From c8df556a5f689ea52ee718df37e9a9723b2ce5f1 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Jan 24 2014 16:20:15 +0000
Subject: Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 4c7f533..f5b9b72 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2471,3 +2471,10 @@ snapper = module
# pcp policy
#
pcp = module
+
+# Layer: contrib
+# Module: geoclue
+#
+# Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
+#
+geoclue = module
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0a4d2b3..862c780 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5819,7 +5819,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..53df7ae 100644
+index b31c054..5d200ef 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5867,7 +5867,7 @@ index b31c054..53df7ae 100644
')
+/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0)
++/dev/vfio/(vfio)?[0-9]+ -c gen_context(system_u:object_r:vfio_device_t,s0)
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
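Review bot: The new file context `/dev/vfio/(vfio)?[0-9]+` no longer matches the container node `/dev/vfio/vfio` itself, because `[0-9]+` demands at least one trailing digit, so that device would presumably fall back to the generic `/dev/.*` entry rather than `vfio_device_t`. If the intent is to cover both the container node and the numbered group nodes, `/dev/vfio/(vfio|[0-9]+) -c gen_context(system_u:object_r:vfio_device_t,s0)` expresses that directly. The removed line only ever matched the container node, so this change widens the pattern but silently drops the one path it previously labeled.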
@@ -8705,7 +8705,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..4182845 100644
+index cf04cb5..628d039 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8842,7 +8842,7 @@ index cf04cb5..4182845 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +231,318 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +231,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -8893,6 +8893,14 @@ index cf04cb5..4182845 100644
+ init_filetrans_named_content(named_filetrans_domain)
+')
+
++# Allow manage transient unit files
++optional_policy(`
++ init_start_transient_unit(unconfined_domain_type)
++ init_stop_transient_unit(unconfined_domain_type)
++ init_status_transient_unit(unconfined_domain_type)
++ init_reload_transient_unit(unconfined_domain_type)
++')
++
+optional_policy(`
+ auth_filetrans_named_content(named_filetrans_domain)
+ auth_filetrans_admin_home_content(named_filetrans_domain)
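Review bot: The comment `# Allow manage transient unit files` describes these four calls as acting on unit files, but the interface names (`init_start_transient_unit` and the stop/status/reload variants) concern transient units themselves, so the comment should read `# Allow unconfined domains to start, stop, query the status of and reload transient systemd units`. This presumes the four interfaces are declared in the init.if portion of this base patch, which is outside the hunk; the enclosing domain.te block for `unconfined_domain_type` also starts and ends outside it.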
@@ -8947,6 +8955,10 @@ index cf04cb5..4182845 100644
+')
+
+optional_policy(`
++ docker_filetrans_named_content(named_filetrans_domain)
++')
++
++optional_policy(`
+ dnsmasq_filetrans_named_content(named_filetrans_domain)
+')
+
@@ -9412,7 +9424,7 @@ index b876c48..27f60c6 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..68d8f79 100644
+index f962f76..1a11674 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10575,20 +10587,39 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3256,10 +3867,10 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +3867,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir { search_dir_perms mounton };
++')
++
++########################################
++##
++## Mount a filesystem on a new chr_file
++## that has not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_isid_type_chr_file',`
++ gen_require(`
++ type unlabeled_t;
')
- allow $1 file_t:dir { search_dir_perms mounton };
-+ allow $1 unlabeled_t:dir { search_dir_perms mounton };
++ allow $1 unlabeled_t:chr_file mounton;
')
########################################
-@@ -3275,10 +3886,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +3905,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
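Review bot: The new interface is named `files_mounton_isid_type_chr_file` (singular) while every sibling in this family uses the plural form, including `files_delete_isid_type_chr_files`, `files_manage_isid_type_chr_files` and `files_mounton_isid_type_dirs` in the same file; renaming it to `files_mounton_isid_type_chr_files` before any caller depends on it keeps the naming consistent. The nested hunk header was rewritten to `@@ -3256,10 +3867,29 @@`; that line count cannot be checked from here and the inner interface body continues past the end of this hunk.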
@@ -10601,7 +10632,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3294,10 +3905,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +3924,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -10614,7 +10645,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3313,10 +3924,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +3943,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -10627,7 +10658,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3332,10 +3943,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +3962,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -10640,7 +10671,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3351,10 +3962,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +3981,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -10653,7 +10684,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3370,10 +3981,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4000,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -10666,7 +10697,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3389,10 +4000,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4019,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -10679,7 +10710,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3408,10 +4019,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4038,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -10692,7 +10723,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3427,10 +4038,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4057,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -10705,7 +10736,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3446,10 +4057,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4076,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -10718,7 +10749,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3465,10 +4076,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4095,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -10750,7 +10781,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3484,10 +4114,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4133,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -10763,7 +10794,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3503,10 +4133,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4152,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -10776,7 +10807,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -3814,20 +4444,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4463,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -10820,7 +10851,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -4217,6 +4865,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4884,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -10993,7 +11024,7 @@ index f962f76..68d8f79 100644
########################################
##
## Allow the specified type to associate
-@@ -4239,6 +5053,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5072,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -11020,7 +11051,7 @@ index f962f76..68d8f79 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4252,17 +5086,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5105,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -11059,7 +11090,7 @@ index f962f76..68d8f79 100644
##
##
#
-@@ -4289,6 +5143,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5162,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -11067,7 +11098,7 @@ index f962f76..68d8f79 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4325,6 +5180,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5199,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11075,7 +11106,7 @@ index f962f76..68d8f79 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4334,7 +5190,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5209,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -11084,7 +11115,7 @@ index f962f76..68d8f79 100644
##
##
#
-@@ -4346,6 +5202,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5221,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -11110,7 +11141,7 @@ index f962f76..68d8f79 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4361,6 +5236,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5255,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11118,7 +11149,7 @@ index f962f76..68d8f79 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4402,6 +5278,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5297,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -11151,7 +11182,7 @@ index f962f76..68d8f79 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4456,7 +5358,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,7 +5377,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -11160,7 +11191,7 @@ index f962f76..68d8f79 100644
##
##
##
-@@ -4464,17 +5366,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,17 +5385,17 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
#
@@ -11182,7 +11213,7 @@ index f962f76..68d8f79 100644
##
##
##
-@@ -4482,59 +5384,149 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,18 +5403,108 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
#
@@ -11202,54 +11233,6 @@ index f962f76..68d8f79 100644
-## Relabel to and from all temporary
-## directory types.
+## Set the attributes of all tmp directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_relabel_all_tmp_dirs',`
-+interface(`files_setattr_all_tmp_dirs',`
- gen_require(`
- attribute tmpfile;
-- type var_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- relabel_dirs_pattern($1, tmpfile, tmpfile)
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of all tmp files.
-+## Allow caller to read inherited tmp files.
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
-+interface(`files_read_inherited_tmp_files',`
- gen_require(`
- attribute tmpfile;
- ')
-
-- dontaudit $1 tmpfile:file getattr;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
- ')
-
- ########################################
- ##
--## Allow attempts to get the attributes
--## of all tmp files.
-+## Allow caller to append inherited tmp files.
+##
+##
+##
@@ -11257,17 +11240,17 @@ index f962f76..68d8f79 100644
+##
+##
+#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+')
+
+########################################
+##
-+## Allow caller to read and write inherited tmp files.
++## Allow caller to read inherited tmp files.
+##
+##
+##
@@ -11275,17 +11258,17 @@ index f962f76..68d8f79 100644
+##
+##
+#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+')
+
+########################################
+##
-+## List all tmp directories.
++## Allow caller to append inherited tmp files.
+##
+##
+##
@@ -11293,63 +11276,58 @@ index f962f76..68d8f79 100644
+##
+##
+#
-+interface(`files_list_all_tmp',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:dir list_dir_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
+')
+
+########################################
+##
-+## Relabel to and from all temporary
-+## directory types.
++## Allow caller to read and write inherited tmp files.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
+ attribute tmpfile;
-+ type var_t;
+ ')
+
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:file rw_inherited_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
++## List all tmp directories.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ dontaudit $1 tmpfile:file getattr;
++ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+##
-+## Allow attempts to get the attributes
-+## of all tmp files.
++## Relabel to and from all temporary
++## directory types.
##
##
##
-@@ -4579,7 +5571,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4519,7 +5530,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
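Review bot: `files_read_inherited_tmp_files` grants `allow $1 tmpfile:file { append read_inherited_file_perms };`, so a caller asking only for read access to inherited tmp files also receives append, while a separate `files_append_inherited_tmp_files` exists for exactly that permission. If the append is deliberate (inherited descriptors that are both read and appended), the summary `## Allow caller to read inherited tmp files.` should say so, e.g. `## Allow caller to read and append inherited tmp files.`; otherwise drop `append` from the allow line. The same family also mixes singular and plural, `files_rw_inherited_tmp_file` against `files_read_inherited_tmp_files` and `files_append_inherited_tmp_files`. These lines are moved rather than introduced by this commit, so the point may be pre-existing in the inner patch.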
@@ -11358,7 +11336,16 @@ index f962f76..68d8f79 100644
##
##
#
-@@ -4611,6 +5603,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4579,7 +5590,7 @@ interface(`files_relabel_all_tmp_files',`
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -4611,6 +5622,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -11403,7 +11390,7 @@ index f962f76..68d8f79 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4664,6 +5694,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5713,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11420,7 +11407,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5241,6 +6281,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6300,24 @@ interface(`files_list_var',`
########################################
##
@@ -11445,7 +11432,7 @@ index f962f76..68d8f79 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5527,6 +6585,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6604,25 @@ interface(`files_rw_var_lib_dirs',`
########################################
##
@@ -11471,7 +11458,7 @@ index f962f76..68d8f79 100644
## Create objects in the /var/lib directory
##
##
-@@ -5596,6 +6673,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6692,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11497,7 +11484,7 @@ index f962f76..68d8f79 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5641,7 +6737,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6756,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11506,7 +11493,7 @@ index f962f76..68d8f79 100644
##
##
##
-@@ -5649,12 +6745,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6764,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11522,7 +11509,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5672,6 +6769,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6788,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11530,7 +11517,7 @@ index f962f76..68d8f79 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5698,7 +6796,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6815,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11558,7 +11545,7 @@ index f962f76..68d8f79 100644
##
##
##
-@@ -5706,13 +6823,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6842,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11575,7 +11562,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5731,7 +6847,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6866,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11584,7 +11571,7 @@ index f962f76..68d8f79 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5764,7 +6880,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6899,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11592,7 +11579,7 @@ index f962f76..68d8f79 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5779,7 +6894,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6913,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11601,7 +11588,7 @@ index f962f76..68d8f79 100644
##
##
##
-@@ -5787,13 +6902,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6921,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11636,7 +11623,7 @@ index f962f76..68d8f79 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5809,13 +6944,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6963,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11654,7 +11641,7 @@ index f962f76..68d8f79 100644
')
########################################
-@@ -5834,9 +6968,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +6987,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11665,7 +11652,7 @@ index f962f76..68d8f79 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5878,8 +7010,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7029,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11675,7 +11662,7 @@ index f962f76..68d8f79 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7032,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7051,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11685,7 +11672,7 @@ index f962f76..68d8f79 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7069,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7088,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11695,7 +11682,7 @@ index f962f76..68d8f79 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5979,7 +7108,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7127,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11704,7 +11691,7 @@ index f962f76..68d8f79 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5999,10 +7128,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7147,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11753,7 +11740,7 @@ index f962f76..68d8f79 100644
########################################
##
## Do not audit attempts to search
-@@ -6025,21 +7192,40 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,27 +7211,27 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -11777,13 +11764,36 @@ index f962f76..68d8f79 100644
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+ dontaudit $1 pidfile:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Read generic process ID files.
++## List the contents of the runtime process
++## ID directories (/var/run).
+ ##
+ ##
+ ##
+@@ -6053,12 +7239,31 @@ interface(`files_list_pids',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_list_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
+')
+
+########################################
+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
++## Read generic process ID files.
+##
+##
+##
@@ -11791,25 +11801,16 @@ index f962f76..68d8f79 100644
+##
+##
+#
-+interface(`files_list_pids',`
++interface(`files_read_generic_pids',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
- ')
-
-@@ -6058,7 +7244,7 @@ interface(`files_read_generic_pids',`
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6078,7 +7264,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7283,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11818,7 +11819,7 @@ index f962f76..68d8f79 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6140,7 +7326,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7345,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11826,7 +11827,7 @@ index f962f76..68d8f79 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6169,6 +7354,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7373,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -11851,7 +11852,7 @@ index f962f76..68d8f79 100644
## Read and write generic process ID files.
##
##
-@@ -6182,7 +7385,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7404,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11860,337 +11861,236 @@ index f962f76..68d8f79 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6249,55 +7452,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,6 +7471,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
--## Read all process ID files.
+## Relable all pid directories
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_read_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabel_all_pid_dirs',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ relabel_dirs_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Delete all process IDs.
++')
++
++########################################
++##
+## Delete all pid sockets
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`files_delete_all_pids',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ##
--## Delete all process ID directories.
++')
++
++########################################
++##
+## Create all pid sockets
- ##
- ##
- ##
-@@ -6305,42 +7496,35 @@ interface(`files_delete_all_pids',`
- ##
- ##
- #
--interface(`files_delete_all_pid_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_create_all_pid_sockets',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:sock_file create_sock_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write and delete all
--## var_run (pid) content
++')
++
++########################################
++##
+## Create all pid named pipes
- ##
- ##
- ##
--## Domain alloed access.
++##
++##
++##
+## Domain allowed access.
- ##
- ##
- #
--interface(`files_manage_all_pids',`
++##
++##
++#
+interface(`files_create_all_pid_pipes',`
- gen_require(`
- attribute pidfile;
- ')
-
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
++ gen_require(`
++ attribute pidfile;
++ ')
++
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Mount filesystems on all polyinstantiation
--## member directories.
++')
++
++########################################
++##
+## Delete all pid named pipes
- ##
- ##
- ##
-@@ -6348,18 +7532,18 @@ interface(`files_manage_all_pids',`
- ##
- ##
- #
--interface(`files_mounton_all_poly_members',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_pipes',`
- gen_require(`
-- attribute polymember;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 polymember:dir mounton;
++ ')
++
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Search the contents of generic spool
--## directories (/var/spool).
++')
++
++########################################
++##
+## manage all pidfile directories
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6367,37 +7551,40 @@ interface(`files_mounton_all_poly_members',`
- ##
- ##
- #
--interface(`files_search_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_all_pid_dirs',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- search_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ manage_dirs_pattern($1,pidfile,pidfile)
- ')
-
++')
+
- ########################################
- ##
--## Do not audit attempts to search generic
--## spool directories.
-+## Read all process ID files.
++
++########################################
++##
+ ## Read all process ID files.
##
##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_dontaudit_search_spool',`
-+interface(`files_read_all_pids',`
+@@ -6261,12 +7593,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
+ interface(`files_read_all_pids',`
gen_require(`
-- type var_spool_t;
-+ attribute pidfile;
+ attribute pidfile;
+- type var_t, var_run_t;
+ type var_t;
')
-- dontaudit $1 var_spool_t:dir search_dir_perms;
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ list_dirs_pattern($1, var_t, pidfile)
+ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## List the contents of generic spool
--## (/var/spool) directories.
++')
++
++########################################
++##
+## Relable all pid files
- ##
- ##
- ##
-@@ -6405,18 +7592,17 @@ interface(`files_dontaudit_search_spool',`
- ##
- ##
- #
--interface(`files_list_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_relabel_all_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
++ ')
++
+ relabel_files_pattern($1, pidfile, pidfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
++')
++
++########################################
++##
+## Execute generic programs in /var/run in the caller domain.
- ##
- ##
- ##
-@@ -6424,18 +7610,18 @@ interface(`files_list_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_exec_generic_pid_files',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ type var_run_t;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ exec_files_pattern($1, var_run_t, var_run_t)
- ')
-
- ########################################
- ##
--## Read generic spool files.
++')
++
++########################################
++##
+## manage all pidfiles
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6443,19 +7629,18 @@ interface(`files_manage_generic_spool_dirs',`
- ##
- ##
- #
--interface(`files_read_generic_spool',`
-+interface(`files_manage_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
-+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
-+## Mount filesystems on all polyinstantiation
-+## member directories.
- ##
- ##
- ##
-@@ -6463,55 +7648,130 @@ interface(`files_read_generic_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
-+interface(`files_mounton_all_poly_members',`
- gen_require(`
-- type var_t, var_spool_t;
-+ attribute polymember;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
-+ allow $1 polymember:dir mounton;
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
-+## Delete all process IDs.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
-+##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
-+interface(`files_delete_all_pids',`
++interface(`files_manage_all_pids',`
+ gen_require(`
+ attribute pidfile;
-+ type var_t, var_run_t;
+ ')
+
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ manage_files_pattern($1,pidfile,pidfile)
+')
+
+########################################
+##
-+## Delete all process ID directories.
++## Mount filesystems on all polyinstantiation
++## member directories.
+##
+##
- ##
--## Type to which the created node will be transitioned.
++##
+## Domain allowed access.
- ##
- ##
--##
++##
++##
+#
-+interface(`files_delete_all_pid_dirs',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
-+ attribute pidfile;
-+ type var_t, var_run_t;
++ attribute polymember;
+ ')
+
++ allow $1 polymember:dir mounton;
+ ')
+
+ ########################################
+@@ -6286,8 +7692,8 @@ interface(`files_delete_all_pids',`
+ type var_t, var_run_t;
+ ')
+
+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ delete_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+@@ -6311,36 +7717,80 @@ interface(`files_delete_all_pid_dirs',`
+ type var_t, var_run_t;
+ ')
+
++ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Make the specified type a file
+## used for spool files.
+##
@@ -12221,14 +12121,11 @@ index f962f76..68d8f79 100644
+##
+##
+##
- ##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
++##
+## Type of the file to be used as a
+## spool file.
- ##
- ##
--##
++##
++##
+##
+#
+interface(`files_spool_file',`
@@ -12243,334 +12140,76 @@ index f962f76..68d8f79 100644
+########################################
+##
+## Create all spool sockets
-+##
-+##
+ ##
+ ##
##
--## The name of the object being created.
+-## Domain alloed access.
+## Domain allowed access.
##
##
#
--interface(`files_spool_filetrans',`
+-interface(`files_manage_all_pids',`
+interface(`files_create_all_spool_sockets',`
gen_require(`
-- type var_t, var_spool_t;
+- attribute pidfile;
+ attribute spoolfile;
')
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ allow $1 spoolfile:sock_file create_sock_file_perms;
')
########################################
##
--## Allow access to manage all polyinstantiated
--## directories on the system.
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all spool sockets
##
##
##
-@@ -6519,64 +7779,767 @@ interface(`files_spool_filetrans',`
+@@ -6348,12 +7798,33 @@ interface(`files_manage_all_pids',`
##
##
#
--interface(`files_polyinstantiate_all',`
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_spool_sockets',`
gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
+- attribute polymember;
+ attribute spoolfile;
')
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
--
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
+- allow $1 polymember:dir mounton;
+ allow $1 spoolfile:sock_file delete_sock_file_perms;
- ')
-
- ########################################
- ##
--## Unconfined access to files.
-+## Relabel to and from all spool
-+## directory types.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_unconfined',`
-+interface(`files_relabel_all_spool_dirs',`
- gen_require(`
-- attribute files_unconfined_type;
-+ attribute spoolfile;
-+ type var_t;
- ')
-
-- typeattribute $1 files_unconfined_type;
-+ relabel_dirs_pattern($1, spoolfile, spoolfile)
-+')
-+
-+########################################
-+##
-+## Search the contents of generic spool
-+## directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the spool directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_spool_filetrans',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_polyinstantiate_all',`
-+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
-+ ')
-+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
-+ # is remounted for polyinstantiation aware programs (like gdm)
-+ allow $1 polyparent:dir { getattr mounton };
-+
-+ # Need to give permission to create directories where applicable
-+ allow $1 self:process setfscreate;
-+ allow $1 polymember: dir { create setattr relabelto };
-+ allow $1 polydir: dir { write add_name open };
-+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
-+
-+ # Default type for mountpoints
-+ allow $1 poly_t:dir { create mounton };
-+ fs_unmount_xattr_fs($1)
-+
-+ fs_mount_tmpfs($1)
-+ fs_unmount_tmpfs($1)
-+
-+ ifdef(`distro_redhat',`
-+ # namespace.init
-+ files_search_tmp($1)
-+ files_search_home($1)
-+ corecmd_exec_bin($1)
-+ seutil_domtrans_setfiles($1)
-+ ')
+')
+
+########################################
+##
-+## Unconfined access to files.
++## Relabel to and from all spool
++## directory types.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_unconfined',`
++interface(`files_relabel_all_spool_dirs',`
+ gen_require(`
-+ attribute files_unconfined_type;
++ attribute spoolfile;
++ type var_t;
+ ')
+
-+ typeattribute $1 files_unconfined_type;
-+')
++ relabel_dirs_pattern($1, spoolfile, spoolfile)
+ ')
+
+ ########################################
+@@ -6580,3 +8051,514 @@ interface(`files_unconfined',`
+
+ typeattribute $1 files_unconfined_type;
+ ')
+
+########################################
+##
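Review bot: The inner patch now strips upstream's `files_manage_all_pids` (which granted `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` on `pidfile`), while the replacement defined earlier in this patch file only grants `manage_files_pattern($1,pidfile,pidfile)`. That is a tightening rather than a bug, but any caller in the contrib patch that relied on this interface for directory or symlink management under /var/run will start producing denials, so the callers are worth checking before merge. The replacement line also drops the spacing convention used by every other pattern call here; `manage_files_pattern($1, pidfile, pidfile)` would match. The enclosing inner hunk of files.if starts before this chunk.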
@@ -13081,7 +12720,7 @@ index f962f76..68d8f79 100644
+ ')
+
+ allow $1 etc_t:service status;
- ')
++')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 1a03abd..dfcd2ad 100644
--- a/policy/modules/kernel/files.te
@@ -14897,7 +14536,7 @@ index 7be4ddf..d5ef507 100644
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
+/sys/kernel/uevent_helper -- gen_context(system_u:object_r:usermodehelper_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..3910ec4 100644
+index e100d88..6f745f0 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -15312,7 +14951,7 @@ index e100d88..3910ec4 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2972,5 +3151,525 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3151,565 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -15660,12 +15299,8 @@ index e100d88..3910ec4 100644
+##
+##
+##
-+## Allow the specified domain to read the securitying
-+## state information. This includes several pieces
-+## of securitying information, such as security interface
-+## names, securityfilter (iptables) statistics, protocol
-+## information, routes, and remote procedure call (RPC)
-+## information.
++## Allow the specified domain to read the security
++## state information.
+##
+##
+##
@@ -15689,22 +15324,28 @@ index e100d88..3910ec4 100644
+
+########################################
+##
-+## Allow caller to read the security state symbolic links.
++## Write the security state information.
+##
++##
++##
++## Allow the specified domain to write the security
++## state information.
++##
++##
+##
+##
+## Domain allowed access.
+##
+##
++##
++##
+#
-+interface(`kernel_read_security_state_symlinks',`
++interface(`kernel_write_security_state',`
+ gen_require(`
+ type proc_t, proc_security_t;
+ ')
+
-+ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
-+
-+ list_dirs_pattern($1, proc_t, proc_security_t)
++ write_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+')
+
+########################################
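Review bot: `kernel_write_security_state` is a write-only interface added next to an existing `kernel_rw_security_state` that grants the same files read/write; the only caller visible in this commit is `systemd_sysctl_t`. If that domain never needs to read `proc_security_t`, write-only is the tighter grant and the doc block should say so explicitly, e.g. `## Write-only; use kernel_rw_security_state when the caller also reads this state.`; if it does read, the rw interface would avoid two overlapping grants. The inner hunk of kernel.if continues past this chunk.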
@@ -15717,35 +15358,34 @@ index e100d88..3910ec4 100644
+##
+##
+#
-+interface(`kernel_rw_security_state',`
++interface(`kernel_read_security_state_symlinks',`
+ gen_require(`
+ type proc_t, proc_security_t;
+ ')
+
-+ rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++ read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
+
+ list_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
+##
-+## Read and write usermodehelper state
++## Allow caller to read the security state symbolic links.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`kernel_rw_usermodehelper_state',`
++interface(`kernel_rw_security_state',`
+ gen_require(`
-+ type proc_t, usermodehelper_t;
++ type proc_t, proc_security_t;
+ ')
+
-+ dev_search_sysfs($1)
-+ rw_files_pattern($1, proc_t, usermodehelper_t)
-+ list_dirs_pattern($1, proc_t, usermodehelper_t)
++ rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
++
++ list_dirs_pattern($1, proc_t, proc_security_t)
+')
+
+########################################
@@ -15838,6 +15478,45 @@ index e100d88..3910ec4 100644
+ read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t)
+
+ list_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++##
++## Read and write usermodehelper state
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`kernel_rw_usermodehelper_state',`
++ gen_require(`
++ type proc_t, usermodehelper_t;
++ ')
++
++ dev_search_sysfs($1)
++ rw_files_pattern($1, proc_t, usermodehelper_t)
++ list_dirs_pattern($1, proc_t, usermodehelper_t)
++')
++
++########################################
++##
++## Relabel to usermodehelper context .
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_relabelto_usermodehelper',`
++ gen_require(`
++ type usermodehelper_t;
++ ')
++
++ allow $1 usermodehelper_t:file relabelto;
')
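Review bot: The description of `kernel_rw_usermodehelper_state` does not convey that this is a sensitive grant: per the sysfs contexts earlier in this patch, `usermodehelper_t` labels `/sys/kernel/uevent_helper`, and writing such files changes which helper the kernel itself executes, so write access here is close to an arbitrary-code-as-kernel-helper privilege for the caller. Suggest `## Read and write usermodehelper state (e.g. /sys/kernel/uevent_helper). Writing selects the helper the kernel runs; prefer the read-only interface unless the caller must change it.` in place of the one-line summary. In `kernel_relabelto_usermodehelper` the summary has a stray space before the full stop: `## Relabel to usermodehelper context.`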
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..4b6c9ad 100644
@@ -19235,11 +18914,11 @@ index 0000000..0e8654b
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..cf6582f
+index 0000000..b1163a6
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,613 @@
-+## Unconfiend user role
+@@ -0,0 +1,637 @@
++## Unconfined user role
+
+########################################
+##
@@ -19852,12 +19531,36 @@ index 0000000..cf6582f
+ allow $1 self:tun_socket relabelto;
+')
+
++########################################
++##
++## Allow domain to transition to unconfined_t user
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_transition',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ domtrans_pattern($1,$2,unconfined_t)
++ allow unconfined_t $2:file entrypoint;
++ allow $1 unconfined_t:process signal_perms;
++')
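Review bot: The second parameter of `unconfined_transition` is documented as "Domain allowed access." like the first, but it is used as the entrypoint executable type in `domtrans_pattern($1,$2,unconfined_t)` and `allow unconfined_t $2:file entrypoint;`; the doc should read `## Entry point executable type for the transition.` so callers understand they are declaring a new entrypoint into unconfined_t. `allow $1 unconfined_t:process signal_perms;` also lets the caller send any signal to every unconfined_t process, not just the child it spawned; `domtrans_pattern` already grants sigchld back, so if only the child is meant this line is broader than needed. For style, `domtrans_pattern($1, $2, unconfined_t)` matches the spacing used by the other interfaces in this file.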
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..ca62aef
+index 0000000..dbb8afa
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,339 @@
+@@ -0,0 +1,332 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -20153,7 +19856,6 @@ index 0000000..ca62aef
+')
+
+optional_policy(`
-+# rpm_run(unconfined_t, unconfined_r)
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t, unconfined_r)
+ rpm_dbus_chat(unconfined_t)
@@ -20186,15 +19888,9 @@ index 0000000..ca62aef
+optional_policy(`
+ xserver_run(unconfined_t, unconfined_r)
+ xserver_manage_home_fonts(unconfined_t)
++ xserver_xsession_entry_type(unconfined_t)
+')
+
-+
-+gen_require(`
-+ attribute_role rpm_script_roles;
-+')
-+
-+roleattribute unconfined_r rpm_script_roles;
-+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
@@ -27754,7 +27450,7 @@ index bc0ffc8..8de430d 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 79a45f6..e1589ac 100644
+index 79a45f6..9a14d49 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -28736,7 +28432,7 @@ index 79a45f6..e1589ac 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1840,3 +2359,360 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2359,432 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -29078,6 +28774,78 @@ index 79a45f6..e1589ac 100644
+
+########################################
+##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_start_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service start;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_stop_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service stop;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_reload_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service reload;
++')
++
++########################################
++##
++## Tell init to do an unknown access.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_status_transient_unit',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:service status;
++')
++
++########################################
++##
+## Transition to init named content
+##
+##
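Review bot: All four new interfaces (`init_start_transient_unit`, `init_stop_transient_unit`, `init_reload_transient_unit`, `init_status_transient_unit`) carry the copy-pasted summary "Tell init to do an unknown access.", which describes none of them. Suggested summaries: `## Allow the specified domain to start transient systemd units.`, `## Allow the specified domain to stop transient systemd units.`, `## Allow the specified domain to reload transient systemd units.`, `## Allow the specified domain to query the status of transient systemd units.`. The inner hunk of init.if continues past this chunk.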
@@ -38962,10 +38730,10 @@ index 0000000..1d9bdfd
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..2109915
+index 0000000..e9b0d55
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,653 @@
+@@ -0,0 +1,659 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -39234,6 +39002,7 @@ index 0000000..2109915
+
+kernel_read_network_state(systemd_tmpfiles_t)
+kernel_request_load_module(systemd_tmpfiles_t)
++kernel_relabelto_usermodehelper(systemd_tmpfiles_t)
+
+dev_write_kmsg(systemd_tmpfiles_t)
+dev_rw_sysfs(systemd_tmpfiles_t)
@@ -39583,6 +39352,7 @@ index 0000000..2109915
+
+kernel_dgram_send(systemd_sysctl_t)
+kernel_rw_all_sysctls(systemd_sysctl_t)
++kernel_write_security_state(systemd_sysctl_t)
+
+files_read_system_conf_files(systemd_sysctl_t)
+
@@ -39607,6 +39377,10 @@ index 0000000..2109915
+files_read_usr_files(systemd_domain)
+
+init_search_pid_dirs(systemd_domain)
++init_start_transient_unit(systemd_domain)
++init_stop_transient_unit(systemd_domain)
++init_status_transient_unit(systemd_domain)
++init_reload_transient_unit(systemd_domain)
+
+logging_stream_connect_syslog(systemd_domain)
+
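Review bot: The four `init_*_transient_unit` grants are applied to the whole `systemd_domain` attribute, so every helper domain in this module gains start/stop/reload/status on units that init manages as `init_t:service`. If only one or two helpers actually drive transient units, granting these on the specific domains keeps the rest of the attribute from being able to start or stop units; if all of them need it, a one-line comment above the block saying why would make that intent reviewable. The enclosing inner hunk of systemd.te continues past this chunk.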
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 4487f6f..589f30d 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -531,7 +531,7 @@ index 058d908..70eb89d 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..84c5ad6 100644
+index eb50f07..517116e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -672,7 +672,7 @@ index eb50f07..84c5ad6 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,23 +132,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,41 +132,47 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -702,9 +702,12 @@ index eb50f07..84c5ad6 100644
-kernel_read_system_state(abrt_t)
+kernel_read_network_state(abrt_t)
kernel_request_load_module(abrt_t)
++kernel_rw_usermodehelper_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
++kernel_rw_usermodehelper_state(abrt_t)
-@@ -150,16 +163,14 @@ corecmd_exec_shell(abrt_t)
+ corecmd_exec_bin(abrt_t)
+ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
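Review bot: `kernel_rw_usermodehelper_state(abrt_t)` is added twice in this hunk, once before and once after `kernel_rw_kernel_sysctl(abrt_t)`; the second occurrence should be dropped. Independently of the duplicate, this is a write grant on the files that select the kernel's usermode helpers for a daemon that processes crash data from all users, so it is worth confirming that abrt needs to write rather than read them; a read-only sibling interface appears to exist in kernel.if in this same commit. The inner hunk of abrt.te continues outside this chunk.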
@@ -723,7 +726,7 @@ index eb50f07..84c5ad6 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -176,29 +187,40 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +189,40 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -767,7 +770,7 @@ index eb50f07..84c5ad6 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +228,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +230,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -784,7 +787,7 @@ index eb50f07..84c5ad6 100644
')
optional_policy(`
-@@ -222,6 +240,20 @@ optional_policy(`
+@@ -222,6 +242,20 @@ optional_policy(`
')
optional_policy(`
@@ -805,7 +808,7 @@ index eb50f07..84c5ad6 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -233,6 +265,7 @@ optional_policy(`
+@@ -233,6 +267,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -813,7 +816,7 @@ index eb50f07..84c5ad6 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +276,7 @@ optional_policy(`
+@@ -243,6 +278,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -821,7 +824,7 @@ index eb50f07..84c5ad6 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +287,17 @@ optional_policy(`
+@@ -253,9 +289,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -840,7 +843,7 @@ index eb50f07..84c5ad6 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +308,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +310,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -855,7 +858,7 @@ index eb50f07..84c5ad6 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +327,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +329,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -863,7 +866,7 @@ index eb50f07..84c5ad6 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +336,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +338,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -884,7 +887,7 @@ index eb50f07..84c5ad6 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +357,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +359,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -911,7 +914,7 @@ index eb50f07..84c5ad6 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +393,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +395,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -925,7 +928,7 @@ index eb50f07..84c5ad6 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +411,11 @@ optional_policy(`
+@@ -343,10 +413,11 @@ optional_policy(`
#######################################
#
@@ -939,7 +942,7 @@ index eb50f07..84c5ad6 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +434,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +436,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -991,7 +994,7 @@ index eb50f07..84c5ad6 100644
#######################################
#
-@@ -404,7 +483,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +485,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1000,7 +1003,7 @@ index eb50f07..84c5ad6 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,16 +492,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +494,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1044,7 +1047,7 @@ index eb50f07..84c5ad6 100644
')
#######################################
-@@ -430,10 +535,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +537,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -2984,10 +2987,10 @@ index 0000000..8ba9c95
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..3d2065e 100644
+index 7caefc3..536a4bd 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,196 @@
+@@ -1,162 +1,197 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3302,6 +3305,7 @@ index 7caefc3..3d2065e 100644
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -14364,7 +14368,7 @@ index 5b830ec..0647a3b 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
-index bd18063..926e314 100644
+index bd18063..0957efc 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -14384,6 +14388,15 @@ index bd18063..926e314 100644
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
+@@ -33,7 +37,7 @@ create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+ setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)
+-logging_log_filetrans(consolekit_t, consolekit_log_t, file)
++logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file })
+
+ manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+ manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
@@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
@@ -22827,10 +22840,10 @@ index c7bb4e7..e6fe2f40 100644
sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/docker.fc b/docker.fc
new file mode 100644
-index 0000000..b24266e
+index 0000000..1c4ac02
--- /dev/null
+++ b/docker.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,17 @@
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
@@ -22844,13 +22857,16 @@ index 0000000..b24266e
+
+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
+
-+
++/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
++/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..c77a25f
+index 0000000..3061ae5
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,257 @@
+@@ -0,0 +1,323 @@
+
+## The open-source application container engine.
+
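Review bot: The new `hosts` and `hostname` patterns use `.*` between `containers/` and the file name and carry no object-class specifier, so they also match directories and any path nested several levels deep under containers/, which is wider than the per-container layout the names suggest. Bounding the container id and restricting to regular files keeps the label on the intended objects, e.g. `/var/lib/docker/containers/[^/]+/hosts -- gen_context(system_u:object_r:docker_share_t,s0)` and the same for `hostname`; `/var/lib/docker/.*/config\.env` would benefit from the `--` specifier for the same reason.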
@@ -22932,6 +22948,25 @@ index 0000000..c77a25f
+
+########################################
+##
++## Read docker share files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_read_share_files',`
++ gen_require(`
++ type docker_share_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, docker_share_t, docker_share_t)
++')
++
++########################################
++##
+## Manage docker lib files.
+##
+##
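Review bot: `docker_read_share_files` grants `files_search_var_lib($1)` and search/read on `docker_share_t`, but `/var/lib/docker` itself is `docker_var_lib_t` per the `files_var_lib_filetrans` rule later in this file, so a caller that holds nothing else on that type cannot traverse to the share files. Adding `type docker_var_lib_t;` to the `gen_require` block and `search_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)` before the read pattern would make the interface self-sufficient; if callers are expected to already have that search access, a comment saying so would avoid the surprise.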
@@ -23064,6 +23099,53 @@ index 0000000..c77a25f
+ allow $1 docker_t:sem rw_sem_perms;
+')
+
++#######################################
++##
++## Read and write the docker pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_use_ptys',`
++ gen_require(`
++ type docker_devpts_t;
++ ')
++
++ allow $1 docker_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++#######################################
++##
++## Allow domain to create docker content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_filetrans_named_content',`
++
++ gen_require(`
++ type docker_var_lib_t;
++ type docker_share_t;
++ type docker_log_t;
++ type docker_var_run_t;
++ ')
++
++ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
++ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
++ logging_log_filetrans($1, docker_log_t, dir, "lxc")
++ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
++')
++
+########################################
+##
+## All of the rules required to administrate
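Review bot: `docker_filetrans_named_content` only installs type transitions; it does not grant any create permission, so its summary "Allow domain to create docker content" overstates what it does. Suggest `## Transition created docker content under /var/run, /var/log and /var/lib to the docker private types.` and, for consistency with the other interfaces in this file, removing the blank line between the `interface(` opener and `gen_require(`.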
@@ -23110,20 +23192,28 @@ index 0000000..c77a25f
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..68c225c
+index 0000000..236e417
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,218 @@
+policy_module(docker, 1.0.0)
+
+########################################
+#
+# Declarations
+#
++##
++##
++## Allow docker to transition to unconfined conateiners
++##
++##
++gen_tunable(docker_transition_unconfined, false)
+
+type docker_t;
+type docker_exec_t;
+init_daemon_domain(docker_t, docker_exec_t)
++domain_subj_id_change_exemption(docker_t)
++domain_role_change_exemption(docker_t)
+
+type docker_var_lib_t;
+files_type(docker_var_lib_t)
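Review bot: The tunable description has a typo: `## Allow docker to transition to unconfined containers`. `domain_subj_id_change_exemption(docker_t)` and `domain_role_change_exemption(docker_t)` are applied unconditionally right below the tunable; if they are needed only for the unconfined transition the tunable gates, placing them inside the corresponding `tunable_policy` block would keep the default policy narrower, whereas if they are required for any container context change, a one-line comment saying so would make the broad exemption reviewable.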
@@ -23143,14 +23233,22 @@ index 0000000..68c225c
+type docker_unit_file_t;
+systemd_unit_file(docker_unit_file_t)
+
++type docker_devpts_t;
++term_pty(docker_devpts_t)
++
++type docker_share_t;
++files_type(docker_share_t)
++
+########################################
+#
+# docker local policy
+#
-+allow docker_t self:capability { chown fowner fsetid mknod net_admin };
++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service };
+allow docker_t self:process { getattr signal_perms };
+allow docker_t self:fifo_file rw_fifo_file_perms;
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
++allow docker_t self:tcp_socket create_stream_socket_perms;
++allow docker_t self:udp_socket create_socket_perms;
+allow docker_t self:capability2 block_suspend;
+
+manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
@@ -23167,6 +23265,12 @@ index 0000000..68c225c
+manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
+files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
+
++manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
++manage_files_pattern(docker_t, docker_share_t, docker_share_t)
++manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
++can_exec(docker_t, docker_share_t)
++docker_filetrans_named_content(docker_t)
++
+manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
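Review bot: `can_exec(docker_t, docker_share_t)` sits next to `manage_files_pattern(docker_t, docker_share_t, docker_share_t)`, so docker_t can both write and execute the same type, which is the write-plus-execute combination the rest of the policy avoids by splitting into a private exec type. If the executable content is only the `init` directory labeled earlier in docker.fc, a dedicated type for it (managed by docker_t, executed via that type) would preserve the separation; if exec is needed across all share files, a comment explaining why would help the next reviewer.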
@@ -23180,6 +23284,9 @@ index 0000000..68c225c
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
+
++allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
++term_create_pty(docker_t, docker_devpts_t)
++
+kernel_read_system_state(docker_t)
+kernel_read_network_state(docker_t)
+kernel_read_all_sysctls(docker_t)
@@ -23190,7 +23297,16 @@ index 0000000..68c225c
+corecmd_exec_shell(docker_t)
+
+corenet_tcp_bind_generic_node(docker_t)
++corenet_tcp_sendrecv_generic_if(docker_t)
++corenet_tcp_sendrecv_generic_node(docker_t)
++corenet_tcp_sendrecv_generic_port(docker_t)
++corenet_tcp_bind_all_ports(docker_t)
+corenet_tcp_connect_http_port(docker_t)
++corenet_udp_sendrecv_generic_if(docker_t)
++corenet_udp_sendrecv_generic_node(docker_t)
++corenet_udp_sendrecv_all_ports(docker_t)
++corenet_udp_bind_generic_node(docker_t)
++corenet_udp_bind_all_ports(docker_t)
+
+files_read_etc_files(docker_t)
+
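Review bot: `corenet_tcp_bind_all_ports(docker_t)` and `corenet_udp_bind_all_ports(docker_t)`, together with the `net_bind_service` capability and the tcp/udp socket rules added in the declarations hunk above, remove port labeling as a constraint on the daemon: docker_t may listen on any port type corenetwork defines, reserved or not. If the reason is that `docker -p` binds arbitrary host ports on behalf of containers, a one-line comment here would preserve that rationale, e.g. `# port publishing (-p) can bind any host tcp/udp port`. It is also worth noting that the tcp side keeps only `corenet_tcp_connect_http_port` for outbound connections while the udp side is granted `corenet_udp_sendrecv_all_ports`; if the asymmetry is intentional, say so next to the lines.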
@@ -23209,6 +23325,8 @@ index 0000000..68c225c
+
+mount_domtrans(docker_t)
+
++seutil_read_default_contexts(docker_t)
++
+sysnet_dns_name_resolve(docker_t)
+sysnet_exec_ifconfig(docker_t)
+
@@ -23248,17 +23366,21 @@ index 0000000..68c225c
+dev_rw_loop_control(docker_t)
+dev_rw_lvm_control(docker_t)
+
++files_getattr_isid_type_dirs(docker_t)
+files_manage_isid_type_dirs(docker_t)
+files_manage_isid_type_files(docker_t)
+files_manage_isid_type_symlinks(docker_t)
+files_manage_isid_type_chr_files(docker_t)
++files_manage_isid_type_blk_files(docker_t)
+files_exec_isid_files(docker_t)
+files_mounton_isid(docker_t)
+files_mounton_non_security(docker_t)
++files_mounton_isid_type_chr_file(docker_t)
+
+fs_mount_all_fs(docker_t)
+fs_unmount_all_fs(docker_t)
+fs_remount_all_fs(docker_t)
++files_mounton_isid(docker_t)
+fs_manage_cgroup_dirs(docker_t)
+fs_manage_cgroup_files(docker_t)
+fs_relabelfrom_xattr_fs(docker_t)
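Review bot: `files_mounton_isid(docker_t)` is added at the end of the fs_* block although the identical call already appears in the files_* block a few lines above in this same hunk. The duplicate does not change the compiled policy, but it should be dropped so each interface call is single-sourced and the fs_* block stays limited to fs_ interfaces. The new `files_manage_isid_type_blk_files` and `files_mounton_isid_type_chr_file` lines widen docker_t to block and character devices with an initial SID; a short comment on which device nodes this covers (loop/lvm, per the dev_rw_* calls above) would help later narrowing.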
@@ -23280,12 +23402,18 @@ index 0000000..68c225c
+ virt_exec(docker_t)
+ virt_stream_connect(docker_t)
+ virt_stream_connect_sandbox(docker_t)
++ virt_exec_sandbox_files(docker_t)
+ virt_manage_sandbox_files(docker_t)
+ virt_relabel_sandbox_filesystem(docker_t)
+ # for lxc
+ virt_transition_svirt_sandbox(docker_t, system_r)
+ virt_mounton_sandbox_file(docker_t)
+')
++
++tunable_policy(`docker_transition_unconfined',`
++ unconfined_transition(docker_t, docker_share_t)
++ unconfined_transition(docker_t, docker_var_lib_t)
++')
diff --git a/dovecot.fc b/dovecot.fc
index c880070..4448055 100644
--- a/dovecot.fc
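Review bot: The new `tunable_policy(\`docker_transition_unconfined', ...)` block applies `unconfined_transition` to docker_var_lib_t and docker_share_t, both of which docker_t itself creates and writes via the manage_* rules earlier in this file, so with the boolean on, any executable the daemon unpacks under those types presumably runs in the unconfined domain (the `unconfined_transition` interface is not visible here). The tunable description at the top of the file, outside this hunk, only says "Allow docker to transition to unconfined conateiners" (note the typo); it should state the consequence plainly, e.g. `## Allow docker to run containers unconfined: executables labeled docker_var_lib_t or docker_share_t then run in the unconfined domain.`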
@@ -26769,6 +26897,224 @@ index 2820368..88c98f4 100644
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/geoclue.fc b/geoclue.fc
+new file mode 100644
+index 0000000..a97f14f
+--- /dev/null
++++ b/geoclue.fc
+@@ -0,0 +1,4 @@
++
++/usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
++
++/var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
+diff --git a/geoclue.if b/geoclue.if
+new file mode 100644
+index 0000000..9e17d3e
+--- /dev/null
++++ b/geoclue.if
+@@ -0,0 +1,158 @@
++
++## Geoclue is a D-Bus service that provides location information
++
++########################################
++##
++## Execute geoclue in the geoclue domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`geoclue_domtrans',`
++ gen_require(`
++ type geoclue_t, geoclue_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, geoclue_exec_t, geoclue_t)
++')
++
++########################################
++##
++## Search geoclue lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`geoclue_search_lib',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ allow $1 geoclue_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read geoclue lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`geoclue_read_lib_files',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++##
++## Manage geoclue lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`geoclue_manage_lib_files',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++##
++## Manage geoclue lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`geoclue_manage_lib_dirs',`
++ gen_require(`
++ type geoclue_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## geoclue over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`geoclue_dbus_chat',`
++ gen_require(`
++ type geoclue_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 geoclue_t:dbus send_msg;
++ allow geoclue_t $1:dbus send_msg;
++ ps_process_pattern(geoclue_t, $1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an geoclue environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`geoclue_admin',`
++ gen_require(`
++ type geoclue_t;
++ type geoclue_var_lib_t;
++ ')
++
++ allow $1 geoclue_t:process { signal_perms };
++ ps_process_pattern($1, geoclue_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 geoclue_t:process ptrace;
++ ')
++
++ files_search_var_lib($1)
++ admin_pattern($1, geoclue_var_lib_t)
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/geoclue.te b/geoclue.te
+new file mode 100644
+index 0000000..64faa9e
+--- /dev/null
++++ b/geoclue.te
+@@ -0,0 +1,38 @@
++policy_module(geoclue, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type geoclue_t;
++type geoclue_exec_t;
++application_domain(geoclue_t, geoclue_exec_t)
++role system_r types geoclue_t;
++
++type geoclue_var_lib_t;
++files_type(geoclue_var_lib_t)
++
++########################################
++#
++# geoclue local policy
++#
++
++manage_dirs_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++manage_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++manage_lnk_files_pattern(geoclue_t, geoclue_var_lib_t, geoclue_var_lib_t)
++files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })
++
++corenet_tcp_connect_http_port(geoclue_t)
++
++corecmd_exec_bin(geoclue_t)
++
++dev_read_urand(geoclue_t)
++
++miscfiles_read_certs(geoclue_t)
++
++sysnet_dns_name_resolve(geoclue_t)
++
++optional_policy(`
++ dbus_system_domain(geoclue_t, geoclue_exec_t)
++')
diff --git a/gift.te b/gift.te
index 8a820fa..996b30c 100644
--- a/gift.te
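Review bot: `files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, { dir })` in geoclue.te has no name filter, so any directory geoclue_t creates directly in /var/lib gets geoclue_var_lib_t, while geoclue.fc only claims `/var/lib/geoclue(/.*)?`; pass the name so the transition matches the file context, `files_var_lib_filetrans(geoclue_t, geoclue_var_lib_t, dir, "geoclue")`, the same form as `files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")` elsewhere in this patch. Two documentation nits in geoclue.if: the geoclue_domtrans summary should read "geoclue domain" rather than "geoclue domin", and geoclue_admin should say "a geoclue environment" rather than "an geoclue environment". In geoclue.te the explicit `role system_r types geoclue_t;` is unconditional while `dbus_system_domain` is inside optional_policy; if that is intentional so the role holds without the dbus module, a comment saying so would stop someone removing the line as redundant.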
@@ -34481,10 +34827,10 @@ index 3a00b3a..21efcc4 100644
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index 715fc21..f6a381c 100644
+index 715fc21..1cbf3be 100644
--- a/kdump.te
+++ b/kdump.te
-@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t)
+@@ -12,35 +12,56 @@ init_system_domain(kdump_t, kdump_exec_t)
type kdump_etc_t;
files_config_file(kdump_etc_t)
@@ -34522,13 +34868,14 @@ index 715fc21..f6a381c 100644
+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
-+
-+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-allow kdump_t kdump_etc_t:file read_file_perms;
++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
++
+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
-+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file })
++manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file })
-files_read_etc_files(kdump_t)
files_read_etc_runtime_files(kdump_t)
@@ -34545,7 +34892,7 @@ index 715fc21..f6a381c 100644
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
-@@ -48,22 +68,32 @@ term_use_console(kdump_t)
+@@ -48,22 +69,35 @@ term_use_console(kdump_t)
#######################################
#
@@ -34559,12 +34906,14 @@ index 715fc21..f6a381c 100644
+
allow kdumpctl_t self:capability { dac_override sys_chroot };
allow kdumpctl_t self:process setfscreate;
--allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
++
+ allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-allow kdumpctl_t self:unix_stream_socket { accept listen };
++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
-allow kdumpctl_t kdump_etc_t:file read_file_perms;
-+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
-+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
++manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t)
++files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump")
manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
@@ -34583,7 +34932,7 @@ index 715fc21..f6a381c 100644
kernel_read_system_state(kdumpctl_t)
-@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +105,56 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
@@ -41876,7 +42225,7 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index d15eb5b..66a422b 100644
+index d15eb5b..6af07aa 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -41889,9 +42238,12 @@ index d15eb5b..66a422b 100644
########################################
#
# Local policy
-@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -24,15 +27,17 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+
kernel_read_system_state(modemmanager_t)
++corecmd_exec_bin(modemmanager_t)
++
dev_read_sysfs(modemmanager_t)
+dev_read_urand(modemmanager_t)
dev_rw_modem(modemmanager_t)
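Review bot: `corecmd_exec_bin(modemmanager_t)` grants execute on every bin_t binary in the daemon's own domain, which is the broadest of the exec interfaces. A comment naming the helper ModemManager actually runs would let this be replaced later by a targeted exec or domain transition, e.g. `# runs <helper> from /usr/bin (TODO: name it)`; if the helper is a scripted plugin the comment should say that instead. modemmanager_t's local policy continues outside this hunk.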
@@ -42347,10 +42699,10 @@ index 0000000..b694afc
+')
+
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..cb1e8b0 100644
+index 6ffaba2..7995fce 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,67 @@
+@@ -1,38 +1,68 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -42443,6 +42795,7 @@ index 6ffaba2..cb1e8b0 100644
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+
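Review bot: The new `/usr/lib/firefox/plugin-container -- mozilla_exec_t` entry gives plugin-container a different type from the `/usr/lib/xulrunner[^/]*/plugin-container -- mozilla_plugin_exec_t` entry two lines below, so the same binary name is confined by a different domain depending on its path. If the firefox copy is meant to stay in the browser domain rather than the plugin domain, a comment stating that would prevent the entry being "fixed" to mozilla_plugin_exec_t later. The new path also hardcodes `/usr/lib/firefox/` while the neighbouring firefox entries use `/usr/lib/[^/]*firefox[^/]*/`; whether the versioned or lib64 install directories are covered presumably depends on file_contexts substitutions not shown here, so aligning the pattern with its neighbours is the safer choice.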
@@ -47924,41 +48277,51 @@ index 0000000..0e585e3
+ mysql_tcp_connect(mythtv_script_t)
+')
diff --git a/nagios.fc b/nagios.fc
-index d78dfc3..24a2dec 100644
+index d78dfc3..02f18ac 100644
--- a/nagios.fc
+++ b/nagios.fc
-@@ -1,88 +1,97 @@
+@@ -1,88 +1,109 @@
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
++/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
-+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
-+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0)
++/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
++/usr/lib/icinga/cgi(/.*)? gen_context(system_u:object_r:nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
++/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
++
++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
++/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
++
+ifdef(`distro_debian',`
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
+')
@@ -47978,9 +48341,9 @@ index d78dfc3..24a2dec 100644
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+# mail plugins
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
-+
-+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
++/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
++
+# system plugins
/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
@@ -48071,10 +48434,11 @@ index d78dfc3..24a2dec 100644
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
--
--/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
+# eventhandlers
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
++/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
+
+-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
diff --git a/nagios.if b/nagios.if
index 0641e97..d7d9a79 100644
--- a/nagios.if
@@ -51219,7 +51583,7 @@ index 8f2ab09..6ab4ea1 100644
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index bcd7d0a..3878d3c 100644
+index bcd7d0a..8cc5de9 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,33 +4,34 @@ gen_require(`
@@ -51267,7 +51631,11 @@ index bcd7d0a..3878d3c 100644
type nscd_log_t;
logging_log_file(nscd_log_t)
-@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
+@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t)
+ #
+
+ allow nscd_t self:capability { kill setgid setuid };
++allow nscd_t self:capability2 block_suspend;
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
@@ -51340,7 +51708,7 @@ index bcd7d0a..3878d3c 100644
corenet_rw_tun_tap_dev(nscd_t)
selinux_get_fs_mount(nscd_t)
-@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t)
+@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t)
selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
@@ -51365,7 +51733,7 @@ index bcd7d0a..3878d3c 100644
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
-@@ -121,20 +130,31 @@ optional_policy(`
+@@ -121,20 +131,31 @@ optional_policy(`
')
optional_policy(`
@@ -78480,7 +78848,7 @@ index ef3b225..d248cd3 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rpm.te b/rpm.te
-index 6fc360e..8c53520 100644
+index 6fc360e..13ae4ca 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -78820,7 +79188,7 @@ index 6fc360e..8c53520 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
-@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +329,51 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -78847,6 +79215,9 @@ index 6fc360e..8c53520 100644
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
+
++init_disable_services(rpm_script_t)
++init_enable_services(rpm_script_t)
++init_reload_services(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
@@ -78878,7 +79249,7 @@ index 6fc360e..8c53520 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,41 +379,63 @@ ifdef(`distro_redhat',`
+@@ -363,41 +382,67 @@ ifdef(`distro_redhat',`
')
')
@@ -78893,6 +79264,10 @@ index 6fc360e..8c53520 100644
+')
+
+optional_policy(`
++ bind_systemctl(rpm_script_t)
++')
++
++optional_policy(`
+ certmonger_dbus_chat(rpm_script_t)
+')
+
@@ -78953,7 +79328,7 @@ index 6fc360e..8c53520 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +447,6 @@ optional_policy(`
+@@ -409,6 +454,6 @@ optional_policy(`
')
optional_policy(`
@@ -80919,7 +81294,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..a96f064 100644
+index 2b7c441..d06a165 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -81557,7 +81932,7 @@ index 2b7c441..a96f064 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +565,41 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +565,42 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -81620,10 +81995,11 @@ index 2b7c441..a96f064 100644
+optional_policy(`
+ ctdbd_stream_connect(nmbd_t)
+ ctdbd_manage_var_files(nmbd_t)
++ ctdbd_manage_lib_files(nmbd_t)
')
optional_policy(`
-@@ -606,16 +612,22 @@ optional_policy(`
+@@ -606,16 +613,22 @@ optional_policy(`
########################################
#
@@ -81650,7 +82026,7 @@ index 2b7c441..a96f064 100644
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -627,16 +639,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +640,11 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -81668,7 +82044,7 @@ index 2b7c441..a96f064 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +651,23 @@ optional_policy(`
+@@ -644,22 +652,23 @@ optional_policy(`
########################################
#
@@ -81700,7 +82076,7 @@ index 2b7c441..a96f064 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +676,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +677,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -81736,7 +82112,7 @@ index 2b7c441..a96f064 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +703,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +704,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -81828,7 +82204,7 @@ index 2b7c441..a96f064 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +782,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +783,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -81852,7 +82228,7 @@ index 2b7c441..a96f064 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +796,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +797,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -81895,7 +82271,7 @@ index 2b7c441..a96f064 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +826,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +827,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -81909,7 +82285,7 @@ index 2b7c441..a96f064 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +849,20 @@ optional_policy(`
+@@ -840,17 +850,20 @@ optional_policy(`
# Winbind local policy
#
@@ -81935,7 +82311,7 @@ index 2b7c441..a96f064 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +872,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +873,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -81946,7 +82322,7 @@ index 2b7c441..a96f064 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +883,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +884,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -81976,7 +82352,7 @@ index 2b7c441..a96f064 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -898,13 +906,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +907,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -81997,7 +82373,7 @@ index 2b7c441..a96f064 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +924,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +925,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -82008,7 +82384,7 @@ index 2b7c441..a96f064 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +932,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +933,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -82050,7 +82426,7 @@ index 2b7c441..a96f064 100644
')
optional_policy(`
-@@ -959,31 +980,29 @@ optional_policy(`
+@@ -959,31 +981,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -82088,7 +82464,7 @@ index 2b7c441..a96f064 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1016,38 @@ optional_policy(`
+@@ -997,25 +1017,38 @@ optional_policy(`
########################################
#
@@ -82352,7 +82728,7 @@ index 0000000..6caef63
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/sandboxX.if b/sandboxX.if
new file mode 100644
-index 0000000..e45c73a
+index 0000000..e30b346
--- /dev/null
+++ b/sandboxX.if
@@ -0,0 +1,393 @@
@@ -82400,7 +82776,7 @@ index 0000000..e45c73a
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
-+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
++ dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
+ dontaudit sandbox_x_domain $1:process { signal sigkill };
+
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
@@ -82751,7 +83127,7 @@ index 0000000..e45c73a
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..4566e9b
+index 0000000..0161658
--- /dev/null
+++ b/sandboxX.te
@@ -0,0 +1,498 @@
@@ -83038,6 +83414,10 @@ index 0000000..4566e9b
+ fs_exec_fusefs_files(sandbox_x_domain)
+')
+
++optional_policy(`
++ networkmanager_dontaudit_dbus_chat(sandbox_x_domain)
++')
++
+files_search_home(sandbox_x_t)
+userdom_use_user_ptys(sandbox_x_t)
+
@@ -83194,10 +83574,6 @@ index 0000000..4566e9b
+')
+
+optional_policy(`
-+ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
-+')
-+
-+optional_policy(`
+ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
@@ -95763,7 +96139,7 @@ index a4f20bc..6351bcb 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..09db35b 100644
+index facdee8..15562ad 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -96778,7 +97154,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -860,74 +658,245 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +658,263 @@ interface(`virt_read_lib_files',`
##
##
#
@@ -96841,12 +97217,10 @@ index facdee8..09db35b 100644
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
+ manage_files_pattern($1, virt_image_t, virt_image_t)
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
- ')
-
- ########################################
- ##
--## Create objects in virt pid
--## directories with a private type.
++')
++
++########################################
++##
+## Execute virt server in the virt domain.
+##
+##
@@ -96866,10 +97240,12 @@ index facdee8..09db35b 100644
+ allow $1 virtd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, virtd_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create objects in virt pid
+-## directories with a private type.
+## Ptrace the svirt domain
+##
+##
@@ -96888,6 +97264,24 @@ index facdee8..09db35b 100644
+
+#######################################
+##
++## Execute Sandbox Files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_exec_sandbox_files',`
++ gen_require(`
++ type svirt_sandbox_file_t;
++ ')
++
++ can_exec($1, svirt_sandbox_file_t)
++')
++
++#######################################
++##
+## Manage Sandbox Files
##
##
@@ -97046,7 +97440,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -935,19 +904,17 @@ interface(`virt_read_log',`
+@@ -935,19 +922,17 @@ interface(`virt_read_log',`
##
##
#
@@ -97070,7 +97464,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -955,20 +922,17 @@ interface(`virt_append_log',`
+@@ -955,20 +940,17 @@ interface(`virt_append_log',`
##
##
#
@@ -97095,7 +97489,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -976,18 +940,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +958,17 @@ interface(`virt_manage_log',`
##
##
#
@@ -97118,7 +97512,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -995,36 +958,57 @@ interface(`virt_search_images',`
+@@ -995,36 +976,57 @@ interface(`virt_search_images',`
##
##
#
@@ -97195,7 +97589,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -1032,20 +1016,28 @@ interface(`virt_read_images',`
+@@ -1032,20 +1034,28 @@ interface(`virt_read_images',`
##
##
#
@@ -97231,7 +97625,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -1053,37 +1045,131 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,37 +1063,131 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -97255,7 +97649,7 @@ index facdee8..09db35b 100644
##
-##
+##
-+##
+ ##
+## Prefix for the domain.
+##
+##
@@ -97280,7 +97674,7 @@ index facdee8..09db35b 100644
+## Make the specified type usable as a lxc domain
+##
+##
- ##
++##
+## Type to be used as a lxc domain
+##
+##
@@ -97362,7 +97756,7 @@ index facdee8..09db35b 100644
+ attribute svirt_sandbox_domain;
+ ')
+
-+ allow $1 svirt_sandbox_domain:process transition;
++ allow $1 svirt_sandbox_domain:process { transition signal_perms };
+ role $2 types svirt_sandbox_domain;
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
+
@@ -97377,7 +97771,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -1091,36 +1177,54 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1195,54 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -97451,7 +97845,7 @@ index facdee8..09db35b 100644
##
##
##
-@@ -1136,50 +1240,36 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1258,36 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -97524,7 +97918,7 @@ index facdee8..09db35b 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..2249f86 100644
+index f03dcf5..215ace6 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,197 @@
@@ -97539,7 +97933,7 @@ index f03dcf5..2249f86 100644
+gen_require(`
+ class passwd rootok;
+ class passwd passwd;
-+ ')
++')
+
+attribute virsh_transition_domain;
+attribute virt_ptynode;
@@ -97708,10 +98102,10 @@ index f03dcf5..2249f86 100644
+
+virt_domain_template(svirt_tcg)
+role system_r types svirt_tcg_t;
++
++type qemu_exec_t, virt_file_type;
-type virt_cache_t alias svirt_cache_t;
-+type qemu_exec_t, virt_file_type;
-+
+type virt_cache_t alias svirt_cache_t, virt_file_type;
files_type(virt_cache_t)
@@ -98225,17 +98619,17 @@ index f03dcf5..2249f86 100644
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -98497,13 +98891,7 @@ index f03dcf5..2249f86 100644
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+kernel_read_net_sysctls(virt_domain)
-
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -98513,7 +98901,13 @@ index f03dcf5..2249f86 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-+
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
@@ -98640,7 +99034,7 @@ index f03dcf5..2249f86 100644
+ sssd_dontaudit_read_lib(virt_domain)
+ sssd_dontaudit_read_public_files(virt_domain)
+')
-+
+
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
@@ -98658,7 +99052,7 @@ index f03dcf5..2249f86 100644
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
+')
-
++
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
@@ -98970,7 +99364,7 @@ index f03dcf5..2249f86 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1117,274 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1117,275 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -99003,12 +99397,12 @@ index f03dcf5..2249f86 100644
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -99106,15 +99500,6 @@ index f03dcf5..2249f86 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
-+ docker_read_lib_files(svirt_sandbox_domain)
-+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -99199,17 +99584,27 @@ index f03dcf5..2249f86 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
++ docker_read_share_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++ docker_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
')
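Review bot: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma that every other interface call in this hunk uses; it should read `docker_lib_filetrans(svirt_sandbox_domain, svirt_sandbox_file_t, sock_file)`. The new optional_policy block also applies `docker_use_ptys` and `docker_read_share_files` to the whole svirt_sandbox_domain attribute rather than to a docker-specific domain, so a one-line comment above the block stating why every sandbox domain needs docker's pty nodes and share files, e.g. `# containers launched by docker run as svirt_sandbox_domain members and use docker's ptys and share files`, would help later readers of this attribute. Whether `docker_read_share_files` and `docker_use_ptys` are declared in docker.if cannot be seen from this hunk; the earlier version of the block (removed in the hunk at @@ -99106) called `docker_read_lib_files`, so the rename looks intentional but should be confirmed against docker.if. The enclosing svirt_sandbox_domain section starts outside the hunk.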
@@ -99237,6 +99632,10 @@ index f03dcf5..2249f86 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
++
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -99248,13 +99647,6 @@ index f03dcf5..2249f86 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
-+')
-
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -99263,13 +99655,16 @@ index f03dcf5..2249f86 100644
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
--corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
--corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
+-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
-+
+
+dev_read_sysfs(svirt_lxc_net_t)
dev_getattr_mtrr_dev(svirt_lxc_net_t)
dev_read_rand(svirt_lxc_net_t)
@@ -99336,11 +99731,11 @@ index f03dcf5..2249f86 100644
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-+
-+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-allow svirt_prot_exec_t self:process { execmem execstack };
++list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
++
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -99383,7 +99778,7 @@ index f03dcf5..2249f86 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1397,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1398,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -99398,7 +99793,7 @@ index f03dcf5..2249f86 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1415,8 @@ optional_policy(`
+@@ -1192,9 +1416,8 @@ optional_policy(`
########################################
#
@@ -99409,7 +99804,7 @@ index f03dcf5..2249f86 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1429,198 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1430,198 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a4d715c..38141db 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 15%{?dist}
+Release: 17%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -456,7 +456,6 @@ Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
-Conflicts: pki-selinux < 10-0.0-0.45.b1
%description targeted
SELinux Reference policy targeted base module.
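Review bot: The removal of `Conflicts: pki-selinux < 10-0.0-0.45.b1` is not mentioned in the 3.13.1-16 and 3.13.1-17 changelog entries added later in this file, while the neighbouring `Conflicts:` lines for seedit and 389-ds-base are kept, so the change looks deliberate but undocumented. If the conflict was dropped because older pki-selinux no longer ships a colliding policy module, a changelog line such as `- Drop obsolete Conflicts on pki-selinux` would record that; if it was dropped by mistake, the package can again be installed alongside those old pki-selinux versions.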
@@ -579,6 +578,38 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jan 23 2014 Miroslav Grepl 3.13.1-17
+- init calling needs to be optional in domain.te
+- Allow docker and mount on devpts chr_file
+- Allow docker to transition to unconfined_t if boolean set
+- Label also /usr/libexec/WebKitPluginProcess as mozilla_plugin_exec_t
+- Fix type in docker.te
+- Add mozilla_plugin_exec_t labeling for /usr/lib/firefox/plugin-container
+- Allow docker to use the network and build images
+- Allow docker to read selinux files for labeling, and mount on devpts chr_file
+- Allow domains that transition to svirt_sandbox to send it signals
+- Allow docker to transition to unconfined_t if boolean set
+
+* Wed Jan 22 2014 Miroslav Grepl 3.13.1-16
+- New access needed to allow docker + lxc +SELinux to work together
+- Allow apache to write to the owncloud data directory in /var/www/html...
+- Cleanup sandbox X AVC's
+- Allow consolekit to create log dir
+- Add support for icinga CGI scripts
+- Add support for icinga
+- Allow kdumpctl_t to create kdump lock file
+- Allow kdump to create lnk lock file
+- Allow ABRT write core_pattern
+- Allwo ABRT to read core_pattern
+- Add policy for Geoclue. Geoclue is a D-Bus service that provides location information
+- Allow nscd_t block_suspen capability
+- Allow unconfined domain types to manage own transient unit file
+- Allow systemd domains to handle transient init unit files
+- No longer need the rpm_script_roles line since rpm_transition_script now does this for us
+- Add/fix interfaces for usermodehelper_t
+- Add interfaces to handle transient
+- Fixes for new usermodehelper and proc_securit_t types, added to increase security on /proc and /sys file systems
+
* Mon Jan 20 2014 Miroslav Grepl 3.13.1-15
- Add cron unconfined role support for uncofined SELinux user
- Call kernel_rw_usermodehelper_state() in init.te