From bfc280fd5bbab091e3fb0601d624105dc1efc2d9 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Jun 15 2012 08:43:55 +0000
Subject: - Add support for ecryptfs
* ecryptfs does not support xattr
* we need labeling for HOMEDIR
- Add policy for (u)mount.ecryptfs*
- Fix labeling of kerberos host cache files, allow rpc.svcgssd to manage
- Allow dovecot to manage Maildir content, fix transitions to Maildir
- Allow postfix_local to transition to dovecot_deliver
- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
- Cleanup interface definitions
- Allow apmd to change with the logind daemon
- Changes required for sanlock in rhel6
- Label /run/user/apache as httpd_tmp_t
- Allow thumb to use lib_t as execmod if boolean turned on
- Allow squid to create the squid directory in /var with the correct la
- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.co
- Allow virtd to exec xend_exec_t without transition
- Allow virtd_lxc_t to unmount all file systems
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index a2c7c8c..9c8cbc0 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2556,3 +2556,10 @@ svnserve = module
# policy for man2html apps
#
man2html = module
+
+# Layer: contrib
+# Module: glusterd
+#
+# policy for glusterd service
+#
+glusterd = module
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 8fb05e8..1bcf4e2 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58218,7 +58218,7 @@ index 66e85ea..d02654d 100644
## user domains.
##
diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..cc2b436 100644
+index 4705ab6..8ba19a0 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -6,52 +6,59 @@
@@ -58307,10 +58307,17 @@ index 4705ab6..cc2b436 100644
## Allow any files/directories to be exported read/write via NFS.
##
##
-@@ -105,9 +103,17 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
##
##
++## Support ecryptfs home directories
++##
++##
++gen_tunable(use_ecryptfs_home_dirs,false)
++
++##
++##
+## Support fusefs home directories
+##
+##
@@ -58422,10 +58429,10 @@ index f477c7f..d80599b 100644
+
') dnl end enable_mcs
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..530d2df 100644
+index 7a6f06f..48fc840 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,16 @@
-
+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
@@ -58437,6 +58444,8 @@ index 7a6f06f..530d2df 100644
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++
++/var/run/blkid(/.*)? gen_context(system_u:object_r:bootloader_var_run_t,s0)
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
@@ -58529,7 +58538,7 @@ index a778bb1..5e914db 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..e717a21 100644
+index ab0439a..4104b53 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
@@ -58543,13 +58552,16 @@ index ab0439a..e717a21 100644
#
# boot_runtime_t is the type for /boot/kernel.h,
-@@ -19,14 +19,15 @@ files_type(boot_runtime_t)
+@@ -19,14 +19,18 @@ files_type(boot_runtime_t)
type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
-role bootloader_roles types bootloader_t;
+#role bootloader_roles types bootloader_t;
+role system_r types bootloader_t;
++
++type bootloader_var_run_t;
++files_pid_file(bootloader_var_run_t)
#
# bootloader_etc_t is the configuration file,
@@ -58561,7 +58573,7 @@ index ab0439a..e717a21 100644
#
# The temp file is used for initrd creation;
-@@ -41,7 +42,7 @@ dev_node(bootloader_tmp_t)
+@@ -41,7 +45,7 @@ dev_node(bootloader_tmp_t)
# bootloader local policy
#
@@ -58570,7 +58582,18 @@ index ab0439a..e717a21 100644
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
-@@ -81,6 +82,7 @@ dev_rw_nvram(bootloader_t)
+@@ -59,6 +63,10 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
+ # for tune2fs (cjp: ?)
+ files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+
++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
++
+ kernel_getattr_core_if(bootloader_t)
+ kernel_read_network_state(bootloader_t)
+ kernel_read_system_state(bootloader_t)
+@@ -81,6 +89,7 @@ dev_rw_nvram(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
fs_getattr_tmpfs(bootloader_t)
@@ -58578,7 +58601,7 @@ index ab0439a..e717a21 100644
fs_read_tmpfs_symlinks(bootloader_t)
#Needed for ia64
fs_manage_dos_files(bootloader_t)
-@@ -89,6 +91,7 @@ mls_file_read_all_levels(bootloader_t)
+@@ -89,6 +98,7 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
@@ -58586,7 +58609,7 @@ index ab0439a..e717a21 100644
term_dontaudit_manage_pty_dirs(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
-@@ -98,12 +101,14 @@ domain_use_interactive_fds(bootloader_t)
+@@ -98,12 +108,14 @@ domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
@@ -58601,7 +58624,7 @@ index ab0439a..e717a21 100644
# for nscd
files_dontaudit_search_pids(bootloader_t)
# for blkid.tab
-@@ -111,6 +116,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -111,6 +123,7 @@ files_manage_etc_runtime_files(bootloader_t)
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
@@ -58609,7 +58632,7 @@ index ab0439a..e717a21 100644
init_getattr_initctl(bootloader_t)
init_use_script_ptys(bootloader_t)
init_use_script_fds(bootloader_t)
-@@ -118,8 +124,10 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,8 +131,10 @@ init_rw_script_pipes(bootloader_t)
libs_read_lib_files(bootloader_t)
libs_exec_lib_files(bootloader_t)
@@ -58621,7 +58644,7 @@ index ab0439a..e717a21 100644
logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t)
-@@ -130,7 +138,8 @@ seutil_read_bin_policy(bootloader_t)
+@@ -130,7 +145,8 @@ seutil_read_bin_policy(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
@@ -58631,7 +58654,7 @@ index ab0439a..e717a21 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -166,7 +175,8 @@ ifdef(`distro_redhat',`
+@@ -166,7 +182,8 @@ ifdef(`distro_redhat',`
files_manage_isid_type_chr_files(bootloader_t)
# for mke2fs
@@ -58641,7 +58664,7 @@ index ab0439a..e717a21 100644
optional_policy(`
unconfined_domain(bootloader_t)
-@@ -174,6 +184,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +191,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -58652,7 +58675,7 @@ index ab0439a..e717a21 100644
fstools_exec(bootloader_t)
')
-@@ -183,6 +197,10 @@ optional_policy(`
+@@ -183,6 +204,10 @@ optional_policy(`
')
optional_policy(`
@@ -58663,7 +58686,7 @@ index ab0439a..e717a21 100644
kudzu_domtrans(bootloader_t)
')
-@@ -195,15 +213,13 @@ optional_policy(`
+@@ -195,15 +220,13 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
@@ -66453,10 +66476,18 @@ index 1ce8aa0..24dfed0 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..e89e4bf 100644
+index cda5588..91d1e25 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
-@@ -14,3 +14,8 @@
+@@ -1,3 +1,7 @@
++# ecryptfs does not support xattr
++HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
++HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
++
+ /cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /cgroup/.* <>
+
+@@ -14,3 +18,8 @@
# for systemd systems:
/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
/sys/fs/cgroup/.* <>
@@ -66466,7 +66497,7 @@ index cda5588..e89e4bf 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..6d3f720 100644
+index 7c6b791..242bce2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -66592,15 +66623,17 @@ index 7c6b791..6d3f720 100644
dev_search_sysfs($1)
')
-@@ -763,6 +829,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
+
')
++ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
rw_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
dev_search_sysfs($1)
')
-@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
')
manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -66609,7 +66642,7 @@ index 7c6b791..6d3f720 100644
dev_search_sysfs($1)
')
-@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
########################################
##
@@ -66634,7 +66667,7 @@ index 7c6b791..6d3f720 100644
## Do not audit attempts to read all
## noxattrfs files.
##
-@@ -1245,7 +1332,7 @@ interface(`fs_append_cifs_files',`
+@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
########################################
##
@@ -66643,7 +66676,7 @@ index 7c6b791..6d3f720 100644
## on a CIFS filesystem.
##
##
-@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
########################################
##
@@ -66686,7 +66719,7 @@ index 7c6b791..6d3f720 100644
## Do not audit attempts to read or
## write files on a CIFS or SMB filesystem.
##
-@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
type cifs_t;
')
@@ -66695,7 +66728,7 @@ index 7c6b791..6d3f720 100644
')
########################################
-@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
domain_auto_transition_pattern($1, cifs_t, $2)
')
@@ -66721,7 +66754,7 @@ index 7c6b791..6d3f720 100644
#######################################
##
## Create, read, write, and delete dirs
-@@ -1582,6 +1724,24 @@ interface(`fs_manage_configfs_files',`
+@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
########################################
##
@@ -66746,7 +66779,7 @@ index 7c6b791..6d3f720 100644
## Mount a DOS filesystem, such as
## FAT32 or NTFS.
##
-@@ -1679,6 +1839,25 @@ interface(`fs_relabelfrom_dos_fs',`
+@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',`
########################################
##
@@ -66772,10 +66805,132 @@ index 7c6b791..6d3f720 100644
## Search dosfs filesystem.
##
##
-@@ -2025,6 +2204,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+ refpolicywarn(`$0($*) has been deprecated.')
+ ')
- ########################################
- ##
++
++#######################################
++##
++## Search directories
++## on a ecrypt filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_search_ecryptfs',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete directories
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_ecryptfs_dirs',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++ allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++##
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_read_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ read_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Create, read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`fs_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
++## Do not audit attempts to create,
++## read, write, and delete files
++## on a FUSEFS filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_manage_ecryptfs_files',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ dontaudit $1 ecryptfs_t:file manage_file_perms;
++')
++
++########################################
++##
++## Read symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_ecryptfs_symlinks',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++##
+## Manage symbolic links on a FUSEFS filesystem.
+##
+##
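Review bot: `fs_search_ecryptfs` requires `type fusefs_t;` while its only rule is `allow $1 ecryptfs_t:dir search_dir_perms;`, so ecryptfs_t is never pulled into the caller's scope and a loadable module calling this interface would hit an undeclared type; the require should be `type ecryptfs_t;`. The same mismatch is left in `fs_manage_ecryptfs_symlinks` in the next hunk, where the commit renames the interface and its rule to ecryptfs_t but keeps the pre-existing `type fusefs_t;` require. Every summary in this block still reads "on a FUSEFS filesystem", and `fs_read_ecryptfs_files` is described as "Create, read, write, and delete files" although it only calls read_files_pattern; each summary should name ecryptfs and match the rule it documents. In `fs_manage_ecryptfs_dirs` the `allow $1 ecryptfs_t:dir manage_dir_perms;` line duplicates what manage_dirs_pattern already grants on the target directory and can be dropped.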
@@ -66784,12 +66939,12 @@ index 7c6b791..6d3f720 100644
+##
+##
+#
-+interface(`fs_manage_fusefs_symlinks',`
++interface(`fs_manage_ecryptfs_symlinks',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
+')
+
+########################################
@@ -66827,21 +66982,108 @@ index 7c6b791..6d3f720 100644
+##
+##
+#
-+interface(`fs_fusefs_domtrans',`
++interface(`fs_ecryptfs_domtrans',`
++ gen_require(`
++ type ecryptfs_t;
++ ')
++
++ allow $1 ecryptfs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
+ ########################################
+ ##
+ ## Mount a FUSE filesystem.
+@@ -2006,21 +2368,83 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
++## Read symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_fusefs_symlinks',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ allow $1 fusefs_t:dir search_dir_perms;
-+ domain_auto_transition_pattern($1, fusefs_t, $2)
++ allow $1 fusefs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+')
+
+########################################
+##
- ## Get the attributes of an hugetlbfs
- ## filesystem.
++## Manage symbolic links on a FUSEFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_manage_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain.
##
-@@ -2080,6 +2321,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
++##
++##
++## Execute a file on a FUSE filesystem
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain. This is not suggested.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## home directories on FUSE filesystems,
++## in particular used by the ssh-agent policy.
++##
++##
+ ##
+ ##
+-## Domain allowed access.
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
+ ##
+ ##
+ #
+-interface(`fs_read_fusefs_symlinks',`
++interface(`fs_fusefs_domtrans',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++ allow $1 fusefs_t:dir search_dir_perms;
++ domain_auto_transition_pattern($1, fusefs_t, $2)
+ ')
+
+ ########################################
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
##
@@ -66866,7 +67108,7 @@ index 7c6b791..6d3f720 100644
## Read and write hugetlbfs files.
##
##
-@@ -2148,11 +2407,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
')
allow $1 inotifyfs_t:dir list_dir_perms;
@@ -66880,7 +67122,7 @@ index 7c6b791..6d3f720 100644
##
##
##
-@@ -2485,6 +2745,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
type nfs_t;
')
@@ -66888,7 +67130,7 @@ index 7c6b791..6d3f720 100644
allow $1 nfs_t:dir list_dir_perms;
read_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2523,6 +2784,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
type nfs_t;
')
@@ -66896,7 +67138,7 @@ index 7c6b791..6d3f720 100644
allow $1 nfs_t:dir list_dir_perms;
write_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2549,6 +2811,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
########################################
##
@@ -66922,7 +67164,7 @@ index 7c6b791..6d3f720 100644
## Append files
## on a NFS filesystem.
##
-@@ -2569,7 +2850,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
########################################
##
@@ -66931,7 +67173,7 @@ index 7c6b791..6d3f720 100644
## on a NFS filesystem.
##
##
-@@ -2589,6 +2870,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
########################################
##
@@ -66974,7 +67216,7 @@ index 7c6b791..6d3f720 100644
## Do not audit attempts to read or
## write files on a NFS filesystem.
##
-@@ -2603,7 +2920,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
type nfs_t;
')
@@ -66983,7 +67225,7 @@ index 7c6b791..6d3f720 100644
')
########################################
-@@ -2627,7 +2944,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
########################################
##
@@ -66992,7 +67234,7 @@ index 7c6b791..6d3f720 100644
##
##
##
-@@ -2741,7 +3058,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
##
##
##
@@ -67001,7 +67243,7 @@ index 7c6b791..6d3f720 100644
##
##
#
-@@ -2777,7 +3094,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
##
##
##
@@ -67010,7 +67252,7 @@ index 7c6b791..6d3f720 100644
##
##
#
-@@ -2970,6 +3287,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -67018,7 +67260,7 @@ index 7c6b791..6d3f720 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +3328,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -67026,7 +67268,7 @@ index 7c6b791..6d3f720 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +3369,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -67034,7 +67276,7 @@ index 7c6b791..6d3f720 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3263,6 +3583,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
')
@@ -67059,7 +67301,7 @@ index 7c6b791..6d3f720 100644
########################################
##
## Read and write NFS server files.
-@@ -3283,6 +3621,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
########################################
##
@@ -67084,7 +67326,7 @@ index 7c6b791..6d3f720 100644
## Allow the type to associate to ramfs filesystems.
##
##
-@@ -3392,7 +3748,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -67093,7 +67335,7 @@ index 7c6b791..6d3f720 100644
##
##
##
-@@ -3429,7 +3785,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -67102,7 +67344,7 @@ index 7c6b791..6d3f720 100644
##
##
##
-@@ -3447,7 +3803,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -67111,7 +67353,7 @@ index 7c6b791..6d3f720 100644
##
##
##
-@@ -3815,6 +4171,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -67136,7 +67378,7 @@ index 7c6b791..6d3f720 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3963,6 +4337,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
##
@@ -67179,7 +67421,7 @@ index 7c6b791..6d3f720 100644
## Create, read, write, and delete
## tmpfs directories
##
-@@ -4069,7 +4479,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -67188,7 +67430,7 @@ index 7c6b791..6d3f720 100644
')
########################################
-@@ -4129,6 +4539,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
##
@@ -67213,7 +67455,7 @@ index 7c6b791..6d3f720 100644
## Read tmpfs link files.
##
##
-@@ -4166,7 +4594,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
##
@@ -67222,7 +67464,7 @@ index 7c6b791..6d3f720 100644
##
##
##
-@@ -4185,6 +4613,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -67265,7 +67507,7 @@ index 7c6b791..6d3f720 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4242,6 +4706,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4889,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
##
@@ -67290,7 +67532,7 @@ index 7c6b791..6d3f720 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
##
-@@ -4261,6 +4743,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +4926,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
##
@@ -67316,7 +67558,7 @@ index 7c6b791..6d3f720 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
-@@ -4467,6 +4968,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5151,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -67325,7 +67567,7 @@ index 7c6b791..6d3f720 100644
')
########################################
-@@ -4513,7 +5016,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5199,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -67334,7 +67576,7 @@ index 7c6b791..6d3f720 100644
## Example attributes:
##
##
-@@ -4876,3 +5379,24 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5562,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -69645,10 +69887,10 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..f373c8d 100644
+index e5aee97..3d10b66 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,52 @@ policy_module(staff, 2.3.0)
+@@ -8,12 +8,57 @@ policy_module(staff, 2.3.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -69698,10 +69940,15 @@ index e5aee97..f373c8d 100644
+ abrt_read_cache(staff_t)
+')
+
++optional_policy(`
++ accountsd_dbus_chat(staff_t)
++ accountsd_read_lib_files(staff_t)
++')
++
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +63,99 @@ optional_policy(`
+@@ -23,11 +68,98 @@ optional_policy(`
')
optional_policy(`
@@ -69713,21 +69960,20 @@ index e5aee97..f373c8d 100644
+')
+
+optional_policy(`
- dbadm_role_change(staff_r)
- ')
-
- optional_policy(`
-- git_role(staff_r, staff_t)
-+ accountsd_dbus_chat(staff_t)
-+ accountsd_read_lib_files(staff_t)
++ chrome_role(staff_r, staff_t)
+')
+
+optional_policy(`
-+ chrome_role(staff_r, staff_t)
++ colord_dbus_chat(staff_t)
+')
+
+optional_policy(`
-+ colord_dbus_chat(staff_t)
+ dbadm_role_change(staff_r)
+ ')
+
+ optional_policy(`
+- git_role(staff_r, staff_t)
++ dnsmasq_read_pid_files(staff_t)
+')
+
+optional_policy(`
@@ -69802,7 +70048,7 @@ index e5aee97..f373c8d 100644
')
optional_policy(`
-@@ -35,15 +163,23 @@ optional_policy(`
+@@ -35,15 +167,27 @@ optional_policy(`
')
optional_policy(`
@@ -69814,6 +70060,10 @@ index e5aee97..f373c8d 100644
+')
+
+optional_policy(`
++ rwho_read_spool_files(staff_t)
++')
++
++optional_policy(`
secadm_role_change(staff_r)
')
@@ -69828,7 +70078,7 @@ index e5aee97..f373c8d 100644
')
optional_policy(`
-@@ -52,10 +188,59 @@ optional_policy(`
+@@ -52,10 +196,59 @@ optional_policy(`
')
optional_policy(`
@@ -69888,7 +70138,7 @@ index e5aee97..f373c8d 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +250,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +258,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -69899,7 +70149,7 @@ index e5aee97..f373c8d 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -93,18 +274,10 @@ ifndef(`distro_redhat',`
+@@ -93,18 +282,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -69918,7 +70168,7 @@ index e5aee97..f373c8d 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +306,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -69929,7 +70179,7 @@ index e5aee97..f373c8d 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +310,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +318,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -69940,7 +70190,7 @@ index e5aee97..f373c8d 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +341,7 @@ ifndef(`distro_redhat',`
+@@ -176,3 +349,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -73043,10 +73293,10 @@ index b17e27a..f87cce0 100644
+ ssh_rw_dgram_sockets(chroot_user_t)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..cfe92e1 100644
+index fc86b7c..decae02 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,34 @@
+@@ -2,13 +2,35 @@
# HOME_DIR
#
HOME_DIR/\.fonts\.conf -- gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -73061,6 +73311,7 @@ index fc86b7c..cfe92e1 100644
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+
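Review bot: `HOME_DIR/\.cache/gdm(/.*)? -- gen_context(system_u:object_r:xdm_home_t,s0)` combines a directory-tree regex with the `--` regular-file restriction, so the .cache/gdm directory itself and any subdirectory never match and only plain files below it receive xdm_home_t, leaving the tree mixed with the surrounding home type. Drop the file-type flag so the entry reads `HOME_DIR/\.cache/gdm(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)`, as the other `(/.*)?` entries in this patch such as `/var/lib/lxdm(/.*)?` do. The neighbouring `\.xsession-errors.*` and `\.dmrc.*` lines are file-only patterns where `--` is correct.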
@@ -73081,7 +73332,7 @@ index fc86b7c..cfe92e1 100644
#
# /dev
-@@ -24,11 +45,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -73100,7 +73351,7 @@ index fc86b7c..cfe92e1 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,23 +74,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -73131,7 +73382,7 @@ index fc86b7c..cfe92e1 100644
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -90,24 +119,43 @@ ifndef(`distro_debian',`
+@@ -90,24 +120,43 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -73180,7 +73431,7 @@ index fc86b7c..cfe92e1 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..647cc5c 100644
+index 130ced9..173eaf5 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -73680,16 +73931,34 @@ index 130ced9..647cc5c 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -765,7 +918,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
- allow $1 xdm_tmp_t:dir setattr;
+ allow $1 xdm_tmp_t:dir setattr_dir_perms;
++')
++
++########################################
++##
++## Dont audit attempts to set the attributes of XDM temporary directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_xdm_tmp_dirs',`
++ gen_require(`
++ type xdm_tmp_t;
++ ')
++
++ dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
')
########################################
-@@ -805,7 +958,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -73717,7 +73986,7 @@ index 130ced9..647cc5c 100644
')
########################################
-@@ -828,6 +1000,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -73742,7 +74011,7 @@ index 130ced9..647cc5c 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -897,7 +1087,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1105,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -73751,7 +74020,7 @@ index 130ced9..647cc5c 100644
')
########################################
-@@ -916,7 +1106,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1124,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -73760,7 +74029,7 @@ index 130ced9..647cc5c 100644
')
########################################
-@@ -963,6 +1153,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1171,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -73806,7 +74075,7 @@ index 130ced9..647cc5c 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1205,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1223,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -73815,7 +74084,7 @@ index 130ced9..647cc5c 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1267,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1285,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -73858,7 +74127,7 @@ index 130ced9..647cc5c 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1317,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1335,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -73867,7 +74136,7 @@ index 130ced9..647cc5c 100644
')
########################################
-@@ -1070,8 +1335,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1353,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -73879,7 +74148,7 @@ index 130ced9..647cc5c 100644
')
########################################
-@@ -1185,6 +1452,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1470,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -73906,7 +74175,7 @@ index 130ced9..647cc5c 100644
')
########################################
-@@ -1210,7 +1497,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1515,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -73915,7 +74184,7 @@ index 130ced9..647cc5c 100644
##
##
##
-@@ -1220,13 +1507,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1525,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -73940,7 +74209,7 @@ index 130ced9..647cc5c 100644
')
########################################
-@@ -1243,10 +1540,533 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -74477,7 +74746,7 @@ index 130ced9..647cc5c 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index c4f7c35..c221771 100644
+index c4f7c35..06c447c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -75136,7 +75405,7 @@ index c4f7c35..c221771 100644
')
optional_policy(`
-@@ -514,12 +723,63 @@ optional_policy(`
+@@ -514,12 +723,64 @@ optional_policy(`
')
optional_policy(`
@@ -75194,13 +75463,14 @@ index c4f7c35..c221771 100644
+ gnome_read_usr_config(xdm_t)
+ gnome_read_gconf_config(xdm_t)
+ gnome_transition_gkeyringd(xdm_t)
++ gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
+')
+
+optional_policy(`
hostname_exec(xdm_t)
')
-@@ -537,28 +797,69 @@ optional_policy(`
+@@ -537,28 +798,69 @@ optional_policy(`
')
optional_policy(`
@@ -75279,7 +75549,7 @@ index c4f7c35..c221771 100644
')
optional_policy(`
-@@ -570,6 +871,14 @@ optional_policy(`
+@@ -570,6 +872,14 @@ optional_policy(`
')
optional_policy(`
@@ -75294,7 +75564,7 @@ index c4f7c35..c221771 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,7 +904,8 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -75304,7 +75574,7 @@ index c4f7c35..c221771 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -75320,7 +75590,7 @@ index c4f7c35..c221771 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -75342,7 +75612,7 @@ index c4f7c35..c221771 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,6 +965,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -75350,7 +75620,7 @@ index c4f7c35..c221771 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -667,23 +992,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +993,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -75382,7 +75652,7 @@ index c4f7c35..c221771 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1024,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -75396,7 +75666,7 @@ index c4f7c35..c221771 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,8 +1043,6 @@ init_getpgid(xserver_t)
+@@ -708,8 +1044,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -75405,7 +75675,7 @@ index c4f7c35..c221771 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -717,11 +1050,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -717,11 +1051,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -75420,7 +75690,7 @@ index c4f7c35..c221771 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1109,40 @@ optional_policy(`
+@@ -775,16 +1110,40 @@ optional_policy(`
')
optional_policy(`
@@ -75462,7 +75732,7 @@ index c4f7c35..c221771 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1151,10 @@ optional_policy(`
+@@ -793,6 +1152,10 @@ optional_policy(`
')
optional_policy(`
@@ -75473,7 +75743,7 @@ index c4f7c35..c221771 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1170,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -75487,7 +75757,7 @@ index c4f7c35..c221771 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1181,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -75496,7 +75766,7 @@ index c4f7c35..c221771 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1194,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1195,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -75531,7 +75801,7 @@ index c4f7c35..c221771 100644
')
optional_policy(`
-@@ -859,6 +1216,10 @@ optional_policy(`
+@@ -859,6 +1217,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -75542,7 +75812,7 @@ index c4f7c35..c221771 100644
########################################
#
# Rules common to all X window domains
-@@ -902,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -75551,7 +75821,7 @@ index c4f7c35..c221771 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1317,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1318,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -75583,7 +75853,7 @@ index c4f7c35..c221771 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1363,43 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1364,43 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -75801,7 +76071,7 @@ index 28ad538..82def3d 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 6ce867a..283f236 100644
+index 6ce867a..20a0b0a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -75884,7 +76154,7 @@ index 6ce867a..283f236 100644
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +146,31 @@ interface(`auth_login_pgm_domain',`
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir)
@@ -75912,10 +76182,12 @@ index 6ce867a..283f236 100644
fs_list_auto_mountpoints($1)
+ fs_manage_cgroup_dirs($1)
+ fs_manage_cgroup_files($1)
++ fs_read_ecryptfs_symlinks($1)
++ fs_read_ecryptfs_files($1)
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +186,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
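Review bot: The two added `fs_read_ecryptfs_*($1)` calls give every login-program domain read access to ecryptfs content unconditionally, while the equivalent access for user domains in userdomain.te (same commit) is wrapped in `tunable_policy(`use_ecryptfs_home_dirs',`. If ecryptfs home support is meant to be opt-in, these two lines should sit under the same tunable; if login programs genuinely need it regardless of the boolean (e.g. to stat the home directory before the mount), a one-line comment such as `# needed before use_ecryptfs_home_dirs is consulted` would stop the next reader from "fixing" it. The enclosing `auth_login_pgm_domain` interface begins and ends outside this hunk.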
@@ -75924,7 +76196,7 @@ index 6ce867a..283f236 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +198,84 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -75960,6 +76232,7 @@ index 6ce867a..283f236 100644
+ corecmd_exec_bin($1)
+ storage_getattr_fixed_disk_dev($1)
+ mount_domtrans($1)
++ mount_domtrans_ecryptmount($1)
+ ')
+
+ optional_policy(`
@@ -76010,7 +76283,7 @@ index 6ce867a..283f236 100644
')
########################################
-@@ -395,13 +510,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,13 +513,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -76027,7 +76300,7 @@ index 6ce867a..283f236 100644
')
########################################
-@@ -448,6 +565,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +568,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -76053,7 +76326,7 @@ index 6ce867a..283f236 100644
')
########################################
-@@ -467,7 +603,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +606,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -76061,7 +76334,7 @@ index 6ce867a..283f236 100644
')
########################################
-@@ -664,6 +799,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +802,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -76072,7 +76345,7 @@ index 6ce867a..283f236 100644
')
#######################################
-@@ -763,7 +902,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +905,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -76124,7 +76397,7 @@ index 6ce867a..283f236 100644
')
#######################################
-@@ -959,9 +1141,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1144,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -76158,7 +76431,7 @@ index 6ce867a..283f236 100644
')
########################################
-@@ -1040,6 +1243,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1246,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -76169,7 +76442,7 @@ index 6ce867a..283f236 100644
')
########################################
-@@ -1157,6 +1364,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1367,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -76177,7 +76450,7 @@ index 6ce867a..283f236 100644
')
#######################################
-@@ -1526,6 +1734,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1737,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -76203,7 +76476,7 @@ index 6ce867a..283f236 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1676,37 +1903,49 @@ interface(`auth_manage_login_records',`
+@@ -1676,37 +1906,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -76263,7 +76536,7 @@ index 6ce867a..283f236 100644
##
##
##
-@@ -1714,87 +1953,206 @@ interface(`auth_relabel_login_records',`
+@@ -1714,87 +1956,206 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
##
##
@@ -76521,7 +76794,7 @@ index 6ce867a..283f236 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f12b8ff..b3e0efd 100644
+index f12b8ff..2293c1b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
@@ -76630,7 +76903,7 @@ index f12b8ff..b3e0efd 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -76651,7 +76924,6 @@ index f12b8ff..b3e0efd 100644
+ ')
+')
+
-+
+auth_read_passwd(nsswitch_domain)
+
+# read /etc/nsswitch.conf
@@ -79852,7 +80124,7 @@ index 0646ee7..36e02fa 100644
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..2c2e6f4 100644
+index ef8bbaf..6721637 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -28,14 +28,17 @@ ifdef(`distro_redhat',`
@@ -79909,7 +80181,15 @@ index ef8bbaf..2c2e6f4 100644
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,8 +158,8 @@ ifdef(`distro_redhat',`
+@@ -140,6 +147,7 @@ ifdef(`distro_redhat',`
+ /usr/lib/ati-fglrx/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzvbi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -151,8 +159,8 @@ ifdef(`distro_redhat',`
/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
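Review bot: The new `libzvbi` entry labels the library `textrel_shlib_t`, which permits text relocations (execmod) for every domain that maps it, and the commit message does not mention it; a comment naming the consumer that needs it would help later audits of the textrel list. The pattern only matches `/usr/lib/`, so on a 64-bit layout a copy under `/usr/lib64` would keep the default `lib_t` label and still be denied — if that path also matters, `/usr/lib(64)?/libzvbi\.so(\.[^/]*)*` covers both. The surrounding `ifdef(`distro_redhat',` block starts outside the hunk.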
@@ -79920,7 +80200,7 @@ index ef8bbaf..2c2e6f4 100644
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -244,8 +251,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
+@@ -244,8 +252,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_
/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -79929,7 +80209,7 @@ index ef8bbaf..2c2e6f4 100644
/usr/lib/.*/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -299,17 +304,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -299,17 +305,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -82139,10 +82419,10 @@ index 560d5d9..86a7107 100644
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..fa210cd 100644
+index 72c746e..f035d9f 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,26 @@
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -82165,8 +82445,13 @@ index 72c746e..fa210cd 100644
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..4881d86 100644
+index 4584457..5b041ee 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,12 @@ interface(`mount_domtrans',`
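Review bot: The four new `(u)mount\.ecryptfs*` entries are appended after the `/var/run` and `/var/cache` lines instead of next to the `/bin/mount.*`/`/bin/umount.*` and other executable entries, which breaks the path grouping the rest of this file keeps. They could also collapse to a single line, `/usr/sbin/u?mount\.ecryptfs(_private)? -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)`. Since `mount.ecryptfs_private` is typically installed setuid and is the helper unprivileged users invoke, a short comment saying why it gets its own exec type rather than `mount_exec_t` would be useful to whoever next touches the mount domains.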
@@ -82278,7 +82563,7 @@ index 4584457..4881d86 100644
##
##
#
-@@ -131,45 +210,119 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +210,138 @@ interface(`mount_send_nfs_client_request',`
########################################
##
@@ -82413,12 +82698,31 @@ index 4584457..4881d86 100644
+
+ mount_domtrans_showmount($1)
+ role $2 types showmount_t;
++')
++
++#######################################
++##
++## Transition to ecryptmount.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_ecryptmount',`
++ gen_require(`
++ type mount_ecryptfs_t, mount_ecryptfs_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6d3b14b..3eddba2 100644
+index 6d3b14b..a810a6b 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -10,35 +10,52 @@ policy_module(mount, 1.14.2)
+@@ -10,35 +10,60 @@ policy_module(mount, 1.14.2)
## Allow the mount command to mount any directory or file.
##
##
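Review bot: The new interface is named `mount_domtrans_ecryptmount` while the types it transitions to are `mount_ecryptfs_t`/`mount_ecryptfs_exec_t`, unlike `mount_domtrans_showmount` directly above it, whose name matches `showmount_t`; `mount_domtrans_ecryptfs` would keep the convention (the caller added in authlogin.if in this commit would change with it). The summary `## Transition to ecryptmount.` has the same mismatch and could read `## Execute (u)mount.ecryptfs* in the mount_ecryptfs domain.`. There is no matching `mount_run_*` interface taking a role, so only callers whose role already includes `mount_ecryptfs_t` (`system_r` per mount.te) can use the transition — worth stating in the doc comment if that is intentional.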
@@ -82465,6 +82769,14 @@ index 6d3b14b..3eddba2 100644
+type showmount_exec_t;
+application_domain(showmount_t, showmount_exec_t)
+role system_r types showmount_t;
++
++type mount_ecryptfs_t;
++type mount_ecryptfs_exec_t;
++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
++role system_r types mount_ecryptfs_t;
++
++type mount_ecryptfs_tmpfs_t;
++files_tmpfs_file(mount_ecryptfs_tmpfs_t)
########################################
#
@@ -82482,7 +82794,7 @@ index 6d3b14b..3eddba2 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -49,9 +66,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -82508,7 +82820,7 @@ index 6d3b14b..3eddba2 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -60,31 +92,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -82558,7 +82870,7 @@ index 6d3b14b..3eddba2 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +139,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -82604,7 +82916,7 @@ index 6d3b14b..3eddba2 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,6 +179,8 @@ auth_use_nsswitch(mount_t)
+@@ -121,6 +187,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -82613,16 +82925,17 @@ index 6d3b14b..3eddba2 100644
logging_send_syslog_msg(mount_t)
-@@ -131,6 +191,8 @@ sysnet_use_portmap(mount_t)
+@@ -131,6 +199,9 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
++userdom_list_user_tmp(mount_t)
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +208,28 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +217,28 @@ ifdef(`distro_ubuntu',`
')
')
@@ -82662,7 +82975,7 @@ index 6d3b14b..3eddba2 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +243,8 @@ optional_policy(`
+@@ -179,6 +252,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -82671,7 +82984,7 @@ index 6d3b14b..3eddba2 100644
')
optional_policy(`
-@@ -186,6 +252,28 @@ optional_policy(`
+@@ -186,6 +261,28 @@ optional_policy(`
')
optional_policy(`
@@ -82700,7 +83013,7 @@ index 6d3b14b..3eddba2 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +281,96 @@ optional_policy(`
+@@ -193,21 +290,124 @@ optional_policy(`
')
')
@@ -82753,12 +83066,10 @@ index 6d3b14b..3eddba2 100644
+optional_policy(`
+ ssh_exec(mount_t)
+')
-
- optional_policy(`
-- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-- unconfined_domain(unconfined_mount_t)
++
++optional_policy(`
+ usbmuxd_stream_connect(mount_t)
- ')
++')
+
+optional_policy(`
+ userhelper_exec_console(mount_t)
@@ -82767,10 +83078,12 @@ index 6d3b14b..3eddba2 100644
+optional_policy(`
+ virt_read_blk_images(mount_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+- unconfined_domain(unconfined_mount_t)
+ vmware_exec_host(mount_t)
-+')
+ ')
+
+######################################
+#
@@ -82804,6 +83117,34 @@ index 6d3b14b..3eddba2 100644
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_inherited_user_terminals(showmount_t)
++
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
++
++miscfiles_read_localization(mount_ecryptfs_t)
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
index b263a8a..9348c8c 100644
--- a/policy/modules/system/netlabel.fc
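Review bot: The two `self:capability` rules on consecutive lines should be one, `allow mount_ecryptfs_t self:capability { setgid setuid sys_admin };`. `sys_admin` is the broad capability that covers mount(2) and a great deal more; because the same block also adds `domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)`, it is worth confirming the helper really issues mount(2) itself rather than exec'ing mount, and leaving a comment with the denial that motivated the capability. The block header comment `# mount_ecryptfs local policy` could also say which binaries (`(u)mount.ecryptfs*`) run here, as the showmount block above does not.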
@@ -87146,7 +87487,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..3361868 100644
+index e720dcd..4272eef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -89621,7 +89962,7 @@ index e720dcd..3361868 100644
## Create keys for all user domains.
##
##
-@@ -3296,3 +4106,1292 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4106,1282 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -89648,11 +89989,6 @@ index e720dcd..3361868 100644
+##
+## Define this type as a Allow apps to set rlimits on userdomain
+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+##
+##
+## The prefix of the user domain (e.g., user
@@ -89682,11 +90018,6 @@ index e720dcd..3361868 100644
+##
+## Define this type as a Allow apps to set rlimits on userdomain
+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+##
+##
+## The prefix of the user domain (e.g., user
@@ -90915,7 +91246,7 @@ index e720dcd..3361868 100644
+ typeattribute $1 userdom_home_manager_type;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 47efe9a..4136fa9 100644
+index 47efe9a..1fa68b1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2)
@@ -90990,7 +91321,7 @@ index 47efe9a..4136fa9 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,121 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -91086,6 +91417,10 @@ index 47efe9a..4136fa9 100644
+ fs_read_fusefs_files(userdom_home_reader_type)
+')
+
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_read_ecryptfs_files(userdom_home_reader_type)
++')
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(userdom_home_manager_type)
+ fs_manage_nfs_dirs(userdom_home_manager_type)
@@ -91105,6 +91440,11 @@ index 47efe9a..4136fa9 100644
+ fs_manage_fusefs_symlinks(userdom_home_manager_type)
+')
+
++tunable_policy(`use_ecryptfs_home_dirs',`
++ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++ fs_manage_ecryptfs_files(userdom_home_manager_type)
++')
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index e79d545..101086d 100644
--- a/policy/support/misc_patterns.spt
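Review bot: `fs_manage_ecryptfs_files(userdom_home_manager_type)` appears twice in the new `use_ecryptfs_home_dirs` block; by analogy with the fusefs block directly above, which ends with `fs_manage_fusefs_symlinks`, the second line was presumably meant to be `fs_manage_ecryptfs_symlinks(userdom_home_manager_type)`, if that interface exists in filesystem.if. Without it, home-managing domains can create and remove files and directories in an ecryptfs home but not symlinks, which would surface as denials in ordinary desktop use. The reader block added in the previous hunk likewise has only `fs_read_ecryptfs_files`; since `fs_read_ecryptfs_symlinks` is used in authlogin.if in this same commit, `userdom_home_reader_type` probably needs it too.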
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index a870673..8566bc4 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -745,7 +745,7 @@ index 1adca53..18e0e41 100644
/var/lib/AccountsService(/.*)? gen_context(system_u:object_r:accountsd_var_lib_t,s0)
diff --git a/accountsd.if b/accountsd.if
-index c0f858d..10a0cd6 100644
+index c0f858d..d75aae9 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -5,9 +5,9 @@
@@ -769,17 +769,21 @@ index c0f858d..10a0cd6 100644
##
##
#
-@@ -118,6 +118,29 @@ interface(`accountsd_manage_lib_files',`
+@@ -118,28 +118,54 @@ interface(`accountsd_manage_lib_files',`
########################################
##
+-## All of the rules required to administrate
+-## an accountsd environment
+## Execute accountsd server in the accountsd domain.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed to transition.
-+##
-+##
+ ##
+ ##
+-##
+#
+interface(`accountsd_systemctl',`
+ gen_require(`
@@ -796,10 +800,17 @@ index c0f858d..10a0cd6 100644
+
+########################################
+##
- ## All of the rules required to administrate
- ## an accountsd environment
- ##
-@@ -136,10 +159,19 @@ interface(`accountsd_manage_lib_files',`
++## All of the rules required to administrate
++## an accountsd environment
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
interface(`accountsd_admin',`
gen_require(`
type accountsd_t;
@@ -1549,7 +1560,7 @@ index e81bdbd..63ab279 100644
optional_policy(`
diff --git a/apache.fc b/apache.fc
-index fd9fa07..84bc8d6 100644
+index fd9fa07..2679748 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,39 +1,54 @@
@@ -1640,7 +1651,7 @@ index fd9fa07..84bc8d6 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,25 +92,36 @@ ifdef(`distro_suse', `
+@@ -73,31 +92,43 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -1681,7 +1692,14 @@ index fd9fa07..84bc8d6 100644
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -109,3 +139,25 @@ ifdef(`distro_debian', `
+ /var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+
+ /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+@@ -109,3 +140,25 @@ ifdef(`distro_debian', `
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
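Review bot: `/var/run/user/apache(/.*)?` is the only `/var/run` entry in this file labeled `httpd_tmp_t` rather than `httpd_var_run_t`. The choice looks deliberate, since the parent `/var/run/user(/.*)?` is `user_tmp_t` in userdomain.fc and apache.te creates the directory through `userdom_user_tmp_filetrans`, but nothing in the file says so; a comment above the entry such as `# created under user_tmp_t at runtime, so it follows the tmp type rather than var_run` would prevent it being "corrected" later.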
@@ -1708,7 +1726,7 @@ index fd9fa07..84bc8d6 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/apache.if b/apache.if
-index 6480167..d0bf548 100644
+index 6480167..d30bdbf 100644
--- a/apache.if
+++ b/apache.if
@@ -13,62 +13,46 @@
@@ -2353,7 +2371,7 @@ index 6480167..d0bf548 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1349,93 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,88 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -2376,13 +2394,6 @@ index 6480167..d0bf548 100644
+ admin_pattern($1, httpd_unit_file_t)
+ allow $1 httpd_unit_file_t:service all_service_perms;
+
-+ ifdef(`TODO',`
-+ apache_set_booleans($1, $2, $3, httpd_bool_t)
-+ seutil_setsebool_role_template($1, $3, $2)
-+ allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
-+ allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
-+ ')
-+
+ apache_filetrans_named_content($1)
+')
+
@@ -2422,11 +2433,13 @@ index 6480167..d0bf548 100644
+interface(`apache_filetrans_named_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
++ type httpd_tmp_t;
+ ')
+
+
+ apache_filetrans_home_content($1)
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
+')
+
+########################################
@@ -2453,7 +2466,7 @@ index 6480167..d0bf548 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index a36a01d..f6aad32 100644
+index a36a01d..bde887f 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@@ -2772,7 +2785,7 @@ index a36a01d..f6aad32 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -336,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -2780,10 +2793,11 @@ index a36a01d..f6aad32 100644
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
++userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
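Review bot: The new `userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)` is unnamed, so every directory httpd_t creates directly under a user runtime directory is labeled httpd_tmp_t, while the companion rule added to `apache_filetrans_named_content` in apache.if restricts the same transition to the name "apache". If only /run/user/apache is intended, as the commit message says, the named form `userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir, "apache")` keeps the two rules in step and avoids claiming other names. The httpd_t tmp rules continue outside this hunk.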
@@ -2794,7 +2808,7 @@ index a36a01d..f6aad32 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -2804,7 +2818,7 @@ index a36a01d..f6aad32 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -372,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -2825,7 +2839,7 @@ index a36a01d..f6aad32 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +557,14 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -2840,7 +2854,7 @@ index a36a01d..f6aad32 100644
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
-@@ -398,6 +574,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -398,6 +575,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -2848,7 +2862,7 @@ index a36a01d..f6aad32 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -409,48 +586,101 @@ files_read_etc_files(httpd_t)
+@@ -409,48 +587,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -2954,7 +2968,7 @@ index a36a01d..f6aad32 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +692,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -3018,7 +3032,7 @@ index a36a01d..f6aad32 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +756,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3041,7 +3055,7 @@ index a36a01d..f6aad32 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +791,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -3062,7 +3076,7 @@ index a36a01d..f6aad32 100644
')
optional_policy(`
-@@ -525,6 +814,9 @@ optional_policy(`
+@@ -525,6 +815,9 @@ optional_policy(`
')
optional_policy(`
@@ -3072,7 +3086,7 @@ index a36a01d..f6aad32 100644
cobbler_search_lib(httpd_t)
')
-@@ -540,6 +832,24 @@ optional_policy(`
+@@ -540,6 +833,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3097,7 +3111,7 @@ index a36a01d..f6aad32 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,12 +859,21 @@ optional_policy(`
+@@ -549,13 +860,24 @@ optional_policy(`
')
optional_policy(`
@@ -3118,9 +3132,12 @@ index a36a01d..f6aad32 100644
+
+optional_policy(`
kerberos_keytab_template(httpd, httpd_t)
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
')
-@@ -568,7 +887,21 @@ optional_policy(`
+ optional_policy(`
+@@ -568,7 +890,21 @@ optional_policy(`
')
optional_policy(`
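Review bot: The replay-cache names passed to `kerberos_tmp_filetrans_host_rcache` — `"HTTP_23"` and `"HTTP_48"` here, `"host_0"` for cupsd and ftpd, and the three ldap names for dirsrv in later hunks — hard-code a uid suffix, so the same service principal used under any other uid creates a cache file that gets the domain's generic tmp transition instead of the host rcache type, and nothing in the policy says which account `23` or `48` stands for. Since MIT rcache file names follow `<service>_<euid>`, a one-line comment above these calls such as `# rcache names are <service>_<uid>; keep in sync with the uids the HTTP keytab is used under` would make the list maintainable. The enclosing `optional_policy` block starts before this hunk.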
@@ -3142,7 +3159,7 @@ index a36a01d..f6aad32 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -579,6 +912,7 @@ optional_policy(`
+@@ -579,6 +915,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3150,7 +3167,7 @@ index a36a01d..f6aad32 100644
')
optional_policy(`
-@@ -589,6 +923,33 @@ optional_policy(`
+@@ -589,6 +926,33 @@ optional_policy(`
')
optional_policy(`
@@ -3184,7 +3201,7 @@ index a36a01d..f6aad32 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -603,6 +964,11 @@ optional_policy(`
+@@ -603,6 +967,11 @@ optional_policy(`
')
optional_policy(`
@@ -3196,7 +3213,7 @@ index a36a01d..f6aad32 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -615,6 +981,12 @@ optional_policy(`
+@@ -615,6 +984,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3209,7 +3226,7 @@ index a36a01d..f6aad32 100644
########################################
#
# Apache helper local policy
-@@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -628,7 +1003,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3222,7 +3239,7 @@ index a36a01d..f6aad32 100644
########################################
#
-@@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -666,28 +1045,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3266,7 +3283,7 @@ index a36a01d..f6aad32 100644
')
########################################
-@@ -697,6 +1075,7 @@ optional_policy(`
+@@ -697,6 +1078,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3274,7 +3291,7 @@ index a36a01d..f6aad32 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -711,14 +1093,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3298,7 +3315,7 @@ index a36a01d..f6aad32 100644
# for shell scripts
corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t)
-@@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -752,13 +1143,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3331,7 +3348,7 @@ index a36a01d..f6aad32 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1187,25 @@ optional_policy(`
+@@ -781,6 +1190,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3357,7 +3374,7 @@ index a36a01d..f6aad32 100644
########################################
#
# Apache system script local policy
-@@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -801,12 +1229,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3375,7 +3392,7 @@ index a36a01d..f6aad32 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -815,18 +1248,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -3432,7 +3449,7 @@ index a36a01d..f6aad32 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -834,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -3473,7 +3490,7 @@ index a36a01d..f6aad32 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1341,20 @@ optional_policy(`
+@@ -854,10 +1344,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3494,7 +3511,7 @@ index a36a01d..f6aad32 100644
')
########################################
-@@ -903,11 +1400,146 @@ optional_policy(`
+@@ -903,11 +1403,146 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -3823,7 +3840,7 @@ index 1ea99b2..0b668ae 100644
+ ps_process_pattern($1, apmd_t)
')
diff --git a/apm.te b/apm.te
-index 1c8c27e..13a6f08 100644
+index 1c8c27e..35d798f 100644
--- a/apm.te
+++ b/apm.te
@@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -3931,14 +3948,18 @@ index 1c8c27e..13a6f08 100644
dbus_system_bus_client(apmd_t)
optional_policy(`
-@@ -209,8 +233,9 @@ optional_policy(`
+@@ -209,8 +233,13 @@ optional_policy(`
pcmcia_domtrans_cardctl(apmd_t)
')
+
++optional_policy(`
++ shutdown_domtrans(apmd_t)
++')
++
optional_policy(`
- seutil_sigchld_newrole(apmd_t)
-+ shutdown_domtrans(apmd_t)
++ systemd_dbus_chat_logind(apmd_t)
')
optional_policy(`
@@ -5912,19 +5933,27 @@ index 2c2cdb6..73b3814 100644
+ role $2 types brctl_t;
+')
diff --git a/bugzilla.if b/bugzilla.if
-index de89d0f..954e726 100644
+index de89d0f..86e4ee7 100644
--- a/bugzilla.if
+++ b/bugzilla.if
-@@ -58,13 +58,20 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The role to be allowed to manage the bugzilla domain.
+-##
+-##
+-##
+ #
interface(`bugzilla_admin',`
gen_require(`
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
-- type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
- type httpd_bugzilla_htaccess_t;
-- ')
-+ type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
-+ ')
++ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+ ')
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
+ allow $1 httpd_bugzilla_script_t:process signal_perms;
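Review bot: The inner hunk drops the `## The role to be allowed to manage the bugzilla domain.` parameter block from `bugzilla_admin`'s XML summary, but the interface body that would show whether `$2` is still referenced lies outside this hunk; if a `role_transition $2 …` or `allow $2 system_r;` line survives there, the summary now describes a one-argument interface that still needs two. The same doc-only removal is made for `couchdb_admin`, `dnssec_trigger_admin`, `gnome_transition_gkeyringd` and `jetty_admin` later in this file, while the new `glusterd_admin` in the same commit keeps and uses `$2`, so each body is worth checking against its summary.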
@@ -10819,10 +10848,10 @@ index 0000000..196461b
+/var/run/couchdb(/.*)? gen_context(system_u:object_r:couchdb_var_run_t,s0)
diff --git a/couchdb.if b/couchdb.if
new file mode 100644
-index 0000000..31692fb
+index 0000000..3e17383
--- /dev/null
+++ b/couchdb.if
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,244 @@
+
+## policy for couchdb
+
@@ -11034,11 +11063,6 @@ index 0000000..31692fb
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
+##
+#
+interface(`couchdb_admin',`
@@ -12947,7 +12971,7 @@ index 305ddf4..3629b92 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/cups.te b/cups.te
-index 6e7f1b6..f7dabbe 100644
+index 6e7f1b6..a699948 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -13063,10 +13087,11 @@ index 6e7f1b6..f7dabbe 100644
')
')
-@@ -311,10 +319,22 @@ optional_policy(`
+@@ -311,10 +319,23 @@ optional_policy(`
')
optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
+ kerberos_manage_host_rcache(cupsd_t)
+')
+
@@ -13086,7 +13111,7 @@ index 6e7f1b6..f7dabbe 100644
mta_send_mail(cupsd_t)
')
-@@ -322,6 +342,8 @@ optional_policy(`
+@@ -322,6 +343,8 @@ optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -13095,7 +13120,7 @@ index 6e7f1b6..f7dabbe 100644
')
optional_policy(`
-@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +394,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -13106,7 +13131,7 @@ index 6e7f1b6..f7dabbe 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -425,11 +448,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -13120,7 +13145,7 @@ index 6e7f1b6..f7dabbe 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +476,10 @@ optional_policy(`
+@@ -453,6 +477,10 @@ optional_policy(`
')
optional_policy(`
@@ -13131,7 +13156,7 @@ index 6e7f1b6..f7dabbe 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +494,10 @@ optional_policy(`
+@@ -467,6 +495,10 @@ optional_policy(`
')
optional_policy(`
@@ -13142,7 +13167,7 @@ index 6e7f1b6..f7dabbe 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +568,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -13150,7 +13175,7 @@ index 6e7f1b6..f7dabbe 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +619,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -13183,7 +13208,7 @@ index 6e7f1b6..f7dabbe 100644
')
########################################
-@@ -661,10 +692,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -13197,7 +13222,7 @@ index 6e7f1b6..f7dabbe 100644
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -685,6 +716,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -13207,7 +13232,7 @@ index 6e7f1b6..f7dabbe 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -15728,10 +15753,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..71f225b
+index 0000000..4409b7d
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,197 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -15869,6 +15894,9 @@ index 0000000..71f225b
+
+optional_policy(`
+ kerberos_use(dirsrv_t)
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
+')
+
+# FIPS mode
@@ -15983,7 +16011,7 @@ index b886676..3d5ca2b 100644
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 9bd812b..9b48f71 100644
+index 9bd812b..53f895e 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -16049,7 +16077,7 @@ index 9bd812b..9b48f71 100644
## Send dnsmasq a signal
##
##
-@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',`
##
##
#
@@ -16063,11 +16091,36 @@ index 9bd812b..9b48f71 100644
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',`
+ ########################################
+ ##
+-## Read dnsmasq pid files
++## Manage dnsmasq pid files
+ ##
+ ##
+ ##
+@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',`
##
##
#
--#
++interface(`dnsmasq_manage_pid_files',`
++ gen_require(`
++ type dnsmasq_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
++')
++
++########################################
++##
++## Read dnsmasq pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
+ #
interface(`dnsmasq_read_pid_files',`
gen_require(`
type dnsmasq_var_run_t;
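Review bot: The new `dnsmasq_manage_pid_files` interface grants `manage_files_pattern` only, yet dnsmasq.fc in this same section labels a whole directory tree, `/var/run/libvirt/network(/.*)?`, with `dnsmasq_var_run_t`, so a caller given this interface can create and delete pid files but cannot create, rename or remove the directories that carry the same type. If the consumer needs the directory too, add `manage_dirs_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)` beside the files rule; if not, the summary `## Manage dnsmasq pid files` is accurate as written. The `dnsmasq_read_pid_files` definition that follows continues outside this hunk.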
@@ -16145,7 +16198,7 @@ index 9bd812b..9b48f71 100644
## All of the rules required to administrate
## an dnsmasq environment
##
-@@ -193,10 +296,14 @@ interface(`dnsmasq_admin',`
+@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
type dnsmasq_initrc_exec_t;
@@ -16161,7 +16214,7 @@ index 9bd812b..9b48f71 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -208,4 +315,8 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',`
files_list_pids($1)
admin_pattern($1, dnsmasq_var_run_t)
@@ -16249,10 +16302,10 @@ index 0000000..9e231a8
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
diff --git a/dnssec.if b/dnssec.if
new file mode 100755
-index 0000000..a9dbcf2
+index 0000000..a952041
--- /dev/null
+++ b/dnssec.if
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,64 @@
+
+## policy for dnssec_trigger
+
@@ -16304,12 +16357,6 @@ index 0000000..a9dbcf2
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`dnssec_trigger_admin',`
+ gen_require(`
@@ -16531,7 +16578,7 @@ index e1d7dc5..df96c0d 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/dovecot.te b/dovecot.te
-index 2df7766..53efc0b 100644
+index 2df7766..0e55b6d 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16623,8 +16670,11 @@ index 2df7766..53efc0b 100644
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
-@@ -154,16 +164,31 @@ userdom_manage_user_home_content_sockets(dovecot_t)
+@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t)
+ userdom_manage_user_home_content_pipes(dovecot_t)
+ userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
++mta_manage_home_rw(dovecot_t)
mta_manage_spool(dovecot_t)
+mta_read_home_rw(dovecot_t)
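Review bot: With `mta_manage_home_rw(dovecot_t)` added two lines above, the existing `mta_read_home_rw(dovecot_t)` in the same block is presumably subsumed (a manage interface normally includes read), so one of the two can go; keeping both leaves a later reader wondering which is authoritative. If the broader grant exists only for the Maildir case the commit message mentions, a one-line comment such as `# Maildir delivery needs to create and rename home mail content` would explain why it sits next to the narrower one. The dovecot_t block continues outside this hunk.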
@@ -16655,7 +16705,7 @@ index 2df7766..53efc0b 100644
seutil_sigchld_newrole(dovecot_t)
')
-@@ -180,8 +205,8 @@ optional_policy(`
+@@ -180,8 +206,8 @@ optional_policy(`
# dovecot auth local policy
#
@@ -16666,7 +16716,7 @@ index 2df7766..53efc0b 100644
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -16676,7 +16726,7 @@ index 2df7766..53efc0b 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -16689,7 +16739,7 @@ index 2df7766..53efc0b 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
@@ -16699,7 +16749,7 @@ index 2df7766..53efc0b 100644
init_rw_utmp(dovecot_auth_t)
-@@ -236,6 +268,8 @@ optional_policy(`
+@@ -236,6 +269,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -16708,7 +16758,7 @@ index 2df7766..53efc0b 100644
')
optional_policy(`
-@@ -243,6 +277,8 @@ optional_policy(`
+@@ -243,6 +278,8 @@ optional_policy(`
')
optional_policy(`
@@ -16717,7 +16767,7 @@ index 2df7766..53efc0b 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +286,42 @@ optional_policy(`
+@@ -250,23 +287,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -16762,7 +16812,7 @@ index 2df7766..53efc0b 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -18942,7 +18992,7 @@ index 9d3201b..6e75e3d 100644
+ allow $1 ftpd_unit_file_t:service all_service_perms;
')
diff --git a/ftp.te b/ftp.te
-index 4285c83..2edc3a2 100644
+index 4285c83..d1b00d0 100644
--- a/ftp.te
+++ b/ftp.te
@@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1)
@@ -19181,7 +19231,7 @@ index 4285c83..2edc3a2 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +353,34 @@ optional_policy(`
+@@ -309,10 +353,35 @@ optional_policy(`
')
optional_policy(`
@@ -19195,6 +19245,7 @@ index 4285c83..2edc3a2 100644
- kerberos_manage_host_rcache(ftpd_t)
+ # this part of auth_use_pam
+ #kerberos_manage_host_rcache(ftpd_t)
++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
+')
+
+optional_policy(`
@@ -19217,7 +19268,7 @@ index 4285c83..2edc3a2 100644
')
optional_policy(`
-@@ -347,16 +415,17 @@ optional_policy(`
+@@ -347,16 +416,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -19237,7 +19288,7 @@ index 4285c83..2edc3a2 100644
########################################
#
-@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -19274,7 +19325,7 @@ index 4285c83..2edc3a2 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -20117,6 +20168,290 @@ index 4afb81f..842165a 100644
fs_getattr_xattr_fs(glance_api_t)
-
-libs_exec_ldconfig(glance_api_t)
+diff --git a/glusterd.fc b/glusterd.fc
+new file mode 100644
+index 0000000..6418e39
+--- /dev/null
++++ b/glusterd.fc
+@@ -0,0 +1,16 @@
++
++/etc/rc\.d/init\.d/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++
++/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
++/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_etc_t,s0)
++
++/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
++
++/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
++
+diff --git a/glusterd.if b/glusterd.if
+new file mode 100644
+index 0000000..e15bbb0
+--- /dev/null
++++ b/glusterd.if
+@@ -0,0 +1,146 @@
++
++## policy for glusterd
++
++
++########################################
++##
++## Transition to glusterd.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`glusterd_domtrans',`
++ gen_require(`
++ type glusterd_t, glusterd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
++')
++
++
++########################################
++##
++## Execute glusterd server in the glusterd domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_initrc_domtrans',`
++ gen_require(`
++ type glusterd_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
++')
++
++
++########################################
++##
++## Read glusterd's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`glusterd_read_log',`
++ gen_require(`
++ type glusterd_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++##
++## Append to glusterd log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_append_log',`
++ gen_require(`
++ type glusterd_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++##
++## Manage glusterd log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`glusterd_manage_log',`
++ gen_require(`
++ type glusterd_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
++ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
++ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an glusterd environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`glusterd_admin',`
++ gen_require(`
++ type glusterd_t;
++ type glusterd_initrc_exec_t;
++ type glusterd_log_t;
++ type glusterd_tmp_t;
++ type glusterd_etc_t;
++ ')
++
++ allow $1 glusterd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, glusterd_t)
++
++ glusterd_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 glusterd_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, glusterd_log_t)
++
++ admin_pattern($1, glusterd_tmp_t)
++
++ admin_pattern($1, glusterd_etc_t)
++
++')
++
+diff --git a/glusterd.te b/glusterd.te
+new file mode 100644
+index 0000000..8dfb74a
+--- /dev/null
++++ b/glusterd.te
+@@ -0,0 +1,104 @@
++policy_module(glusterd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type glusterd_t;
++type glusterd_exec_t;
++init_daemon_domain(glusterd_t, glusterd_exec_t)
++
++type glusterd_etc_t;
++files_type(glusterd_etc_t)
++
++type glusterd_tmp_t;
++files_tmp_file(glusterd_tmp_t)
++
++type glusterd_initrc_exec_t;
++init_script_file(glusterd_initrc_exec_t)
++
++type glusterd_log_t;
++logging_log_file(glusterd_log_t)
++
++type glusterd_var_run_t;
++files_pid_file(glusterd_var_run_t)
++
++type glusterd_var_lib_t;
++files_type(glusterd_var_lib_t);
++
++
++########################################
++#
++# glusterd local policy
++#
++
++allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner };
++allow glusterd_t self:process { setrlimit signal };
++allow glusterd_t self:capability sys_resource;
++
++allow glusterd_t self:fifo_file rw_fifo_file_perms;
++allow glusterd_t self:netlink_route_socket r_netlink_socket_perms;
++allow glusterd_t self:tcp_socket create_stream_socket_perms;
++allow glusterd_t self:udp_socket create_socket_perms;
++allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
++allow glusterd_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++
++manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
++
++can_exec(glusterd_t, glusterd_exec_t)
++
++kernel_read_system_state(glusterd_t)
++
++corecmd_exec_bin(glusterd_t)
++corecmd_exec_shell(glusterd_t)
++
++domain_use_interactive_fds(glusterd_t)
++
++corenet_tcp_bind_generic_node(glusterd_t)
++corenet_tcp_bind_generic_port(glusterd_t)
++corenet_tcp_bind_all_reserved_ports(glusterd_t)
++corenet_udp_bind_all_rpc_ports(glusterd_t)
++corenet_tcp_connect_unreserved_ports(glusterd_t)
++corenet_udp_bind_generic_node(glusterd_t)
++corenet_udp_bind_ipp_port(glusterd_t)
++
++dev_read_sysfs(glusterd_t)
++dev_read_urand(glusterd_t)
++
++files_read_etc_files(glusterd_t)
++files_read_usr_files(glusterd_t)
++files_rw_pid_dirs(glusterd_t)
++
++# Why is this needed
++#files_manage_urandom_seed(glusterd_t)
++
++auth_use_nsswitch(glusterd_t)
++
++logging_send_syslog_msg(glusterd_t)
++
++miscfiles_read_localization(glusterd_t)
++
++sysnet_read_config(glusterd_t)
++
++userdom_manage_user_home_dirs(glusterd_t)
diff --git a/gnome.fc b/gnome.fc
index 00a19e3..17006fc 100644
--- a/gnome.fc
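Review bot: glusterd.te declares `glusterd_var_lib_t` and transitions into it via `files_var_lib_filetrans`, but glusterd.fc has no entry for that type, so a fresh install or `restorecon` leaves the daemon's state directory (presumably `/var/lib/glusterd`) at the generic var_lib label; an entry such as `/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)` is needed, and `glusterd_admin` should then also require and `admin_pattern` both `glusterd_var_lib_t` and `glusterd_var_run_t`, which it currently omits while covering tmp, etc and log. `/usr/sbin/glusterd` is labeled `glusterd_initrc_exec_t` rather than `glusterd_exec_t`; if that path is the daemon itself rather than a wrapper that execs `glusterfsd`, init runs it as a script type and the confinement defined in this module never applies, so the entry deserves a comment stating which it is. `files_type(glusterd_var_lib_t);` carries a trailing `;` that no other macro call in the file has; drop it for consistency. Finally, `sys_admin`, `dac_override` and `userdom_manage_user_home_dirs` are broad grants for a storage daemon; a short comment on each naming the operation that needs it would help later tightening.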
@@ -20179,7 +20514,7 @@ index 00a19e3..17006fc 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index f5afe78..e283f63 100644
+index f5afe78..8da3abc 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,44 +1,937 @@
@@ -21179,10 +21514,11 @@ index f5afe78..e283f63 100644
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
-+')
-+
-+#######################################
-+##
+ ')
+
+ #######################################
+ ##
+-## Create, read, write, and delete gconf config files.
+## delete gnome homedir content (.config)
+##
+##
@@ -21197,11 +21533,10 @@ index f5afe78..e283f63 100644
+ ')
+
+ delete_files_pattern($1, config_home_t, config_home_t)
- ')
-
- #######################################
- ##
--## Create, read, write, and delete gconf config files.
++')
++
++#######################################
++##
+## setattr gnome homedir content (.config)
+##
+##
@@ -21374,7 +21709,7 @@ index f5afe78..e283f63 100644
##
##
##
-@@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1149,302 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -21551,11 +21886,6 @@ index f5afe78..e283f63 100644
+## Domain allowed access
+##
+##
-+##
-+##
-+## The role to be allowed the gkeyring domain.
-+##
-+##
+#
+interface(`gnome_transition_gkeyringd',`
+ gen_require(`
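Review bot: The `role` parameter block is removed from the doc of gnome_transition_gkeyringd, but the interface body begins on the last line of this hunk and continues outside it, so whether it still references `$2` cannot be checked here; if it does (`role_transition $2 ...` or `allow $2 system_r;`), the generated docs would now hide a required second argument. The same removal is made in the jetty_admin, jockey_admin, keystone_admin, httpd_man2html_script_admin, mock_admin, mojomojo_admin, numad_admin, plymouthd_admin, quantum_admin and svnserve_admin hunks below, whose bodies are likewise outside their hunks. For each one, either confirm the body uses only `$1` or keep the `## Role allowed access.` param in the doc.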
@@ -24086,10 +24416,10 @@ index 0000000..1725b7e
+
diff --git a/jetty.if b/jetty.if
new file mode 100644
-index 0000000..9f09101
+index 0000000..2abc285
--- /dev/null
+++ b/jetty.if
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,268 @@
+
+## policy for jetty
+
@@ -24336,11 +24666,6 @@ index 0000000..9f09101
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
+##
+#
+interface(`jetty_admin',`
@@ -24408,10 +24733,10 @@ index 0000000..274cdec
+/var/log/jockey\.log -- gen_context(system_u:object_r:jockey_var_log_t,s0)
diff --git a/jockey.if b/jockey.if
new file mode 100644
-index 0000000..fb58f33
+index 0000000..868c7d0
--- /dev/null
+++ b/jockey.if
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,126 @@
+
+## policy for jockey
+
@@ -24521,12 +24846,6 @@ index 0000000..fb58f33
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`jockey_admin',`
+ gen_require(`
@@ -24873,7 +25192,7 @@ index 3525d24..ee0a3d5 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index 604f67b..8714225 100644
+index 604f67b..ebebcd5 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -84,7 +84,7 @@ interface(`kerberos_use',`
@@ -24926,7 +25245,7 @@ index 604f67b..8714225 100644
## Create a derived type for kerberos keytab
##
##
-@@ -282,38 +302,25 @@ interface(`kerberos_manage_host_rcache',`
+@@ -282,42 +302,21 @@ interface(`kerberos_manage_host_rcache',`
# does not work in conditionals
domain_obj_id_change_exemption($1)
@@ -24943,10 +25262,10 @@ index 604f67b..8714225 100644
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
files_search_tmp($1)
')
--')
+ ')
--########################################
--##
+ ########################################
+ ##
-## Connect to krb524 service
-##
-##
@@ -24965,17 +25284,14 @@ index 604f67b..8714225 100644
- corenet_udp_sendrecv_kerberos_master_port($1)
- corenet_sendrecv_kerberos_master_client_packets($1)
- ')
-+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
-+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
-+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
-+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
- ')
-
- ########################################
-@@ -338,18 +345,22 @@ interface(`kerberos_admin',`
+-')
+-
+-########################################
+-##
+ ## All of the rules required to administrate
+ ## an kerberos environment
+ ##
+@@ -338,18 +337,22 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -25003,7 +25319,7 @@ index 604f67b..8714225 100644
ps_process_pattern($1, kpropd_t)
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +389,113 @@ interface(`kerberos_admin',`
+@@ -378,3 +381,114 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -25024,6 +25340,7 @@ index 604f67b..8714225 100644
+ type krb5_host_rcache_t;
+ ')
+
++ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+')
+
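Review bot: The added `manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)` turns kerberos_tmp_filetrans_host_rcache from a pure name-based type transition into a grant of full file management on krb5_host_rcache_t, which neither its name nor (presumably) its XML summary, outside this hunk, conveys; callers elsewhere in this commit now lean on that, e.g. the squid hunk replaces kerberos_manage_host_rcache with this interface. State it in the interface summary, e.g. `## Label a named krb5 host replay cache created in /tmp and manage krb5_host_rcache_t files.` Note also that the ldap.te hunk calls this interface three times for slapd_t, so the manage rule is emitted three times — harmless, but it suggests the manage grant is better left in kerberos_manage_host_rcache with the filetrans interface kept minimal.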
@@ -25384,10 +25701,10 @@ index 0000000..408d6c0
+/var/log/keystone(/.*)? gen_context(system_u:object_r:keystone_log_t,s0)
diff --git a/keystone.if b/keystone.if
new file mode 100644
-index 0000000..c7a5aeb
+index 0000000..f20248c
--- /dev/null
+++ b/keystone.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,218 @@
+
+## policy for keystone
+
@@ -25580,12 +25897,6 @@ index 0000000..c7a5aeb
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`keystone_admin',`
+ gen_require(`
@@ -26336,7 +26647,7 @@ index 3aa8fa7..9539b76 100644
+ allow $1 ldap_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index 64fd1ff..0f5d0b7 100644
+index 64fd1ff..47c43ab 100644
--- a/ldap.te
+++ b/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -26404,6 +26715,16 @@ index 64fd1ff..0f5d0b7 100644
logging_send_syslog_msg(slapd_t)
+@@ -117,6 +135,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+
+ optional_policy(`
+ kerberos_keytab_template(slapd, slapd_t)
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
++ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
+ ')
+
+ optional_policy(`
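Review bot: The three rcache names passed for slapd_t (`ldapmap1_0`, `ldap_487`, `ldap_55`) are hard-coded and, judging by the matching `/var/tmp/ldap_487` and `/var/tmp/ldap_55` contexts added to kerberos.fc above, appear to embed the uid slapd runs as; a slapd under a different uid would create a cache whose name matches none of them and would miss the krb5_host_rcache_t label. Record where the suffixes come from so the list can be maintained, e.g. `# krb5 names the replay cache <service>_<uid>; 55 and 487 are the ldap uids seen on supported releases -- confirm`. The enclosing optional_policy block is fully inside the hunk.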
diff --git a/likewise.fc b/likewise.fc
index 057a4e4..57491fc 100644
--- a/likewise.fc
@@ -27795,10 +28116,10 @@ index 0000000..2907017
+/var/cache/man2html(/.*)? gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
diff --git a/man2html.if b/man2html.if
new file mode 100644
-index 0000000..68fddff
+index 0000000..050157a
--- /dev/null
+++ b/man2html.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,127 @@
+
+## policy for httpd_man2html_script
+
@@ -27909,12 +28230,6 @@ index 0000000..68fddff
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`httpd_man2html_script_admin',`
+ gen_require(`
@@ -28811,10 +29126,10 @@ index 0000000..8d0e473
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
new file mode 100644
-index 0000000..1d76fb8
+index 0000000..7f6f2d6
--- /dev/null
+++ b/mock.if
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,307 @@
+## policy for mock
+
+########################################
@@ -29096,12 +29411,6 @@ index 0000000..1d76fb8
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`mock_admin',`
+ gen_require(`
@@ -29438,10 +29747,19 @@ index b3ace16..83392b6 100644
optional_policy(`
udev_read_db(modemmanager_t)
diff --git a/mojomojo.if b/mojomojo.if
-index 657a9fc..0b9bf04 100644
+index 657a9fc..6be094b 100644
--- a/mojomojo.if
+++ b/mojomojo.if
-@@ -19,18 +19,23 @@
+@@ -10,27 +10,26 @@
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
#
interface(`mojomojo_admin',`
gen_require(`
@@ -29828,7 +30146,7 @@ index b397fde..30bfefb 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index 0724816..7ccc738 100644
+index 0724816..c1fa8ea 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3)
@@ -30129,7 +30447,7 @@ index 0724816..7ccc738 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -422,35 +463,134 @@ optional_policy(`
+@@ -422,35 +463,135 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -30188,6 +30506,7 @@ index 0724816..7ccc738 100644
+optional_policy(`
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
++ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
xserver_read_xdm_pid(mozilla_plugin_t)
xserver_stream_connect(mozilla_plugin_t)
xserver_use_user_fonts(mozilla_plugin_t)
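Review bot: The new `xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)` carries no comment, so a later reader cannot tell whether it silences a known-harmless denial or hides a real requirement; the commit message attributes it to setattr attempts on xdm_tmp_t that look like bogus plugin code, and that reasoning belongs next to the rule. Suggest `# plugins try to setattr xdm_tmp_t dirs; believed bogus, so dontaudit rather than allow` above the line. The optional_policy block it sits in starts outside this hunk.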
@@ -30664,7 +30983,7 @@ index afa18c8..f6e2bb8 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index 4e2a5ba..12b951c 100644
+index 4e2a5ba..d5a1725 100644
--- a/mta.if
+++ b/mta.if
@@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -31071,7 +31390,7 @@ index 4e2a5ba..12b951c 100644
## Read sendmail binary.
##
##
-@@ -901,3 +983,143 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -31146,6 +31465,32 @@ index 4e2a5ba..12b951c 100644
+ ')
+')
+
++####################################
++##
++## Allow domain to manage mail content in the homedir
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_manage_home_rw',`
++ gen_require(`
++ type mail_home_rw_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++
++ ifdef(`distro_redhat',`
++ userdom_search_admin_dir($1)
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ ')
++')
++
+########################################
+##
+## create mail content in the in the /root directory
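Review bot: The summary of the new mta_manage_home_rw interface says only that it manages mail content in the homedir, but the body also installs a name-based transition so that a `Maildir` directory created in a user home (and, under distro_redhat, in the admin home) is labeled mail_home_rw_t, plus search access on those home dirs; a caller needs that to know why it is picking this interface. Suggest expanding the summary to `## Manage mail_home_rw_t content in user home dirs and label a created "Maildir" directory mail_home_rw_t (also under the admin home on Red Hat).` Only dirs and files are granted; whether any consumer needs symlink management inside Maildir cannot be determined from here.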
@@ -31166,7 +31511,7 @@ index 4e2a5ba..12b951c 100644
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
@@ -31189,7 +31534,7 @@ index 4e2a5ba..12b951c 100644
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
@@ -35642,10 +35987,10 @@ index 0000000..be6fcb0
+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
diff --git a/numad.if b/numad.if
new file mode 100644
-index 0000000..77a3112
+index 0000000..709dda1
--- /dev/null
+++ b/numad.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,72 @@
+
+## policy for numad
+
@@ -35702,12 +36047,6 @@ index 0000000..77a3112
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`numad_admin',`
+ gen_require(`
@@ -37891,7 +38230,7 @@ index 5702ca4..498d856 100644
/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
-index 9759ed8..f8d254a 100644
+index 9759ed8..17c097d 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
@@ -37903,10 +38242,12 @@ index 9759ed8..f8d254a 100644
gen_require(`
type plymouthd_spool_t;
')
-@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', `
+@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', `
########################################
##
+-## All of the rules required to administrate
+-## an plymouthd environment
+## Allow the specified domain to read
+## to plymouthd log files.
+##
@@ -37929,12 +38270,13 @@ index 9759ed8..f8d254a 100644
+##
+## Allow the specified domain to manage
+## to plymouthd log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`plymouthd_manage_log',`
+ gen_require(`
@@ -37949,10 +38291,20 @@ index 9759ed8..f8d254a 100644
+
+########################################
+##
- ## All of the rules required to administrate
- ## an plymouthd environment
- ##
-@@ -249,12 +291,17 @@ interface(`plymouthd_admin', `
++## All of the rules required to administrate
++## an plymouthd environment
++##
++##
+ ##
+-## Role allowed access.
++## Domain allowed access.
+ ##
+ ##
+-##
+ #
+ interface(`plymouthd_admin', `
+ gen_require(`
+@@ -249,12 +285,17 @@ interface(`plymouthd_admin', `
type plymouthd_var_run_t;
')
@@ -38243,7 +38595,7 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 44db896..11800bb 100644
+index 44db896..9e61080 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,51 +1,73 @@
@@ -38298,7 +38650,7 @@ index 44db896..11800bb 100644
+# policykit_domain local policy
+#
+
-+allow policykit_domain self:process getattr;
++allow policykit_domain self:process { execmem getattr };
+allow policykit_domain self:fifo_file rw_fifo_file_perms;
+
+dev_read_sysfs(policykit_domain)
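Review bot: `execmem` is added to `self:process` on the policykit_domain attribute, so every type carrying the attribute (presumably all four polkit domains in this file) gains the ability to map anonymous memory writable and executable, not only the one that needs it. If a single domain requires it (a JavaScript engine in the daemon would be a typical reason, but nothing here confirms that), grant it on that type instead and add a why-comment; if it is genuinely needed attribute-wide, say so, e.g. `# execmem: needed by <component> -- narrow to one domain if possible`. The attribute declaration and the rest of this block are outside the hunk.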
@@ -38333,7 +38685,7 @@ index 44db896..11800bb 100644
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,112 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
@@ -38377,6 +38729,7 @@ index 44db896..11800bb 100644
+')
+
+optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
+ kerberos_manage_host_rcache(policykit_t)
+')
+
@@ -38457,11 +38810,12 @@ index 44db896..11800bb 100644
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,14 +195,25 @@ optional_policy(`
+@@ -118,14 +196,26 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
+optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
+ kerberos_manage_host_rcache(policykit_auth_t)
+')
+
@@ -38485,7 +38839,7 @@ index 44db896..11800bb 100644
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +235,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
files_read_etc_files(policykit_grant_t)
files_read_usr_files(policykit_grant_t)
@@ -38510,7 +38864,7 @@ index 44db896..11800bb 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,9 +254,8 @@ optional_policy(`
+@@ -167,9 +256,8 @@ optional_policy(`
# polkit_resolve local policy
#
@@ -38522,7 +38876,7 @@ index 44db896..11800bb 100644
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,14 +273,8 @@ corecmd_search_bin(policykit_resolve_t)
files_read_etc_files(policykit_resolve_t)
files_read_usr_files(policykit_resolve_t)
@@ -38537,7 +38891,7 @@ index 44db896..11800bb 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -207,4 +287,3 @@ optional_policy(`
+@@ -207,4 +289,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
@@ -39740,7 +40094,7 @@ index 46bee12..99499ef 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index 69cbd06..c990292 100644
+index 69cbd06..2f19c1c 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,10 +1,19 @@
@@ -39955,10 +40309,14 @@ index 69cbd06..c990292 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +334,10 @@ optional_policy(`
+@@ -297,6 +334,14 @@ optional_policy(`
')
optional_policy(`
++ dovecot_domtrans_deliver(postfix_local_t)
++')
++
++optional_policy(`
+ dspam_domtrans(postfix_local_t)
+')
+
@@ -39966,7 +40324,7 @@ index 69cbd06..c990292 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +345,22 @@ optional_policy(`
+@@ -304,9 +349,22 @@ optional_policy(`
')
optional_policy(`
@@ -39989,7 +40347,7 @@ index 69cbd06..c990292 100644
########################################
#
# Postfix map local policy
-@@ -379,18 +433,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +437,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -40015,7 +40373,7 @@ index 69cbd06..c990292 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +461,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +465,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -40024,7 +40382,7 @@ index 69cbd06..c990292 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +482,7 @@ optional_policy(`
+@@ -420,6 +486,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -40032,7 +40390,7 @@ index 69cbd06..c990292 100644
')
optional_policy(`
-@@ -436,11 +499,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +503,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -40050,7 +40408,7 @@ index 69cbd06..c990292 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +560,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -40061,7 +40419,7 @@ index 69cbd06..c990292 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -40074,7 +40432,7 @@ index 69cbd06..c990292 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -40085,7 +40443,7 @@ index 69cbd06..c990292 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +637,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -40094,7 +40452,7 @@ index 69cbd06..c990292 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +642,14 @@ optional_policy(`
+@@ -565,6 +646,14 @@ optional_policy(`
')
optional_policy(`
@@ -40109,7 +40467,7 @@ index 69cbd06..c990292 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +670,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -40136,7 +40494,7 @@ index 69cbd06..c990292 100644
')
optional_policy(`
-@@ -599,6 +692,12 @@ optional_policy(`
+@@ -599,6 +696,12 @@ optional_policy(`
')
optional_policy(`
@@ -40149,7 +40507,7 @@ index 69cbd06..c990292 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +710,6 @@ optional_policy(`
+@@ -611,7 +714,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -40157,7 +40515,7 @@ index 69cbd06..c990292 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +732,75 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -43277,10 +43635,10 @@ index 0000000..9108437
+/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
diff --git a/quantum.if b/quantum.if
new file mode 100644
-index 0000000..89e4bc5
+index 0000000..010b2be
--- /dev/null
+++ b/quantum.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,218 @@
+## Quantum is a virtual network service for Openstack
+
+########################################
@@ -43473,12 +43831,6 @@ index 0000000..89e4bc5
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`quantum_admin',`
+ gen_require(`
@@ -46426,7 +46778,7 @@ index 63e78c6..fdd8228 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index d654552..49dbcc4 100644
+index d654552..706700d 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -46466,7 +46818,7 @@ index d654552..49dbcc4 100644
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
-@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t)
+@@ -88,27 +88,24 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
@@ -46493,6 +46845,7 @@ index d654552..49dbcc4 100644
- fs_read_cifs_symlinks(rlogind_t)
+optional_policy(`
+ kerberos_keytab_template(rlogind, rlogind_t)
++ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
+ #part of auth_use_pam
+ #kerberos_manage_host_rcache(rlogind_t)
')
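Review bot: The `#part of auth_use_pam` comment over the commented-out `kerberos_manage_host_rcache(rlogind_t)` no longer tells the whole story: the kerberos.if hunk above adds manage_files_pattern on krb5_host_rcache_t to kerberos_tmp_filetrans_host_rcache itself, so the new `kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")` line already grants manage regardless of auth_use_pam. Either drop the two commented lines (as the sasl hunk below does) or reword the comment to `# manage on krb5_host_rcache_t comes from kerberos_tmp_filetrans_host_rcache above`. The optional_policy block is fully inside the hunk.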
@@ -49899,7 +50252,7 @@ index cfe3172..3eb745d 100644
+
')
diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..d5d96e7 100644
+index e02eb6c..f1314b0 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -49931,15 +50284,27 @@ index e02eb6c..d5d96e7 100644
##
gen_tunable(sanlock_use_samba, false)
-@@ -46,6 +46,7 @@ ifdef(`enable_mls',`
+@@ -44,8 +44,9 @@ ifdef(`enable_mls',`
#
- allow sanlock_t self:capability { sys_nice ipc_lock };
- allow sanlock_t self:process { setsched signull };
+ # sanlock local policy
+ #
+-allow sanlock_t self:capability { sys_nice ipc_lock };
+-allow sanlock_t self:process { setsched signull };
++allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
++allow sanlock_t self:process { setsched signull signal };
+
allow sanlock_t self:fifo_file rw_fifo_file_perms;
allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-@@ -67,6 +68,8 @@ storage_raw_rw_fixed_disk(sanlock_t)
+@@ -58,6 +59,7 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+
+ kernel_read_system_state(sanlock_t)
++kernel_read_kernel_sysctls(sanlock_t)
+
+ domain_use_interactive_fds(sanlock_t)
+
+@@ -67,6 +69,8 @@ storage_raw_rw_fixed_disk(sanlock_t)
dev_read_urand(sanlock_t)
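Review bot: The capability set for sanlock_t grows to `{ chown setgid dac_override ipc_lock sys_nice }` with no comment on which operation needs chown, setgid or dac_override; dac_override in particular lets the daemon bypass DAC permission checks on every file its SELinux type can reach, and usually points at a lock file, socket or directory owned by the wrong user rather than a real need. Suggest either fixing the ownership of the objects involved or documenting the need, e.g. `# chown/setgid/dac_override: required for <operation> on rhel6 -- re-check when rhel6 support is dropped`, since the commit message only says "changes required for sanlock in rhel6". The `kernel_read_kernel_sysctls` addition in the same hunk is fine.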
@@ -49948,7 +50313,7 @@ index e02eb6c..d5d96e7 100644
init_read_utmp(sanlock_t)
init_dontaudit_write_utmp(sanlock_t)
-@@ -75,19 +78,25 @@ logging_send_syslog_msg(sanlock_t)
+@@ -75,19 +79,25 @@ logging_send_syslog_msg(sanlock_t)
miscfiles_read_localization(sanlock_t)
tunable_policy(`sanlock_use_nfs',`
@@ -50014,7 +50379,7 @@ index f1aea88..3e6a93f 100644
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/sasl.te b/sasl.te
-index 9d9f8ce..15569f0 100644
+index 9d9f8ce..637b67c 100644
--- a/sasl.te
+++ b/sasl.te
@@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0)
@@ -50036,15 +50401,14 @@ index 9d9f8ce..15569f0 100644
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
-@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+@@ -38,16 +35,17 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
-allow saslauthd_t saslauthd_tmp_t:dir setattr;
-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
-+kerberos_tmp_filetrans_host_rcache(saslauthd_t)
-
+-
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -50060,7 +50424,7 @@ index 9d9f8ce..15569f0 100644
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
-@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
+@@ -55,6 +53,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
corenet_tcp_sendrecv_generic_node(saslauthd_t)
corenet_tcp_sendrecv_all_ports(saslauthd_t)
corenet_tcp_connect_pop_port(saslauthd_t)
@@ -50068,7 +50432,7 @@ index 9d9f8ce..15569f0 100644
corenet_sendrecv_pop_client_packets(saslauthd_t)
dev_read_urand(saslauthd_t)
-@@ -88,12 +89,13 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+@@ -88,11 +87,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
# cjp: typeattribute doesnt work in conditionals
auth_can_read_shadow_passwords(saslauthd_t)
@@ -50078,11 +50442,10 @@ index 9d9f8ce..15569f0 100644
')
optional_policy(`
++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
kerberos_keytab_template(saslauthd, saslauthd_t)
-+ #kerberos_manage_host_rcache(saslauthd_t)
')
- optional_policy(`
diff --git a/sblim.if b/sblim.if
index fa24879..fdb665a 100644
--- a/sblim.if
@@ -52805,7 +53168,7 @@ index d2496bd..c7614d7 100644
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/squid.te b/squid.te
-index d24bd07..e5f4599 100644
+index d24bd07..daf200c 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -52827,7 +53190,15 @@ index d24bd07..e5f4599 100644
type squid_var_run_t;
files_pid_file(squid_var_run_t)
-@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+@@ -69,6 +72,7 @@ allow squid_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
++files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+
+ allow squid_t squid_conf_t:dir list_dir_perms;
+ read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+@@ -85,11 +89,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
@@ -52844,7 +53215,7 @@ index d24bd07..e5f4599 100644
files_dontaudit_getattr_boot_dirs(squid_t)
-@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -52854,7 +53225,7 @@ index d24bd07..e5f4599 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +194,7 @@ optional_policy(`
+@@ -185,6 +195,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -52862,13 +53233,13 @@ index d24bd07..e5f4599 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +216,7 @@ optional_policy(`
+@@ -206,3 +217,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
+
+optional_policy(`
-+ kerberos_manage_host_rcache(squid_t)
++ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
+')
diff --git a/sssd.fc b/sssd.fc
index 4271815..4bc00ea 100644
@@ -52969,7 +53340,7 @@ index 941380a..e1095f0 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/sssd.te b/sssd.te
-index 8ffa257..1dfa5ce 100644
+index 8ffa257..20d8944 100644
--- a/sssd.te
+++ b/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -53061,10 +53432,11 @@ index 8ffa257..1dfa5ce 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +108,18 @@ optional_policy(`
+@@ -87,4 +108,19 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
++ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
+ kerberos_read_home_content(sssd_t)
+')
+
@@ -53119,10 +53491,10 @@ index 0000000..5ab0840
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
diff --git a/svnserve.if b/svnserve.if
new file mode 100644
-index 0000000..bab5617
+index 0000000..19d13a7
--- /dev/null
+++ b/svnserve.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,119 @@
+
+## policy for svnserve
+
@@ -53219,12 +53591,6 @@ index 0000000..bab5617
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`svnserve_admin',`
+ gen_require(`
@@ -53896,7 +54262,7 @@ index 58e7ec0..e4119f7 100644
+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
+')
diff --git a/telnet.te b/telnet.te
-index f40e67b..3519e88 100644
+index f40e67b..0634c00 100644
--- a/telnet.te
+++ b/telnet.te
@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
@@ -53942,13 +54308,14 @@ index f40e67b..3519e88 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -98,3 +92,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +92,13 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
')
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
++ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
+ kerberos_manage_host_rcache(telnetd_t)
+')
+
@@ -54378,10 +54745,10 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..7eea9cd
+index 0000000..e379b1b
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,109 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -54456,6 +54823,10 @@ index 0000000..7eea9cd
+
+auth_use_nsswitch(thumb_t)
+
++tunable_policy(`selinuxuser_execmod',`
++ libs_legacy_use_shared_libs(thumb_t)
++')
++
+miscfiles_read_fonts(thumb_t)
+miscfiles_read_localization(thumb_t)
+
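Review bot: The new tunable block grants thumb_t execmod on lib_t via `libs_legacy_use_shared_libs` whenever `selinuxuser_execmod` is on, without naming which library needs text relocations; a thumbnailer parses untrusted media, so each W^X relaxation for it should be traceable to a specific cause so it can be removed once that library is fixed. Suggest `# execmod on lib_t for libraries with text relocations (which ones? -- TODO confirm); gated by selinuxuser_execmod` above the tunable_policy. The rest of thumb_t's rules are outside this hunk.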
@@ -56612,7 +56983,7 @@ index 7c5d8d8..85b7d8b 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/virt.te b/virt.te
-index ad3068a..5759ef5 100644
+index ad3068a..55dd15c 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
@@ -56888,7 +57259,7 @@ index ad3068a..5759ef5 100644
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
-+ dontaudit virtd_t self:capability sys_module;
++ dontaudit virtd_t self:capability { sys_module sys_ptrace };
+')
-allow virtd_t self:fifo_file rw_fifo_file_perms;
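Review bot: `sys_ptrace` is added to the `hide_broken_symptoms` dontaudit while the comment above it still explains only the original `sys_module` case, so the capability remains denied but the denial is no longer logged and nobody can later tell which symptom was meant to be hidden. A ptrace attempt from libvirtd is exactly the kind of event a defender would want to see in the AVC log, so either the comment should name the trigger, `# sys_ptrace: <trigger — TODO fill in>`, or the capability should get its own dontaudit line with its own reason so the two can be revisited independently. The `allow virtd_t self:process` line above is context and the block continues outside the hunk.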
@@ -57079,7 +57450,7 @@ index ad3068a..5759ef5 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,6 +506,14 @@ optional_policy(`
+@@ -335,19 +506,30 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -57094,12 +57465,14 @@ index ad3068a..5759ef5 100644
')
optional_policy(`
-@@ -343,11 +522,14 @@ optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
- dnsmasq_read_pid_files(virtd_t)
+- dnsmasq_read_pid_files(virtd_t)
dnsmasq_signull(virtd_t)
+ dnsmasq_create_pid_dirs(virtd_t)
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
++ dnsmasq_manage_pid_files(virtd_t)
')
optional_policy(`
@@ -57139,7 +57512,15 @@ index ad3068a..5759ef5 100644
')
optional_policy(`
-@@ -403,20 +591,36 @@ optional_policy(`
+@@ -384,6 +572,7 @@ optional_policy(`
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
+
++ xen_exec(virtd_t)
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
+ xen_read_image_files(virtd_t)
+@@ -403,20 +592,36 @@ optional_policy(`
# virtual domains common policy
#
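Review bot: `xen_exec(virtd_t)` runs the xend binary inside virtd_t instead of transitioning to xend_t (the interface defined in the xen.if hunk further down is a plain `can_exec`), so whatever that code does is governed by virtd's broad rules — execmem, setexec and setfscreate are visible in this file — rather than by xend's own policy. That matches the changelog entry, but neither the call site nor the interface records why a domain transition is unsuitable; I would add `# run xend in virtd_t: domtrans not wanted because <reason — TODO>` above the call and extend the xen_exec description to state that the caller's domain, not xend_t, confines the executed code. The optional_policy block this sits in begins before the hunk.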
@@ -57179,7 +57560,7 @@ index ad3068a..5759ef5 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -427,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -427,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -57193,7 +57574,7 @@ index ad3068a..5759ef5 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,10 +644,12 @@ dev_write_sound(virt_domain)
+@@ -438,10 +645,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -57206,7 +57587,7 @@ index ad3068a..5759ef5 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,25 +657,430 @@ files_search_all(virt_domain)
+@@ -449,25 +658,429 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -57428,8 +57809,7 @@ index ad3068a..5759ef5 100644
+fs_mounton_tmpfs(virtd_lxc_t)
+fs_remount_all_fs(virtd_lxc_t)
+fs_rw_cgroup_files(virtd_lxc_t)
-+fs_unmount_xattr_fs(virtd_lxc_t)
-+fs_unmount_configfs(virtd_lxc_t)
++fs_unmount_all_fs(virtd_lxc_t)
+fs_relabelfrom_tmpfs(virtd_lxc_t)
+
+selinux_mount_fs(virtd_lxc_t)
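Review bot: `fs_unmount_all_fs(virtd_lxc_t)` widens the unmount right from two named filesystem types (xattr-bearing filesystems and configfs) to every filesystem type, with no comment recording which additional type forced the change. If the failing case was one or two specific types, the matching narrow `fs_unmount_*` interface keeps the sandbox manager at least privilege; if all types are genuinely needed, a comment next to the rule, `# needs all fs types because <reason — TODO>`, lets the next reviewer confirm that rather than guess. The virtd_lxc_t rule block starts before the hunk.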
@@ -57714,10 +58094,22 @@ index f21389b..482db56 100644
# cjp: why?
userdom_read_user_home_content_files(vmware_t)
diff --git a/vnstatd.if b/vnstatd.if
-index 727fe95..958de01 100644
+index 727fe95..47ec114 100644
--- a/vnstatd.if
+++ b/vnstatd.if
-@@ -135,8 +135,11 @@ interface(`vnstatd_admin',`
+@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Role allowed access.
+-##
+-##
+-##
+ #
+ interface(`vnstatd_admin',`
+ gen_require(`
type vnstatd_t, vnstatd_var_lib_t;
')
@@ -58127,10 +58519,31 @@ index 9d24449..2666317 100644
/opt/picasa/wine/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0)
diff --git a/wine.if b/wine.if
-index f9a73d0..00a98f1 100644
+index f9a73d0..4b83bb0 100644
--- a/wine.if
+++ b/wine.if
-@@ -29,12 +29,16 @@
+@@ -10,10 +10,9 @@
+ ## for wine applications.
+ ##
+ ##
+-##
++##
+ ##
+-## The prefix of the user domain (e.g., user
+-## is the prefix for user_t).
++## The role associated with the user domain.
+ ##
+ ##
+ ##
+@@ -21,20 +20,19 @@
+ ## The type of the user domain.
+ ##
+ ##
+-##
+-##
+-## The role associated with the user domain.
+-##
+-##
#
template(`wine_role',`
gen_require(`
@@ -58147,7 +58560,7 @@ index f9a73d0..00a98f1 100644
allow wine_t $2:fd use;
allow wine_t $2:process { sigchld signull };
allow wine_t $2:unix_stream_socket connectto;
-@@ -44,8 +48,7 @@ template(`wine_role',`
+@@ -44,8 +42,7 @@ template(`wine_role',`
allow $2 wine_t:process signal_perms;
allow $2 wine_t:fd use;
@@ -58157,7 +58570,7 @@ index f9a73d0..00a98f1 100644
allow $2 wine_t:unix_stream_socket connectto;
# X access, Home files
-@@ -86,6 +89,7 @@ template(`wine_role',`
+@@ -86,6 +83,7 @@ template(`wine_role',`
#
template(`wine_role_template',`
gen_require(`
@@ -58165,7 +58578,7 @@ index f9a73d0..00a98f1 100644
type wine_exec_t;
')
-@@ -96,12 +100,12 @@ template(`wine_role_template',`
+@@ -96,12 +94,12 @@ template(`wine_role_template',`
role $2 types $1_wine_t;
allow $1_wine_t self:process { execmem execstack };
@@ -58180,7 +58593,7 @@ index f9a73d0..00a98f1 100644
domain_mmap_low($1_wine_t)
-@@ -109,6 +113,10 @@ template(`wine_role_template',`
+@@ -109,6 +107,10 @@ template(`wine_role_template',`
dontaudit $1_wine_t self:memprotect mmap_zero;
')
@@ -58326,10 +58739,36 @@ index 1a1b374..f22f770 100644
')
diff --git a/xen.if b/xen.if
-index 77d41b6..138efd8 100644
+index 77d41b6..cc73c96 100644
--- a/xen.if
+++ b/xen.if
-@@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',`
+@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
+
+ ########################################
+ ##
++## Allow the specified domain to execute xend
++## in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xen_exec',`
++ gen_require(`
++ type xend_exec_t;
++ ')
++
++ can_exec($1, xend_exec_t)
++')
++
++########################################
++##
+ ## Inherit and use xen file descriptors.
+ ##
+ ##
+@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
dontaudit $1 xend_t:fd use;
')
@@ -58356,7 +58795,7 @@ index 77d41b6..138efd8 100644
########################################
##
## Read xend image files.
-@@ -87,6 +107,26 @@ interface(`xen_read_image_files',`
+@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
##
##
#
@@ -58383,7 +58822,7 @@ index 77d41b6..138efd8 100644
interface(`xen_rw_image_files',`
gen_require(`
type xen_image_t, xend_var_lib_t;
-@@ -161,7 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
########################################
##
@@ -58392,7 +58831,7 @@ index 77d41b6..138efd8 100644
##
##
##
-@@ -180,7 +220,7 @@ interface(`xen_stream_connect_xenstore',`
+@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
########################################
##
@@ -58401,7 +58840,7 @@ index 77d41b6..138efd8 100644
##
##
##
-@@ -213,14 +253,15 @@ interface(`xen_stream_connect',`
+@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
@@ -58419,7 +58858,7 @@ index 77d41b6..138efd8 100644
##
##
##
-@@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',`
+@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 39f7985..5059ec6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.0
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jun 15 2012 Miroslav Grepl 3.11.0-4
+- Add support for ecryptfs
+ * ecryptfs does not support xattr
+ * we need labeling for HOMEDIR
+- Add policy for (u)mount.ecryptfs*
+- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache
+- Allow dovecot to manage Maildir content, fix transitions to Maildir
+- Allow postfix_local to transition to dovecot_deliver
+- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
+- Cleanup interface definitions
+- Allow apmd to change with the logind daemon
+- Changes required for sanlock in rhel6
+- Label /run/user/apache as httpd_tmp_t
+- Allow thumb to use lib_t as execmod if boolean turned on
+- Allow squid to create the squid directory in /var with the correct labe
+- Add a new policy for glusterd from Bryan Bickford (bbickfor@redhat.com)
+- Allow virtd to exec xend_exec_t without transition
+- Allow virtd_lxc_t to unmount all file systems
+
* Tue Jun 12 2012 Miroslav Grepl 3.11.0-3
- PolicyKit path has changed
- Allow httpd connect to dirsrv socket