From a0e8efd42cf954b8d64f5e230cc7b70661a88987 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 13 2010 20:17:15 +0000
Subject: - Update to upstream
---
diff --git a/.gitignore b/.gitignore
index 8fea9fc..0dd8fdf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -224,3 +224,4 @@ serefpolicy*
/serefpolicy-3.9.1.tgz
/serefpolicy-3.9.2.tgz
/serefpolicy-3.9.3.tgz
+/serefpolicy-3.9.4.tgz
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 1a70e73..23d9eb7 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -655,6 +655,13 @@ hal = module
hddtemp = module
# Layer: services
+# Module: passenger
+#
+# Passenger
+#
+passenger = module
+
+# Layer: services
# Module: policykit
#
# Hardware abstraction layer
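Review bot: The description line for the new entry is just `# Passenger`, which repeats the module name and tells an administrator nothing about what the module confines. Replace it with a one-line description of the service, e.g. `# Phusion Passenger web application server`, if that is what the module covers. Because `passenger = module` enables the policy in the targeted set, this comment is the only hint in the file of what is being switched on.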
diff --git a/nsadiff b/nsadiff
index 2383e96..3865f5c 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1,3 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.9.0 > /tmp/diff
+cd nsaserefpolicy
+git diff origin > /tmp/diff
+
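Review bot: The added `cd nsaserefpolicy` is unchecked, so if the directory is missing, `git diff origin` runs in whatever directory the script was started from and silently writes the wrong diff. Use `cd nsaserefpolicy || exit 1`. The output still goes to the fixed name `/tmp/diff`, and on a shared build host the redirect would follow a file or symlink already at that path. A file created with `mktemp`, or a path inside the working tree, avoids that.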
diff --git a/policy-F14.patch b/policy-F14.patch
index b7ea4eb..f47fe9a 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -149,9 +149,34 @@ index 0000000..e9c43b1
+.SH "SEE ALSO"
+selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
diff --git a/policy/global_tunables b/policy/global_tunables
-index 3316f6e..56af226 100644
+index 3316f6e..f85244d 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
+@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
+
+ ##
+ ##
+-## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
++## Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla
+ ##
+ ##
+ gen_tunable(allow_execmem,false)
+
+ ##
+ ##
+-## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
++## Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t
+ ##
+ ##
+ gen_tunable(allow_execmod,false)
+
+ ##
+ ##
+-## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
++## Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+ ##
+ ##
+ gen_tunable(allow_execstack,false)
@@ -61,15 +61,6 @@ gen_tunable(global_ssp,false)
##
@@ -206,135 +231,11 @@ index af90ef2..fbd2c40 100644
(( h1 dom h2 ) or ( t1 == mcskillall ));
#
-diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if
-index d1d035e..2cb11ea 100644
---- a/policy/modules/admin/amanda.if
-+++ b/policy/modules/admin/amanda.if
-@@ -1,8 +1,9 @@
--## Automated backup program.
-+## Advanced Maryland Automatic Network Disk Archiver.
-
- ########################################
- ##
--## Execute amrecover in the amanda_recover domain.
-+## Execute a domain transition to
-+## run Amanda Recover.
- ##
- ##
- ##
-@@ -16,12 +17,15 @@ interface(`amanda_domtrans_recover',`
- ')
-
- domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
-+ corecmd_search_bin($1)
- ')
-
- ########################################
- ##
--## Execute amrecover in the amanda_recover domain, and
--## allow the specified role the amanda_recover domain.
-+## Execute a domain transition to
-+## run Amanda Recover and allow the
-+## specified role the Amanda Recover
-+## domain.
- ##
- ##
- ##
-@@ -46,7 +50,7 @@ interface(`amanda_run_recover',`
-
- ########################################
- ##
--## Search amanda library directories.
-+## Search Amanda lib directories.
- ##
- ##
- ##
-@@ -61,11 +65,13 @@ interface(`amanda_search_lib',`
-
- allow $1 amanda_usr_lib_t:dir search_dir_perms;
- files_search_usr($1)
-+ libs_search_lib($1)
- ')
-
- ########################################
- ##
--## Do not audit attempts to read /etc/dumpdates.
-+## Do not audit attempts to read
-+## dumpdates files.
- ##
- ##
- ##
-@@ -78,12 +84,12 @@ interface(`amanda_dontaudit_read_dumpdates',`
- type amanda_dumpdates_t;
- ')
-
-- dontaudit $1 amanda_dumpdates_t:file { getattr read };
-+ dontaudit $1 amanda_dumpdates_t:file read_file_perms;
- ')
-
- ########################################
- ##
--## Allow read/writing /etc/dumpdates.
-+## Read and write dumpdates files.
- ##
- ##
- ##
-@@ -97,11 +103,12 @@ interface(`amanda_rw_dumpdates_files',`
- ')
-
- allow $1 amanda_dumpdates_t:file rw_file_perms;
-+ files_search_etc($1)
- ')
-
- ########################################
- ##
--## Search amanda library directories.
-+## Search Amanda lib directories.
- ##
- ##
- ##
-@@ -116,11 +123,12 @@ interface(`amanda_manage_lib',`
-
- allow $1 amanda_usr_lib_t:dir manage_dir_perms;
- files_search_usr($1)
-+ libs_search_lib($1)
- ')
-
- ########################################
- ##
--## Allow read/writing amanda logs
-+## Read and write Amanda logs.
- ##
- ##
- ##
-@@ -134,11 +142,12 @@ interface(`amanda_append_log_files',`
- ')
-
- allow $1 amanda_log_t:file { read_file_perms append_file_perms };
-+ logging_search_logs($1)
- ')
-
- #######################################
- ##
--## Search amanda var library directories.
-+## Search Amanda lib directories.
- ##
- ##
- ##
-@@ -151,7 +160,6 @@ interface(`amanda_search_var_lib',`
- type amanda_var_lib_t;
- ')
-
-- files_search_var_lib($1)
- allow $1 amanda_var_lib_t:dir search_dir_perms;
--
-+ files_search_var_lib($1)
- ')
diff --git a/policy/modules/admin/anaconda.te b/policy/modules/admin/anaconda.te
-index 96f68e9..6cf5d7a 100644
+index f76ed8a..9a9526a 100644
--- a/policy/modules/admin/anaconda.te
+++ b/policy/modules/admin/anaconda.te
-@@ -31,6 +31,7 @@ modutils_domtrans_insmod(anaconda_t)
+@@ -30,6 +30,7 @@ modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
@@ -342,7 +243,7 @@ index 96f68e9..6cf5d7a 100644
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
-@@ -52,7 +53,7 @@ optional_policy(`
+@@ -51,7 +52,7 @@ optional_policy(`
')
optional_policy(`
@@ -379,10 +280,10 @@ index 5b43db5..fdb453c 100644
+ role $2 types brctl_t;
+')
diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te
-index 89b9f2a..9cba75f 100644
+index e0fa983..86644f0 100644
--- a/policy/modules/admin/certwatch.te
+++ b/policy/modules/admin/certwatch.te
-@@ -35,7 +35,7 @@ miscfiles_read_certs(certwatch_t)
+@@ -35,7 +35,7 @@ miscfiles_read_generic_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
userdom_use_user_terminals(certwatch_t)
@@ -1555,7 +1456,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 5f44f1b..464a11e 100644
+index 5f44f1b..2993130 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -1593,9 +1494,11 @@ index 5f44f1b..464a11e 100644
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
-@@ -134,12 +141,16 @@ template(`sudo_role_template',`
+@@ -133,13 +140,18 @@ template(`sudo_role_template',`
+ userdom_manage_user_tmp_files($1_sudo_t)
userdom_manage_user_tmp_symlinks($1_sudo_t)
userdom_use_user_terminals($1_sudo_t)
++ userdom_signal_unpriv_users($1_sudo_t)
# for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content($1_sudo_t)
+ userdom_search_user_home_content($1_sudo_t)
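Review bot: The added `userdom_signal_unpriv_users($1_sudo_t)` carries no comment saying why the sudo domain must signal unprivileged user domains, while the neighbouring grants are explained (`# for some PAM modules and for cwd`). Add a one-line comment above it naming the case that needs it, for example `# sudo relays signals to the command it started`, if that is the reason. sudo_role_template starts and ends outside this hunk, so any other signal permissions it already holds are not visible here.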
@@ -1889,10 +1792,10 @@ index 0000000..5ef90cd
+
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..90c754f
+index 0000000..b09816f
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,86 @@
+@@ -0,0 +1,91 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -1933,6 +1836,9 @@ index 0000000..90c754f
+kernel_read_system_state(chrome_sandbox_t)
+kernel_read_kernel_sysctls(chrome_sandbox_t)
+
++fs_manage_cgroup_dirs(chrome_sandbox_t)
++fs_manage_cgroup_files(chrome_sandbox_t)
++
+corecmd_exec_bin(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
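Review bot: `fs_manage_cgroup_dirs(chrome_sandbox_t)` and `fs_manage_cgroup_files(chrome_sandbox_t)` give the sandbox helper manage-level (create, delete, write) access to cgroup objects, with no comment on what requires it. chrome_sandbox_t is the domain that contains browser content, so a grant this wide on a kernel filesystem should be justified in place. If the helper only reads or writes existing cgroup files, a narrower read/write interface would be enough; confirm against the denials that prompted the change. At minimum add a comment such as `# chrome-sandbox places its child processes in a cgroup`, adjusted to the real reason.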
@@ -1955,6 +1861,8 @@ index 0000000..90c754f
+miscfiles_read_localization(chrome_sandbox_t)
+miscfiles_read_fonts(chrome_sandbox_t)
+
++sysnet_dontaudit_read_config(chrome_sandbox_t)
++
+optional_policy(`
+ execmem_exec(chrome_sandbox_t)
+')
@@ -2344,7 +2252,7 @@ index 00a19e3..46db5ff 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..db1a0d0 100644
+index f5afe78..250935a 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -37,8 +37,7 @@ interface(`gnome_role',`
@@ -2357,7 +2265,7 @@ index f5afe78..db1a0d0 100644
##
##
##
-@@ -46,37 +45,36 @@ interface(`gnome_role',`
+@@ -46,19 +45,276 @@ interface(`gnome_role',`
##
##
#
@@ -2380,94 +2288,73 @@ index f5afe78..db1a0d0 100644
##
-##
+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--template(`gnome_read_gconf_config',`
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_domtrans_gconfd',`
- gen_require(`
-- type gconf_etc_t;
++ gen_require(`
+ type gconfd_t, gconfd_exec_t;
- ')
-
-- allow $1 gconf_etc_t:dir list_dir_perms;
-- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-- files_search_etc($1)
++ ')
++
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
- ')
-
--#######################################
++')
++
+########################################
- ##
--## Create, read, write, and delete gconf config files.
++##
+## Dontaudit search gnome homedir content (.config)
- ##
- ##
- ##
-@@ -84,37 +82,38 @@ template(`gnome_read_gconf_config',`
- ##
- ##
- #
--interface(`gnome_manage_gconf_config',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_dontaudit_search_config',`
- gen_require(`
-- type gconf_etc_t;
++ gen_require(`
+ attribute gnome_home_type;
- ')
-
-- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
-- files_search_etc($1)
++ ')
++
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
- ')
-
- ########################################
- ##
--## gconf connection template.
++')
++
++########################################
++##
+## manage gnome homedir content (.config)
- ##
--##
++##
+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`gnome_stream_connect_gconf',`
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_manage_config',`
- gen_require(`
-- type gconfd_t, gconf_tmp_t;
++ gen_require(`
+ attribute gnome_home_type;
- ')
-
-- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
-- allow $1 gconfd_t:unix_stream_socket connectto;
++ ')
++
+ allow $1 gnome_home_type:dir manage_dir_perms;
+ allow $1 gnome_home_type:file manage_file_perms;
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
+ userdom_search_user_home_dirs($1)
- ')
-
- ########################################
- ##
--## Run gconfd in gconfd domain.
++')
++
++########################################
++##
+## Send general signals to all gconf domains.
- ##
- ##
- ##
-@@ -122,12 +121,139 @@ interface(`gnome_stream_connect_gconf',`
- ##
- ##
- #
--interface(`gnome_domtrans_gconfd',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_signal_all',`
- gen_require(`
-- type gconfd_t, gconfd_exec_t;
++ gen_require(`
+ attribute gnomedomain;
- ')
-
-- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
++ ')
++
+ allow $1 gnomedomain:process signal;
+')
+
@@ -2596,14 +2483,10 @@ index f5afe78..db1a0d0 100644
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
- ')
-
- ########################################
-@@ -151,40 +277,306 @@ interface(`gnome_setattr_config_dirs',`
-
- ########################################
- ##
--## Read gnome homedir content (.config)
++')
++
++########################################
++##
+## Create objects in a Gnome gconf home directory
+## with an automatic type transition to
+## a specified private type.
@@ -2659,24 +2542,21 @@ index f5afe78..db1a0d0 100644
+########################################
+##
+## read gconf config files
- ##
++##
+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+template(`gnome_read_gconf_config',`
-+ gen_require(`
-+ type gconf_etc_t;
-+ ')
-+
-+ allow $1 gconf_etc_t:dir list_dir_perms;
-+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
-+')
-+
-+#######################################
-+##
+ ##
+ ## Domain allowed access.
+ ##
+@@ -71,12 +327,31 @@ template(`gnome_read_gconf_config',`
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+- files_search_etc($1)
+ ')
+
+ #######################################
+ ##
+-## Create, read, write, and delete gconf config files.
+## Manage gconf config files
+##
+##
@@ -2698,84 +2578,109 @@ index f5afe78..db1a0d0 100644
+##
+## Execute gconf programs in
+## in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -84,37 +359,39 @@ template(`gnome_read_gconf_config',`
+ ##
+ ##
+ #
+-interface(`gnome_manage_gconf_config',`
+interface(`gnome_exec_gconf',`
-+ gen_require(`
+ gen_require(`
+- type gconf_etc_t;
+ type gconfd_exec_t;
-+ ')
-+
+ ')
+
+- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
+- files_search_etc($1)
+ can_exec($1, gconfd_exec_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## gconf connection template.
+## Read gconf home files
-+##
+ ##
+-##
+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`gnome_stream_connect_gconf',`
+interface(`gnome_read_gconf_home_files',`
-+ gen_require(`
+ gen_require(`
+- type gconfd_t, gconf_tmp_t;
+ type gconf_home_t;
+ type data_home_t;
-+ ')
-+
+ ')
+
+- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
+- allow $1 gconfd_t:unix_stream_socket connectto;
+ allow $1 gconf_home_t:dir list_dir_perms;
+ allow $1 data_home_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
+ read_files_pattern($1, data_home_t, data_home_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Run gconfd in gconfd domain.
+## search gconf homedir (.local)
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -122,12 +399,13 @@ interface(`gnome_stream_connect_gconf',`
+ ##
+ ##
+ #
+-interface(`gnome_domtrans_gconfd',`
+interface(`gnome_search_gconf',`
-+ gen_require(`
+ gen_require(`
+- type gconfd_t, gconfd_exec_t;
+ type gconf_home_t;
-+ ')
-+
+ ')
+
+- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+@@ -151,40 +429,173 @@ interface(`gnome_setattr_config_dirs',`
+
+ ########################################
+ ##
+-## Read gnome homedir content (.config)
+## Append gconf home files
-+##
+ ##
+-##
+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-template(`gnome_read_config',`
+interface(`gnome_append_gconf_home_files',`
-+ gen_require(`
+ gen_require(`
+- type gnome_home_t;
+ type gconf_home_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
+- read_files_pattern($1, gnome_home_t, gnome_home_t)
+- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+ append_files_pattern($1, gconf_home_t, gconf_home_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## manage gnome homedir content (.config)
+## manage gconf home files
-+##
+ ##
+##
+##
+## Domain allowed access.
@@ -2825,21 +2730,39 @@ index f5afe78..db1a0d0 100644
##
##
#
--template(`gnome_read_config',`
+-interface(`gnome_manage_config',`
+template(`gnome_list_home_config',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
')
-- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
-- read_files_pattern($1, gnome_home_t, gnome_home_t)
-- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
+- allow $1 gnome_home_t:dir manage_dir_perms;
+- allow $1 gnome_home_t:file manage_file_perms;
+ allow $1 config_home_t:dir list_dir_perms;
+')
+
+########################################
+##
++## Set attributes of gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`gnome_setattr_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
+ userdom_search_user_home_dirs($1)
+ ')
++
++########################################
++##
+## read gnome homedir content (.config)
+##
+##
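Review bot: The summary of the new `gnome_setattr_home_config` says "Set attributes of gnome homedir content (.config)", but its only type rule is `setattr_dirs_pattern($1, config_home_t, config_home_t)`, which covers directories only. Reword the summary to `## Set attributes of gnome homedir config directories (.config)` so that callers do not assume files are included. It is also declared with `template(` although it only grants access to `$1`; `interface(`, as used for `gnome_manage_config`, would be the consistent form.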
@@ -2854,29 +2777,23 @@ index f5afe78..db1a0d0 100644
+ ')
+
+ read_files_pattern($1, config_home_t, config_home_t)
- ')
-
- ########################################
- ##
- ## manage gnome homedir content (.config)
- ##
--##
++')
++
++########################################
++##
++## manage gnome homedir content (.config)
++##
+##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`gnome_manage_config',`
++##
++## Domain allowed access.
++##
++##
++#
+template(`gnome_manage_home_config',`
- gen_require(`
-- type gnome_home_t;
++ gen_require(`
+ type config_home_t;
- ')
-
-- allow $1 gnome_home_t:dir manage_dir_perms;
-- allow $1 gnome_home_t:file manage_file_perms;
-- userdom_search_user_home_dirs($1)
++ ')
++
+ manage_files_pattern($1, config_home_t, config_home_t)
+')
+
@@ -2917,7 +2834,7 @@ index f5afe78..db1a0d0 100644
+
+ allow $1 gconfdefaultsm_t:dbus send_msg;
+ allow gconfdefaultsm_t $1:dbus send_msg;
- ')
++')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 35f7486..26852d2 100644
--- a/policy/modules/apps/gnome.te
@@ -3777,7 +3694,7 @@ index 9a6d67d..47aa143 100644
## mozilla over dbus.
##
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..ec6a1ff 100644
+index cbf4bec..7c260fa 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3850,7 +3767,7 @@ index cbf4bec..ec6a1ff 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,79 @@ optional_policy(`
+@@ -266,3 +291,89 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -3878,6 +3795,8 @@ index cbf4bec..ec6a1ff 100644
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+
++can_exec(mozilla_plugin_t, mozilla_exec_t)
++
+kernel_read_kernel_sysctls(mozilla_plugin_t)
+kernel_read_system_state(mozilla_plugin_t)
+kernel_request_load_module(mozilla_plugin_t)
@@ -3888,6 +3807,8 @@ index cbf4bec..ec6a1ff 100644
+dev_read_urand(mozilla_plugin_t)
+dev_read_video_dev(mozilla_plugin_t)
+dev_read_sysfs(mozilla_plugin_t)
++dev_read_sound(mozilla_plugin_t)
++dev_write_sound(mozilla_plugin_t)
+
+domain_use_interactive_fds(mozilla_plugin_t)
+domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
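Review bot: `dev_read_sound(mozilla_plugin_t)` is granted unconditionally next to `dev_write_sound`. Going by the interface names, that lets every confined browser plugin read from the sound devices (capture) as well as play audio. If playback is the motivating case, keep the write grant and wrap the read grant in a boolean, e.g. `tunable_policy(`<plugin_audio_capture_boolean>',` ... `')` (placeholder name), so an administrator can switch capture off. If capture is required, say so in a comment above the two lines.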
@@ -3908,11 +3829,16 @@ index cbf4bec..ec6a1ff 100644
+userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
+
+optional_policy(`
++ alsa_read_rw_config(mozilla_plugin_t)
++')
++
++optional_policy(`
+ dbus_read_lib_files(mozilla_plugin_t)
+')
+
+optional_policy(`
+ gnome_manage_home_config(mozilla_plugin_t)
++ gnome_setattr_home_config(mozilla_plugin_t)
+')
+
+optional_policy(`
@@ -3929,6 +3855,7 @@ index cbf4bec..ec6a1ff 100644
+optional_policy(`
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
++ xserver_use_user_fonts(mozilla_plugin_t)
+')
diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index d8ea41d..8bdc526 100644
@@ -4430,10 +4357,10 @@ index 0000000..c779d44
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..23890a7
+index 0000000..7bc0dcf
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,308 @@
+@@ -0,0 +1,310 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -4499,6 +4426,8 @@ index 0000000..23890a7
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket create_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
++read_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++read_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
+
+tunable_policy(`allow_nsplugin_execmem',`
+ allow nsplugin_t self:process { execstack execmem };
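Review bot: The two added rules use `nsplugin_config_t` as the source domain but sit in the middle of the nsplugin_t rules, directly after `allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;`. If nsplugin_t was intended, the plugin domain still cannot read the files it may list, and the config domain has gained access it did not need. If nsplugin_config_t was intended, move both lines to that domain's local policy section so the grant is reviewed with the rest of it. The remainder of both sections is outside the hunk, so the intended domain cannot be confirmed from here.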
@@ -4931,7 +4860,7 @@ index 690589e..815d35d 100644
optional_policy(`
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index 2ba7787..3b0d3be 100644
+index 2ba7787..15fef11 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -35,6 +35,10 @@ interface(`pulseaudio_role',`
@@ -4945,6 +4874,22 @@ index 2ba7787..3b0d3be 100644
allow $2 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')
+@@ -215,6 +219,7 @@ interface(`pulseaudio_read_home_files',`
+
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ ')
+
+ ########################################
+@@ -233,6 +238,7 @@ interface(`pulseaudio_rw_home_files',`
+ ')
+
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ userdom_search_user_home_dirs($1)
+ ')
+
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 5c2680c..db96581 100644
--- a/policy/modules/apps/pulseaudio.te
@@ -5186,10 +5131,10 @@ index 0000000..15778fd
+# No types are sandbox_exec_t
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644
-index 0000000..c20d303
+index 0000000..5dd356f
--- /dev/null
+++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,336 @@
+
+## policy for sandbox
+
@@ -5246,6 +5191,7 @@ index 0000000..c20d303
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
+
++ can_exec($1, sandbox_file_type)
+ manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
+ manage_sock_files_pattern($1, sandbox_file_type, sandbox_file_type);
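Review bot: `can_exec($1, sandbox_file_type)` lets the calling domain execute files of this type without a domain transition. The `manage_files_pattern` line right below also lets the caller create and write those files, and the sandboxed processes presumably write them too. Content produced inside a sandbox could therefore run later with the caller's permissions instead of the sandbox's. If the aim is to start a program inside the sandbox, a transition into the sandbox domain is the safer form. Otherwise add a comment above the line stating which program is executed and why. The interface begins and ends outside the hunk.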
@@ -6269,10 +6215,10 @@ index 0000000..3d12484
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..c7250ae
+index 0000000..aa34be4
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,318 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -6345,15 +6291,13 @@ index 0000000..c7250ae
+files_read_etc_files(telepathy_msn_t)
+files_read_usr_files(telepathy_msn_t)
+
-+kernel_read_system_state(telepathy_msn_t)
-+
+auth_use_nsswitch(telepathy_msn_t)
+
+libs_exec_ldconfig(telepathy_msn_t)
+
+logging_send_syslog_msg(telepathy_msn_t)
+
-+miscfiles_read_certs(telepathy_msn_t)
++miscfiles_read_all_certs(telepathy_msn_t)
+
+sysnet_read_config(telepathy_msn_t)
+
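Review bot: `miscfiles_read_all_certs(telepathy_msn_t)` replaces `miscfiles_read_certs` here, whereas the other renames visible in this commit go to `miscfiles_read_generic_certs` (certwatch_t, abrt_t). As the name indicates, the `all` variant covers every certificate type rather than only the generic one, which is more than an IM connection manager would normally need to validate a server. Unless a denial on a non-generic certificate type prompted this, use `miscfiles_read_generic_certs(telepathy_msn_t)`. The same applies to `telepathy_gabble_t` in the next hunk.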
@@ -6404,7 +6348,7 @@ index 0000000..c7250ae
+files_read_config_files(telepathy_gabble_t)
+files_read_usr_files(telepathy_gabble_t)
+
-+miscfiles_read_certs(telepathy_gabble_t)
++miscfiles_read_all_certs(telepathy_gabble_t)
+
+sysnet_read_config(telepathy_gabble_t)
+
@@ -6538,8 +6482,6 @@ index 0000000..c7250ae
+files_read_etc_files(telepathy_sunshine_t)
+files_read_usr_files(telepathy_sunshine_t)
+
-+kernel_read_system_state(telepathy_sunshine_t)
-+
+optional_policy(`
+ xserver_read_xdm_pid(telepathy_sunshine_t)
+ xserver_stream_connect(telepathy_sunshine_t)
@@ -6550,7 +6492,7 @@ index 0000000..c7250ae
+# telepathy domains common policy
+#
+
-+allow telepathy_domain self:process { getsched signal };
++allow telepathy_domain self:process { getsched signal sigkill };
+allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+allow telepathy_domain self:tcp_socket create_socket_perms;
+allow telepathy_domain self:udp_socket create_socket_perms;
@@ -6565,6 +6507,8 @@ index 0000000..c7250ae
+corenet_tcp_sendrecv_generic_node(telepathy_domain)
+corenet_udp_bind_generic_node(telepathy_domain)
+
++kernel_read_system_state(telepathy_domain)
++
+fs_search_auto_mountpoints(telepathy_domain)
+
+miscfiles_read_localization(telepathy_domain)
@@ -6914,7 +6858,7 @@ index 82842a0..369c3b5 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..b42af1b 100644
+index 0eb1d97..93c9ec1 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -9,8 +9,11 @@
@@ -6948,26 +6892,29 @@ index 0eb1d97..b42af1b 100644
#
# /lib
#
-@@ -126,6 +134,7 @@ ifdef(`distro_gentoo',`
+@@ -126,6 +134,8 @@ ifdef(`distro_gentoo',`
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')
++/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
#
# /sbin
-@@ -145,6 +154,10 @@ ifdef(`distro_gentoo',`
+@@ -145,6 +155,12 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/opt/google/talkplugin/cron(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
++/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
ifdef(`distro_gentoo',`
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -169,6 +182,7 @@ ifdef(`distro_gentoo',`
+@@ -169,6 +185,7 @@ ifdef(`distro_gentoo',`
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6975,7 +6922,7 @@ index 0eb1d97..b42af1b 100644
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -218,8 +232,11 @@ ifdef(`distro_gentoo',`
+@@ -218,8 +235,11 @@ ifdef(`distro_gentoo',`
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -6987,7 +6934,7 @@ index 0eb1d97..b42af1b 100644
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -228,6 +245,8 @@ ifdef(`distro_gentoo',`
+@@ -228,6 +248,8 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -6996,7 +6943,7 @@ index 0eb1d97..b42af1b 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -314,6 +333,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +336,7 @@ ifdef(`distro_redhat', `
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -7004,7 +6951,7 @@ index 0eb1d97..b42af1b 100644
')
ifdef(`distro_suse', `
-@@ -340,3 +360,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +363,27 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -7585,10 +7532,36 @@ index eb9c360..20c2d34 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index aad8c52..09d4b31 100644
+index aad8c52..0d8458a 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
-@@ -611,7 +611,7 @@ interface(`domain_read_all_domains_state',`
+@@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',`
+
+ ########################################
+ ##
++## Dontaudit sending general signals to all domains.
++##
++##
++##
++## Domain to not audit.
++##
++##
++##
++#
++interface(`domain_dontaudit_signal_all_domains',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ dontaudit $1 domain:process signal;
++')
++
++########################################
++##
+ ## Send a null signal to all domains.
+ ##
+ ##
+@@ -611,7 +630,7 @@ interface(`domain_read_all_domains_state',`
########################################
##
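Review bot: The new `domain_dontaudit_signal_all_domains` suppresses the audit record for denied `signal` attempts against every domain, and its summary does not say when that is acceptable. Those denials are one of the few traces left when a confined process tries to interfere with others, so the description should limit the interface to callers whose denied signals are known noise. Add a description line such as `## Use only for domains whose denied signals are known noise; this hides the AVC denials from the audit log.` No caller is added in this hunk.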
@@ -7597,7 +7570,7 @@ index aad8c52..09d4b31 100644
##
##
##
-@@ -630,7 +630,7 @@ interface(`domain_getattr_all_domains',`
+@@ -630,7 +649,7 @@ interface(`domain_getattr_all_domains',`
########################################
##
@@ -7606,7 +7579,7 @@ index aad8c52..09d4b31 100644
##
##
##
-@@ -1473,3 +1473,22 @@ interface(`domain_unconfined',`
+@@ -1473,3 +1492,22 @@ interface(`domain_unconfined',`
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
')
@@ -8843,7 +8816,7 @@ index 437a42a..8d6d333 100644
+')
+
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 0dff98e..31ebaa7 100644
+index 0dff98e..a09ab47 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -52,6 +52,7 @@ type anon_inodefs_t;
@@ -8871,7 +8844,7 @@ index 0dff98e..31ebaa7 100644
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
-+dev_associate_sysfs(hugetlbfs_t)
++dev_associate(hugetlbfs_t)
type ibmasmfs_t;
fs_type(ibmasmfs_t)
@@ -9369,7 +9342,7 @@ index ebe6a9c..e3a1987 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 0c9876c..fabc1a0 100644
+index 0c9876c..06b7974 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,17 +8,55 @@ policy_module(staff, 2.1.1)
@@ -9428,7 +9401,7 @@ index 0c9876c..fabc1a0 100644
auditadm_role_change(staff_r)
')
-@@ -27,6 +65,18 @@ optional_policy(`
+@@ -27,6 +65,23 @@ optional_policy(`
')
optional_policy(`
@@ -9444,10 +9417,15 @@ index 0c9876c..fabc1a0 100644
+')
+
+optional_policy(`
++ oident_manage_user_content(staff_t)
++ oident_relabel_user_content(staff_t)
++')
++
++optional_policy(`
postgresql_role(staff_r, staff_t)
')
-@@ -35,6 +85,18 @@ optional_policy(`
+@@ -35,6 +90,18 @@ optional_policy(`
')
optional_policy(`
@@ -9466,7 +9444,7 @@ index 0c9876c..fabc1a0 100644
ssh_role_template(staff, staff_r, staff_t)
')
-@@ -48,6 +110,10 @@ optional_policy(`
+@@ -48,6 +115,10 @@ optional_policy(`
')
optional_policy(`
@@ -9477,7 +9455,18 @@ index 0c9876c..fabc1a0 100644
xserver_role(staff_r, staff_t)
')
-@@ -137,10 +203,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +192,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- oident_manage_user_content(staff_t)
+- oident_relabel_user_content(staff_t)
+- ')
+- optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
+
+@@ -137,10 +204,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -9488,7 +9477,7 @@ index 0c9876c..fabc1a0 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +234,46 @@ ifndef(`distro_redhat',`
+@@ -172,3 +235,46 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -11365,7 +11354,7 @@ index 0b827c5..8a5d6a4 100644
##
## All of the rules required to administrate
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 93d31d5..65609e5 100644
+index 98646c4..2bd70ae 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.1.1)
@@ -11427,7 +11416,7 @@ index 93d31d5..65609e5 100644
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -140,6 +151,15 @@ miscfiles_read_certs(abrt_t)
+@@ -140,6 +151,15 @@ miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -11944,7 +11933,7 @@ index adb3d5f..de26af5 100644
########################################
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index cf34b4e..cc216a4 100644
+index 3e8002a..31f4612 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -92,9 +92,10 @@ manage_sock_files_pattern(amavis_t, amavis_var_log_t, amavis_var_log_t)
@@ -12488,7 +12477,7 @@ index c9e1a44..2244b11 100644
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index e33b9cd..de4388a 100644
+index 08dfa0c..86641dd 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.2.0)
@@ -12521,7 +12510,15 @@ index e33b9cd..de4388a 100644
## Allow httpd to use built in scripting (usually php)
##
##
-@@ -50,6 +66,13 @@ gen_tunable(httpd_can_network_connect, false)
+@@ -43,13 +59,20 @@ gen_tunable(httpd_builtin_scripting, false)
+
+ ##
+ ##
+-## Allow HTTPD scripts and modules to connect to the network using TCP.
++## Allow HTTPD scripts and modules to connect to the network using any TCP port.
+ ##
+ ##
+ gen_tunable(httpd_can_network_connect, false)
##
##
@@ -12563,6 +12560,15 @@ index e33b9cd..de4388a 100644
## Allow Apache to communicate with avahi service via dbus
##
##
+@@ -78,7 +115,7 @@ gen_tunable(httpd_dbus_avahi, false)
+
+ ##
+ ##
+-## Allow httpd cgi support
++## Allow httpd to execute cgi scripts
+ ##
+ ##
+ gen_tunable(httpd_enable_cgi, false)
@@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false)
##
@@ -12888,10 +12894,16 @@ index e33b9cd..de4388a 100644
')
optional_policy(`
-@@ -577,12 +723,23 @@ optional_policy(`
+@@ -577,12 +723,29 @@ optional_policy(`
')
optional_policy(`
++ passenger_domtrans(httpd_t)
++ passenger_manage_pid_content(httpd_t)
++ passenger_read_lib_files(httpd_t)
++')
++
++optional_policy(`
+ rpc_search_nfs_state_data(httpd_t)
+')
+
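Review bot: `passenger_domtrans(httpd_t)` grants more than the transition. The interface added in passenger.if later in this patch contains `allow $1 self:capability { fowner fsetid };`, so this call also gives httpd_t those two capabilities. If httpd needs them for the passenger directories, grant them in apache.te with a comment saying why, and keep the interface to the transition and socket rules; otherwise drop that line from the interface. The `optional_policy` block added here is complete, but the surrounding apache.te policy continues outside the hunk.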
@@ -12912,7 +12924,7 @@ index e33b9cd..de4388a 100644
')
')
-@@ -591,6 +748,11 @@ optional_policy(`
+@@ -591,6 +754,11 @@ optional_policy(`
')
optional_policy(`
@@ -12924,7 +12936,7 @@ index e33b9cd..de4388a 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +765,10 @@ optional_policy(`
+@@ -603,6 +771,10 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -12935,7 +12947,7 @@ index e33b9cd..de4388a 100644
########################################
#
# Apache helper local policy
-@@ -618,6 +784,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +790,10 @@ logging_send_syslog_msg(httpd_helper_t)
userdom_use_user_terminals(httpd_helper_t)
@@ -12946,7 +12958,7 @@ index e33b9cd..de4388a 100644
########################################
#
# Apache PHP script local policy
-@@ -699,17 +869,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +875,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -12968,7 +12980,7 @@ index e33b9cd..de4388a 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +911,21 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +917,21 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -12991,7 +13003,7 @@ index e33b9cd..de4388a 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +951,12 @@ optional_policy(`
+@@ -769,6 +957,12 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -13004,7 +13016,7 @@ index e33b9cd..de4388a 100644
########################################
#
# Apache system script local policy
-@@ -792,9 +980,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +986,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
files_search_var_lib(httpd_sys_script_t)
files_search_spool(httpd_sys_script_t)
@@ -13018,7 +13030,7 @@ index e33b9cd..de4388a 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,6 +995,28 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1001,28 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -13047,7 +13059,7 @@ index e33b9cd..de4388a 100644
tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1044,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1050,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -13064,7 +13076,7 @@ index e33b9cd..de4388a 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1066,7 @@ optional_policy(`
+@@ -842,6 +1072,7 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -13072,7 +13084,7 @@ index e33b9cd..de4388a 100644
')
optional_policy(`
-@@ -891,11 +1116,33 @@ optional_policy(`
+@@ -891,11 +1122,33 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -13223,10 +13235,10 @@ index b9e94c4..608e3a1 100644
')
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
-index a3eaf94..ac13727 100644
+index 39799db..6189565 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
-@@ -145,6 +145,7 @@ miscfiles_read_certs(automount_t)
+@@ -145,6 +145,7 @@ miscfiles_read_generic_certs(automount_t)
# Run mount in the mount_t domain.
mount_domtrans(automount_t)
@@ -13247,7 +13259,7 @@ index 210ca0b..e51354d 100644
allow avahi_t $1:dbus send_msg;
')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
-index e4c76d0..0aa1998 100644
+index b7bf6f0..803adbf 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -37,10 +37,11 @@ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
@@ -13318,7 +13330,7 @@ index 44a1e3d..71f5514 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 2be1518..190b0bc 100644
+index 4deca04..ece1f1f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
@@ -13580,7 +13592,7 @@ index 0000000..9f4885c
+')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644
-index 0000000..62a48ac
+index 0000000..aaf0ba3
--- /dev/null
+++ b/policy/modules/services/boinc.te
@@ -0,0 +1,153 @@
@@ -13685,7 +13697,7 @@ index 0000000..62a48ac
+term_dontaudit_getattr_ptmx(boinc_t)
+
+miscfiles_read_localization(boinc_t)
-+miscfiles_read_certs(boinc_t)
++miscfiles_read_generic_certs(boinc_t)
+
+logging_send_syslog_msg(boinc_t)
+
@@ -14162,7 +14174,7 @@ index 4c90b57..bffe6b6 100644
unconfined_use_fds(ccs_t)
')
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
-index 27fe7ca..221ea9e 100644
+index 9629d3d..f9335fb 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -18,6 +18,25 @@ interface(`certmaster_domtrans',`
@@ -14192,7 +14204,7 @@ index 27fe7ca..221ea9e 100644
##
## read certmaster logs.
diff --git a/policy/modules/services/certmaster.te b/policy/modules/services/certmaster.te
-index 1573914..6e32117 100644
+index d8b8639..da60c93 100644
--- a/policy/modules/services/certmaster.te
+++ b/policy/modules/services/certmaster.te
@@ -60,6 +60,7 @@ corenet_tcp_bind_generic_node(certmaster_t)
@@ -14219,7 +14231,7 @@ index a3728d4..7a6e5ba 100644
+ admin_pattern($1, certmonger_var_run_t)
')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index 9e83ed7..52312f5 100644
+index 7106981..261a37c 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -68,5 +68,5 @@ optional_policy(`
@@ -15172,24 +15184,10 @@ index 3a6d7eb..2098ee9 100644
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 7d2cf85..9d97456 100644
+index 7d2cf85..fdb0dcb 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
-@@ -5,6 +5,13 @@ policy_module(corosync, 1.0.0)
- # Declarations
- #
-
-+##
-+##
-+## Allow corosync to read and write generic tmpfs files.
-+##
-+##
-+gen_tunable(allow_corosync_rw_tmpfs, false)
-+
- type corosync_t;
- type corosync_exec_t;
- init_daemon_domain(corosync_t, corosync_exec_t)
-@@ -32,8 +39,8 @@ files_pid_file(corosync_var_run_t)
+@@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
# corosync local policy
#
@@ -15200,7 +15198,7 @@ index 7d2cf85..9d97456 100644
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
-@@ -41,6 +48,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
+@@ -41,6 +41,8 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
@@ -15209,7 +15207,7 @@ index 7d2cf85..9d97456 100644
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
-@@ -63,8 +72,10 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+@@ -63,8 +65,10 @@ manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
@@ -15220,7 +15218,7 @@ index 7d2cf85..9d97456 100644
corenet_udp_bind_netsupport_port(corosync_t)
-@@ -73,6 +84,7 @@ dev_read_urand(corosync_t)
+@@ -73,6 +77,7 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
@@ -15228,18 +15226,23 @@ index 7d2cf85..9d97456 100644
auth_use_nsswitch(corosync_t)
-@@ -83,19 +95,30 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +88,35 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
+userdom_delete_user_tmpfs_files(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
-+tunable_policy(`allow_corosync_rw_tmpfs',`
-+ fs_rw_tmpfs_files(corosync_t)
+ optional_policy(`
++ gen_require(`
++ attribute unconfined_services;
++ ')
++
++ fs_manage_tmpfs_files(corosync_t)
++ init_manage_script_status_files(corosync_t)
+')
+
- optional_policy(`
++optional_policy(`
ccs_read_config(corosync_t)
')
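Review bot: Replacing the `allow_corosync_rw_tmpfs` tunable with an `optional_policy` block keyed on `attribute unconfined_services` turns an administrator opt-in (the boolean was declared `false`) into a grant that applies wherever that attribute is declared. It also widens the access from `fs_rw_tmpfs_files` to `fs_manage_tmpfs_files` plus `init_manage_script_status_files`. Neither rule in the block uses the required attribute, so it appears to act only as a switch; a comment such as `# only when the unconfined module is loaded` would make that intent explicit. If create and delete access to generic tmpfs files is not required, keep the boolean and put the broader rule behind it. The tunable's declaration is removed in the earlier corosync.te hunk of this patch.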
@@ -16023,7 +16026,7 @@ index 346f926..1f789f8 100644
kernel_read_system_state(cyphesis_t)
kernel_read_kernel_sysctls(cyphesis_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
-index 2a0f1c1..ab82c3c 100644
+index e182bf4..f80e725 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -16162,7 +16165,7 @@ index 39e901a..87fc055 100644
+')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index b738e94..4b3d9c4 100644
+index b354128..c725cae 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
@@ -16485,7 +16488,7 @@ index e1d7dc5..09f6f30 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index 14c6a2e..c771d46 100644
+index cbe14e4..64bc566 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16497,7 +16500,17 @@ index 14c6a2e..c771d46 100644
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
-@@ -58,7 +58,7 @@ files_pid_file(dovecot_var_run_t)
+@@ -26,6 +26,9 @@ domain_type(dovecot_deliver_t)
+ domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
+ role system_r types dovecot_deliver_t;
+
++type dovecot_deliver_tmp_t;
++files_tmp_file(dovecot_deliver_tmp_t)
++
+ type dovecot_etc_t;
+ files_config_file(dovecot_etc_t)
+
+@@ -58,7 +61,7 @@ files_pid_file(dovecot_var_run_t)
allow dovecot_t self:capability { dac_override dac_read_search chown kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
@@ -16506,7 +16519,7 @@ index 14c6a2e..c771d46 100644
allow dovecot_t self:fifo_file rw_fifo_file_perms;
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
-@@ -72,7 +72,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+@@ -72,7 +75,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
@@ -16516,7 +16529,7 @@ index 14c6a2e..c771d46 100644
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +95,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,10 +98,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -16529,7 +16542,7 @@ index 14c6a2e..c771d46 100644
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
-@@ -159,6 +161,11 @@ optional_policy(`
+@@ -159,6 +164,11 @@ optional_policy(`
')
optional_policy(`
@@ -16541,7 +16554,7 @@ index 14c6a2e..c771d46 100644
postgresql_stream_connect(dovecot_t)
')
-@@ -242,6 +249,7 @@ optional_policy(`
+@@ -242,6 +252,7 @@ optional_policy(`
')
optional_policy(`
@@ -16549,7 +16562,7 @@ index 14c6a2e..c771d46 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -253,19 +261,27 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
+@@ -253,19 +264,31 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
@@ -16561,6 +16574,10 @@ index 14c6a2e..c771d46 100644
+
+append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
+
++manage_dirs_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t)
++files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
++
+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
+
kernel_read_all_sysctls(dovecot_deliver_t)
@@ -16579,7 +16596,7 @@ index 14c6a2e..c771d46 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -302,4 +318,5 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -302,4 +325,5 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
@@ -16673,7 +16690,7 @@ index 6bef7f8..0217906 100644
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index db36bfa..b55c438 100644
+index f28f64b..6c819a3 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -35,6 +35,9 @@ mta_mailserver_user_agent(exim_t)
@@ -16751,7 +16768,7 @@ index 2a69e5e..fd30b02 100644
iptables_domtrans(fail2ban_t)
')
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
-index c92403b..f50e0f1 100644
+index dc2c044..5f5b57b 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -37,8 +37,9 @@ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
@@ -16766,9 +16783,21 @@ index c92403b..f50e0f1 100644
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
-index 7df52c7..54fada0 100644
+index 7df52c7..899feaf 100644
--- a/policy/modules/services/fprintd.te
+++ b/policy/modules/services/fprintd.te
+@@ -17,9 +17,9 @@ files_type(fprintd_var_lib_t)
+ # Local policy
+ #
+
+-allow fprintd_t self:capability sys_ptrace;
++allow fprintd_t self:capability { sys_nice sys_ptrace };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+-allow fprintd_t self:process { getsched signal };
++allow fprintd_t self:process { getsched setsched signal };
+
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
@@ -54,4 +54,5 @@ optional_policy(`
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
@@ -17673,6 +17702,15 @@ index 7382f85..cf17085 100644
+git_role_template(git_shell)
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
+
+diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
+index 462de63..a8ce02e 100644
+--- a/policy/modules/services/gnomeclock.fc
++++ b/policy/modules/services/gnomeclock.fc
+@@ -1,2 +1,4 @@
+ /usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
++/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++
diff --git a/policy/modules/services/gnomeclock.if b/policy/modules/services/gnomeclock.if
index 671d8fd..da0e844 100644
--- a/policy/modules/services/gnomeclock.if
@@ -18255,7 +18293,7 @@ index 3525d24..e5db539 100644
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
-index 8edc29b..6deff48 100644
+index 8edc29b..225e33f 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -126,10 +126,13 @@ corenet_udp_sendrecv_all_ports(kadmind_t)
@@ -18276,7 +18314,7 @@ index 8edc29b..6deff48 100644
logging_send_syslog_msg(kadmind_t)
-+miscfiles_read_certs(kadmind_t)
++miscfiles_read_generic_certs(kadmind_t)
miscfiles_read_localization(kadmind_t)
seutil_read_file_contexts(kadmind_t)
@@ -18294,7 +18332,7 @@ index 8edc29b..6deff48 100644
logging_send_syslog_msg(krb5kdc_t)
-+miscfiles_read_certs(krb5kdc_t)
++miscfiles_read_generic_certs(krb5kdc_t)
miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
@@ -18487,7 +18525,7 @@ index 3aa8fa7..e5684f4 100644
########################################
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index ffa96c6..a715c65 100644
+index 64fd1ff..ee5e345 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -20477,7 +20515,7 @@ index 2324d9e..1a1bfe4 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 442cff9..45ecee3 100644
+index 0619395..02ae4e0 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
@@ -20948,7 +20986,7 @@ index 4996f62..975deca 100644
kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index f3d5790..80161cd 100644
+index 8b550f4..ba7c06b 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t)
@@ -20992,7 +21030,7 @@ index f3d5790..80161cd 100644
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-@@ -113,9 +121,11 @@ sysnet_manage_config(openvpn_t)
+@@ -113,19 +121,19 @@ sysnet_manage_config(openvpn_t)
sysnet_etc_filetrans_config(openvpn_t)
userdom_use_user_terminals(openvpn_t)
@@ -21005,7 +21043,17 @@ index f3d5790..80161cd 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -138,3 +148,7 @@ optional_policy(`
+ fs_read_nfs_files(openvpn_t)
+- fs_read_nfs_symlinks(openvpn_t)
+ ')
+
+ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(openvpn_t)
+- fs_read_cifs_symlinks(openvpn_t)
+ ')
+
+ optional_policy(`
+@@ -138,3 +146,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
@@ -21013,6 +21061,167 @@ index f3d5790..80161cd 100644
+optional_policy(`
+ unconfined_attach_tun_iface(openvpn_t)
+')
+diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc
+new file mode 100644
+index 0000000..8d00972
+--- /dev/null
++++ b/policy/modules/services/passenger.fc
+@@ -0,0 +1,6 @@
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
++
++/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
+diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if
+new file mode 100644
+index 0000000..7ca90f6
+--- /dev/null
++++ b/policy/modules/services/passenger.if
+@@ -0,0 +1,69 @@
++## Passenger policy
++
++######################################
++##
++## Execute passenger in the passenger domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`passenger_domtrans',`
++ gen_require(`
++ type passenger_t;
++ type passenger_exec_t;
++ ')
++
++ allow $1 self:capability { fowner fsetid };
++
++ allow $1 passenger_t:process signal;
++
++ domtrans_pattern($1, passenger_exec_t, passenger_t)
++ allow $1 passenger_t:unix_stream_socket { read write shutdown };
++ allow passenger_t $1:unix_stream_socket { read write };
++')
++
++######################################
++##
++## Manage passenger var_run content.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`passenger_manage_pid_content',`
++ gen_require(`
++ type passenger_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
++')
++
++########################################
++##
++## Read passenger lib files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`passenger_read_lib_files',`
++ gen_require(`
++ type passenger_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
++')
++
+diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
+new file mode 100644
+index 0000000..9cb0d1c
+--- /dev/null
++++ b/policy/modules/services/passenger.te
+@@ -0,0 +1,68 @@
++
++policy_module(passanger,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type passenger_t;
++type passenger_exec_t;
++domain_type(passenger_t)
++domain_entry_file(passenger_t, passenger_exec_t)
++role system_r types passenger_t;
++
++type passenger_tmp_t;
++files_tmp_file(passenger_tmp_t)
++
++type passenger_var_lib_t;
++files_type(passenger_var_lib_t)
++
++type passenger_var_run_t;
++files_pid_file(passenger_var_run_t)
++
++permissive passenger_t;
++
++########################################
++#
++# passanger local policy
++#
++
++allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
++allow passenger_t self:process signal;
++
++allow passenger_t self:fifo_file rw_fifo_file_perms;
++allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++files_search_var_lib(passenger_t)
++manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
++manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
++
++manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
++files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
++
++kernel_read_system_state(passenger_t)
++kernel_read_kernel_sysctls(passenger_t)
++
++corenet_tcp_connect_http_port(passenger_t)
++
++corecmd_exec_bin(passenger_t)
++corecmd_exec_shell(passenger_t)
++
++dev_read_urand(passenger_t)
++
++files_read_etc_files(passenger_t)
++
++auth_use_nsswitch(passenger_t)
++
++miscfiles_read_localization(passenger_t)
++
++userdom_dontaudit_use_user_terminals(passenger_t)
++
++optional_policy(`
++ apache_append_log(passenger_t)
++ apache_read_sys_content(passenger_t)
++')
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index b881672..da06e9f 100644
--- a/policy/modules/services/pcscd.te
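Review bot: `permissive passenger_t;` in the new passenger.te leaves the domain unenforced, so the allow rules below it only shape audit output, while the apache.te hunk earlier in this patch lets httpd_t transition into it through `passenger_domtrans(httpd_t)`. If the permissive state is a bring-up aid, say so next to the line, for example `# TODO: drop once AVCs from passenger_t have been reviewed`, so that it is not shipped indefinitely. The module is declared as `policy_module(passanger,1.0.0)` although the file is passenger.te and every type is spelled `passenger_*`; the declaration should read `policy_module(passenger, 1.0.0)`. `passenger_tmp_t` is declared but no rule in the file uses it. In passenger.if, the `passenger_read_lib_files` parameter is described as "Domain to not audit." where "Domain allowed access." is meant.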
@@ -22025,7 +22234,7 @@ index 55e62d2..c114a40 100644
/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index c48b45b..18996a5 100644
+index 46bee12..b6d763d 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -77,6 +77,7 @@ template(`postfix_domain_template',`
@@ -23216,7 +23425,7 @@ index 0000000..cf9a327
+
+sysnet_dns_name_resolve(qpidd_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
-index c53f222..df6769b 100644
+index db6296a..b3f1fd3 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -36,7 +36,7 @@ files_pid_file(radiusd_var_run_t)
@@ -24059,7 +24268,7 @@ index cda37bb..b0eac5b 100644
+ allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index a3b9f86..eae7d14 100644
+index 8e1ab72..9ae080e 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -63,8 +63,9 @@ allow rpcd_t self:process { getcap setcap };
@@ -24073,7 +24282,7 @@ index a3b9f86..eae7d14 100644
# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
-@@ -97,15 +98,26 @@ miscfiles_read_certs(rpcd_t)
+@@ -97,15 +98,26 @@ miscfiles_read_generic_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -24762,7 +24971,7 @@ index e30bb63..2a5981d 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index 41d60ad..8655cb0 100644
+index 22184ad..87810ec 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr;
@@ -24876,7 +25085,7 @@ index 7e94c7c..4f7eb51 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 53dd7d0..668ce83 100644
+index 22dac1f..b6781d5 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -19,6 +19,9 @@ mta_sendmail_mailserver(sendmail_t)
@@ -24904,7 +25113,7 @@ index 53dd7d0..668ce83 100644
auth_use_nsswitch(sendmail_t)
-@@ -103,7 +108,7 @@ miscfiles_read_certs(sendmail_t)
+@@ -103,7 +108,7 @@ miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
@@ -25641,7 +25850,7 @@ index 078bcd7..dd706b0 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0)
+/root/\.shosts gen_context(system_u:object_r:home_ssh_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 5437ffb..8dad56a 100644
+index 22adaca..3061e83 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -36,6 +36,7 @@ template(`ssh_basic_client_template',`
@@ -26259,10 +26468,19 @@ index aa0cc45..debff69 100644
+
+iscsi_manage_semaphores(tgtd_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
-index 9fa94e4..81e8d3c 100644
+index 9fa94e4..0a0074c 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
-@@ -67,9 +67,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+@@ -42,6 +42,8 @@ files_pid_file(tor_var_run_t)
+ #
+
+ allow tor_t self:capability { setgid setuid sys_tty_config };
++allow tor_t self:process signal;
++
+ allow tor_t self:fifo_file rw_fifo_file_perms;
+ allow tor_t self:unix_stream_socket create_stream_socket_perms;
+ allow tor_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -67,9 +69,10 @@ manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
# pid file
@@ -26274,7 +26492,7 @@ index 9fa94e4..81e8d3c 100644
kernel_read_system_state(tor_t)
-@@ -88,6 +89,7 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -88,6 +91,7 @@ corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -26282,7 +26500,7 @@ index 9fa94e4..81e8d3c 100644
# tor uses crypto and needs random
dev_read_urand(tor_t)
-@@ -100,6 +102,8 @@ files_read_usr_files(tor_t)
+@@ -100,6 +104,8 @@ files_read_usr_files(tor_t)
auth_use_nsswitch(tor_t)
@@ -26751,7 +26969,7 @@ index 7c5d8d8..1a0701b 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3cce663..5a77c23 100644
+index 3eca020..f38e1ce 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -4,6 +4,7 @@ policy_module(virt, 1.4.0)
@@ -27201,7 +27419,7 @@ index 3cce663..5a77c23 100644
+')
+
diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
-index 2dec92e..c37d690 100644
+index 1174ad8..f4c4c1b 100644
--- a/policy/modules/services/w3c.te
+++ b/policy/modules/services/w3c.te
@@ -7,11 +7,18 @@ policy_module(w3c, 1.0.0)
@@ -27224,7 +27442,7 @@ index 2dec92e..c37d690 100644
corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
@@ -22,3 +29,5 @@ corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
- miscfiles_read_certs(httpd_w3c_validator_script_t)
+ miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
+
@@ -28010,7 +28228,7 @@ index da2601a..4bc9fff 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index e226da4..9b9e013 100644
+index e226da4..5fbf38f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false)
@@ -28451,7 +28669,7 @@ index e226da4..9b9e013 100644
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -410,18 +560,22 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -410,18 +560,23 @@ dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -28474,10 +28692,11 @@ index e226da4..9b9e013 100644
# Do not audit denied probes of /proc.
domain_dontaudit_read_all_domains_state(xdm_t)
+domain_dontaudit_ptrace_all_domains(xdm_t)
++domain_dontaudit_signal_all_domains(xdm_t)
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -432,9 +586,17 @@ files_list_mnt(xdm_t)
+@@ -432,9 +587,17 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
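Review bot: The added `domain_dontaudit_signal_all_domains(xdm_t)` has no comment saying which xdm operation produces the denied signals, unlike the `# Do not audit denied probes of /proc.` line just above it. A dontaudit across all domains removes the AVC records a responder would use to notice xdm_t signalling processes it should not touch, so the reason for hiding them belongs next to the rule. I would add a line such as `# Do not audit denied signals to other domains (<reason or bug reference>)` above it. Anyone debugging xdm denials later will need `semodule -DB` to see these records again. The xdm_t local policy block starts and ends outside this hunk.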
@@ -28495,7 +28714,7 @@ index e226da4..9b9e013 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -443,28 +605,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -443,28 +606,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -28534,7 +28753,7 @@ index e226da4..9b9e013 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -473,6 +643,13 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -473,6 +644,13 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -28548,7 +28767,7 @@ index e226da4..9b9e013 100644
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,11 +681,17 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -504,11 +682,17 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -28566,7 +28785,7 @@ index e226da4..9b9e013 100644
')
optional_policy(`
-@@ -516,12 +699,51 @@ optional_policy(`
+@@ -516,12 +700,51 @@ optional_policy(`
')
optional_policy(`
@@ -28618,7 +28837,7 @@ index e226da4..9b9e013 100644
hostname_exec(xdm_t)
')
-@@ -539,20 +761,64 @@ optional_policy(`
+@@ -539,20 +762,64 @@ optional_policy(`
')
optional_policy(`
@@ -28685,7 +28904,7 @@ index e226da4..9b9e013 100644
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -561,7 +827,6 @@ optional_policy(`
+@@ -561,7 +828,6 @@ optional_policy(`
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -28693,7 +28912,7 @@ index e226da4..9b9e013 100644
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -572,6 +837,10 @@ optional_policy(`
+@@ -572,6 +838,10 @@ optional_policy(`
')
optional_policy(`
@@ -28704,7 +28923,7 @@ index e226da4..9b9e013 100644
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +865,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +866,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -28713,7 +28932,7 @@ index e226da4..9b9e013 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +879,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +880,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -28732,7 +28951,7 @@ index e226da4..9b9e013 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +910,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +911,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -28754,7 +28973,7 @@ index e226da4..9b9e013 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +930,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +931,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -28762,7 +28981,7 @@ index e226da4..9b9e013 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +957,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +958,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -28770,7 +28989,7 @@ index e226da4..9b9e013 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,8 +966,13 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,8 +967,13 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -28784,7 +29003,7 @@ index e226da4..9b9e013 100644
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
files_read_usr_files(xserver_t)
-@@ -693,8 +986,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +987,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -28798,7 +29017,7 @@ index e226da4..9b9e013 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1014,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1015,14 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -28813,7 +29032,7 @@ index e226da4..9b9e013 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1074,28 @@ optional_policy(`
+@@ -773,12 +1075,28 @@ optional_policy(`
')
optional_policy(`
@@ -28843,7 +29062,7 @@ index e226da4..9b9e013 100644
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1104,10 @@ optional_policy(`
+@@ -787,6 +1105,10 @@ optional_policy(`
')
optional_policy(`
@@ -28854,7 +29073,7 @@ index e226da4..9b9e013 100644
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1123,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1124,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -28867,7 +29086,7 @@ index e226da4..9b9e013 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -826,6 +1147,13 @@ init_use_fds(xserver_t)
+@@ -826,6 +1148,13 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -28881,7 +29100,7 @@ index e226da4..9b9e013 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -841,11 +1169,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1170,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -28898,7 +29117,7 @@ index e226da4..9b9e013 100644
')
optional_policy(`
-@@ -991,3 +1322,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
+@@ -991,3 +1323,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -29320,7 +29539,7 @@ index 1c4b1e7..2997dd7 100644
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 7fddc24..395f8f3 100644
+index bea0ade..bd3185e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -29504,7 +29723,7 @@ index 7fddc24..395f8f3 100644
optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 7233a6d..bd9d529 100644
+index 54d122b..ee0fe55 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -8,6 +8,7 @@ policy_module(authlogin, 2.2.0)
@@ -29878,7 +30097,7 @@ index 9775375..b338481 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index f6aafe7..f28524b 100644
+index f6aafe7..447aaec 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -105,7 +105,11 @@ interface(`init_domain',`
@@ -30143,7 +30362,33 @@ index f6aafe7..f28524b 100644
## init scripts over dbus.
##
##
-@@ -1637,7 +1754,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1424,6 +1541,25 @@ interface(`init_getattr_script_status_files',`
+
+ ########################################
+ ##
++## Manage init script
++## status files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_manage_script_status_files',`
++ gen_require(`
++ type initrc_state_t;
++ ')
++
++ manage_files_pattern($1, initrc_state_t, initrc_state_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to read init script
+ ## status files.
+ ##
+@@ -1637,7 +1773,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -30152,7 +30397,7 @@ index f6aafe7..f28524b 100644
')
########################################
-@@ -1712,3 +1829,94 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1712,3 +1848,94 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -30248,7 +30493,7 @@ index f6aafe7..f28524b 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index abab4cf..d96bf27 100644
+index 698c11e..e0dc975 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -30569,7 +30814,7 @@ index abab4cf..d96bf27 100644
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
--miscfiles_read_certs(initrc_t)
+-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_cert_files(initrc_t)
modutils_read_module_config(initrc_t)
@@ -32162,10 +32407,18 @@ index 86ef2da..7f649d5 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 7711464..63c1b2f 100644
+index 7711464..1f0ccfd 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
-@@ -75,13 +75,11 @@ ifdef(`distro_redhat',`
+@@ -11,6 +11,7 @@ ifdef(`distro_gentoo',`
+ /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
++/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+
+ ifdef(`distro_redhat',`
+ /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
+@@ -75,13 +76,11 @@ ifdef(`distro_redhat',`
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
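Review bot: The added file context `/etc/httpd/alias/[^/]*\.db(\.[^/]*)*` labels every `.db` file in that directory as `cert_t`, not only certificate stores. If the directory also holds NSS key databases (likely for an NSS-based httpd setup, but not shown in this hunk), private key material gets a type that many domains may read. The userdomain.if part of this same patch, for example, grants `miscfiles_read_generic_certs($1_t)` to user domains. I would either narrow the pattern to the certificate database names or add a comment stating that the key databases are deliberately included and rely on file mode bits for protection.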
@@ -32182,78 +32435,10 @@ index 7711464..63c1b2f 100644
ifdef(`distro_debian',`
/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 17de283..4eeb1a5 100644
+index fe4e741..926ba65 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
-@@ -2,6 +2,50 @@
-
- ########################################
- ##
-+## Make the specified type usable as a cert file.
-+##
-+##
-+##
-+## Make the specified type usable for cert files.
-+## This will also make the type usable for files, making
-+## calls to files_type() redundant. Failure to use this interface
-+## for a temporary file may result in problems with
-+## cert management tools.
-+##
-+##
-+## Related interfaces:
-+##
-+##
-+##
-+## Example:
-+##
-+##
-+## type mycertfile_t;
-+## cert_type(mycertfile_t)
-+## allow mydomain_t mycertfile_t:file read_file_perms;
-+## files_search_etc(mydomain_t)
-+##
-+##
-+##
-+##
-+## Type to be used for files.
-+##
-+##
-+##
-+#
-+interface(`miscfiles_cert_type',`
-+ gen_require(`
-+ attribute cert_type;
-+ ')
-+
-+ typeattribute $1 cert_type;
-+ files_type($1)
-+')
-+
-+########################################
-+##
- ## Read system SSL certificates.
- ##
- ##
-@@ -13,12 +57,12 @@
- #
- interface(`miscfiles_read_certs',`
- gen_require(`
-- type cert_t;
-+ attribute cert_type;
- ')
-
-- allow $1 cert_t:dir list_dir_perms;
-- read_files_pattern($1, cert_t, cert_t)
-- read_lnk_files_pattern($1, cert_t, cert_t)
-+ allow $1 cert_type:dir list_dir_perms;
-+ read_files_pattern($1, cert_type, cert_type)
-+ read_lnk_files_pattern($1, cert_type, cert_type)
- ')
-
- ########################################
-@@ -305,9 +349,6 @@ interface(`miscfiles_read_localization',`
+@@ -414,9 +414,6 @@ interface(`miscfiles_read_localization',`
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
read_lnk_files_pattern($1, locale_t, locale_t)
@@ -32264,24 +32449,25 @@ index 17de283..4eeb1a5 100644
########################################
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index 4ac5d56..eb75070 100644
+index c51f7f5..59c70bf 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
-@@ -4,12 +4,13 @@ policy_module(miscfiles, 1.8.0)
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.8.1)
#
# Declarations
#
-+attribute cert_type;
+-
+ attribute cert_type;
#
- # cert_t is the type of files in the system certs directories.
+@@ -12,6 +11,7 @@ attribute cert_type;
#
type cert_t;
--files_type(cert_t)
-+miscfiles_cert_type(cert_t)
-
+ miscfiles_cert_type(cert_t)
++
#
# fonts_t is the type of various font
+ # files in /usr
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..def8d5a 100644
--- a/policy/modules/system/modutils.if
@@ -32649,7 +32835,7 @@ index 8b5c196..3490497 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..a2f7102 100644
+index fca6947..1f8fee9 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -32758,7 +32944,7 @@ index fca6947..a2f7102 100644
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
-@@ -81,25 +127,32 @@ files_read_isid_type_files(mount_t)
+@@ -81,25 +127,34 @@ files_read_isid_type_files(mount_t)
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
@@ -32779,6 +32965,8 @@ index fca6947..a2f7102 100644
+fs_read_fusefs_files(mount_t)
+fs_manage_nfs_dirs(mount_t)
+fs_read_nfs_symlinks(mount_t)
++fs_manage_cgroup_dirs(mount_t)
++fs_manage_cgroup_files(mount_t)
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
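Review bot: The two added lines `fs_manage_cgroup_dirs(mount_t)` and `fs_manage_cgroup_files(mount_t)` carry no comment explaining why mount needs to create and delete objects inside cgroup filesystems. Going by the interface names, this is a manage-level grant rather than the mount-on or getattr access that mounting alone would suggest, though the interface bodies are not visible here. A one-line comment above them naming the helper or use case would let a later reviewer decide whether a narrower interface is enough. The mount_t rule block continues outside this hunk.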
@@ -32794,7 +32982,7 @@ index fca6947..a2f7102 100644
term_use_all_terms(mount_t)
-@@ -108,6 +161,8 @@ auth_use_nsswitch(mount_t)
+@@ -108,6 +163,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -32803,7 +32991,7 @@ index fca6947..a2f7102 100644
logging_send_syslog_msg(mount_t)
-@@ -118,6 +173,12 @@ sysnet_use_portmap(mount_t)
+@@ -118,6 +175,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -32816,7 +33004,7 @@ index fca6947..a2f7102 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -133,10 +194,17 @@ ifdef(`distro_ubuntu',`
+@@ -133,10 +196,17 @@ ifdef(`distro_ubuntu',`
')
')
@@ -32834,7 +33022,7 @@ index fca6947..a2f7102 100644
')
optional_policy(`
-@@ -166,6 +234,8 @@ optional_policy(`
+@@ -166,6 +236,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -32843,7 +33031,7 @@ index fca6947..a2f7102 100644
')
optional_policy(`
-@@ -173,6 +243,25 @@ optional_policy(`
+@@ -173,6 +245,25 @@ optional_policy(`
')
optional_policy(`
@@ -32869,7 +33057,7 @@ index fca6947..a2f7102 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,6 +269,15 @@ optional_policy(`
+@@ -180,6 +271,15 @@ optional_policy(`
')
')
@@ -32885,7 +33073,7 @@ index fca6947..a2f7102 100644
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
-@@ -187,6 +285,19 @@ optional_policy(`
+@@ -187,6 +287,19 @@ optional_policy(`
optional_policy(`
samba_domtrans_smbmount(mount_t)
@@ -32905,7 +33093,7 @@ index fca6947..a2f7102 100644
')
########################################
-@@ -195,6 +306,42 @@ optional_policy(`
+@@ -195,6 +308,42 @@ optional_policy(`
#
optional_policy(`
@@ -32949,22 +33137,53 @@ index fca6947..a2f7102 100644
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_user_terminals(showmount_t)
+diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
+index ed9c70d..42d3890 100644
+--- a/policy/modules/system/raid.fc
++++ b/policy/modules/system/raid.fc
+@@ -1,4 +1,5 @@
+-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
++/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
++/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
+
+ /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 09845c4..2fe5969 100644
+index 09845c4..6500830 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
-@@ -30,8 +30,9 @@ allow mdadm_t self:fifo_file rw_fifo_file_perms;
- allow mdadm_t mdadm_map_t:file manage_file_perms;
- dev_filetrans(mdadm_t, mdadm_map_t, file)
+@@ -10,11 +10,9 @@ type mdadm_exec_t;
+ init_daemon_domain(mdadm_t, mdadm_exec_t)
+ role system_r types mdadm_t;
+-type mdadm_map_t;
+-files_type(mdadm_map_t)
+-
+-type mdadm_var_run_t;
++type mdadm_var_run_t alias mdadm_map_t;
+ files_pid_file(mdadm_var_run_t)
++dev_associate(mdadm_var_run_t)
+
+ ########################################
+ #
+@@ -26,12 +24,11 @@ dontaudit mdadm_t self:capability sys_tty_config;
+ allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+ allow mdadm_t self:fifo_file rw_fifo_file_perms;
+
+-# create .mdadm files in /dev
+-allow mdadm_t mdadm_map_t:file manage_file_perms;
+-dev_filetrans(mdadm_t, mdadm_map_t, file)
+-
+manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, file)
++manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
++dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
-@@ -52,13 +53,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+@@ -52,13 +49,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
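Review bot: In the new raid.fc entry only the second dot was escaped: `/dev/.mdadm\.map` still has a bare `.` before `mdadm`, which as a regex matches any character, so the line should read `/dev/\.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)`. Separately, `dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })` now gives every file, directory or socket that mdadm_t creates directly in /dev the pid-file type, where the old rule covered only files typed `mdadm_map_t`. A short comment in raid.te saying this is intended for `/dev/md` and the map file would replace the `# create .mdadm files in /dev` comment that the change removes.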
@@ -35447,7 +35666,7 @@ index db75976..61db6da 100644
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)
+HOME_DIR/\.gvfs(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 8b4f6d8..e1da594 100644
+index 2aa8928..c67c8e8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -35461,7 +35680,7 @@ index 8b4f6d8..e1da594 100644
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,92 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,95 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -35592,20 +35811,21 @@ index 8b4f6d8..e1da594 100644
- libs_exec_ld_so($1_t)
+ init_stream_connect($1_usertype)
-
-- miscfiles_read_localization($1_t)
-- miscfiles_read_certs($1_t)
++
+ libs_exec_ld_so($1_usertype)
+ miscfiles_read_localization($1_t)
+ miscfiles_read_generic_certs($1_t)
+
- sysnet_read_config($1_t)
-+ miscfiles_read_certs($1_usertype)
++ miscfiles_read_all_certs($1_usertype)
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_man_pages($1_usertype)
+ miscfiles_read_public_files($1_usertype)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +140,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +143,16 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -35622,7 +35842,7 @@ index 8b4f6d8..e1da594 100644
')
#######################################
-@@ -149,6 +183,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +186,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -35631,7 +35851,7 @@ index 8b4f6d8..e1da594 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +202,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +205,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -35659,7 +35879,7 @@ index 8b4f6d8..e1da594 100644
')
#######################################
-@@ -218,8 +233,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +236,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -35671,7 +35891,7 @@ index 8b4f6d8..e1da594 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +246,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +249,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -35703,7 +35923,7 @@ index 8b4f6d8..e1da594 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +268,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +271,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -35733,7 +35953,7 @@ index 8b4f6d8..e1da594 100644
')
')
-@@ -289,6 +309,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +312,8 @@ interface(`userdom_manage_tmp_role',`
type user_tmp_t;
')
@@ -35742,7 +35962,7 @@ index 8b4f6d8..e1da594 100644
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +319,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +322,45 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -35788,7 +36008,7 @@ index 8b4f6d8..e1da594 100644
')
#######################################
-@@ -316,6 +377,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +380,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -35796,7 +36016,7 @@ index 8b4f6d8..e1da594 100644
files_search_tmp($1)
')
-@@ -350,6 +412,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +415,8 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
@@ -35805,7 +36025,7 @@ index 8b4f6d8..e1da594 100644
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +424,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +427,41 @@ interface(`userdom_manage_tmpfs_role',`
#######################################
##
@@ -35874,7 +36094,7 @@ index 8b4f6d8..e1da594 100644
')
#######################################
-@@ -430,6 +489,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +492,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -35882,7 +36102,7 @@ index 8b4f6d8..e1da594 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +550,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +553,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -35891,7 +36111,7 @@ index 8b4f6d8..e1da594 100644
##############################
#
-@@ -500,73 +560,78 @@ template(`userdom_common_user_template',`
+@@ -500,73 +563,78 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -35912,27 +36132,27 @@ index 8b4f6d8..e1da594 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
--
-- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -36009,7 +36229,7 @@ index 8b4f6d8..e1da594 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,65 +639,108 @@ template(`userdom_common_user_template',`
+@@ -574,65 +642,108 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -36021,19 +36241,19 @@ index 8b4f6d8..e1da594 100644
# Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ apm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ canna_stream_connect($1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ canna_stream_connect($1_usertype)
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
-+ chrome_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -36060,47 +36280,47 @@ index 8b4f6d8..e1da594 100644
+ devicekit_dbus_chat_power($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ vpn_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
')
++
++ optional_policy(`
++ vpn_dbus_chat($1_usertype)
++ ')
++ ')
++
++ optional_policy(`
++ git_session_role($1_r, $1_usertype)
')
optional_policy(`
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
-+ git_session_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ inetd_use_fds($1_usertype)
+ inetd_rw_tcp_sockets($1_usertype)
')
@@ -36136,7 +36356,7 @@ index 8b4f6d8..e1da594 100644
')
optional_policy(`
-@@ -643,41 +751,50 @@ template(`userdom_common_user_template',`
+@@ -643,41 +754,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -36163,33 +36383,33 @@ index 8b4f6d8..e1da594 100644
optional_policy(`
- resmgr_stream_connect($1_t)
+ resmgr_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ rpc_dontaudit_getattr_exports($1_usertype)
++ rpc_manage_nfs_rw_content($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpc_dontaudit_getattr_exports($1_usertype)
-+ rpc_manage_nfs_rw_content($1_usertype)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ sandbox_transition($1_usertype, $1_r)
- ')
-+
-+ optional_policy(`
+ seunshare_role_template($1, $1_r, $1_t)
-+ ')
+ ')
+
+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
@@ -36198,23 +36418,23 @@ index 8b4f6d8..e1da594 100644
')
#######################################
-@@ -705,13 +822,26 @@ template(`userdom_login_user_template', `
+@@ -705,13 +825,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ ifelse(`$1',`unconfined',`',`
-+ gen_tunable(allow_$1_exec_content, true)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_exec_user_tmp_files($1_t)
- userdom_exec_user_home_content_files($1_t)
++ ifelse(`$1',`unconfined',`',`
++ gen_tunable(allow_$1_exec_content, true)
++
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -36230,7 +36450,7 @@ index 8b4f6d8..e1da594 100644
userdom_change_password_template($1)
-@@ -729,72 +859,74 @@ template(`userdom_login_user_template', `
+@@ -729,72 +862,74 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -36298,49 +36518,49 @@ index 8b4f6d8..e1da594 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
-+ optional_policy(`
-+ cups_read_config($1_usertype)
-+ cups_stream_connect($1_usertype)
-+ cups_stream_connect_ptal($1_usertype)
-+ ')
++ seutil_read_config($1_usertype)
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
-+ kerberos_use($1_usertype)
-+ kerberos_connect_524($1_usertype)
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
++ kerberos_use($1_usertype)
++ kerberos_connect_524($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
++ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
++ ')
++
++ optional_policy(`
+ oddjob_run_mkhomedir($1_t, $1_r)
')
')
-@@ -826,6 +958,9 @@ template(`userdom_restricted_user_template',`
+@@ -826,6 +961,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -36350,7 +36570,7 @@ index 8b4f6d8..e1da594 100644
##############################
#
# Local policy
-@@ -867,45 +1002,103 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -867,45 +1005,103 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -36465,7 +36685,7 @@ index 8b4f6d8..e1da594 100644
')
')
-@@ -940,7 +1133,7 @@ template(`userdom_unpriv_user_template', `
+@@ -940,7 +1136,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -36474,7 +36694,7 @@ index 8b4f6d8..e1da594 100644
userdom_common_user_template($1)
##############################
-@@ -949,54 +1142,77 @@ template(`userdom_unpriv_user_template', `
+@@ -949,54 +1145,77 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -36582,7 +36802,7 @@ index 8b4f6d8..e1da594 100644
')
')
-@@ -1032,7 +1248,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1032,7 +1251,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -36591,7 +36811,7 @@ index 8b4f6d8..e1da594 100644
')
##############################
-@@ -1067,6 +1283,9 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1286,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -36601,7 +36821,7 @@ index 8b4f6d8..e1da594 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1081,6 +1300,7 @@ template(`userdom_admin_user_template',`
+@@ -1081,6 +1303,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -36609,7 +36829,7 @@ index 8b4f6d8..e1da594 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1112,10 +1332,13 @@ template(`userdom_admin_user_template',`
+@@ -1112,10 +1335,13 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -36623,7 +36843,7 @@ index 8b4f6d8..e1da594 100644
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1135,6 +1358,7 @@ template(`userdom_admin_user_template',`
+@@ -1135,6 +1361,7 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -36631,7 +36851,7 @@ index 8b4f6d8..e1da594 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1203,6 +1427,8 @@ template(`userdom_security_admin_template',`
+@@ -1203,6 +1430,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -36640,7 +36860,7 @@ index 8b4f6d8..e1da594 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1230,6 +1456,7 @@ template(`userdom_security_admin_template',`
+@@ -1230,6 +1459,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -36648,7 +36868,7 @@ index 8b4f6d8..e1da594 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1268,12 +1495,15 @@ template(`userdom_security_admin_template',`
+@@ -1268,12 +1498,15 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -36665,7 +36885,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -1384,6 +1614,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1384,6 +1617,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -36673,7 +36893,7 @@ index 8b4f6d8..e1da594 100644
files_search_home($1)
')
-@@ -1430,6 +1661,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1430,6 +1664,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -36688,7 +36908,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -1445,9 +1684,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1445,9 +1687,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -36700,7 +36920,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -1504,6 +1745,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1504,6 +1748,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -36743,7 +36963,7 @@ index 8b4f6d8..e1da594 100644
########################################
##
## Create directories in the home dir root with
-@@ -1578,6 +1855,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1578,6 +1858,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -36752,7 +36972,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -1592,10 +1871,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1592,10 +1874,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -36767,7 +36987,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -1638,6 +1919,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1638,6 +1922,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -36793,7 +37013,7 @@ index 8b4f6d8..e1da594 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1689,13 +1989,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1689,13 +1992,33 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -36806,29 +37026,6 @@ index 8b4f6d8..e1da594 100644
##
-## Do not audit attempts to read user home files.
+## Do not audit attempts to getattr user home files.
- ##
- ##
- ##
-@@ -1703,13 +2004,35 @@ interface(`userdom_read_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_dontaudit_read_user_home_content_files',`
-+interface(`userdom_dontaudit_getattr_user_home_content',`
- gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
-+ dontaudit $1 user_home_type:dir getattr;
-+ dontaudit $1 user_home_type:file getattr;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read user home files.
+##
+##
+##
@@ -36836,12 +37033,32 @@ index 8b4f6d8..e1da594 100644
+##
+##
+#
-+interface(`userdom_dontaudit_read_user_home_content_files',`
++interface(`userdom_dontaudit_getattr_user_home_content',`
+ gen_require(`
+ attribute user_home_type;
-+ type user_home_dir_t;
+ ')
+
++ dontaudit $1 user_home_type:dir getattr;
++ dontaudit $1 user_home_type:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to read user home files.
+ ##
+ ##
+ ##
+@@ -1705,11 +2028,14 @@ interface(`userdom_read_user_home_content_files',`
+ #
+ interface(`userdom_dontaudit_read_user_home_content_files',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
++ type user_home_dir_t;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
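Review bot: The rewritten `userdom_dontaudit_read_user_home_content_files` now suppresses denials on `user_home_dir_t` and on every type carrying the `user_home_type` attribute, where the removed lines named only `user_home_t`, yet the summary still reads "Do not audit attempts to read user home files." Every caller of this interface therefore stops logging AVC denials for list and read attempts across all home content types, which removes a signal that helps when investigating a confined domain that probes home directories. I would widen the summary to match, for example `## Do not audit attempts to list or read any user home content (all user_home_type types).`, and mention that these denials are only visible with dontaudit rules disabled (`semodule -DB`). The interface's closing lines fall outside this hunk.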
@@ -36849,7 +37066,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -1799,8 +2122,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1799,8 +2125,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -36859,7 +37076,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -1816,20 +2138,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1816,21 +2141,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -36873,18 +37090,19 @@ index 8b4f6d8..e1da594 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
##
-@@ -2171,7 +2487,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ## Do not audit attempts to execute user home files.
+@@ -2171,7 +2490,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -36893,7 +37111,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -2424,13 +2740,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2424,13 +2743,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -36909,7 +37127,7 @@ index 8b4f6d8..e1da594 100644
##
##
##
-@@ -2451,26 +2768,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2451,26 +2771,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -36936,7 +37154,7 @@ index 8b4f6d8..e1da594 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2804,7 +3101,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2804,7 +3104,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -36945,7 +37163,7 @@ index 8b4f6d8..e1da594 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2820,11 +3117,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2820,11 +3120,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -36961,7 +37179,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -2906,7 +3205,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2906,7 +3208,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -36970,7 +37188,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -2961,7 +3260,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2961,7 +3263,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -37017,7 +37235,7 @@ index 8b4f6d8..e1da594 100644
')
########################################
-@@ -2998,6 +3335,7 @@ interface(`userdom_read_all_users_state',`
+@@ -2998,6 +3338,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -37025,7 +37243,7 @@ index 8b4f6d8..e1da594 100644
kernel_search_proc($1)
')
-@@ -3128,3 +3466,854 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3128,3 +3469,854 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -38018,7 +38236,7 @@ index 77d41b6..4af4e6b 100644
')
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index f661f5a..ff472d0 100644
+index f661f5a..600d43f 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.0)
@@ -38049,7 +38267,33 @@ index f661f5a..ff472d0 100644
#######################################
#
# evtchnd local policy
-@@ -317,9 +314,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -113,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+ # xend local policy
+ #
+
+-allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
++allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw };
+ dontaudit xend_t self:capability { sys_ptrace };
+ allow xend_t self:process { signal sigkill };
+ dontaudit xend_t self:process ptrace;
+@@ -228,6 +225,7 @@ logging_send_syslog_msg(xend_t)
+ lvm_domtrans(xend_t)
+
+ miscfiles_read_localization(xend_t)
++miscfiles_read_hwdata(xend_t)
+
+ mount_domtrans(xend_t)
+
+@@ -245,6 +243,8 @@ xen_stream_connect_xenstore(xend_t)
+
+ netutils_domtrans(xend_t)
+
++virt_read_config(xend_t)
++
+ optional_policy(`
+ brctl_domtrans(xend_t)
+ ')
+@@ -317,9 +317,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
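Review bot: `sys_admin` is added to the `xend_t` capability set without any comment on which xend operation needs it, and it is one of the broadest Linux capabilities. I would put a why-comment above the `allow xend_t self:capability` rule, e.g. `# sys_admin: required by xend for <operation> (bug <id>)`, so the grant can be re-checked and dropped once it is no longer needed. Separately, `virt_read_config(xend_t)` is called unconditionally, while the `brctl_domtrans(xend_t)` call directly below it sits inside `optional_policy`. If the virt module can be absent from any build of this policy, wrapping the new call the same way would avoid a hard module dependency; whether that applies cannot be told from this hunk.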
@@ -38061,7 +38305,7 @@ index f661f5a..ff472d0 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -346,6 +344,7 @@ dev_read_sysfs(xenstored_t)
+@@ -346,6 +347,7 @@ dev_read_sysfs(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -38069,7 +38313,7 @@ index f661f5a..ff472d0 100644
fs_manage_xenfs_files(xenstored_t)
storage_raw_read_fixed_disk(xenstored_t)
-@@ -353,6 +352,7 @@ storage_raw_write_fixed_disk(xenstored_t)
+@@ -353,6 +355,7 @@ storage_raw_write_fixed_disk(xenstored_t)
storage_raw_read_removable_device(xenstored_t)
term_use_generic_ptys(xenstored_t)
@@ -38077,7 +38321,7 @@ index f661f5a..ff472d0 100644
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
-@@ -365,98 +365,9 @@ xen_append_log(xenstored_t)
+@@ -365,98 +368,9 @@ xen_append_log(xenstored_t)
########################################
#
@@ -38176,7 +38420,7 @@ index f661f5a..ff472d0 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -469,8 +380,4 @@ optional_policy(`
+@@ -469,8 +383,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8974d7b..4954b17 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,8 +19,8 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.9.3
-Release: 3%{?dist}
+Version: 3.9.4
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
%endif
%changelog
+* Thu Sep 8 2010 Dan Walsh 3.9.4-1
+- Update to upstream
+
+* Thu Sep 8 2010 Dan Walsh 3.9.3-4
+- Allow mdadm_t to create files and sock files in /dev/md/
+
* Thu Sep 8 2010 Dan Walsh 3.9.3-3
- Add policy for ajaxterm
diff --git a/sources b/sources
index 3c4a5ef..11bf11d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2330fe4b7094df0e0a453856db12e3a4 serefpolicy-3.9.3.tgz
+c610a100e8448f4fdc2559d1e509494c serefpolicy-3.9.4.tgz