,7 +20395,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -3779,6 +4951,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +4970,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20281,7 +20420,7 @@ index 8416beb..761fbab 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5005,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5024,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20306,7 +20445,7 @@ index 8416beb..761fbab 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3866,12 +5093,49 @@ interface(`fs_relabelfrom_tmpfs',` type tmpfs_t; ') @@ -20358,7 +20497,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -3879,36 +5124,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3879,36 +5143,35 @@ interface(`fs_relabelfrom_tmpfs',` ## ## # @@ -20402,7 +20541,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -3916,35 +5160,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,35 +5179,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20446,7 +20585,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -3952,17 +5197,17 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5216,17 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20467,7 +20606,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -3970,31 +5215,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5234,30 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20505,7 +20644,7 @@ index 8416beb..761fbab 100644 ') ######################################## -@@ -4105,7 +5349,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5368,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -20514,7 +20653,7 @@ index 8416beb..761fbab 100644 ') ######################################## -@@ -4165,6 +5409,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5428,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -20539,7 +20678,7 @@ index 8416beb..761fbab 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5464,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5483,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -20548,7 +20687,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -4221,6 +5483,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5502,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -20609,7 +20748,7 @@ index 8416beb..761fbab 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5594,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5613,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -20654,7 +20793,7 @@ index 8416beb..761fbab 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5651,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5670,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -20680,7 +20819,7 @@ index 8416beb..761fbab 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4407,6 +5780,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5799,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20706,7 +20845,7 @@ index 8416beb..761fbab 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5895,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5914,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20715,7 +20854,7 @@ index 8416beb..761fbab 100644 ') ######################################## -@@ -4549,7 +5943,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5962,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20724,7 +20863,7 @@ index 8416beb..761fbab 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5990,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6009,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20751,7 +20890,7 @@ index 8416beb..761fbab 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6085,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6104,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -20777,7 +20916,7 @@ index 8416beb..761fbab 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',` +@@ -4912,3 +6364,82 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -25376,10 +25515,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..a23a472 100644 +index 2522ca6..d389826 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,92 @@ policy_module(sysadm, 2.6.1) # Declarations # @@ -25472,13 +25611,17 @@ index 2522ca6..a23a472 100644 +') + +optional_policy(` ++ docker_stream_connect(sysadm_t) ++') ++ ++optional_policy(` + ssh_filetrans_admin_home_content(sysadm_t) + ssh_filetrans_keys(sysadm_t) +') ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +104,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +108,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -25493,7 +25636,7 @@ index 2522ca6..a23a472 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +114,9 @@ optional_policy(` +@@ -71,9 +118,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -25504,7 +25647,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -87,6 +130,7 @@ optional_policy(` +@@ -87,6 +134,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -25512,7 +25655,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -110,11 +154,17 @@ optional_policy(` +@@ -110,11 +158,17 @@ optional_policy(` ') optional_policy(` @@ -25530,20 +25673,20 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -122,11 +172,27 @@ optional_policy(` +@@ -122,11 +176,27 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) ++') ++ ++optional_policy(` ++ consoletype_exec(sysadm_t) ') optional_policy(` - cvs_exec(sysadm_t) -+ consoletype_exec(sysadm_t) -+') -+ -+optional_policy(` + daemonstools_run_start(sysadm_t, sysadm_r) +') + @@ -25560,7 +25703,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -140,6 +206,10 @@ optional_policy(` +@@ -140,6 +210,10 @@ optional_policy(` ') optional_policy(` @@ -25571,7 +25714,7 @@ index 2522ca6..a23a472 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +226,10 @@ optional_policy(` +@@ -156,6 +230,10 @@ optional_policy(` ') optional_policy(` @@ -25582,7 +25725,7 @@ index 2522ca6..a23a472 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -164,6 +238,11 @@ optional_policy(` +@@ -164,6 +242,11 @@ optional_policy(` ') optional_policy(` @@ -25594,7 +25737,7 @@ index 2522ca6..a23a472 100644 hadoop_role(sysadm_r, sysadm_t) ') -@@ -172,13 +251,31 @@ optional_policy(` +@@ -172,13 +255,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -25626,7 +25769,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -190,11 +287,12 @@ optional_policy(` +@@ -190,11 +291,12 @@ optional_policy(` ') optional_policy(` @@ -25641,7 +25784,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -210,22 +308,21 @@ optional_policy(` +@@ -210,22 +312,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -25671,7 +25814,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -237,14 +334,32 @@ optional_policy(` +@@ -237,14 +338,32 @@ optional_policy(` ') optional_policy(` @@ -25704,7 +25847,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -252,10 +367,20 @@ optional_policy(` +@@ -252,10 +371,20 @@ optional_policy(` ') optional_policy(` @@ -25725,7 +25868,7 @@ index 2522ca6..a23a472 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +391,46 @@ optional_policy(` +@@ -266,35 +395,46 @@ optional_policy(` ') optional_policy(` @@ -25757,18 +25900,18 @@ index 2522ca6..a23a472 100644 optional_policy(` - rpm_run(sysadm_t, sysadm_r) + quota_filetrans_named_content(sysadm_t) - ') - - optional_policy(` -- rssh_role(sysadm_r, sysadm_t) -+ raid_domtrans_mdadm(sysadm_t) +') + +optional_policy(` -+ rpc_domtrans_nfsd(sysadm_t) ++ raid_domtrans_mdadm(sysadm_t) +') + +optional_policy(` ++ rpc_domtrans_nfsd(sysadm_t) + ') + + optional_policy(` +- rssh_role(sysadm_r, sysadm_t) + rpm_run(sysadm_t, sysadm_r) + rpm_dbus_chat(sysadm_t, sysadm_r) ') @@ -25779,7 +25922,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -308,6 +444,7 @@ optional_policy(` +@@ -308,6 +448,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25787,7 +25930,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -315,12 +452,20 @@ optional_policy(` +@@ -315,12 +456,20 @@ optional_policy(` ') optional_policy(` @@ -25809,7 +25952,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -345,30 +490,38 @@ optional_policy(` +@@ -345,30 +494,38 @@ optional_policy(` ') optional_policy(` @@ -25857,7 +26000,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -380,10 +533,6 @@ optional_policy(` +@@ -380,10 +537,6 @@ optional_policy(` ') optional_policy(` @@ -25868,7 +26011,7 @@ index 2522ca6..a23a472 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +540,9 @@ optional_policy(` +@@ -391,6 +544,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25878,7 +26021,7 @@ index 2522ca6..a23a472 100644 ') optional_policy(` -@@ -398,31 +550,34 @@ optional_policy(` +@@ -398,31 +554,34 @@ optional_policy(` ') optional_policy(` @@ -25919,7 +26062,7 @@ index 2522ca6..a23a472 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +590,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +594,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25930,7 +26073,7 @@ index 2522ca6..a23a472 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +610,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +614,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -28749,7 +28892,7 @@ index fe0c682..60003bc 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index cc877c7..b8e6e98 100644 +index cc877c7..80996f3 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2) @@ -28836,7 +28979,7 @@ index cc877c7..b8e6e98 100644 type ssh_t; type ssh_exec_t; -@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) +@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t) type ssh_tmpfs_t; typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; @@ -28857,7 +29000,11 @@ index cc877c7..b8e6e98 100644 ############################## # -@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; + # SSH client local policy + # + +-allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; ++allow ssh_t self:capability { setcap setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; @@ -37013,7 +37160,7 @@ index 79a45f6..9926eaf 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..28999af 100644 +index 17eda24..677fc9d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37312,7 +37459,7 @@ index 17eda24..28999af 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +326,259 @@ ifdef(`distro_gentoo',` +@@ -186,29 +326,263 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37370,6 +37517,10 @@ index 17eda24..28999af 100644 +') + +optional_policy(` ++ rpm_read_db(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) +') @@ -37534,19 +37685,19 @@ index 17eda24..28999af 100644 + sysnet_relabelfrom_dhcpc_state(init_t) + sysnet_setattr_dhcp_state(init_t) + ') -+') -+ -+optional_policy(` -+ lvm_rw_pipes(init_t) -+ lvm_read_config(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ consolekit_manage_log(init_t) ++ lvm_rw_pipes(init_t) ++ lvm_read_config(init_t) ') optional_policy(` ++ consolekit_manage_log(init_t) ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -37581,7 +37732,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -216,7 +586,30 @@ optional_policy(` +@@ -216,7 +590,30 @@ optional_policy(` ') optional_policy(` @@ -37613,7 +37764,7 @@ index 17eda24..28999af 100644 ') ######################################## -@@ -225,9 +618,9 @@ optional_policy(` +@@ -225,9 +622,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37625,7 +37776,7 @@ index 17eda24..28999af 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +651,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +655,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37642,7 +37793,7 @@ index 17eda24..28999af 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +676,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +680,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37685,7 +37836,7 @@ index 17eda24..28999af 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +713,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +717,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37697,7 +37848,7 @@ index 17eda24..28999af 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +725,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +729,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37708,7 +37859,7 @@ index 17eda24..28999af 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +736,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +740,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37718,7 +37869,7 @@ index 17eda24..28999af 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +745,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +749,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37726,7 +37877,7 @@ index 17eda24..28999af 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +752,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +756,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37734,7 +37885,7 @@ index 17eda24..28999af 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +760,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +764,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37752,7 +37903,7 @@ index 17eda24..28999af 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +778,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +782,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37766,7 +37917,7 @@ index 17eda24..28999af 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +793,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +797,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37780,7 +37931,7 @@ index 17eda24..28999af 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +806,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +810,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37791,7 +37942,7 @@ index 17eda24..28999af 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +819,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +823,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37799,7 +37950,7 @@ index 17eda24..28999af 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +838,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +842,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37823,7 +37974,7 @@ index 17eda24..28999af 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +871,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +875,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37831,7 +37982,7 @@ index 17eda24..28999af 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +905,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +909,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37842,7 +37993,7 @@ index 17eda24..28999af 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +929,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +933,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37851,7 +38002,7 @@ index 17eda24..28999af 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +944,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +948,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37859,7 +38010,7 @@ index 17eda24..28999af 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +965,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +969,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37867,7 +38018,7 @@ index 17eda24..28999af 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +975,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +979,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37912,7 +38063,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -559,14 +1020,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1024,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37944,7 +38095,7 @@ index 17eda24..28999af 100644 ') ') -@@ -577,6 +1055,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1059,39 @@ ifdef(`distro_suse',` ') ') @@ -37984,7 +38135,7 @@ index 17eda24..28999af 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1100,8 @@ optional_policy(` +@@ -589,6 +1104,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37993,7 +38144,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -610,6 +1123,7 @@ optional_policy(` +@@ -610,6 +1127,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38001,7 +38152,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -626,6 +1140,17 @@ optional_policy(` +@@ -626,6 +1144,17 @@ optional_policy(` ') optional_policy(` @@ -38019,7 +38170,7 @@ index 17eda24..28999af 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1167,13 @@ optional_policy(` +@@ -642,9 +1171,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38033,7 +38184,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -657,15 +1186,11 @@ optional_policy(` +@@ -657,15 +1190,11 @@ optional_policy(` ') optional_policy(` @@ -38051,7 +38202,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -686,6 +1211,15 @@ optional_policy(` +@@ -686,6 +1215,15 @@ optional_policy(` ') optional_policy(` @@ -38067,7 +38218,7 @@ index 17eda24..28999af 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1260,7 @@ optional_policy(` +@@ -726,6 +1264,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38075,7 +38226,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -743,7 +1278,13 @@ optional_policy(` +@@ -743,7 +1282,13 @@ optional_policy(` ') optional_policy(` @@ -38090,7 +38241,7 @@ index 17eda24..28999af 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1307,10 @@ optional_policy(` +@@ -766,6 +1311,10 @@ optional_policy(` ') optional_policy(` @@ -38101,7 +38252,7 @@ index 17eda24..28999af 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1320,20 @@ optional_policy(` +@@ -775,10 +1324,20 @@ optional_policy(` ') optional_policy(` @@ -38122,7 +38273,7 @@ index 17eda24..28999af 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1342,10 @@ optional_policy(` +@@ -787,6 +1346,10 @@ optional_policy(` ') optional_policy(` @@ -38133,7 +38284,7 @@ index 17eda24..28999af 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1367,6 @@ optional_policy(` +@@ -808,8 +1371,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38142,7 +38293,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -818,6 +1375,10 @@ optional_policy(` +@@ -818,6 +1379,10 @@ optional_policy(` ') optional_policy(` @@ -38153,7 +38304,7 @@ index 17eda24..28999af 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1388,12 @@ optional_policy(` +@@ -827,10 +1392,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38166,7 +38317,7 @@ index 17eda24..28999af 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1420,62 @@ optional_policy(` +@@ -857,21 +1424,62 @@ optional_policy(` ') optional_policy(` @@ -38230,7 +38381,7 @@ index 17eda24..28999af 100644 ') optional_policy(` -@@ -887,6 +1491,10 @@ optional_policy(` +@@ -887,6 +1495,10 @@ optional_policy(` ') optional_policy(` @@ -38241,7 +38392,7 @@ index 17eda24..28999af 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1505,218 @@ optional_policy(` +@@ -897,3 +1509,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48586,7 +48737,7 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..180e701 +index 0000000..bdd910a --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,958 @@ @@ -49546,7 +49697,7 @@ index 0000000..180e701 +dev_read_sysfs(systemd_modules_load_t) + +files_read_kernel_modules(systemd_modules_load_t) -+modutils_list_module_config(systemd_modules_load_t) ++modutils_read_module_config(systemd_modules_load_t) + diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index f41857e..49fd32e 100644 @@ -50963,7 +51114,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..595ad40 100644 +index 9dc60c6..236692c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -51979,7 +52130,7 @@ index 9dc60c6..595ad40 100644 + allow $1_t self:process ~{ ptrace execmem execstack execheap }; + + tunable_policy(`selinuxuser_use_ssh_chroot',` -+ allow $1_t self:capability { setuid setgid sys_chroot }; ++ allow $1_t self:capability { sys_chroot }; + ') - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9cce460..9365dbb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12256,7 +12256,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..ea704c2 100644 +index 550b287..f37b9b0 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -12346,7 +12346,7 @@ index 550b287..ea704c2 100644 ') optional_policy(` -@@ -92,11 +110,58 @@ optional_policy(` +@@ -92,11 +110,60 @@ optional_policy(` ') optional_policy(` @@ -12359,8 +12359,10 @@ index 550b287..ea704c2 100644 + +optional_policy(` + ipa_manage_lib(certmonger_t) ++ ipa_manage_log(certmonger_t) + ipa_manage_pid_files(certmonger_t) + ipa_filetrans_pid(certmonger_t,"renewal.lock") ++ ipa_named_filetrans_log_dir(certmonger_t) +') + +optional_policy(` @@ -37452,10 +37454,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..b7b9201 100644 +index 4eb7041..d750c5c 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,148 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,150 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -37493,7 +37495,7 @@ index 4eb7041..b7b9201 100644 # -# Local policy +# hyperv domain local policy - # ++# + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; @@ -37507,7 +37509,7 @@ index 4eb7041..b7b9201 100644 +dev_read_sysfs(hyperv_domain) + +######################################## - # ++# +# hypervkvp local policy +# + @@ -37553,6 +37555,8 @@ index 4eb7041..b7b9201 100644 + +modutils_domtrans_insmod(hypervkvp_t) + ++seutil_domtrans_setfiles(hypervkvp_t) ++ +sysnet_dns_name_resolve(hypervkvp_t) +sysnet_domtrans_dhcpc(hypervkvp_t) +sysnet_domtrans_ifconfig(hypervkvp_t) @@ -37596,14 +37600,14 @@ index 4eb7041..b7b9201 100644 +') + +######################################## -+# + # +# hypervvssd local policy -+# -+ -+allow hypervvssd_t self:capability sys_admin; + # -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++allow hypervvssd_t self:capability sys_admin; ++ +dev_rw_hypervvssd(hypervvssd_t) -logging_send_syslog_msg(hypervkvpd_t) @@ -38312,10 +38316,10 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..e1ddda0 +index 0000000..1131ca0 --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,19 @@ +@@ -0,0 +1,21 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) @@ -38331,16 +38335,18 @@ index 0000000..e1ddda0 + +/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) + ++/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0) ++ +/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0) + +/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0) + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..ee3a606 +index 0000000..1a30961 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,197 @@ +@@ -0,0 +1,235 @@ +## Policy for IPA services. + +######################################## @@ -38461,6 +38467,25 @@ index 0000000..ee3a606 + +######################################## +## ++## Allow domain to manage ipa log files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_manage_log',` ++ gen_require(` ++ type ipa_log_t; ++ ') ++ ++ manage_files_pattern($1, ipa_log_t, ipa_log_t) ++ manage_dirs_pattern($1, ipa_log_t, ipa_log_t) ++') ++ ++######################################## ++## +## Allow domain to manage ipa lib files/dirs. +## +## @@ -38538,12 +38563,31 @@ index 0000000..ee3a606 + files_search_tmp($1) + allow $1 ipa_tmp_t:file unlink; +') ++ ++######################################## ++## ++## Create log files with a named file ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_named_filetrans_log_dir',` ++ gen_require(` ++ type ipa_log_t; ++ ') ++ ++ logging_log_named_filetrans($1, ipa_log_t, dir, "ipa") ++') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..3ca42f7 +index 0000000..e3b22a3 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,199 @@ +@@ -0,0 +1,201 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38702,6 +38746,7 @@ index 0000000..3ca42f7 +files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file }) + +kernel_dgram_send(ipa_dnskey_t) ++kernel_read_system_state(ipa_dnskey_t) + +auth_use_nsswitch(ipa_dnskey_t) + @@ -38731,6 +38776,7 @@ index 0000000..3ca42f7 + bind_read_dnssec_keys(ipa_dnskey_t) + bind_manage_zone(ipa_dnskey_t) + bind_manage_zone_dirs(ipa_dnskey_t) ++ bind_search_cache(ipa_dnskey_t) +') + +optional_policy(` @@ -46754,7 +46800,7 @@ index d314333..27ede09 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..db7c68b 100644 +index 4ec0eea..693d9ae 100644 --- a/lsm.te +++ b/lsm.te @@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) @@ -46796,7 +46842,7 @@ index 4ec0eea..db7c68b 100644 allow lsmd_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) -@@ -26,4 +44,69 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,71 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -46855,6 +46901,8 @@ index 4ec0eea..db7c68b 100644 +init_stream_connect(lsmd_plugin_t) +init_dontaudit_rw_stream_socket(lsmd_plugin_t) + ++libs_exec_ldconfig(lsmd_plugin_t) ++ +logging_send_syslog_msg(lsmd_plugin_t) + +miscfiles_read_certs(lsmd_plugin_t) @@ -101860,7 +101908,7 @@ index e9bd097..5724bcf 100644 +/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0) +/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0) diff --git a/spamassassin.if b/spamassassin.if -index 1499b0b..6950cab 100644 +index 1499b0b..e695a62 100644 --- a/spamassassin.if +++ b/spamassassin.if @@ -2,39 +2,45 @@ @@ -102244,7 +102292,7 @@ index 1499b0b..6950cab 100644 + ') + + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor") -+ userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin") ++ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin") + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd") + userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor") +') @@ -102265,7 +102313,7 @@ index 1499b0b..6950cab 100644 + ') + + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor") -+ userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin") ++ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin") + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd") + userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor") +') @@ -102315,7 +102363,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index cc58e35..7e5c719 100644 +index cc58e35..d844f55 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1) @@ -102395,7 +102443,7 @@ index cc58e35..7e5c719 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +46,199 @@ type spamd_log_t; +@@ -72,87 +46,197 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -102532,8 +102580,6 @@ index cc58e35..7e5c719 100644 +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) -+userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") -+userdom_admin_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") +userdom_home_manager(spamassassin_t) + kernel_read_kernel_sysctls(spamassassin_t) @@ -102617,7 +102663,7 @@ index cc58e35..7e5c719 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +246,8 @@ optional_policy(` +@@ -160,6 +244,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -102626,7 +102672,7 @@ index cc58e35..7e5c719 100644 ') ######################################## -@@ -167,72 +255,95 @@ optional_policy(` +@@ -167,72 +253,95 @@ optional_policy(` # Client local policy # @@ -102753,7 +102799,7 @@ index cc58e35..7e5c719 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +354,7 @@ optional_policy(` +@@ -243,6 +352,7 @@ optional_policy(` ') optional_policy(` @@ -102761,7 +102807,7 @@ index cc58e35..7e5c719 100644 evolution_stream_connect(spamc_t) ') -@@ -251,11 +363,18 @@ optional_policy(` +@@ -251,11 +361,18 @@ optional_policy(` ') optional_policy(` @@ -102781,7 +102827,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -267,36 +386,40 @@ optional_policy(` +@@ -267,36 +384,40 @@ optional_policy(` ######################################## # @@ -102839,7 +102885,7 @@ index cc58e35..7e5c719 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +431,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +429,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -102849,7 +102895,7 @@ index cc58e35..7e5c719 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +441,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +439,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -102866,7 +102912,7 @@ index cc58e35..7e5c719 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +457,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +455,60 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -102971,7 +103017,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -421,21 +529,13 @@ optional_policy(` +@@ -421,21 +527,13 @@ optional_policy(` ') optional_policy(` @@ -102995,7 +103041,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -443,8 +543,8 @@ optional_policy(` +@@ -443,8 +541,8 @@ optional_policy(` ') optional_policy(` @@ -103005,7 +103051,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -455,7 +555,17 @@ optional_policy(` +@@ -455,7 +553,17 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -103024,7 +103070,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -463,9 +573,9 @@ optional_policy(` +@@ -463,9 +571,9 @@ optional_policy(` ') optional_policy(` @@ -103035,7 +103081,7 @@ index cc58e35..7e5c719 100644 ') optional_policy(` -@@ -474,32 +584,32 @@ optional_policy(` +@@ -474,32 +582,32 @@ optional_policy(` ######################################## # @@ -103078,7 +103124,7 @@ index cc58e35..7e5c719 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +616,26 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) @@ -115879,7 +115925,7 @@ index 137ac44..b644854 100644 domain_system_change_exemption($1) role_transition $2 vnstatd_initrc_exec_t system_r; diff --git a/vnstatd.te b/vnstatd.te -index e2220ae..0dcf5f6 100644 +index e2220ae..85f393b 100644 --- a/vnstatd.te +++ b/vnstatd.te @@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen }; @@ -115891,12 +115937,16 @@ index e2220ae..0dcf5f6 100644 manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -@@ -47,14 +47,10 @@ kernel_read_system_state(vnstatd_t) +@@ -45,16 +45,14 @@ files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) + kernel_read_network_state(vnstatd_t) + kernel_read_system_state(vnstatd_t) - domain_use_interactive_fds(vnstatd_t) +-domain_use_interactive_fds(vnstatd_t) ++dev_read_sysfs(vnstatd_t) -files_read_etc_files(vnstatd_t) -- ++domain_use_interactive_fds(vnstatd_t) + fs_getattr_xattr_fs(vnstatd_t) logging_send_syslog_msg(vnstatd_t) @@ -115906,7 +115956,7 @@ index e2220ae..0dcf5f6 100644 ######################################## # # Client local policy -@@ -64,23 +60,19 @@ allow vnstat_t self:process signal; +@@ -64,23 +62,19 @@ allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; allow vnstat_t self:unix_stream_socket { accept listen }; diff --git a/selinux-policy.spec b/selinux-policy.spec index e046a91..287041e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 203%{?dist} +Release: 204%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -648,6 +648,20 @@ exit 0 %endif %changelog +* Tue Jul 26 2016 Lukas Vrabec 3.13.1-204 +- Allow lsmd_plugin_t to exec ldconfig. +- Allow vnstatd domain to read /sys/class/net/ files +- Remove duplicate allow rules in spamassassin SELinux module +- Allow spamc_t and spamd_t domains create .spamassassin file in user homedirs +- Allow ipa_dnskey domain to search cache dirs +- Allow dogtag-ipa-ca-renew-agent-submit labeled as certmonger_t to create /var/log/ipa/renew.log file +- Allow ipa-dnskey read system state. +- Allow sshd setcap capability. This is needed due to latest changes in sshd Resolves: rhbz#1356245 +- Add interface to write to nsfs inodes +- Allow init_t domain to read rpm db. This is needed due dnf-upgrade process failing. BZ(1349721) +- Allow systemd_modules_load_t to read /etc/modprobe.d/lockd.conf +- sysadmin should be allowed to use docker. + * Mon Jul 18 2016 Lukas Vrabec 3.13.1-203 - Allow hypervkvp domain to run restorecon. - Allow firewalld to manage net_conf_t files