From a56fb9fa8f07c4208edc9dad7897c884d6988c34 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 02 2011 13:16:46 +0000 Subject: - Fixes for sanlock policy - Fixes for colord policy - Other fixes * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log --- diff --git a/policy-F16.patch b/policy-F16.patch index fe58b0c..9de84fb 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1585,7 +1585,7 @@ index c633aea..d1e56f6 100644 ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..6059aed 100644 +index af55369..9301e42 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1638,12 +1638,13 @@ index af55369..6059aed 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,13 +115,21 @@ optional_policy(` +@@ -109,13 +115,22 @@ optional_policy(` ') optional_policy(` - rpm_manage_tmp_files(prelink_t) + gnome_dontaudit_read_config(prelink_t) ++ gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) ') optional_policy(` @@ -1662,7 +1663,7 @@ index af55369..6059aed 100644 ######################################## # # Prelink Cron system Policy -@@ -129,6 +143,7 @@ optional_policy(` +@@ -129,6 +144,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -1670,7 +1671,7 @@ index af55369..6059aed 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +163,28 @@ optional_policy(` +@@ -148,17 +164,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) 
@@ -1700,6 +1701,47 @@ index af55369..6059aed 100644 + dbus_read_config(prelink_t) + ') +') +diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if +index bf75d99..1698e8f 100644 +--- a/policy/modules/admin/quota.if ++++ b/policy/modules/admin/quota.if +@@ -83,3 +83,36 @@ interface(`quota_manage_flags',` + files_search_var_lib($1) + manage_files_pattern($1, quota_flag_t, quota_flag_t) + ') ++ ++######################################## ++## ++## Transition to quota named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`quota_filetrans_named_content',` ++ gen_require(` ++ type quota_db_t; ++ ') ++ ++ files_root_filetrans($1, quota_db_t, file, "aquota.user") ++ files_root_filetrans($1, quota_db_t, file, "aquota.group") ++ files_boot_filetrans($1, quota_db_t, file, "aquota.user") ++ files_boot_filetrans($1, quota_db_t, file, "aquota.group") ++ files_etc_filetrans($1, quota_db_t, file, "aquota.user") ++ files_etc_filetrans($1, quota_db_t, file, "aquota.group") ++ files_tmp_filetrans($1, quota_db_t, file, "aquota.user") ++ files_tmp_filetrans($1, quota_db_t, file, "aquota.group") ++ files_home_filetrans($1, quota_db_t, file, "aquota.user") ++ files_home_filetrans($1, quota_db_t, file, "aquota.group") ++ files_usr_filetrans($1, quota_db_t, file, "aquota.user") ++ files_usr_filetrans($1, quota_db_t, file, "aquota.group") ++ files_var_filetrans($1, quota_db_t, file, "aquota.user") ++ files_var_filetrans($1, quota_db_t, file, "aquota.group") ++ files_spool_filetrans($1, quota_db_t, file, "aquota.user") ++ files_spool_filetrans($1, quota_db_t, file, "aquota.group") ++') diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te index 5dd42f5..f13ac41 100644 --- a/policy/modules/admin/quota.te @@ -1858,7 +1900,7 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) 
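Review bot: `quota_filetrans_named_content` passes a fourth, file-name argument to `files_root_filetrans`, `files_etc_filetrans`, `files_tmp_filetrans` and `files_spool_filetrans`, yet the only files.if hunks visible in this chunk add `$4` to the boot, home, usr, var, var_lib and lock variants. m4 silently discards an argument the macro never references, so any of those four interfaces that still expands a three-argument `filetrans_pattern` would label every file the caller creates in that directory as `quota_db_t`, not only `aquota.user` and `aquota.group`. Please confirm each of them forwards `$4` (their hunks may simply lie outside this chunk). A short comment on the interface stating that the transition is intended to be name-based would make the dependency on the updated files.if interfaces explicit.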
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc -index b206bf6..48922c9 100644 +index b206bf6..bbd902f 100644 --- a/policy/modules/admin/rpm.fc +++ b/policy/modules/admin/rpm.fc @@ -7,6 +7,7 @@ @@ -1869,7 +1911,7 @@ index b206bf6..48922c9 100644 /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -25,6 +26,9 @@ ifdef(`distro_redhat', ` +@@ -25,8 +26,12 @@ ifdef(`distro_redhat', ` /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -1878,8 +1920,11 @@ index b206bf6..48922c9 100644 +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ') ++/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -@@ -36,6 +40,8 @@ ifdef(`distro_redhat', ` + + /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +@@ -36,6 +41,8 @@ ifdef(`distro_redhat', ` /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) @@ -2065,7 +2110,7 @@ index d33daa8..c76708e 100644 + allow rpm_script_t $1:process sigchld; +') diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te -index 47a8f7d..ba240df 100644 +index 47a8f7d..0b100a8 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,10 +1,11 @@ 
@@ -2108,16 +2153,26 @@ index 47a8f7d..ba240df 100644 corecmd_exec_all_executables(rpm_t) -@@ -127,6 +133,8 @@ corenet_sendrecv_all_client_packets(rpm_t) +@@ -127,6 +133,18 @@ corenet_sendrecv_all_client_packets(rpm_t) dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) +dev_read_raw_memory(rpm_t) ++ +#devices_manage_all_device_types(rpm_t) ++dev_create_generic_blk_files(rpm_t) ++dev_create_generic_chr_files(rpm_t) ++dev_delete_all_blk_files(rpm_t) ++dev_delete_all_chr_files(rpm_t) ++dev_relabel_all_dev_nodes(rpm_t) ++dev_rename_generic_blk_files(rpm_t) ++dev_rename_generic_chr_files(rpm_t) ++dev_setattr_all_blk_files(rpm_t) ++dev_setattr_all_chr_files(rpm_t) fs_getattr_all_dirs(rpm_t) fs_list_inotifyfs(rpm_t) -@@ -173,11 +181,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) +@@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t) domain_dontaudit_getattr_all_raw_sockets(rpm_t) domain_dontaudit_getattr_all_stream_sockets(rpm_t) domain_dontaudit_getattr_all_dgram_sockets(rpm_t) @@ -2131,7 +2186,7 @@ index 47a8f7d..ba240df 100644 libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -189,7 +199,7 @@ logging_send_syslog_msg(rpm_t) +@@ -189,7 +209,7 @@ logging_send_syslog_msg(rpm_t) seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t) @@ -2140,7 +2195,7 @@ index 47a8f7d..ba240df 100644 userdom_use_unpriv_users_fds(rpm_t) optional_policy(` -@@ -207,6 +217,7 @@ optional_policy(` +@@ -207,6 +227,7 @@ optional_policy(` optional_policy(` networkmanager_dbus_chat(rpm_t) ') @@ -2148,7 +2203,7 @@ index 47a8f7d..ba240df 100644 ') optional_policy(` -@@ -214,7 +225,7 @@ optional_policy(` +@@ -214,7 +235,7 @@ optional_policy(` ') optional_policy(` 
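Review bot: The block of `dev_*` calls added for `rpm_t` in the inner `@@ -127,6 +133,18 @@` hunk lets the package manager create, delete, rename, setattr and relabel every block and character node under /dev, and the only hint at the reason is the commented-out `#devices_manage_all_device_types(rpm_t)` line above it, which is dead policy. A reader also needs to know why these land on `rpm_t` rather than `rpm_script_t`, the domain scriptlets run in; if the need is scriptlet work the grants belong on the other domain, if it is device nodes shipped in package payloads the comment should say so. Suggest replacing the commented-out call with a why-comment such as `# rpm_t installs and relabels device nodes shipped in package payloads -- TODO confirm`.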
@@ -2157,7 +2212,7 @@ index 47a8f7d..ba240df 100644 # yum-updatesd requires this unconfined_dbus_chat(rpm_t) unconfined_dbus_chat(rpm_script_t) -@@ -261,6 +272,7 @@ kernel_read_crypto_sysctls(rpm_script_t) +@@ -261,6 +282,7 @@ kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) kernel_read_network_state(rpm_script_t) @@ -2165,7 +2220,7 @@ index 47a8f7d..ba240df 100644 kernel_read_software_raid_state(rpm_script_t) dev_list_sysfs(rpm_script_t) -@@ -299,7 +311,7 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -299,7 +321,7 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -2174,7 +2229,7 @@ index 47a8f7d..ba240df 100644 auth_dontaudit_getattr_shadow(rpm_script_t) auth_use_nsswitch(rpm_script_t) -@@ -308,6 +320,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) +@@ -308,6 +330,8 @@ auth_manage_all_files_except_shadow(rpm_script_t) auth_relabel_shadow(rpm_script_t) corecmd_exec_all_executables(rpm_script_t) @@ -2183,7 +2238,7 @@ index 47a8f7d..ba240df 100644 domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -332,18 +346,18 @@ logging_send_syslog_msg(rpm_script_t) +@@ -332,18 +356,18 @@ logging_send_syslog_msg(rpm_script_t) miscfiles_read_localization(rpm_script_t) @@ -2205,7 +2260,7 @@ index 47a8f7d..ba240df 100644 ') ') -@@ -368,6 +382,11 @@ optional_policy(` +@@ -368,6 +392,11 @@ optional_policy(` ') optional_policy(` @@ -2217,7 +2272,7 @@ index 47a8f7d..ba240df 100644 tzdata_domtrans(rpm_t) tzdata_domtrans(rpm_script_t) ') -@@ -377,8 +396,9 @@ optional_policy(` +@@ -377,8 +406,9 @@ optional_policy(` ') optional_policy(` @@ -2958,10 +3013,36 @@ index c467144..fb794f9 100644 /usr/sbin/crack_[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) /usr/sbin/cracklib-[a-z]* -- gen_context(system_u:object_r:crack_exec_t,s0) 
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 81fb26f..e03c0fe 100644 +index 81fb26f..fa853d7 100644 --- a/policy/modules/admin/usermanage.if +++ b/policy/modules/admin/usermanage.if -@@ -170,6 +170,25 @@ interface(`usermanage_run_passwd',` +@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',` + + ######################################## + ## ++## Check access to the groupadd executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`usermanage_access_check_groupadd',` ++ gen_require(` ++ type groupadd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 groupadd_exec_t:file { getattr_file_perms audit_access }; ++') ++ ++######################################## ++## + ## Execute groupadd in the groupadd domain, and + ## allow the specified role the groupadd domain. + ## +@@ -170,6 +189,25 @@ interface(`usermanage_run_passwd',` ######################################## ## @@ -2979,7 +3060,7 @@ index 81fb26f..e03c0fe 100644 + ') + + corecmd_search_bin($1) -+ allow $1 passwd_exec_t:file audit_access; ++ allow $1 passwd_exec_t:file { getattr_file_perms audit_access }; +') + +######################################## @@ -2987,7 +3068,7 @@ index 81fb26f..e03c0fe 100644 ## Execute password admin functions in ## the admin passwd domain. ## -@@ -285,6 +304,9 @@ interface(`usermanage_run_useradd',` +@@ -285,6 +323,9 @@ interface(`usermanage_run_useradd',` usermanage_domtrans_useradd($1) role $2 types useradd_t; @@ -2997,7 +3078,7 @@ index 81fb26f..e03c0fe 100644 seutil_run_semanage(useradd_t, $2) optional_policy(` -@@ -294,6 +316,25 @@ interface(`usermanage_run_useradd',` +@@ -294,6 +335,25 @@ interface(`usermanage_run_useradd',` ######################################## ## 
@@ -3015,7 +3096,7 @@ index 81fb26f..e03c0fe 100644 + ') + + corecmd_search_bin($1) -+ allow $1 useradd_exec_t:file audit_access; ++ allow $1 useradd_exec_t:file { getattr_file_perms audit_access }; +') + +######################################## @@ -3955,10 +4036,10 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..f816c8d 100644 +index f5afe78..93aa20f 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,623 @@ +@@ -1,44 +1,699 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -4459,6 +4540,25 @@ index f5afe78..f816c8d 100644 + +######################################## +## ++## Do not audit attempts to read ++## inherited gconf config files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`gnome_dontaudit_read_inherited_gconf_config_files',` ++ gen_require(` ++ type gconf_etc_t; ++ ') ++ ++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## +## read gconf config files +## +## @@ -4520,11 +4620,10 @@ index f5afe78..f816c8d 100644 +## Execute gnome keyringd in the caller domain. +## +## - ## --## Role allowed access ++## +## Domain allowed access. - ## - ## ++## ++## +# +interface(`gnome_exec_keyringd',` + gen_require(` 
@@ -4539,6 +4638,51 @@ index f5afe78..f816c8d 100644 +## +## Read gconf home files +## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gconf_home_files',` ++ gen_require(` ++ type gconf_home_t; ++ type data_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ allow $1 data_home_t:dir list_dir_perms; ++ read_files_pattern($1, gconf_home_t, gconf_home_t) ++ read_files_pattern($1, data_home_t, data_home_t) ++ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) ++ read_lnk_files_pattern($1, data_home_t, data_home_t) ++') ++ ++######################################## ++## ++## Search gkeyringd temporary directories. ++## ++## + ## +-## Role allowed access ++## Domain allowed access. + ## + ## ++# ++interface(`gnome_search_gkeyringd_tmp_dirs',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 gkeyringd_tmp_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## search gconf homedir (.local) ++## ## ## -## User domain for the role 
@@ -4547,33 +4691,45 @@ index f5afe78..f816c8d 100644 ## # -interface(`gnome_role',` -+interface(`gnome_read_gconf_home_files',` ++interface(`gnome_search_gconf',` gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; + type gconf_home_t; -+ type data_home_t; ') - role $1 types gconfd_t; -- ++ allow $1 gconf_home_t:dir search_dir_perms; ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## Set attributes of Gnome config dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_setattr_config_dirs',` ++ gen_require(` ++ type gnome_home_t; ++ ') + - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; -+ userdom_search_user_home_dirs($1) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ allow $1 data_home_t:dir list_dir_perms; -+ read_files_pattern($1, gconf_home_t, gconf_home_t) -+ read_files_pattern($1, data_home_t, data_home_t) -+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t) -+ read_lnk_files_pattern($1, data_home_t, data_home_t) ++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ++ files_search_home($1) +') - ps_process_pattern($2, gconfd_t) +######################################## +## -+## Search gkeyringd temporary directories. ++## Manage generic gnome home files. +## +## +## 
@@ -4581,46 +4737,46 @@ index f5afe78..f816c8d 100644 +## +## +# -+interface(`gnome_search_gkeyringd_tmp_dirs',` ++interface(`gnome_manage_generic_home_files',` + gen_require(` -+ type gkeyringd_tmp_t; ++ type gnome_home_t; + ') - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; -+ files_search_tmp($1) -+ allow $1 gkeyringd_tmp_t:dir search_dir_perms; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, gnome_home_t, gnome_home_t) ') ######################################## ## -## Execute gconf programs in -## in the caller domain. -+## search gconf homedir (.local) ++## Manage generic gnome home directories. ## ## ## -@@ -46,37 +625,37 @@ interface(`gnome_role',` +@@ -46,37 +701,36 @@ interface(`gnome_role',` ## ## # -interface(`gnome_exec_gconf',` -+interface(`gnome_search_gconf',` ++interface(`gnome_manage_generic_home_dirs',` gen_require(` - type gconfd_exec_t; -+ type gconf_home_t; ++ type gnome_home_t; ') - can_exec($1, gconfd_exec_t) -+ allow $1 gconf_home_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) ++ allow $1 gnome_home_t:dir manage_dir_perms; ') ######################################## ## -## Read gconf config files. -+## Set attributes of Gnome config dirs. ++## Append gconf home files ## -## +## 
@@ -4630,48 +4786,47 @@ index f5afe78..f816c8d 100644 ## # -template(`gnome_read_gconf_config',` -+interface(`gnome_setattr_config_dirs',` ++interface(`gnome_append_gconf_home_files',` gen_require(` - type gconf_etc_t; -+ type gnome_home_t; ++ type gconf_home_t; ') - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) -+ files_search_home($1) ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ') -####################################### +######################################## ## -## Create, read, write, and delete gconf config files. -+## Manage generic gnome home files. ++## manage gconf home files ## ## ## -@@ -84,37 +663,37 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +738,42 @@ template(`gnome_read_gconf_config',` ## ## # -interface(`gnome_manage_gconf_config',` -+interface(`gnome_manage_generic_home_files',` ++interface(`gnome_manage_gconf_home_files',` gen_require(` - type gconf_etc_t; -+ type gnome_home_t; ++ type gconf_home_t; ') - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, gnome_home_t, gnome_home_t) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_home_t, gconf_home_t) ') ######################################## ## -## gconf connection template. -+## Manage generic gnome home directories. ++## Connect to gnome over an unix stream socket. ## -## +## 
@@ -4679,143 +4834,88 @@ index f5afe78..f816c8d 100644 ## Domain allowed access. ## ## ++## ++## ++## The type of the user domain. ++## ++## # -interface(`gnome_stream_connect_gconf',` -+interface(`gnome_manage_generic_home_dirs',` ++interface(`gnome_stream_connect',` gen_require(` - type gconfd_t, gconf_tmp_t; -+ type gnome_home_t; ++ attribute gnome_home_type; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -+ userdom_search_user_home_dirs($1) -+ allow $1 gnome_home_t:dir manage_dir_perms; ++ # Connect to pulseaudit server ++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ') ######################################## ## -## Run gconfd in gconfd domain. -+## Append gconf home files ++## list gnome homedir content (.config) ## ## ## -@@ -122,17 +701,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +781,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # -interface(`gnome_domtrans_gconfd',` -+interface(`gnome_append_gconf_home_files',` ++interface(`gnome_list_home_config',` gen_require(` - type gconfd_t, gconfd_exec_t; -+ type gconf_home_t; ++ type config_home_t; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+ append_files_pattern($1, gconf_home_t, gconf_home_t) ++ allow $1 config_home_t:dir list_dir_perms; ') ######################################## ## -## Set attributes of Gnome config dirs. 
-+## manage gconf home files ++## Set attributes of gnome homedir content (.config) ## ## ## -@@ -140,51 +719,378 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +799,353 @@ interface(`gnome_domtrans_gconfd',` ## ## # -interface(`gnome_setattr_config_dirs',` -+interface(`gnome_manage_gconf_home_files',` ++template(`gnome_setattr_home_config',` gen_require(` - type gnome_home_t; -+ type gconf_home_t; ++ type config_home_t; ') - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ manage_files_pattern($1, gconf_home_t, gconf_home_t) ++ setattr_dirs_pattern($1, config_home_t, config_home_t) ++ userdom_search_user_home_dirs($1) ') ######################################## ## -## Read gnome homedir content (.config) -+## Connect to gnome over an unix stream socket. ++## read gnome homedir content (.config) ## +-## +## -+## -+## Domain allowed access. -+## -+## - ## ## -+## The type of the user domain. -+## -+## -+# -+interface(`gnome_stream_connect',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) -+') -+ -+######################################## -+## -+## list gnome homedir content (.config) -+## -+## -+## ## Domain allowed access. ## ## # -template(`gnome_read_config',` -+interface(`gnome_list_home_config',` ++interface(`gnome_read_home_config',` gen_require(` - type gnome_home_t; + type config_home_t; -+ ') -+ -+ allow $1 config_home_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Set attributes of gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+template(`gnome_setattr_home_config',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ setattr_dirs_pattern($1, config_home_t, config_home_t) -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## -+## read gnome homedir content (.config) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_read_home_config',` -+ gen_require(` -+ type config_home_t; ') - list_dirs_pattern($1, gnome_home_t, gnome_home_t) @@ -4913,6 +5013,42 @@ index f5afe78..f816c8d 100644 + +######################################## +## ++## Send signull signal to gkeyringd processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_signull_gkeyringd',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ ') ++ ++ allow $1 gkeyringd_domain:process signull; ++') ++ ++######################################## ++## ++## Allow the domain to read gkeyringd state files in /proc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_gkeyringd_state',` ++ gen_require(` ++ attribute gkeyringd_domain; ++ ') ++ ++ ps_process_pattern($1, gkeyringd_domain) ++') ++ ++######################################## ++## +## Create directories in user home directories +## with the gnome home file type. +## @@ -6318,7 +6454,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..ceeb3e7 100644 +index 9a6d67d..aa29dee 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` 
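Review bot: `gnome_setattr_home_config` is declared with `template(` while every neighbouring macro in the same hunk (`gnome_list_home_config`, `gnome_read_home_config`, `gnome_stream_connect`) uses `interface(`; it declares no types, so `interface(`gnome_setattr_home_config',` is the consistent form and keeps the tooling treating it as an interface. In `gnome_stream_connect` the comment `# Connect to pulseaudit server` reads like a typo for pulseaudio and does not describe the rule, which allows `$1` to connect to any sock file labelled with a `gnome_home_type` type whose peer is `$2`; suggest `# connectto on sock files of any gnome_home_type type, peer domain $2`. The rest of this gnome.if rewrite continues in the following hunk.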
@@ -6458,7 +6594,7 @@ index 9a6d67d..ceeb3e7 100644 ## Send and receive messages from ## mozilla over dbus. ## -@@ -204,3 +304,39 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -204,3 +304,57 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -6483,6 +6619,24 @@ index 9a6d67d..ceeb3e7 100644 + +######################################## +## ++## Read mozilla_plugin tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`mozilla_plugin_read_inherited_tmpfs_files',` ++ gen_require(` ++ type mozilla_plugin_tmpfs_t; ++ ') ++ ++ allow $1 mozilla_plugin_tmpfs_t:file read_inherited_file_perms; ++') ++ ++######################################## ++## +## Dontaudit read/write to a mozilla_plugin leaks +## +## @@ -8060,7 +8214,7 @@ index 2ba7787..9f12b51 100644 ') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te -index c2d20a2..ae14a7d 100644 +index c2d20a2..77178ab 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -8105,10 +8259,23 @@ index c2d20a2..ae14a7d 100644 optional_policy(` bluetooth_stream_connect(pulseaudio_t) -@@ -131,6 +131,10 @@ optional_policy(` +@@ -127,10 +127,23 @@ optional_policy(` ') optional_policy(` ++ gnome_read_gkeyringd_state(pulseaudio_t) ++ gnome_signull_gkeyringd(pulseaudio_t) ++') ++ ++optional_policy(` + rtkit_scheduled(pulseaudio_t) + ') + + optional_policy(` ++ mozilla_plugin_read_inherited_tmpfs_files(pulseaudio_t) ++') ++ ++optional_policy(` + mpd_read_tmpfs_files(pulseaudio_t) +') + 
@@ -8116,7 +8283,7 @@ index c2d20a2..ae14a7d 100644 policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) policykit_read_reload(pulseaudio_t) -@@ -148,3 +152,7 @@ optional_policy(` +@@ -148,3 +161,7 @@ optional_policy(` xserver_read_xdm_pid(pulseaudio_t) xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ') @@ -8570,10 +8737,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if new file mode 100644 -index 0000000..0fedd57 +index 0000000..3b6af20 --- /dev/null +++ b/policy/modules/apps/sandbox.if -@@ -0,0 +1,305 @@ +@@ -0,0 +1,341 @@ + +## policy for sandbox + @@ -8809,6 +8976,42 @@ index 0000000..0fedd57 + +######################################## +## ++## Delete sandbox symbolic links ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_lnk_files',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## ++## Delete sandbox fifo files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_delete_pipes',` ++ gen_require(` ++ type sandbox_file_t; ++ ') ++ ++ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t) ++') ++ ++######################################## ++## +## Delete sandbox sock files +## +## @@ -8846,7 +9049,7 @@ index 0000000..0fedd57 + +######################################## +## -+## allow domain to delete sandbox files ++## Delete sandbox directories +## +## +## @@ -9442,7 +9645,7 @@ index 320df26..bd8db22 100644 files_search_tmp($1_screen_t) diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..787df80 100644 +index 1dc7a85..9342572 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -53,8 +53,14 @@ interface(`seunshare_run',` 
@@ -9461,7 +9664,7 @@ index 1dc7a85..787df80 100644 ## ## ## Role allowed access. -@@ -66,15 +72,31 @@ interface(`seunshare_run',` +@@ -66,15 +72,32 @@ interface(`seunshare_run',` ## ## # @@ -9488,6 +9691,7 @@ index 1dc7a85..787df80 100644 + + ps_process_pattern($3, $1_seunshare_t) + allow $3 $1_seunshare_t:process signal_perms; ++ allow $3 $1_seunshare_t:fd use; + + allow $1_seunshare_t $3:process transition; + dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh }; @@ -9895,10 +10099,10 @@ index 0000000..1d0f110 +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..16b228e +index 0000000..e2c8015 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,388 @@ +@@ -0,0 +1,390 @@ + +policy_module(telepathy, 1.0.0) + @@ -9955,6 +10159,8 @@ index 0000000..16b228e +telepathy_domain_template(stream_engine) +telepathy_domain_template(sunshine) +telepathy_domain_template(logger) ++# New in F16 ++permissive telepathy_logger_t; + +####################################### +# @@ -12158,7 +12364,7 @@ index 5a07a43..eb5f76e 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..16e8123 100644 +index 0757523..599c3e6 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; 
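Review bot: `permissive telepathy_logger_t;` in the new telepathy.te puts a freshly confined domain into permissive mode for the whole policy build, so denials on it are logged but never enforced, and the comment `# New in F16` records when it was added but not why or until when. Suggest `# permissive while telepathy_logger_t is new; drop once its rules are complete (TODO: tracking bug id)` so the exemption does not outlive the policy work. The body of telepathy.te continues outside this hunk.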
@@ -12267,7 +12473,7 @@ index 0757523..16e8123 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,2712,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) @@ -12429,7 +12635,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..dda5e2f 100644 +index e9313fb..8695196 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -12518,10 +12724,28 @@ index e9313fb..dda5e2f 100644 ######################################## ## ## Read and write generic files in /dev. -@@ -444,6 +499,24 @@ interface(`dev_getattr_generic_blk_files',` +@@ -444,6 +499,42 @@ interface(`dev_getattr_generic_blk_files',` ######################################## ## ++## Rename generic block device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rename_generic_blk_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ rename_blk_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## +## write generic sock files in /dev. +## +## 
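Review bot: The `jboss_management` port definition changes from `tcp,2712` to `tcp,4712` and gains `udp,4712` with nothing in the commit message or a comment saying which JBoss service binds these ports; port corrections in corenetwork are easy to get wrong and hard to audit later. Suggest a trailing comment naming the source of the assignment, e.g. `network_port(jboss_management, tcp,4712,s0, udp,4712,s0) # TODO: cite the service that listens here`.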
@@ -12543,7 +12767,32 @@ index e9313fb..dda5e2f 100644 ## Dontaudit getattr on generic block devices. ## ## -@@ -628,7 +701,7 @@ interface(`dev_rw_generic_blk_files',` +@@ -552,6 +643,24 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` + + ######################################## + ## ++## Rename generic character device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rename_generic_chr_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ rename_chr_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## + ## Dontaudit setattr for generic character device files. + ## + ## +@@ -628,7 +737,7 @@ interface(`dev_rw_generic_blk_files',` ## ## ## @@ -12552,7 +12801,7 @@ index e9313fb..dda5e2f 100644 ## ## # -@@ -715,7 +788,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` +@@ -715,7 +824,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ######################################## ## @@ -12561,7 +12810,7 @@ index e9313fb..dda5e2f 100644 ## ## ## -@@ -723,17 +796,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` +@@ -723,17 +832,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ## ## # @@ -12582,7 +12831,7 @@ index e9313fb..dda5e2f 100644 ## ## ## -@@ -741,17 +814,17 @@ interface(`dev_read_generic_symlinks',` +@@ -741,17 +850,17 @@ interface(`dev_read_generic_symlinks',` ## ## # @@ -12603,7 +12852,7 @@ index e9313fb..dda5e2f 100644 ## ## ## -@@ -759,12 +832,12 @@ interface(`dev_create_generic_symlinks',` +@@ -759,12 +868,12 @@ interface(`dev_create_generic_symlinks',` ## ## # @@ -12618,7 +12867,7 @@ index e9313fb..dda5e2f 100644 ') ######################################## -@@ -920,7 +993,7 @@ interface(`dev_filetrans',` +@@ -920,7 +1029,7 @@ interface(`dev_filetrans',` type device_t; ') 
@@ -12627,7 +12876,7 @@ index e9313fb..dda5e2f 100644 dev_associate($2) files_associate_tmp($2) -@@ -1006,6 +1079,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` +@@ -1006,6 +1115,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` gen_require(` attribute device_node; @@ -12635,7 +12884,7 @@ index e9313fb..dda5e2f 100644 ') getattr_chr_files_pattern($1, device_t, device_node) -@@ -1178,6 +1252,42 @@ interface(`dev_create_all_chr_files',` +@@ -1178,6 +1288,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -12678,7 +12927,7 @@ index e9313fb..dda5e2f 100644 ## Delete all block device files. ## ## -@@ -2663,7 +2773,7 @@ interface(`dev_write_misc',` +@@ -2663,7 +2809,7 @@ interface(`dev_write_misc',` ## ## ## @@ -12687,7 +12936,7 @@ index e9313fb..dda5e2f 100644 ## ## # -@@ -3192,24 +3302,6 @@ interface(`dev_rw_printer',` +@@ -3192,24 +3338,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -12712,7 +12961,7 @@ index e9313fb..dda5e2f 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3793,6 +3885,24 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3793,6 +3921,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -12737,7 +12986,7 @@ index e9313fb..dda5e2f 100644 ## Search the sysfs directories. ## ## -@@ -3884,25 +3994,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3884,25 +4030,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -12763,7 +13012,7 @@ index e9313fb..dda5e2f 100644 ## Read hardware state information. ## ## -@@ -3954,6 +4045,42 @@ interface(`dev_rw_sysfs',` +@@ -3954,6 +4081,42 @@ interface(`dev_rw_sysfs',` ######################################## ## 
@@ -12806,7 +13055,7 @@ index e9313fb..dda5e2f 100644 ## Read and write the TPM device. ## ## -@@ -4477,6 +4604,24 @@ interface(`dev_rw_vhost',` +@@ -4477,6 +4640,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -12831,7 +13080,7 @@ index e9313fb..dda5e2f 100644 ## Read and write VMWare devices. ## ## -@@ -4514,6 +4659,24 @@ interface(`dev_rwx_vmware',` +@@ -4514,6 +4695,24 @@ interface(`dev_rwx_vmware',` ######################################## ## @@ -12856,7 +13105,7 @@ index e9313fb..dda5e2f 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +4911,772 @@ interface(`dev_unconfined',` +@@ -4748,3 +4947,772 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -14118,7 +14367,7 @@ index 16108f6..de3c68f 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..1204be0 100644 +index 958ca84..811174e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -14254,6 +14503,15 @@ index 958ca84..1204be0 100644 ######################################## ## ## Create directories in /boot +@@ -1794,7 +1882,7 @@ interface(`files_boot_filetrans',` + type boot_t; + ') + +- filetrans_pattern($1, boot_t, $2, $3) ++ filetrans_pattern($1, boot_t, $2, $3, $4) + ') + + ######################################## @@ -1854,6 +1942,25 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -14421,6 +14679,15 @@ index 958ca84..1204be0 100644 ') ######################################## +@@ -3247,7 +3435,7 @@ interface(`files_home_filetrans',` + type home_root_t; + ') + +- filetrans_pattern($1, home_root_t, $2, $3) ++ filetrans_pattern($1, home_root_t, $2, $3, $4) + ') + + ######################################## @@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',` dontaudit $1 lost_found_t:dir getattr; ') 
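Review bot: The `files_boot_filetrans` and `files_home_filetrans` hunks on this line pass a new `$4` through to `filetrans_pattern`, but the documentation headers of those interfaces lie outside the hunks, so nothing visible documents the new optional name argument; the same applies to files_usr_filetrans, files_var_filetrans, files_var_lib_filetrans and files_lock_filetrans on the next line and to files_pid_filetrans and files_spool_filetrans after that. Each interface should gain a parameter entry describing `$4` as the optional object name for a name-based transition and marked optional, so callers know that omitting it keeps the previous behaviour. That presumes filetrans_pattern tolerates an empty fifth argument, which every existing three-argument caller now relies on; worth confirming against the pattern definition, which is not in view. The files_lock_filetrans hunk additionally swaps the direct `allow $1 var_t:dir search_dir_perms;` for `files_search_locks($1)`, which is equivalent only if that helper still grants search on var_t.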
@@ -14864,6 +15131,15 @@ index 958ca84..1204be0 100644 ') ######################################## +@@ -4466,7 +4951,7 @@ interface(`files_usr_filetrans',` + type usr_t; + ') + +- filetrans_pattern($1, usr_t, $2, $3) ++ filetrans_pattern($1, usr_t, $2, $3, $4) + ') + + ######################################## @@ -4736,6 +5221,24 @@ interface(`files_read_var_files',` ######################################## @@ -14889,6 +15165,24 @@ index 958ca84..1204be0 100644 ## Read and write files in the /var directory. ## ## +@@ -4851,7 +5354,7 @@ interface(`files_var_filetrans',` + type var_t; + ') + +- filetrans_pattern($1, var_t, $2, $3) ++ filetrans_pattern($1, var_t, $2, $3, $4) + ') + + ######################################## +@@ -4986,7 +5489,7 @@ interface(`files_var_lib_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_lib_t, $2, $3) ++ filetrans_pattern($1, var_lib_t, $2, $3, $4) + ') + + ######################################## @@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',` ######################################## @@ -15064,15 +15358,17 @@ index 958ca84..1204be0 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5275,7 +5860,7 @@ interface(`files_lock_filetrans',` +@@ -5275,8 +5860,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') - allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_lock_t, $2, $3) + files_search_locks($1) - filetrans_pattern($1, var_lock_t, $2, $3) ++ filetrans_pattern($1, var_lock_t, $2, $3, $4) ') + ######################################## @@ -5332,9 +5917,47 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -15121,6 +15417,15 @@ index 958ca84..1204be0 100644 ######################################## ## ## Do not audit attempts to search +@@ -5463,7 +6086,7 @@ interface(`files_pid_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_run_t, $2, $3) ++ filetrans_pattern($1, var_run_t, $2, $3, $4) + ') + + ######################################## @@ -5542,6 +6165,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## @@ -15229,6 +15534,15 @@ index 958ca84..1204be0 100644 ') ######################################## +@@ -5769,7 +6486,7 @@ interface(`files_spool_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3) ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) + ') + + ######################################## @@ -5844,3 +6561,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; @@ -15579,10 +15893,38 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..1c83074 100644 +index dfe361a..7484288 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if -@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` +@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` + + ######################################## + ## ++## Get attributes of cgroup files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_cgroup_files',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ getattr_files_pattern($1, cgroup_t, cgroup_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## + ## Search cgroup directories. + ## + ## +@@ -646,11 +667,31 @@ interface(`fs_search_cgroup_dirs',` ') search_dirs_pattern($1, cgroup_t, cgroup_t) 
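Review bot: The new `fs_getattr_cgroup_files` interface in the last hunk on this line has a stray blank line inside its `gen_require` block between `type cgroup_t;` and `')`, which none of the neighbouring cgroup interfaces have; drop it so the block reads `gen_require(` / `type cgroup_t;` / `')`. The summary "Get attributes of cgroup files" also undersells what the body grants, since it calls `fs_search_tmpfs($1)` and `dev_search_sysfs($1)` as well; a second summary line noting the extra directory search permissions would let callers see the full grant without reading the body.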
@@ -15614,7 +15956,7 @@ index dfe361a..1c83074 100644 ## list cgroup directories. ## ## -@@ -665,9 +685,29 @@ interface(`fs_list_cgroup_dirs', ` +@@ -665,9 +706,29 @@ interface(`fs_list_cgroup_dirs', ` ') list_dirs_pattern($1, cgroup_t, cgroup_t) @@ -15644,7 +15986,7 @@ index dfe361a..1c83074 100644 ######################################## ## ## Delete cgroup directories. -@@ -684,6 +724,7 @@ interface(`fs_delete_cgroup_dirs', ` +@@ -684,6 +745,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) @@ -15652,7 +15994,7 @@ index dfe361a..1c83074 100644 dev_search_sysfs($1) ') -@@ -704,6 +745,7 @@ interface(`fs_manage_cgroup_dirs',` +@@ -704,6 +766,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) @@ -15660,7 +16002,7 @@ index dfe361a..1c83074 100644 dev_search_sysfs($1) ') -@@ -724,6 +766,7 @@ interface(`fs_read_cgroup_files',` +@@ -724,6 +787,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) @@ -15668,7 +16010,7 @@ index dfe361a..1c83074 100644 dev_search_sysfs($1) ') -@@ -743,6 +786,7 @@ interface(`fs_write_cgroup_files', ` +@@ -743,6 +807,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) @@ -15676,7 +16018,7 @@ index dfe361a..1c83074 100644 dev_search_sysfs($1) ') -@@ -763,6 +807,7 @@ interface(`fs_rw_cgroup_files',` +@@ -763,6 +828,7 @@ interface(`fs_rw_cgroup_files',` ') rw_files_pattern($1, cgroup_t, cgroup_t) @@ -15684,7 +16026,7 @@ index dfe361a..1c83074 100644 dev_search_sysfs($1) ') -@@ -803,6 +848,7 @@ interface(`fs_manage_cgroup_files',` +@@ -803,6 +869,7 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) @@ -15692,7 +16034,7 @@ index dfe361a..1c83074 100644 dev_search_sysfs($1) ') -@@ -1052,6 +1098,24 @@ interface(`fs_list_noxattr_fs',` +@@ -1052,6 +1119,24 @@ interface(`fs_list_noxattr_fs',` ######################################## ## 
@@ -15717,7 +16059,7 @@ index dfe361a..1c83074 100644 ## Create, read, write, and delete all noxattrfs directories. ## ## -@@ -1088,6 +1152,42 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1088,6 +1173,42 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -15760,7 +16102,7 @@ index dfe361a..1c83074 100644 ## Dont audit attempts to write to noxattrfs files. ## ## -@@ -1227,6 +1327,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1227,6 +1348,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -15803,7 +16145,7 @@ index dfe361a..1c83074 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1241,7 +1377,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1241,7 +1398,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -15812,7 +16154,7 @@ index dfe361a..1c83074 100644 ') ######################################## -@@ -1504,6 +1640,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1661,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -15838,7 +16180,7 @@ index dfe361a..1c83074 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1659,6 +1814,25 @@ interface(`fs_search_dos',` +@@ -1659,6 +1835,25 @@ interface(`fs_search_dos',` ######################################## ## @@ -15864,7 +16206,7 @@ index dfe361a..1c83074 100644 ## Create, read, write, and delete dirs ## on a DOS filesystem. ## -@@ -1774,6 +1948,24 @@ interface(`fs_unmount_fusefs',` +@@ -1774,6 +1969,24 @@ interface(`fs_unmount_fusefs',` ######################################## ## @@ -15889,7 +16231,7 @@ index dfe361a..1c83074 100644 ## Search directories ## on a FUSEFS filesystem. ## -@@ -1892,6 +2084,26 @@ interface(`fs_manage_fusefs_files',` +@@ -1892,6 +2105,26 @@ interface(`fs_manage_fusefs_files',` ######################################## ## 
@@ -15916,7 +16258,7 @@ index dfe361a..1c83074 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. -@@ -1931,7 +2143,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +2164,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -15944,7 +16286,7 @@ index dfe361a..1c83074 100644 ## ## ## -@@ -1946,6 +2177,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +2198,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -15986,7 +16328,7 @@ index dfe361a..1c83074 100644 ######################################## ## -@@ -1999,6 +2265,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2286,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -15994,7 +16336,7 @@ index dfe361a..1c83074 100644 ') ######################################## -@@ -2331,6 +2598,7 @@ interface(`fs_read_nfs_files',` +@@ -2331,6 +2619,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -16002,7 +16344,7 @@ index dfe361a..1c83074 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2369,6 +2637,7 @@ interface(`fs_write_nfs_files',` +@@ -2369,6 +2658,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -16010,7 +16352,7 @@ index dfe361a..1c83074 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2395,6 +2664,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2685,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -16036,7 +16378,7 @@ index dfe361a..1c83074 100644 ## Append files ## on a NFS filesystem. ## -@@ -2435,6 +2723,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2435,6 +2744,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## 
@@ -16079,7 +16421,7 @@ index dfe361a..1c83074 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2449,7 +2773,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2794,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -16088,7 +16430,7 @@ index dfe361a..1c83074 100644 ') ######################################## -@@ -2587,7 +2911,7 @@ interface(`fs_search_removable',` +@@ -2587,7 +2932,7 @@ interface(`fs_search_removable',` ## ## ## @@ -16097,7 +16439,7 @@ index dfe361a..1c83074 100644 ## ## # -@@ -2623,7 +2947,7 @@ interface(`fs_read_removable_files',` +@@ -2623,7 +2968,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -16106,7 +16448,7 @@ index dfe361a..1c83074 100644 ## ## # -@@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2982,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -16131,7 +16473,7 @@ index dfe361a..1c83074 100644 ## Read removable storage symbolic links. ## ## -@@ -2653,6 +2995,25 @@ interface(`fs_read_removable_symlinks',` +@@ -2653,6 +3016,25 @@ interface(`fs_read_removable_symlinks',` read_lnk_files_pattern($1, removable_t, removable_t) ') @@ -16157,7 +16499,7 @@ index dfe361a..1c83074 100644 ######################################## ## ## Read and write block nodes on removable filesystems. -@@ -2779,6 +3140,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2779,6 +3161,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -16165,7 +16507,7 @@ index dfe361a..1c83074 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -2819,6 +3181,7 @@ interface(`fs_manage_nfs_files',` +@@ -2819,6 +3202,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') 
@@ -16173,7 +16515,7 @@ index dfe361a..1c83074 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -2845,7 +3208,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +3229,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -16182,7 +16524,7 @@ index dfe361a..1c83074 100644 ## ## ## -@@ -2859,6 +3222,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -2859,6 +3243,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -16190,7 +16532,7 @@ index dfe361a..1c83074 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3772,6 +4136,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3772,6 +4157,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -16233,7 +16575,7 @@ index dfe361a..1c83074 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -3989,6 +4389,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3989,6 +4410,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -16258,7 +16600,7 @@ index dfe361a..1c83074 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4271,6 +4689,8 @@ interface(`fs_mount_all_fs',` +@@ -4271,6 +4710,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -16267,7 +16609,7 @@ index dfe361a..1c83074 100644 ') ######################################## -@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',` +@@ -4317,7 +4758,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -16276,7 +16618,7 @@ index dfe361a..1c83074 100644 ## Example attributes: ##

##
    -@@ -4681,3 +5101,24 @@ interface(`fs_unconfined',` +@@ -4681,3 +5122,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -18094,7 +18436,7 @@ index 1cb7311..1de82b2 100644 + +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index be4de58..2efb6e9 100644 +index be4de58..cce681a 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -9,6 +9,8 @@ role secadm_r; @@ -18106,21 +18448,11 @@ index be4de58..2efb6e9 100644 ######################################## # -@@ -39,6 +41,9 @@ logging_read_audit_log(secadm_t) - logging_read_generic_logs(secadm_t) - logging_read_audit_config(secadm_t) - -+seutil_rw_config(secadm_t) -+seutil_rw_default_contexts(secadm_t) -+ - optional_policy(` - aide_run(secadm_t, secadm_r) - ') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..9482840 100644 +index 2be17d2..3664943 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) +@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0) role staff_r; userdom_unpriv_user_template(staff) @@ -18140,6 +18472,8 @@ index 2be17d2..9482840 100644 +kernel_read_software_raid_state(staff_usertype) +kernel_read_fs_sysctls(staff_usertype) + ++dev_read_cpuid(staff_usertype) ++ +domain_read_all_domains_state(staff_usertype) +domain_getattr_all_domains(staff_usertype) +domain_obj_id_change_exemption(staff_t) @@ -18172,7 +18506,7 @@ index 2be17d2..9482840 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,19 +66,95 @@ optional_policy(` +@@ -27,19 +68,95 @@ optional_policy(` ') optional_policy(` @@ -18270,7 +18604,7 @@ index 2be17d2..9482840 100644 ') optional_policy(` -@@ -48,10 +163,48 @@ optional_policy(` +@@ -48,10 +165,48 @@ optional_policy(` ') optional_policy(` 
@@ -18319,7 +18653,7 @@ index 2be17d2..9482840 100644 xserver_role(staff_r, staff_t) ') -@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +244,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18330,7 +18664,7 @@ index 2be17d2..9482840 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +286,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +288,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18341,7 +18675,7 @@ index 2be17d2..9482840 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +317,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +319,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -18350,7 +18684,7 @@ index 2be17d2..9482840 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..df78564 100644 +index 4a8d146..7072611 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -18521,7 +18855,7 @@ index 4a8d146..df78564 100644 ') optional_policy(` -@@ -225,6 +274,10 @@ optional_policy(` +@@ -225,12 +274,20 @@ optional_policy(` ') optional_policy(` @@ -18532,7 +18866,17 @@ index 4a8d146..df78564 100644 netutils_run(sysadm_t, sysadm_r) netutils_run_ping(sysadm_t, sysadm_r) netutils_run_traceroute(sysadm_t, sysadm_r) -@@ -253,19 +306,19 @@ optional_policy(` + ') + + optional_policy(` ++ networkmanager_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` + ntp_stub() + corenet_udp_bind_ntp_port(sysadm_t) + ') +@@ -253,19 +310,19 @@ optional_policy(` ') optional_policy(` @@ -18556,7 +18900,7 @@ index 4a8d146..df78564 100644 ') optional_policy(` -@@ -274,10 +327,7 @@ optional_policy(` +@@ -274,10 +331,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -18568,7 +18912,7 @@ index 4a8d146..df78564 100644 ') optional_policy(` -@@ -302,12 +352,18 @@ optional_policy(` +@@ -302,12 +356,18 @@ optional_policy(` ') optional_policy(` 
@@ -18588,7 +18932,7 @@ index 4a8d146..df78564 100644 ') optional_policy(` -@@ -332,10 +388,6 @@ optional_policy(` +@@ -332,10 +392,6 @@ optional_policy(` ') optional_policy(` @@ -18599,7 +18943,7 @@ index 4a8d146..df78564 100644 tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -343,19 +395,15 @@ optional_policy(` +@@ -343,19 +399,15 @@ optional_policy(` ') optional_policy(` @@ -18621,7 +18965,7 @@ index 4a8d146..df78564 100644 ') optional_policy(` -@@ -367,45 +415,45 @@ optional_policy(` +@@ -367,45 +419,45 @@ optional_policy(` ') optional_policy(` @@ -18678,7 +19022,7 @@ index 4a8d146..df78564 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,6 +487,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +491,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -18686,7 +19030,7 @@ index 4a8d146..df78564 100644 ') optional_policy(` -@@ -452,5 +501,60 @@ ifndef(`distro_redhat',` +@@ -452,5 +505,60 @@ ifndef(`distro_redhat',` optional_policy(` java_role(sysadm_r, sysadm_t) ') @@ -19457,10 +19801,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..25eea4a +index 0000000..168668b --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,527 @@ +@@ -0,0 +1,528 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19651,6 +19995,7 @@ index 0000000..25eea4a + + optional_policy(` + networkmanager_dbus_chat(unconfined_usertype) ++ networkmanager_filetrans_named_content(unconfined_usertype) + ') + + optional_policy(` @@ -19878,7 +20223,7 @@ index 0000000..25eea4a +') + +optional_policy(` -+ quota_run(unconfined_t, unconfined_r) ++ quota_filetrans_named_content(unconfined_t) +') + +optional_policy(` @@ -21482,7 +21827,7 @@ index c3a1903..19fb14a 100644 ') 
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..ec27284 100644 +index 9e39aa5..7bace76 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u @@ -21536,15 +21881,16 @@ index 9e39aa5..ec27284 100644 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -86,7 +87,6 @@ ifdef(`distro_suse', ` +@@ -86,7 +87,7 @@ ifdef(`distro_suse', ` /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -109,3 +109,22 @@ ifdef(`distro_debian', ` +@@ -109,3 +110,22 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -22181,7 +22527,7 @@ index 6480167..63822c0 100644 + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..0321283 100644 +index 3136c6a..d7d9be2 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) 
@@ -22518,15 +22864,16 @@ index 3136c6a..0321283 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +441,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +441,8 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) ++kernel_read_network_state(httpd_t) +kernel_search_network_sysctl(httpd_t) corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +452,11 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,8 +453,11 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -22538,7 +22885,7 @@ index 3136c6a..0321283 100644 corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +468,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +469,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -22554,7 +22901,7 @@ index 3136c6a..0321283 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +481,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +482,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -22562,7 +22909,7 @@ index 3136c6a..0321283 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,6 +493,13 @@ files_read_etc_files(httpd_t) +@@ -402,6 +494,13 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
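Review bot: `kernel_read_network_state(httpd_t)` in the hunk at `@@ -355,6 +441,8 @@` is added unconditionally and without the why-comment that its neighbour `kernel_read_system_state(httpd_t)` carries (`# for modules that want to access /proc/meminfo`). Reading /proc/net exposes the host's socket and routing tables to every Apache module and to any scripting that runs inside the httpd_t process, so the consumer should be named: a line such as `# for <module name>, which reads /proc/net` above the new rule, with the real module filled in, would match the existing style. If only a tunable-gated feature needs it, placing it under the relevant `tunable_policy` block the way the `httpd_can_network_connect` rules further down are gated would be tighter; the httpd_t local policy continues well beyond this hunk.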
@@ -22576,7 +22923,7 @@ index 3136c6a..0321283 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +514,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +515,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -22653,7 +23000,7 @@ index 3136c6a..0321283 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +594,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +595,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -22664,7 +23011,7 @@ index 3136c6a..0321283 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +608,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +609,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -22694,7 +23041,7 @@ index 3136c6a..0321283 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +638,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +639,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -22711,7 +23058,7 @@ index 3136c6a..0321283 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +662,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +663,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -22732,7 +23079,7 @@ index 3136c6a..0321283 100644 ') optional_policy(` -@@ -513,7 +686,13 @@ optional_policy(` +@@ -513,7 +687,13 @@ optional_policy(` ') optional_policy(` 
@@ -22747,7 +23094,7 @@ index 3136c6a..0321283 100644 ') optional_policy(` -@@ -528,7 +707,18 @@ optional_policy(` +@@ -528,7 +708,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -22767,7 +23114,7 @@ index 3136c6a..0321283 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +727,13 @@ optional_policy(` +@@ -537,8 +728,13 @@ optional_policy(` ') optional_policy(` @@ -22782,7 +23129,7 @@ index 3136c6a..0321283 100644 ') ') -@@ -556,7 +751,13 @@ optional_policy(` +@@ -556,7 +752,13 @@ optional_policy(` ') optional_policy(` @@ -22796,7 +23143,7 @@ index 3136c6a..0321283 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +768,7 @@ optional_policy(` +@@ -567,6 +769,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -22804,7 +23151,7 @@ index 3136c6a..0321283 100644 ') optional_policy(` -@@ -577,6 +779,16 @@ optional_policy(` +@@ -577,6 +780,16 @@ optional_policy(` ') optional_policy(` @@ -22821,7 +23168,7 @@ index 3136c6a..0321283 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +803,11 @@ optional_policy(` +@@ -591,6 +804,11 @@ optional_policy(` ') optional_policy(` @@ -22833,7 +23180,7 @@ index 3136c6a..0321283 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +820,11 @@ optional_policy(` +@@ -603,6 +821,11 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -22845,7 +23192,7 @@ index 3136c6a..0321283 100644 ######################################## # # Apache helper local policy -@@ -616,7 +838,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +839,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) 
@@ -22858,7 +23205,7 @@ index 3136c6a..0321283 100644 ######################################## # -@@ -654,28 +880,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +881,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -22902,7 +23249,7 @@ index 3136c6a..0321283 100644 ') ######################################## -@@ -685,6 +913,8 @@ optional_policy(` +@@ -685,6 +914,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -22911,7 +23258,7 @@ index 3136c6a..0321283 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +929,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +930,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -22937,7 +23284,7 @@ index 3136c6a..0321283 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +975,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +976,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -22970,7 +23317,7 @@ index 3136c6a..0321283 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1022,25 @@ optional_policy(` +@@ -769,6 +1023,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -22996,7 +23343,7 @@ index 3136c6a..0321283 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1061,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1062,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -23014,7 +23361,7 @@ index 3136c6a..0321283 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1080,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1081,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -23071,7 +23418,7 @@ index 3136c6a..0321283 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1131,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1132,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -23102,7 +23449,7 @@ index 3136c6a..0321283 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1166,20 @@ optional_policy(` +@@ -842,10 +1167,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -23123,7 +23470,7 @@ index 3136c6a..0321283 100644 ') ######################################## -@@ -891,11 +1225,21 @@ optional_policy(` +@@ -891,11 +1226,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -25182,7 +25529,7 @@ index 6ee2cc8..3105b09 100644 # interface(`ccs_domtrans',` 
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te -index 4c90b57..af806c2 100644 +index 4c90b57..418eb6b 100644 --- a/policy/modules/services/ccs.te +++ b/policy/modules/services/ccs.te @@ -10,7 +10,7 @@ type ccs_exec_t; @@ -25203,7 +25550,15 @@ index 4c90b57..af806c2 100644 manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t) logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir }) -@@ -107,7 +107,7 @@ sysnet_dns_name_resolve(ccs_t) +@@ -97,6 +97,7 @@ files_read_etc_files(ccs_t) + files_read_etc_runtime_files(ccs_t) + + init_rw_script_tmp_files(ccs_t) ++init_signal(ccs_t) + + logging_send_syslog_msg(ccs_t) + +@@ -107,7 +108,7 @@ sysnet_dns_name_resolve(ccs_t) userdom_manage_unpriv_user_shared_mem(ccs_t) userdom_manage_unpriv_user_semaphores(ccs_t) @@ -25212,7 +25567,7 @@ index 4c90b57..af806c2 100644 corecmd_dontaudit_write_bin_dirs(ccs_t) files_manage_isid_type_files(ccs_t) ') -@@ -118,5 +118,10 @@ optional_policy(` +@@ -118,5 +119,10 @@ optional_policy(` ') optional_policy(` @@ -26730,10 +27085,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..9d5aa88 +index 0000000..9d0208a --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,112 @@ +@@ -0,0 +1,117 @@ +policy_module(colord,1.0.0) + +######################################## @@ -26803,9 +27158,12 @@ index 0000000..9d5aa88 +files_read_usr_files(colord_t) + +fs_search_all(colord_t) ++fs_getattr_noxattr_fs(colord_t) ++fs_list_noxattr_fs(colord_t) +fs_read_noxattr_fs_files(colord_t) + +storage_getattr_fixed_disk_dev(colord_t) ++storage_getattr_removable_dev(colord_t) +storage_read_scsi_generic(colord_t) +storage_write_scsi_generic(colord_t) + 
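Review bot: `init_signal(ccs_t)` in the ccs.te hunk at `@@ -97,6 +97,7 @@` lets the cluster configuration daemon deliver arbitrary signals to init_t, a stronger grant than anything around it, and the line carries no comment saying which operation needs it. If the underlying denial was a signull or sigchld, as is common when a daemon probes or is reparented to init, the narrower `init_signull(ccs_t)` or `init_sigchld(ccs_t)` would cover it; otherwise a comment naming the signal and the reason should accompany the rule. The ccs_t local policy continues outside the hunk.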
@@ -26818,11 +27176,13 @@ index 0000000..9d5aa88 +userdom_read_inherited_user_home_content_files(colord_t) + +tunable_policy(`use_nfs_home_dirs',` -+ fs_read_nfs_files(colord_t) ++ fs_getattr_nfs(colord_t) ++ fs_read_nfs_files(colord_t) +') + +tunable_policy(`use_samba_home_dirs',` -+ fs_read_cifs_files(colord_t) ++ fs_getattr_cifs(colord_t) ++ fs_read_cifs_files(colord_t) +') + +optional_policy(` @@ -30453,7 +30813,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index cbe14e4..778b174 100644 +index cbe14e4..ce42295 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -30573,7 +30933,7 @@ index cbe14e4..778b174 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -249,23 +273,40 @@ optional_policy(` +@@ -249,23 +273,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -30588,8 +30948,6 @@ index cbe14e4..778b174 100644 +read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) +read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t) + - allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; - +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; + +append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) @@ -30598,8 +30956,12 @@ index cbe14e4..778b174 100644 +manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) +files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) + -+can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; ++read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) ++dovecot_stream_connect(dovecot_deliver_t) + ++can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + kernel_read_all_sysctls(dovecot_deliver_t) kernel_read_system_state(dovecot_deliver_t) 
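Review bot: In the dovecot.te hunk, the added `dovecot_stream_connect(dovecot_deliver_t)` has the module consume its own interface, which refpolicy style discourages; rules inside a module are normally written directly. Assuming the interface expands to the usual stream-connect pattern (its body is not on this page), the direct form would be `stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)`, and the added `read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)` line above it then becomes redundant. The dovecot_deliver_t policy block continues past the end of the hunk.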
@@ -30616,7 +30978,7 @@ index cbe14e4..778b174 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -301,5 +342,15 @@ tunable_policy(`use_samba_home_dirs',` +@@ -301,5 +344,15 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -30785,12 +31147,11 @@ index 0000000..63f11d9 + diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te new file mode 100644 -index 0000000..1453c54 +index 0000000..3bca7b0 --- /dev/null +++ b/policy/modules/services/drbd.te -@@ -0,0 +1,55 @@ -+ -+policy_module(drbd,1.0.0) +@@ -0,0 +1,50 @@ ++policy_module(drbd, 1.0.0) + +######################################## +# @@ -30812,11 +31173,8 @@ index 0000000..1453c54 +# drbd local policy +# + -+allow drbd_t self:capability net_admin; -+ -+allow drbd_t self:capability { kill }; -+allow drbd_t self:process { fork }; -+ ++allow drbd_t self:capability { kill net_admin }; ++dontaudit drbd_t self:capability sys_tty_config; +allow drbd_t self:fifo_file rw_fifo_file_perms; +allow drbd_t self:unix_stream_socket create_stream_socket_perms; +allow drbd_t self:netlink_socket create_socket_perms; @@ -30843,7 +31201,6 @@ index 0000000..1453c54 +miscfiles_read_localization(drbd_t) + +sysnet_dns_name_resolve(drbd_t) -+ diff --git a/policy/modules/services/exim.fc b/policy/modules/services/exim.fc index 298f066..c2570df 100644 --- a/policy/modules/services/exim.fc @@ -33258,6 +33615,18 @@ index df48e5e..6985546 100644 gen_require(` type inetd_t; ') +diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te +index c51a7b2..de05a6f 100644 +--- a/policy/modules/services/inetd.te ++++ b/policy/modules/services/inetd.te +@@ -149,6 +149,7 @@ miscfiles_read_localization(inetd_t) + mls_fd_share_all_levels(inetd_t) + mls_socket_read_to_clearance(inetd_t) + mls_socket_write_to_clearance(inetd_t) ++mls_net_outbound_all_levels(inetd_t) + mls_process_set_level(inetd_t) + + sysnet_read_config(inetd_t) 
diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc index 8ca038d..8507ee2 100644 --- a/policy/modules/services/inn.fc @@ -33768,7 +34137,7 @@ index 3525d24..923e979 100644 /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..1692784 100644 +index 604f67b..b80c8f0 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -33979,7 +34348,7 @@ index 604f67b..1692784 100644 + +######################################## +## -+## Transition to apache named content ++## Transition to kerberos named content +## +## +## @@ -36481,7 +36850,7 @@ index 256166a..df99841 100644 /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..e836951 100644 +index 343cee3..fe40cce 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -36659,7 +37028,7 @@ index 343cee3..e836951 100644 + ') + + corecmd_search_bin($1) -+ allow $1 sendmail_exec_t:file audit_access; ++ allow $1 sendmail_exec_t:file { getattr_file_perms audit_access }; +') + +######################################## @@ -36677,7 +37046,15 @@ index 343cee3..e836951 100644 ') ######################################## -@@ -532,7 +590,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -494,6 +552,7 @@ interface(`mta_read_aliases',` + + files_search_etc($1) + allow $1 etc_aliases_t:file read_file_perms; ++ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms; + ') + + ######################################## +@@ -532,7 +591,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') 
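Review bot: The new `mls_net_outbound_all_levels(inetd_t)` line in the inetd.te hunk lifts the MLS level constraint on every outbound connection inetd makes, and neither the hunk nor the commit description says which service or denial motivated it. A why-comment above the rule would keep the grant from being copied or loosened further without justification, e.g. `# TODO(review): name the inetd-spawned service that needs outbound traffic at all MLS levels`. The surrounding MLS block of inetd_t starts before and ends after the hunk, so the placement cannot be checked against the rest of it from here.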
@@ -36686,7 +37063,7 @@ index 343cee3..e836951 100644 ') ######################################## -@@ -552,7 +610,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +611,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -36695,7 +37072,7 @@ index 343cee3..e836951 100644 ') ####################################### -@@ -646,8 +704,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +705,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; @@ -36706,7 +37083,7 @@ index 343cee3..e836951 100644 ') ####################################### -@@ -697,8 +755,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +756,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -36717,7 +37094,7 @@ index 343cee3..e836951 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +896,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +897,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -36726,7 +37103,7 @@ index 343cee3..e836951 100644 ') ######################################## -@@ -899,3 +957,112 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +958,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -38012,7 +38389,7 @@ index 386543b..984eefc 100644 /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if -index 2324d9e..8069487 100644 +index 2324d9e..eebf5a7 100644 --- a/policy/modules/services/networkmanager.if +++ b/policy/modules/services/networkmanager.if @@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',` 
@@ -38057,7 +38434,7 @@ index 2324d9e..8069487 100644 ## Send a generic signal to NetworkManager ## ## -@@ -191,3 +213,50 @@ interface(`networkmanager_read_pid_files',` +@@ -191,3 +213,77 @@ interface(`networkmanager_read_pid_files',` files_search_pids($1) allow $1 NetworkManager_var_run_t:file read_file_perms; ') @@ -38108,6 +38485,33 @@ index 2324d9e..8069487 100644 + allow $1 NetworkManager_log_t:dir list_dir_perms; + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') ++ ++######################################## ++## ++## Transition to networkmanager named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_filetrans_named_content',` ++ gen_require(` ++ type NetworkManager_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf") ++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf") ++') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 0619395..863ba2d 100644 --- a/policy/modules/services/networkmanager.te 
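Review bot: The named transitions in the new `networkmanager_filetrans_named_content` interface only cover `eth0` through `eth9`, so a dhclient config written for any other interface name (wireless, bridge, or the newer `em1`/`p1p1` style names) falls back to the generic pid-file label rather than NetworkManager_var_run_t, making the labelling vary from host to host. Named transitions need an exact name, so a pattern cannot replace the list; the interface header should at least document this limitation, e.g. `## Only eth0-eth9 are covered; other interface names fall back to the default pid label.`. The `.-` in `nm-dhclient.-eth0.conf` also looks like a typo for `nm-dhclient-eth0.conf`; please confirm the exact name NetworkManager writes before merging.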
@@ -40944,14 +41348,14 @@ index 55e62d2..6082184 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..f064487 100644 +index 46bee12..b90c902 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` domain_entry_file(postfix_$1_t, postfix_$1_exec_t) role system_r types postfix_$1_t; -+ allow postfix_$1_t self:capability sys_nice; ++ allow postfix_$1_t self:capability { sys_nice sys_chroot }; dontaudit postfix_$1_t self:capability sys_tty_config; - allow postfix_$1_t self:process { signal_perms setpgid }; + allow postfix_$1_t self:process { signal_perms setpgid setsched }; @@ -40975,6 +41379,15 @@ index 46bee12..f064487 100644 files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) +@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',` + type postfix_$1_tmp_t; + files_tmp_file(postfix_$1_tmp_t) + +- allow postfix_$1_t self:capability { setuid setgid dac_override }; ++ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override }; + allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow postfix_$1_t self:tcp_socket create_socket_perms; + allow postfix_$1_t self:udp_socket create_socket_perms; @@ -165,6 +167,8 @@ template(`postfix_user_domain_template',` domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) 
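Review bot: The second hunk's new line `allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override };` has `$self` where the original used `self`. m4 only substitutes `$N`-style positional references, so `$self` reaches the policy compiler unchanged as an invalid target type and should break the build of every `postfix_server_domain_template` instance. The line should read `allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };`. The template body starts and ends outside this hunk.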
@@ -41846,6 +42259,18 @@ index ad15fde..6f55445 100644 ') allow $1 postgrey_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc +index 2d82c6d..a41b55f 100644 +--- a/policy/modules/services/ppp.fc ++++ b/policy/modules/services/ppp.fc +@@ -34,5 +34,7 @@ + # Fix pptp sockets + /var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0) + ++/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0) ++ + /var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0) + /var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0) diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if index b524673..9d90fb3 100644 --- a/policy/modules/services/ppp.if @@ -42560,7 +42985,7 @@ index 2855a44..c71fa1e 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..401b511 100644 +index 64c5f95..7cdabb5 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0) @@ -42752,16 +43177,15 @@ index 64c5f95..401b511 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +329,10 @@ optional_policy(` +@@ -231,3 +329,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') + +optional_policy(` -+ usermanage_domtrans_groupadd(puppetmaster_t) -+ # Might in some cases actually run passwd but was only able to confirm open X_ok. ++ usermanage_access_check_groupadd(puppetmaster_t) + usermanage_access_check_passwd(puppetmaster_t) -+ usermanage_domtrans_useradd(puppetmaster_t) ++ usermanage_access_check_useradd(puppetmaster_t) +') diff --git a/policy/modules/services/pyzor.fc b/policy/modules/services/pyzor.fc index d4a7750..705196e 100644 @@ -46479,14 +46903,13 @@ index 0000000..19d7347 +/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0) 
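Review bot: The new ppp.fc entry `/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)` references `pppd_lock_t`, and no declaration of that type appears on this page. If ppp.te does not declare it (normally `type pppd_lock_t;` plus `files_lock_file(pppd_lock_t)`), the file context is invalid and setfiles/restorecon will reject the entry. Please confirm the declaration is part of the same change, or add it alongside this rule.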
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if new file mode 100644 -index 0000000..21a17ce +index 0000000..6c62862 --- /dev/null +++ b/policy/modules/services/sanlock.if -@@ -0,0 +1,92 @@ +@@ -0,0 +1,91 @@ + +## policy for sanlock + -+ +######################################## +## +## Execute a domain transition to run sanlock. @@ -46577,10 +47000,10 @@ index 0000000..21a17ce +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..86d947e +index 0000000..030a8cd --- /dev/null +++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,54 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -46618,6 +47041,8 @@ index 0000000..86d947e + +files_read_etc_files(sanlock_t) + ++storage_raw_rw_fixed_disk(sanlock_t) ++ +logging_send_syslog_msg(sanlock_t) + +init_read_utmp(sanlock_t) @@ -46625,21 +47050,14 @@ index 0000000..86d947e + +miscfiles_read_localization(sanlock_t) + -+wdmd_stream_connect(sanlock_t) -+require { -+ type sanlock_t; -+} -+ -+#============= sanlock_t ============== -+storage_raw_rw_fixed_disk(sanlock_t) -+ -+gen_require(` -+ attribute virt_domain; ++optional_policy(` ++ wdmd_stream_connect(sanlock_t) +') + -+# virt_kill_svirt(sanlock_t) -+# virt_signal_svirt(sanlock_t) -+allow sanlock_t virt_domain:process { signal sigkill }; ++optional_policy(` ++ virt_kill_svirt(sanlock_t) ++ virt_signal_svirt(sanlock_t) ++') diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if index f1aea88..a5a75a8 100644 --- a/policy/modules/services/sasl.if @@ -50497,7 +50915,7 @@ index 7c5d8d8..7e8e54f 100644 + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..9a96547 100644 +index 3eca020..4dec4ad 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te 
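Review bot: In the sanlock.te hunk `@@ -46618,6 +47041,8 @@`, `storage_raw_rw_fixed_disk(sanlock_t)` grants raw read and write access to every fixed disk device, and the following hunk additionally lets the same domain signal and kill svirt guests via `virt_kill_svirt`/`virt_signal_svirt`; neither rule carries a comment explaining why a service needs that combination. Presumably the leases sanlock manages live on shared block storage, in which case a why-comment such as `# leases are kept on raw shared block devices; this access is the core of the service` above the storage rule would stop the grant from being loosened or copied into other domains without thought. The sanlock_t policy block continues past both hunks.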
@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0) @@ -50698,7 +51116,7 @@ index 3eca020..9a96547 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +211,33 @@ optional_policy(` +@@ -174,21 +211,34 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -50727,6 +51145,7 @@ index 3eca020..9a96547 100644 allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virt_domain virtd_t:fd use; ++dontaudit virt_domain virtd_t:unix_stream_socket { read write }; + +allow virtd_t qemu_var_run_t:file relabel_file_perms; +manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t) @@ -50736,7 +51155,7 @@ index 3eca020..9a96547 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +250,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -50753,7 +51172,7 @@ index 3eca020..9a96547 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) +@@ -220,6 +276,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) @@ -50761,7 +51180,7 @@ index 3eca020..9a96547 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +296,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) 
@@ -50794,7 +51213,7 @@ index 3eca020..9a96547 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +328,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -50813,14 +51232,14 @@ index 3eca020..9a96547 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +363,29 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -50840,7 +51259,6 @@ index 3eca020..9a96547 100644 +manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t) +manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t) +userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file }) -+ tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) @@ -50866,16 +51284,20 @@ index 3eca020..9a96547 100644 dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) -@@ -365,6 +464,8 @@ optional_policy(` +@@ -365,6 +464,12 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) + qemu_entry_type(virt_domain) + qemu_exec(virt_domain) ++') ++ ++optional_policy(` ++ sanlock_stream_connect(virtd_t) ') optional_policy(` -@@ -385,23 +486,37 @@ optional_policy(` +@@ -385,23 +490,37 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -50918,7 +51340,7 @@ index 3eca020..9a96547 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -418,10 +533,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +537,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -50931,7 +51353,7 @@ index 3eca020..9a96547 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +545,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +549,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -50944,7 +51366,7 @@ index 3eca020..9a96547 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,8 +558,16 @@ files_search_all(virt_domain) +@@ -440,8 +562,16 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -50952,17 +51374,17 @@ index 3eca020..9a96547 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) term_use_ptmx(virt_domain) -@@ -457,8 +583,117 @@ optional_policy(` +@@ -457,8 +587,117 @@ optional_policy(` ') optional_policy(` 
@@ -55024,6 +55446,36 @@ index 66d13c4..335900f 100644 + namespace_init_domtrans(polydomain) + ') +') +diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if +index e2f6d93..c78ccc6 100644 +--- a/policy/modules/system/clock.if ++++ b/policy/modules/system/clock.if +@@ -82,6 +82,25 @@ interface(`clock_dontaudit_write_adjtime',` + + ######################################## + ## ++## Read clock drift adjustments. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clock_read_adjtime',` ++ gen_require(` ++ type adjtime_t; ++ ') ++ ++ allow $1 adjtime_t:file read_file_perms; ++ files_list_etc($1) ++') ++ ++######################################## ++## + ## Read and write clock drift adjustments. + ## + ## diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index b9ed25b..de3738c 100644 --- a/policy/modules/system/clock.te @@ -56254,7 +56706,7 @@ index cc83689..48662f1 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..353ef34 100644 +index ea29513..0eb1342 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -56349,7 +56801,7 @@ index ea29513..353ef34 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -114,11 +151,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -114,24 +151,32 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -56362,8 +56814,10 @@ index ea29513..353ef34 100644 +dev_read_urand(init_t) # Early devtmpfs dev_rw_generic_chr_files(init_t) ++dev_filetrans_all_named_dev(init_t) -@@ -127,11 +166,16 @@ domain_kill_all_domains(init_t) + domain_getpgid_all_domains(init_t) + domain_kill_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) 
@@ -56380,7 +56834,7 @@ index ea29513..353ef34 100644 files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,10 +195,16 @@ mls_file_read_all_levels(init_t) +@@ -151,10 +196,16 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -56398,7 +56852,7 @@ index ea29513..353ef34 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +212,15 @@ init_domtrans_script(init_t) +@@ -162,12 +213,15 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -56414,7 +56868,7 @@ index ea29513..353ef34 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +231,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +232,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -56423,7 +56877,7 @@ index ea29513..353ef34 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +239,119 @@ tunable_policy(`init_upstart',` +@@ -186,12 +240,121 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -56503,6 +56957,8 @@ index ea29513..353ef34 100644 + auth_relabel_login_records(init_t) + auth_relabel_pam_console_data_dirs(init_t) + ++ clock_read_adjtime(init_t) ++ + init_read_script_state(init_t) + + seutil_read_file_contexts(init_t) @@ -56543,7 +56999,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -199,10 +359,26 @@ optional_policy(` +@@ -199,10 +362,26 @@ optional_policy(` ') optional_policy(` @@ -56570,7 +57026,7 @@ index ea29513..353ef34 100644 unconfined_domain(init_t) ') -@@ -212,7 +388,7 @@ optional_policy(` +@@ -212,7 +391,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -56579,7 +57035,7 @@ index ea29513..353ef34 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +417,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +420,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -56595,7 +57051,7 @@ index ea29513..353ef34 100644 init_write_initctl(initrc_t) -@@ -258,20 +437,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +440,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -56632,7 +57088,7 @@ index ea29513..353ef34 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +470,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +473,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -56640,7 +57096,7 @@ index ea29513..353ef34 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +481,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +484,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -56651,13 +57107,14 @@ index ea29513..353ef34 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +492,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +495,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) -# Early devtmpfs -dev_rw_generic_chr_files(initrc_t) +dev_rw_xserver_misc(initrc_t) ++dev_filetrans_all_named_dev(initrc_t) domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) @@ -56667,7 +57124,7 @@ index ea29513..353ef34 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +510,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +514,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -56675,7 +57132,7 @@ index ea29513..353ef34 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +518,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +522,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -56687,7 +57144,7 @@ index ea29513..353ef34 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +537,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +541,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -56701,7 +57158,7 @@ index ea29513..353ef34 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +552,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +556,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -56710,7 +57167,7 @@ index ea29513..353ef34 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +566,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +570,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -56718,7 +57175,7 @@ index ea29513..353ef34 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +578,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +582,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -56726,7 +57183,7 @@ index ea29513..353ef34 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +599,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +603,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -56748,7 +57205,7 @@ index ea29513..353ef34 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +662,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +666,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -56759,7 +57216,7 @@ index ea29513..353ef34 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +686,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +690,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -56768,7 +57225,7 @@ index ea29513..353ef34 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +701,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +705,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -56776,7 +57233,7 @@ index ea29513..353ef34 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +731,29 @@ ifdef(`distro_redhat',` +@@ -522,8 +735,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -56806,7 +57263,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -531,10 +761,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +765,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -56829,7 +57286,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -549,6 +791,39 @@ ifdef(`distro_suse',` +@@ -549,6 +795,39 @@ ifdef(`distro_suse',` ') ') @@ -56869,7 +57326,7 @@ index ea29513..353ef34 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +836,8 @@ optional_policy(` +@@ -561,6 +840,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -56878,7 +57335,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -577,6 +854,7 @@ optional_policy(` +@@ -577,6 +858,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -56886,7 +57343,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -589,6 +867,11 @@ optional_policy(` +@@ -589,6 +871,11 @@ optional_policy(` ') optional_policy(` @@ -56898,7 +57355,7 @@ index ea29513..353ef34 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +888,13 @@ optional_policy(` +@@ -605,9 +892,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -56912,7 +57369,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -649,6 +936,11 @@ optional_policy(` +@@ -649,6 +940,11 @@ optional_policy(` ') optional_policy(` @@ -56924,7 +57381,7 @@ index ea29513..353ef34 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +998,13 @@ optional_policy(` +@@ -706,7 +1002,13 @@ optional_policy(` ') optional_policy(` @@ -56938,7 +57395,7 @@ index ea29513..353ef34 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1027,10 @@ optional_policy(` +@@ -729,6 +1031,10 @@ optional_policy(` ') optional_policy(` @@ -56949,7 +57406,7 @@ index ea29513..353ef34 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1040,20 @@ optional_policy(` +@@ -738,10 +1044,20 @@ optional_policy(` ') optional_policy(` @@ -56970,7 +57427,7 @@ index ea29513..353ef34 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1062,10 @@ optional_policy(` +@@ -750,6 +1066,10 @@ optional_policy(` ') optional_policy(` @@ -56981,7 +57438,7 @@ index ea29513..353ef34 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1087,6 @@ optional_policy(` +@@ -771,8 +1091,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -56990,7 +57447,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -781,14 +1095,21 @@ optional_policy(` +@@ -781,14 +1099,21 @@ optional_policy(` ') optional_policy(` @@ -57012,7 +57469,7 @@ index ea29513..353ef34 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1121,6 @@ optional_policy(` +@@ -800,7 +1125,6 @@ optional_policy(` ') optional_policy(` @@ -57020,7 +57477,7 @@ index ea29513..353ef34 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1130,24 @@ optional_policy(` +@@ -810,11 +1134,24 @@ optional_policy(` ') optional_policy(` 
@@ -57046,7 +57503,7 @@ index ea29513..353ef34 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1157,25 @@ optional_policy(` +@@ -824,6 +1161,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -57072,7 +57529,7 @@ index ea29513..353ef34 100644 ') optional_policy(` -@@ -849,3 +1201,42 @@ optional_policy(` +@@ -849,3 +1205,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -58265,7 +58722,7 @@ index d97d16d..ed84884 100644 ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index bf416a4..18c1561 100644 +index bf416a4..91f5506 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; @@ -58295,10 +58752,11 @@ index bf416a4..18c1561 100644 userdom_use_all_users_fds(ldconfig_t) ifdef(`distro_ubuntu',` -@@ -103,6 +105,10 @@ ifdef(`distro_ubuntu',` +@@ -103,6 +105,11 @@ ifdef(`distro_ubuntu',` ') ') ++userdom_list_user_home_dirs(ldconfig_t) +userdom_manage_user_home_content_files(ldconfig_t) +userdom_manage_user_tmp_files(ldconfig_t) +userdom_manage_user_tmp_symlinks(ldconfig_t) @@ -58306,7 +58764,7 @@ index bf416a4..18c1561 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -131,6 +137,10 @@ optional_policy(` +@@ -131,6 +138,10 @@ optional_policy(` ') optional_policy(` @@ -58317,7 +58775,7 @@ index bf416a4..18c1561 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +151,7 @@ optional_policy(` +@@ -141,6 +152,7 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -62076,10 +62534,10 @@ index 0000000..c59c37c +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..13b7617 +index 0000000..0fc12cc --- /dev/null 
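Review bot: `userdom_list_user_home_dirs(ldconfig_t)` is added to libraries.te with no comment on which denial it clears, next to the existing `userdom_manage_user_home_content_files(ldconfig_t)` grant. ldconfig_t is a privileged domain, so each widening of its reach into user home directories deserves a one-line rationale for whoever audits this policy later; presumably it covers ldconfig being invoked with a user's home directory as its working directory, but that is an inference from the surrounding rules, not something the hunk states. Proposed, directly above the new line: `# ldconfig lists home dirs when invoked from one — see <bug/denial reference placeholder>`. If the access is only ever needed to silence a harmless denial rather than to make ldconfig work, a dontaudit interface would be the narrower choice.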
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,185 @@ +@@ -0,0 +1,189 @@ + +policy_module(systemd, 1.0.0) + @@ -62240,6 +62698,8 @@ index 0000000..13b7617 + sandbox_list(systemd_tmpfiles_t) + sandbox_delete_dirs(systemd_tmpfiles_t) + sandbox_delete_files(systemd_tmpfiles_t) ++ sandbox_delete_lnk_files(systemd_tmpfiles_t) ++ sandbox_delete_pipes(systemd_tmpfiles_t) + sandbox_delete_sock_files(systemd_tmpfiles_t) + sandbox_setattr_dirs(systemd_tmpfiles_t) +') @@ -62258,6 +62718,8 @@ index 0000000..13b7617 + +files_read_etc_files(systemd_notify_t) + ++fs_getattr_cgroup_files(systemd_notify_t) ++ +auth_use_nsswitch(systemd_notify_t) + +miscfiles_read_localization(systemd_notify_t) @@ -62487,7 +62949,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..1b1d6a2 100644 +index d88f7c3..ca207d7 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -62569,7 +63031,14 @@ index d88f7c3..1b1d6a2 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these +@@ -105,21 +112,27 @@ dev_relabel_all_dev_nodes(udev_t) + # preserved, instead of short circuiting the relabel + dev_relabel_generic_symlinks(udev_t) + dev_manage_generic_symlinks(udev_t) ++dev_filetrans_all_named_dev(udev_t) + + domain_read_all_domains_state(udev_t) + domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) @@ -62591,7 +63060,7 @@ index d88f7c3..1b1d6a2 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) 
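Review bot: `dev_filetrans_all_named_dev(udev_t)` is inserted into udev.te between the symlink relabel rules and the `domain_*` rules with no comment, although it changes which types the device nodes udev creates end up with, which is what every later dev_* access decision depends on. udev is the right domain for these named transitions, but a short why-comment would keep the intent visible, e.g. `# udev creates the named /dev nodes; apply their specific device types at creation`. Named file transitions are only honored by kernels and policy versions that support filename transitions; on an older combination the rule is silently inert and the nodes keep the generic type until a relabel, which may be worth noting next to the rule if this policy still targets such kernels.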
@@ -62599,7 +63068,7 @@ index d88f7c3..1b1d6a2 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +199,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +200,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -62620,7 +63089,7 @@ index d88f7c3..1b1d6a2 100644 ') optional_policy(` -@@ -216,11 +230,16 @@ optional_policy(` +@@ -216,11 +231,16 @@ optional_policy(` ') optional_policy(` @@ -62638,7 +63107,7 @@ index d88f7c3..1b1d6a2 100644 ') optional_policy(` -@@ -230,6 +249,15 @@ optional_policy(` +@@ -230,6 +250,15 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -62654,7 +63123,7 @@ index d88f7c3..1b1d6a2 100644 ') optional_policy(` -@@ -259,6 +287,10 @@ optional_policy(` +@@ -259,6 +288,10 @@ optional_policy(` ') optional_policy(` @@ -62665,7 +63134,7 @@ index d88f7c3..1b1d6a2 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +305,11 @@ optional_policy(` +@@ -273,6 +306,11 @@ optional_policy(` ') optional_policy(` @@ -63449,7 +63918,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..eba9213 100644 +index 28b88de..d7d8b53 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -64731,7 +65200,7 @@ index 28b88de..eba9213 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1234,9 +1512,14 @@ template(`userdom_security_admin_template',` +@@ -1234,11 +1512,22 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -64745,8 +65214,16 @@ index 28b88de..eba9213 100644 + seutil_run_setsebool($1,$2) seutil_run_setfiles($1, $2) ++ seutil_manage_bin_policy($1) ++ seutil_manage_default_contexts($1) ++ seutil_manage_file_contexts($1) ++ seutil_manage_module_store($1) ++ seutil_manage_config($1) ++ optional_policy(` -@@ -1279,11 +1562,37 @@ template(`userdom_security_admin_template',` + aide_run($1,$2) + ') +@@ -1279,11 +1568,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -64784,7 +65261,7 @@ index 28b88de..eba9213 100644 ubac_constrained($1) ') -@@ -1395,6 +1704,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1710,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -64792,7 +65269,7 @@ index 28b88de..eba9213 100644 files_search_home($1) ') -@@ -1441,6 +1751,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1757,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -64807,7 +65284,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -1456,9 +1774,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1780,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -64819,7 +65296,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -1515,10 +1835,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1841,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -64832,7 +65309,7 @@ index 28b88de..eba9213 100644 ## ## ## -@@ -1526,19 +1846,55 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,17 +1852,53 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # 
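Review bot: The added `seutil_manage_bin_policy($1)` duplicates a call that `userdom_security_admin_template` already makes — the context of the preceding hunk shows `seutil_manage_bin_policy($1)` right after `logging_read_audit_config($1)`, a few lines above this insertion point. The policy compiler merges duplicate allow rules, so this is harmless at runtime, but it reads as a new grant and makes later pruning of the security-admin privileges harder; drop the duplicated line and keep the four genuinely new calls. Those four (`seutil_manage_default_contexts`, `seutil_manage_file_contexts`, `seutil_manage_module_store`, `seutil_manage_config`) let the role modify policy configuration rather than only load it, which fits a security admin, but if the template's header comment (outside the hunk) does not already say so it should be updated. The template body begins before this hunk and continues after it.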
@@ -64850,8 +65327,6 @@ index 28b88de..eba9213 100644 ######################################## ## -## Do a domain transition to the specified --## domain when executing a program in the --## user home directory. +## Relabel user home files. +## +## @@ -64890,12 +65365,10 @@ index 28b88de..eba9213 100644 +######################################## +## +## Do a domain transition to the specified -+## domain when executing a program in the -+## user home directory. + ## domain when executing a program in the + ## user home directory. ## - ## - ##

    -@@ -1589,6 +1945,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1951,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -64904,7 +65377,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -1603,10 +1961,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1967,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -64919,7 +65392,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -1649,6 +2009,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2015,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ##

    @@ -64945,7 +65418,7 @@ index 28b88de..eba9213 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2079,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2085,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -64978,7 +65451,7 @@ index 28b88de..eba9213 100644 ## Do not audit attempts to read user home files. ##
## -@@ -1716,11 +2115,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2121,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -64996,7 +65469,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -1779,6 +2181,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2187,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -65021,7 +65494,7 @@ index 28b88de..eba9213 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2230,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2236,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -65031,7 +65504,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -1827,20 +2246,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,21 +2252,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -65045,18 +65518,19 @@ index 28b88de..eba9213 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) -- ') -- -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') --') +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) +- ') +-') +- ######################################## ## -@@ -2008,7 +2421,7 @@ interface(`userdom_user_home_dir_filetrans',` + ## Do not audit attempts to execute user home files. +@@ -2008,7 +2427,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') 
@@ -65065,7 +65539,7 @@ index 28b88de..eba9213 100644 files_search_home($1) ') -@@ -2182,7 +2595,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2601,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -65074,7 +65548,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -2435,13 +2848,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2854,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -65090,7 +65564,7 @@ index 28b88de..eba9213 100644 ## ## ## -@@ -2462,26 +2876,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2882,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -65117,7 +65591,7 @@ index 28b88de..eba9213 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +2966,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +2972,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -65142,7 +65616,7 @@ index 28b88de..eba9213 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +3002,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +3008,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -65185,7 +65659,7 @@ index 28b88de..eba9213 100644 ## ## ## -@@ -2614,14 +3038,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3044,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -65223,7 +65697,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -2815,7 +3258,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3264,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -65232,7 +65706,7 @@ index 28b88de..eba9213 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3274,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3280,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -65248,7 +65722,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -2917,7 +3362,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3368,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -65257,7 +65731,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -2972,7 +3417,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3423,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -65304,7 +65778,7 @@ index 28b88de..eba9213 100644 ') ######################################## -@@ -3009,6 +3492,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3498,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -65312,7 +65786,7 @@ index 28b88de..eba9213 100644 kernel_search_proc($1) ') -@@ -3087,6 +3571,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3577,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -65337,7 +65811,7 @@ index 28b88de..eba9213 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3641,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3647,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 8cf0228..fb9c1a2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -472,6 +472,12 @@ exit 0 %endif %changelog +* Jun 2 1 2011 Miroslav Grepl 3.9.16-25 +- Fixes for sanlock policy +- Fixes for colord policy +- Other fixes + * http://git.fedorahosted.org/git/?p=selinux-policy.git;a=log + * Thu May 26 2011 Miroslav Grepl 3.9.16-24 - Add rhev policy module to modules-targeted.conf