From d9444b18fb3910c4c94536c4504f76ce8027e201 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 02 2013 12:31:42 +0000 Subject: - Allow realmd to create tmp files - FIx ircssi_home_t type to irssi_home_t - Allow adcli running as realmd_t to connect to ldap port - Allow NetworkManager to transition to ipsec_t, for running strongswan - Make openshift_initrc_t an lxc_domain - Allow gssd to manage user_tmp_t files - Fix handling of irclogs in users homedir - Fix labeling for drupal an wp-content in subdirs of /var/www/html - Allow abrt to read utmp_t file - Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a - fix labeling for (oo|rhc)-restorer-wrapper.sh - firewalld needs to be able to write to network sysctls - Fix mozilla_plugin_dontaudit_rw_sem() interface - Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains - Add mozilla_plugin_dontaudit_rw_sem() interface - Allow svirt_lxc_t to transition to openshift domains - Allow condor domains block_suspend and dac_override caps - Allow condor_master to read passd - Allow condor_master to read system state - Allow NetworkManager to transition to ipsec_t, for running strongswan - Lots of access required by lvm_t to created encrypted usb device - Allow xdm_t to dbus communicate with systemd_localed_t - Label strongswan content as ipsec_exec_mgmt_t for now - Allow users to dbus chat with systemd_localed - Fix handling of .xsession-errors in xserver.if, so kde will work - Might be a bug but we are seeing avc's about people status on init_t:service - Make sure we label content under /var/run/lock as <> - Allow daemon and systemprocesses to search init_var_run_t directory - Add boolean to allow xdm to write xauth data to the home directory - Allow mount to write keys for the unconfined domain --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 699d224..0b14445 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8084,7 +8084,7 @@ index cf04cb5..274ef6d 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..96aeeef 100644 +index c2c6e05..be423a7 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -8305,7 +8305,14 @@ index c2c6e05..96aeeef 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -262,6 +279,7 @@ ifndef(`distro_redhat',` +@@ -256,12 +273,14 @@ ifndef(`distro_redhat',` + /var/run -l gen_context(system_u:object_r:var_run_t,s0) + /var/run/.* gen_context(system_u:object_r:var_run_t,s0) + /var/run/.*\.*pid <> ++/var/run/lock/.* <> + + /var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0) + /var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) @@ -8313,7 +8320,7 @@ index c2c6e05..96aeeef 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +288,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +289,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -15169,18 +15176,20 @@ index 8416beb..60b2ce1 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..97dbeb4 100644 +index 9e603f5..2b79004 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); +@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem -@@ -53,6 +54,7 @@ type anon_inodefs_t; +@@ -53,6 +55,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -15188,7 +15197,7 @@ index 9e603f5..97dbeb4 100644 type bdev_t; fs_type(bdev_t) -@@ -68,7 +70,7 @@ fs_type(capifs_t) +@@ -68,7 +71,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) @@ -15197,7 +15206,7 @@ index 9e603f5..97dbeb4 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +91,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +92,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -15209,7 +15218,7 @@ index 9e603f5..97dbeb4 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +104,7 @@ type hugetlbfs_t; +@@ -97,6 +105,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -15217,7 +15226,7 @@ index 9e603f5..97dbeb4 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -125,6 +133,10 @@ type oprofilefs_t; +@@ -125,6 +134,10 @@ type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) @@ -15228,7 +15237,7 @@ index 9e603f5..97dbeb4 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +157,6 @@ fs_type(spufs_t) +@@ -145,11 +158,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -15240,7 +15249,7 @@ index 9e603f5..97dbeb4 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +174,8 @@ type vxfs_t; +@@ -167,6 +175,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -15249,7 +15258,7 @@ index 9e603f5..97dbeb4 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +185,8 @@ fs_type(tmpfs_t) +@@ -176,6 +186,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -15258,7 +15267,7 @@ index 9e603f5..97dbeb4 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +267,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -15267,7 +15276,7 @@ index 9e603f5..97dbeb4 100644 files_mountpoint(removable_t) # -@@ -274,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +288,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -18984,10 +18993,10 @@ index 0000000..0e8654b +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..bac0dc0 +index 0000000..cf6582f --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,595 @@ +@@ -0,0 +1,613 @@ +## Unconfiend user role + +######################################## @@ -19415,6 +19424,24 @@ index 0000000..bac0dc0 + +######################################## +## ++## Write keys for the unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_write_keys',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ allow $1 unconfined_t:key write; ++') ++ ++######################################## ++## +## Send messages to the unconfined domain over dbus. +## +## @@ -22072,7 +22099,7 @@ index d1f64a0..3be3d00 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..d4ed029 100644 +index 6bf0ecc..ad955d5 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -22320,32 +22347,11 @@ index 6bf0ecc..d4ed029 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +495,13 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP") -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority") -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c") -+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c") -+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old") -+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc") ++ xserver_filetrans_home_content($2) + # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -22357,7 +22363,7 @@ index 6bf0ecc..d4ed029 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +513,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -22387,7 +22393,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +564,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -22395,7 +22401,7 @@ index 6bf0ecc..d4ed029 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',` +@@ -547,6 +595,42 @@ interface(`xserver_domtrans_xauth',` domtrans_pattern($1, xauth_exec_t, xauth_t) ') @@ -22438,7 +22444,7 @@ index 6bf0ecc..d4ed029 100644 ######################################## ## ## Create a Xauthority file in the user home directory. -@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -22446,7 +22452,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -22455,7 +22461,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -638,6 +744,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +723,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -22481,7 +22487,7 @@ index 6bf0ecc..d4ed029 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -22490,7 +22496,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -22499,7 +22505,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -22508,7 +22514,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -22522,7 +22528,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -22596,7 +22602,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -22622,7 +22628,7 @@ index 6bf0ecc..d4ed029 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -22649,7 +22655,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -22677,7 +22683,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -22702,7 +22708,7 @@ index 6bf0ecc..d4ed029 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',` +@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -22730,7 +22736,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -22739,7 +22745,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -22785,7 +22791,7 @@ index 6bf0ecc..d4ed029 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22794,7 +22800,7 @@ index 6bf0ecc..d4ed029 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -22837,7 +22843,7 @@ index 6bf0ecc..d4ed029 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22846,7 +22852,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -22858,7 +22864,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -22885,7 +22891,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -22894,7 +22900,7 @@ index 6bf0ecc..d4ed029 100644 ## ## ## -@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -22919,7 +22925,7 @@ index 6bf0ecc..d4ed029 100644 ') ######################################## -@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -23412,14 +23418,28 @@ index 6bf0ecc..d4ed029 100644 + ') + + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") -+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") -+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n") ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf") + userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") @@ -23448,6 +23468,18 @@ index 6bf0ecc..d4ed029 100644 + + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc") + userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped") ++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP") + userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority") + userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") @@ -23459,6 +23491,7 @@ index 6bf0ecc..d4ed029 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d") + userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts") + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") ++ + optional_policy(` + gnome_cache_filetrans($1, xdm_home_t, dir, "xdm") + ') @@ -23500,7 +23533,7 @@ index 6bf0ecc..d4ed029 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..8ac9130 100644 +index 2696452..0881350 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -24065,7 +24098,7 @@ index 2696452..8ac9130 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -24106,10 +24139,11 @@ index 2696452..8ac9130 100644 -sysnet_read_config(xdm_t) +systemd_write_inhibit_pipes(xdm_t) ++systemd_dbus_chat_localed(xdm_t) userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -24159,7 +24193,7 @@ index 2696452..8ac9130 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -24186,7 +24220,7 @@ index 2696452..8ac9130 100644 ') optional_policy(` -@@ -514,12 +739,72 @@ optional_policy(` +@@ -514,12 +740,72 @@ optional_policy(` ') optional_policy(` @@ -24259,7 +24293,7 @@ index 2696452..8ac9130 100644 hostname_exec(xdm_t) ') -@@ -537,28 +822,78 @@ optional_policy(` +@@ -537,28 +823,78 @@ optional_policy(` ') optional_policy(` @@ -24347,7 +24381,7 @@ index 2696452..8ac9130 100644 ') optional_policy(` -@@ -570,6 +905,14 @@ optional_policy(` +@@ -570,6 +906,14 @@ optional_policy(` ') optional_policy(` @@ -24362,7 +24396,7 @@ index 2696452..8ac9130 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -24375,7 +24409,7 @@ index 2696452..8ac9130 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24391,7 +24425,7 @@ index 2696452..8ac9130 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +970,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -24402,7 +24436,7 @@ index 2696452..8ac9130 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +985,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24424,7 +24458,7 @@ index 2696452..8ac9130 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1005,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -24438,7 +24472,7 @@ index 2696452..8ac9130 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1031,27 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -24469,7 +24503,7 @@ index 2696452..8ac9130 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1062,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -24487,7 +24521,7 @@ index 2696452..8ac9130 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1085,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1086,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -24511,7 +24545,7 @@ index 2696452..8ac9130 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1104,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -24520,7 +24554,7 @@ index 2696452..8ac9130 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1148,44 @@ optional_policy(` +@@ -775,16 +1149,44 @@ optional_policy(` ') optional_policy(` @@ -24566,7 +24600,7 @@ index 2696452..8ac9130 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1194,10 @@ optional_policy(` +@@ -793,6 +1195,10 @@ optional_policy(` ') optional_policy(` @@ -24577,7 +24611,7 @@ index 2696452..8ac9130 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -24591,7 +24625,7 @@ index 2696452..8ac9130 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -24600,7 +24634,7 @@ index 2696452..8ac9130 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1237,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1238,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24635,7 +24669,7 @@ index 2696452..8ac9130 100644 ') optional_policy(` -@@ -902,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24644,7 +24678,7 @@ index 2696452..8ac9130 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1356,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -24676,7 +24710,7 @@ index 2696452..8ac9130 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1402,40 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -26735,7 +26769,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..f03be17 100644 +index 24e7804..1894886 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -27620,7 +27654,7 @@ index 24e7804..f03be17 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -27847,6 +27881,7 @@ index 24e7804..f03be17 100644 + ') + + allow $1 init_t:system status; ++ allow $1 init_t:service status; +') + +######################################## @@ -27905,7 +27940,7 @@ index 24e7804..f03be17 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..8913598 100644 +index dd3be8d..99c538c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -28177,9 +28212,9 @@ index dd3be8d..8913598 100644 - auth_rw_login_records(init_t) + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_aliases(init_t) @@ -28303,9 +28338,9 @@ index dd3be8d..8913598 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) +') + @@ -28313,18 +28348,18 @@ index dd3be8d..8913598 100644 + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') @@ -28967,7 +29002,7 @@ index dd3be8d..8913598 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1353,185 @@ optional_policy(` +@@ -896,3 +1353,187 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -29018,6 +29053,8 @@ index dd3be8d..8913598 100644 +allow initrc_t daemon:process siginh; +allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; +allow daemon initrc_transition_domain:fd use; ++allow daemon init_var_run_t:dir search_dir_perms; ++allow systemprocess init_var_run_t:dir search_dir_perms; + +allow init_t daemon:unix_stream_socket create_stream_socket_perms; +allow init_t daemon:unix_dgram_socket create_socket_perms; @@ -29154,7 +29191,7 @@ index dd3be8d..8913598 100644 + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..a452892 100644 +index 662e79b..626a689 100644 --- a/policy/modules/system/ipsec.fc +++ b/policy/modules/system/ipsec.fc @@ -1,6 +1,8 @@ @@ -29179,7 +29216,7 @@ index 662e79b..a452892 100644 /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -+/usr/libexec/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) @@ -29189,7 +29226,7 @@ index 662e79b..a452892 100644 /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..ac0a652 100644 +index 0d4c8d3..3375525 100644 --- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',` @@ -29216,7 +29253,68 @@ index 0d4c8d3..ac0a652 100644 interface(`ipsec_kill_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',` +@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',` + allow $1 ipsec_mgmt_t:process sigkill; + ') + ++######################################## ++## ++## Send ipsec a general signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_signal',` ++ gen_require(` ++ type ipsec_t; ++ ') ++ ++ allow $1 ipsec_t:process signal; ++') ++ ++######################################## ++## ++## Send ipsec a null signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_signull',` ++ gen_require(` ++ type ipsec_t; ++ ') ++ ++ allow $1 ipsec_t:process signull; ++') ++ ++######################################## ++## ++## Send ipsec a kill signal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_kill',` ++ gen_require(` ++ type ipsec_t; ++ ') ++ ++ allow $1 ipsec_t:process sigkill; ++') ++ + ###################################### + ## + ## Send and receive messages from +@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; @@ -29224,7 +29322,7 @@ index 0d4c8d3..ac0a652 100644 ') ######################################## -@@ -369,3 +367,26 @@ interface(`ipsec_run_setkey',` +@@ -369,3 +421,26 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -31599,7 +31697,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..ea56d23 100644 +index e8c59a5..df70cac 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -31621,7 +31719,7 @@ index e8c59a5..ea56d23 100644 type lvm_lock_t; files_lock_file(lvm_lock_t) -@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t) +@@ -49,15 +52,19 @@ files_tmp_file(lvm_tmp_t) allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod }; dontaudit clvmd_t self:capability sys_tty_config; allow clvmd_t self:process { signal_perms setsched }; @@ -31636,10 +31734,14 @@ index e8c59a5..ea56d23 100644 +manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) +fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) + ++manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) - files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) +-files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) ++files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir }) + + read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t) -@@ -71,7 +77,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) +@@ -71,7 +78,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t) corecmd_exec_shell(clvmd_t) corecmd_getattr_bin_files(clvmd_t) @@ -31647,7 +31749,7 @@ index e8c59a5..ea56d23 100644 corenet_all_recvfrom_netlabel(clvmd_t) corenet_tcp_sendrecv_generic_if(clvmd_t) corenet_udp_sendrecv_generic_if(clvmd_t) -@@ -120,9 +125,7 @@ init_dontaudit_getattr_initctl(clvmd_t) +@@ -120,9 +126,7 @@ init_dontaudit_getattr_initctl(clvmd_t) logging_send_syslog_msg(clvmd_t) @@ -31657,7 +31759,7 @@ index e8c59a5..ea56d23 100644 seutil_sigchld_newrole(clvmd_t) seutil_read_config(clvmd_t) seutil_read_file_contexts(clvmd_t) -@@ -141,6 +144,11 @@ ifdef(`distro_redhat',` +@@ -141,6 +145,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -31669,7 +31771,7 @@ index e8c59a5..ea56d23 100644 ccs_stream_connect(clvmd_t) ') -@@ -170,6 +178,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; @@ -31677,7 +31779,7 @@ index e8c59a5..ea56d23 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -191,10 +200,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,10 +201,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -31690,7 +31792,7 @@ index e8c59a5..ea56d23 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,8 +214,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -31698,10 +31800,11 @@ index e8c59a5..ea56d23 100644 manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) +files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) ++init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +232,7 @@ kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +234,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -31709,7 +31812,7 @@ index e8c59a5..ea56d23 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +245,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -31724,7 +31827,7 @@ index e8c59a5..ea56d23 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -31732,7 +31835,7 @@ index e8c59a5..ea56d23 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +273,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -31755,7 +31858,7 @@ index e8c59a5..ea56d23 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -31764,15 +31867,15 @@ index e8c59a5..ea56d23 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +315,22 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) +logging_stream_connect_syslog(lvm_t) -+ -+authlogin_rw_pipes(lvm_t) -miscfiles_read_localization(lvm_t) ++authlogin_rw_pipes(lvm_t) ++auth_use_nsswitch(lvm_t) seutil_read_config(lvm_t) seutil_read_file_contexts(lvm_t) @@ -31783,10 +31886,12 @@ index e8c59a5..ea56d23 100644 userdom_use_user_terminals(lvm_t) +userdom_rw_semaphores(lvm_t) +userdom_search_user_home_dirs(lvm_t) ++ ++usermanage_read_crack_db(lvm_t) ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +338,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +342,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -31798,7 +31903,7 @@ index e8c59a5..ea56d23 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +363,26 @@ optional_policy(` +@@ -333,14 +367,26 @@ optional_policy(` ') optional_policy(` @@ -32797,7 +32902,7 @@ index 4584457..0755e25 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..ac90315 100644 +index 6a50270..2fc14cd 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) @@ -33104,7 +33209,7 @@ index 6a50270..ac90315 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +298,124 @@ optional_policy(` +@@ -194,24 +298,128 @@ optional_policy(` ') optional_policy(` @@ -33164,16 +33269,20 @@ index 6a50270..ac90315 100644 +optional_policy(` + usbmuxd_stream_connect(mount_t) +') ++ ++optional_policy(` ++ userhelper_exec_console(mount_t) ++') ++ ++optional_policy(` ++ unconfined_write_keys(mount_t) ++') optional_policy(` - files_etc_filetrans_etc_runtime(unconfined_mount_t, file) - unconfined_domain(unconfined_mount_t) -+ userhelper_exec_console(mount_t) - ') -+ -+optional_policy(` + virt_read_blk_images(mount_t) -+') + ') + +optional_policy(` + vmware_exec_host(mount_t) @@ -35451,10 +35560,10 @@ index 0000000..4e12420 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..ab20e2f +index 0000000..2927875 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1081 @@ +@@ -0,0 +1,1103 @@ +## SELinux policy for systemd components + +###################################### @@ -36518,7 +36627,7 @@ index 0000000..ab20e2f +######################################## +## +## Send and receive messages from -+## systemd timedated over dbus. ++## systemd hostnamed over dbus. +## +## +## @@ -36536,6 +36645,28 @@ index 0000000..ab20e2f + allow systemd_hostnamed_t $1:dbus send_msg; + ps_process_pattern(systemd_hostnamed_t, $1) +') ++ ++######################################## ++## ++## Send and receive messages from ++## systemd localed over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_dbus_chat_localed',` ++ gen_require(` ++ type systemd_localed_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 systemd_localed_t:dbus send_msg; ++ allow systemd_localed_t $1:dbus send_msg; ++ ps_process_pattern(systemd_localed_t, $1) ++') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 index 0000000..4d56107 @@ -38554,7 +38685,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..05bc969 100644 +index 3c5dba7..9799799 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39816,7 +39947,7 @@ index 3c5dba7..05bc969 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1309,59 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -39863,6 +39994,7 @@ index 3c5dba7..05bc969 100644 + optional_policy(` + systemd_dbus_chat_timedated($1_t) + systemd_dbus_chat_hostnamed($1_t) ++ systemd_dbus_chat_localed($1_t) + ') + + optional_policy(` @@ -39886,7 +40018,7 @@ index 3c5dba7..05bc969 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -39897,7 +40029,7 @@ index 3c5dba7..05bc969 100644 ') ') -@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -39906,7 +40038,7 @@ index 3c5dba7..05bc969 100644 ') ############################## -@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -39914,7 +40046,7 @@ index 3c5dba7..05bc969 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -39924,7 +40056,7 @@ index 3c5dba7..05bc969 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -39932,7 +40064,7 @@ index 3c5dba7..05bc969 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -39947,7 +40079,7 @@ index 3c5dba7..05bc969 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -39990,7 +40122,7 @@ index 3c5dba7..05bc969 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -39999,7 +40131,7 @@ index 3c5dba7..05bc969 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40018,7 +40150,7 @@ index 3c5dba7..05bc969 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40027,7 +40159,7 @@ index 3c5dba7..05bc969 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40039,7 +40171,7 @@ index 3c5dba7..05bc969 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40082,7 +40214,7 @@ index 3c5dba7..05bc969 100644 ') optional_policy(` -@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40101,7 +40233,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40153,7 +40285,7 @@ index 3c5dba7..05bc969 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40185,7 +40317,7 @@ index 3c5dba7..05bc969 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40200,7 +40332,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40212,7 +40344,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40255,7 +40387,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40264,7 +40396,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40279,7 +40411,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2247,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40288,7 +40420,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2255,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -40312,7 +40444,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2273,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -40352,7 +40484,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2321,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40378,7 +40510,7 @@ index 3c5dba7..05bc969 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2370,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40416,7 +40548,7 @@ index 3c5dba7..05bc969 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2410,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40434,7 +40566,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2458,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -40461,7 +40593,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2486,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -40482,7 +40614,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2502,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -40533,7 +40665,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2579,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -40543,7 +40675,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2595,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -40568,7 +40700,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## -@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2685,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -40577,7 +40709,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2693,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -40601,7 +40733,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2711,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -40617,7 +40749,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2953,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -40632,7 +40764,7 @@ index 3c5dba7..05bc969 100644 files_search_tmp($1) ') -@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2977,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -40641,7 +40773,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3224,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -40667,7 +40799,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3259,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -40683,7 +40815,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3287,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -40692,7 +40824,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3295,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -40715,7 +40847,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',` +@@ -2735,25 +3313,43 @@ interface(`userdom_manage_user_tmpfs_files',` ## ## # @@ -40765,7 +40897,7 @@ index 3c5dba7..05bc969 100644 gen_require(` type user_tty_device_t; ') -@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3413,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -40790,7 +40922,7 @@ index 3c5dba7..05bc969 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3449,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -40833,7 +40965,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3485,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -40871,7 +41003,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3530,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -40901,7 +41033,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3622,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41002,7 +41134,7 @@ index 3c5dba7..05bc969 100644 ## ## ## -@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3691,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41017,7 +41149,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3760,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41026,7 +41158,7 @@ index 3c5dba7..05bc969 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3776,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41060,7 +41192,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3217,7 +3863,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41069,7 +41201,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3272,7 +3918,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41135,7 +41267,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3290,7 +3993,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41144,7 +41276,7 @@ index 3c5dba7..05bc969 100644 ') ######################################## -@@ -3309,6 +4012,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41152,7 +41284,7 @@ index 3c5dba7..05bc969 100644 kernel_search_proc($1) ') -@@ -3385,6 +4089,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41195,7 +41327,7 @@ index 3c5dba7..05bc969 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4145,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -41220,7 +41352,7 @@ index 3c5dba7..05bc969 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4196,1357 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index fe16da6..ab50247 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -516,7 +516,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..0842350 100644 +index cc43d25..563c773 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -732,7 +732,7 @@ index cc43d25..0842350 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -756,13 +756,14 @@ index cc43d25..0842350 100644 fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) --auth_use_nsswitch(abrt_t) -- - logging_read_generic_logs(abrt_t) ++logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) - -+auth_use_nsswitch(abrt_t) + + auth_use_nsswitch(abrt_t) + +-logging_read_generic_logs(abrt_t) ++init_read_utmp(abrt_t) + +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) @@ -771,7 +772,7 @@ index cc43d25..0842350 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -788,7 +789,7 @@ index cc43d25..0842350 100644 ') optional_policy(` -@@ -209,6 +220,12 @@ optional_policy(` +@@ -209,6 +222,12 @@ optional_policy(` ') optional_policy(` @@ -801,7 +802,7 @@ index cc43d25..0842350 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +237,7 @@ optional_policy(` +@@ -220,6 +239,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -809,7 +810,7 @@ index cc43d25..0842350 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +248,7 @@ optional_policy(` +@@ -230,6 +250,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -817,7 +818,7 @@ index cc43d25..0842350 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +259,17 @@ optional_policy(` +@@ -240,9 +261,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -836,7 +837,7 @@ index cc43d25..0842350 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -851,7 +852,7 @@ index cc43d25..0842350 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +299,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -859,7 +860,7 @@ index cc43d25..0842350 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -880,7 +881,7 @@ index cc43d25..0842350 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -907,7 +908,7 @@ index cc43d25..0842350 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +365,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -921,7 +922,7 @@ index cc43d25..0842350 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +383,11 @@ optional_policy(` +@@ -330,10 +385,11 @@ optional_policy(` ####################################### # @@ -935,7 +936,7 @@ index cc43d25..0842350 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -977,7 +978,7 @@ index cc43d25..0842350 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) @@ -995,7 +996,7 @@ index cc43d25..0842350 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -2721,7 +2722,7 @@ index 0000000..b334e9a + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..e714059 100644 +index 550a69e..78579c0 100644 --- a/apache.fc +++ b/apache.fc @@ -1,161 +1,184 @@ @@ -3018,12 +3019,12 @@ index 550a69e..e714059 100644 -/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + -+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) -+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) ++/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) ++/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0) + +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + -+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + @@ -12410,7 +12411,7 @@ index 3fe3cb8..684b700 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..22ddc47 100644 +index 3f2b672..2af6e1e 100644 --- a/condor.te +++ b/condor.te @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) @@ -12423,8 +12424,13 @@ index 3f2b672..22ddc47 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -59,8 +62,9 @@ condor_domain_template(startd) +@@ -57,10 +60,14 @@ condor_domain_template(startd) + # Global local policy + # ++allow condor_domain self:capability dac_override; ++allow condor_domain self:capability2 block_suspend; ++ allow condor_domain self:process signal_perms; allow condor_domain self:fifo_file rw_fifo_file_perms; -allow condor_domain self:tcp_socket { accept listen }; @@ -12435,7 +12441,7 @@ index 3f2b672..22ddc47 100644 manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) append_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,13 +90,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -12449,7 +12455,7 @@ index 3f2b672..22ddc47 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +107,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +110,7 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -12460,16 +12466,36 @@ index 3f2b672..22ddc47 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -150,8 +149,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) +@@ -125,7 +127,7 @@ optional_policy(` + # Master local policy + # + +-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace }; ++allow condor_master_t self:capability { setuid setgid sys_ptrace }; + + allow condor_master_t condor_domain:process { sigkill signal }; + +@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) + manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) + files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) + ++can_exec(condor_master_t, condor_master_exec_t) ++ ++kernel_read_system_state(condor_master_tmp_t) ++ + corenet_udp_sendrecv_generic_if(condor_master_t) + corenet_udp_sendrecv_generic_node(condor_master_t) + corenet_tcp_bind_generic_node(condor_master_t) +@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) domain_read_all_domains_state(condor_master_t) -auth_use_nsswitch(condor_master_t) -- ++auth_read_passwd(condor_master_t) + optional_policy(` mta_send_mail(condor_master_t) - mta_read_config(condor_master_t) -@@ -178,6 +175,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -12478,7 +12504,16 @@ index 3f2b672..22ddc47 100644 ###################################### # # Procd local policy -@@ -209,6 +208,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; + + allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; + ++allow condor_schedd_t condor_master_tmp_t:dir getattr; ++ + domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) + domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) + +@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -12487,7 +12522,7 @@ index 3f2b672..22ddc47 100644 ##################################### # # Startd local policy -@@ -233,11 +234,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -12500,7 +12535,7 @@ index 3f2b672..22ddc47 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +249,7 @@ optional_policy(` +@@ -249,3 +260,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -18739,7 +18774,7 @@ index d294865..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index ff933af..41ca7ce 100644 +index ff933af..fc9d3f4 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) @@ -18842,18 +18877,19 @@ index ff933af..41ca7ce 100644 ') optional_policy(` -@@ -180,6 +184,10 @@ optional_policy(` +@@ -180,6 +184,11 @@ optional_policy(` ') optional_policy(` + systemd_read_logind_sessions_files(devicekit_disk_t) ++ systemd_write_inhibit_pipes(devicekit_disk_t) +') + +optional_policy(` udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -188,12 +196,19 @@ optional_policy(` +@@ -188,12 +197,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -18874,7 +18910,7 @@ index ff933af..41ca7ce 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -@@ -207,9 +222,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) @@ -18885,7 +18921,7 @@ index ff933af..41ca7ce 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -@@ -242,17 +255,16 @@ domain_read_all_domains_state(devicekit_power_t) +@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -18905,7 +18941,7 @@ index ff933af..41ca7ce 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -269,9 +281,11 @@ optional_policy(` +@@ -269,9 +282,11 @@ optional_policy(` optional_policy(` cron_initrc_domtrans(devicekit_power_t) @@ -18917,7 +18953,7 @@ index ff933af..41ca7ce 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -302,8 +316,11 @@ optional_policy(` +@@ -302,8 +317,11 @@ optional_policy(` ') optional_policy(` @@ -18930,7 +18966,7 @@ index ff933af..41ca7ce 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -341,3 +358,9 @@ optional_policy(` +@@ -341,3 +359,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -22546,7 +22582,7 @@ index 5cf6ac6..839999e 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index c8014f8..02de884 100644 +index c8014f8..d84522b 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t) @@ -22571,7 +22607,7 @@ index c8014f8..02de884 100644 dontaudit firewalld_t self:capability sys_tty_config; allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; -@@ -40,8 +49,17 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; +@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms; allow firewalld_t firewalld_var_log_t:file setattr_file_perms; logging_log_filetrans(firewalld_t, firewalld_var_log_t, file) @@ -22589,7 +22625,11 @@ index c8014f8..02de884 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -53,20 +71,17 @@ dev_read_urand(firewalld_t) ++kernel_rw_net_sysctls(firewalld_t) + + corecmd_exec_bin(firewalld_t) + corecmd_exec_shell(firewalld_t) +@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -22615,7 +22655,7 @@ index c8014f8..02de884 100644 optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -85,6 +100,10 @@ optional_policy(` +@@ -85,6 +101,10 @@ optional_policy(` ') optional_policy(` @@ -28148,8 +28188,20 @@ index 94ec5f8..801417b 100644 logging_send_syslog_msg(iodined_t) +diff --git a/irc.fc b/irc.fc +index 48e7739..c3285c2 100644 +--- a/irc.fc ++++ b/irc.fc +@@ -1,6 +1,6 @@ + HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) + HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) +-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) ++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0) + + /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) + diff --git a/irc.if b/irc.if -index ac00fb0..06cb083 100644 +index ac00fb0..53e4fc7 100644 --- a/irc.if +++ b/irc.if @@ -20,6 +20,7 @@ interface(`irc_role',` @@ -28160,7 +28212,7 @@ index ac00fb0..06cb083 100644 ') ######################################## -@@ -39,10 +40,33 @@ interface(`irc_role',` +@@ -39,10 +40,34 @@ interface(`irc_role',` ps_process_pattern($2, irc_t) allow $2 irc_t:process { ptrace signal_perms }; @@ -28195,16 +28247,23 @@ index ac00fb0..06cb083 100644 +interface(`irc_filetrans_home_content',` + gen_require(` + type irc_home_t; ++ type irssi_home_t; + ') + userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd") + userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi") -+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs") ++ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") ') diff --git a/irc.te b/irc.te -index ecad9c7..56e2b35 100644 +index ecad9c7..86d790f 100644 --- a/irc.te +++ b/irc.te -@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t) +@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t + typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t }; + userdom_user_home_content(irc_home_t) + +-type irc_log_home_t; +-userdom_user_home_content(irc_log_home_t) +- type irc_tmp_t; typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t }; typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t }; @@ -28233,12 +28292,12 @@ index ecad9c7..56e2b35 100644 +type irssi_etc_t; +files_config_file(irssi_etc_t) + -+type irssi_home_t; ++type irssi_home_t alias irc_log_home_t; +userdom_user_home_content(irssi_home_t) ######################################## # -@@ -53,13 +78,7 @@ allow irc_t irc_conf_t:file read_file_perms; +@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms; manage_dirs_pattern(irc_t, irc_home_t, irc_home_t) manage_files_pattern(irc_t, irc_home_t, irc_home_t) manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t) @@ -28253,7 +28312,7 @@ index ecad9c7..56e2b35 100644 manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -@@ -70,7 +89,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) +@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_system_state(irc_t) @@ -28261,7 +28320,7 @@ index ecad9c7..56e2b35 100644 corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) -@@ -93,7 +111,6 @@ dev_read_rand(irc_t) +@@ -93,7 +108,6 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) @@ -28269,7 +28328,7 @@ index ecad9c7..56e2b35 100644 fs_getattr_all_fs(irc_t) fs_search_auto_mountpoints(irc_t) -@@ -106,13 +123,15 @@ auth_use_nsswitch(irc_t) +@@ -106,13 +120,15 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) @@ -28287,7 +28346,7 @@ index ecad9c7..56e2b35 100644 tunable_policy(`irc_use_any_tcp_ports',` corenet_sendrecv_all_server_packets(irc_t) -@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',` +@@ -122,18 +138,71 @@ tunable_policy(`irc_use_any_tcp_ports',` corenet_tcp_sendrecv_all_ports(irc_t) ') @@ -36110,7 +36169,7 @@ index 6ffaba2..18e3a70 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..648d041 100644 +index 6194b80..116d9d2 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -36273,14 +36332,14 @@ index 6194b80..648d041 100644 - allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; - allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; -+ mozilla_filetrans_home_content($2) - +- - allow $2 mozilla_plugin_rw_t:dir list_dir_perms; - allow $2 mozilla_plugin_rw_t:file read_file_perms; - allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; - - can_exec($2, mozilla_plugin_rw_t) -- ++ mozilla_filetrans_home_content($2) + - optional_policy(` - mozilla_dbus_chat_plugin($2) - ') @@ -36586,7 +36645,7 @@ index 6194b80..648d041 100644 ## ## ## -@@ -433,76 +320,90 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -36654,6 +36713,24 @@ index 6194b80..648d041 100644 - libs_search_lib($1) - manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t) + allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms; ++') ++ ++####################################### ++## ++## Dontaudit generict ipc read/write to a mozilla_plugin ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mozilla_plugin_dontaudit_rw_sem',` ++ gen_require(` ++ type mozilla_plugin_t; ++ ') ++ ++ allow $1 mozilla_plugin_t:sem { unix_read unix_write }; ') ######################################## @@ -36706,7 +36783,7 @@ index 6194b80..648d041 100644 ## ## ## -@@ -510,19 +411,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -36731,7 +36808,7 @@ index 6194b80..648d041 100644 ## ## ## -@@ -530,45 +430,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -42641,7 +42718,7 @@ index 0e8508c..b9c69d2 100644 + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..0c6cd41 100644 +index 0b48a30..57fe60f 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -42672,7 +42749,7 @@ index 0b48a30..0c6cd41 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,24 +42,41 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # @@ -42699,6 +42776,7 @@ index 0b48a30..0c6cd41 100644 +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; +allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; ++allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_socket create_socket_perms; allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms; -allow NetworkManager_t self:tcp_socket { accept listen }; @@ -42723,7 +42801,7 @@ index 0b48a30..0c6cd41 100644 manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) -@@ -68,6 +88,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -42731,7 +42809,7 @@ index 0b48a30..0c6cd41 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,9 +102,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -42741,7 +42819,7 @@ index 0b48a30..0c6cd41 100644 kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) -@@ -91,7 +109,6 @@ kernel_request_load_module(NetworkManager_t) +@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t) kernel_read_debugfs(NetworkManager_t) kernel_rw_net_sysctls(NetworkManager_t) @@ -42749,7 +42827,7 @@ index 0b48a30..0c6cd41 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +119,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -42775,7 +42853,7 @@ index 0b48a30..0c6cd41 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +135,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -42789,7 +42867,7 @@ index 0b48a30..0c6cd41 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +143,16 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -42806,7 +42884,7 @@ index 0b48a30..0c6cd41 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +161,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -42819,7 +42897,7 @@ index 0b48a30..0c6cd41 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +180,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -42856,7 +42934,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -196,10 +221,6 @@ optional_policy(` +@@ -196,10 +222,6 @@ optional_policy(` ') optional_policy(` @@ -42867,7 +42945,7 @@ index 0b48a30..0c6cd41 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +231,11 @@ optional_policy(` +@@ -210,16 +232,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -42886,7 +42964,7 @@ index 0b48a30..0c6cd41 100644 ') ') -@@ -231,18 +247,19 @@ optional_policy(` +@@ -231,18 +248,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -42909,7 +42987,18 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -257,11 +274,7 @@ optional_policy(` +@@ -250,6 +268,10 @@ optional_policy(` + ipsec_kill_mgmt(NetworkManager_t) + ipsec_signal_mgmt(NetworkManager_t) + ipsec_signull_mgmt(NetworkManager_t) ++ ipsec_domtrans(NetworkManager_t) ++ ipsec_kill(NetworkManager_t) ++ ipsec_signal(NetworkManager_t) ++ ipsec_signull(NetworkManager_t) + ') + + optional_policy(` +@@ -257,11 +279,7 @@ optional_policy(` ') optional_policy(` @@ -42922,7 +43011,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -274,10 +287,17 @@ optional_policy(` +@@ -274,10 +292,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -42940,7 +43029,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -289,6 +309,7 @@ optional_policy(` +@@ -289,6 +314,7 @@ optional_policy(` ') optional_policy(` @@ -42948,7 +43037,7 @@ index 0b48a30..0c6cd41 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +317,7 @@ optional_policy(` +@@ -296,7 +322,7 @@ optional_policy(` ') optional_policy(` @@ -42957,7 +43046,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -307,6 +328,7 @@ optional_policy(` +@@ -307,6 +333,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -42965,7 +43054,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -320,13 +342,15 @@ optional_policy(` +@@ -320,13 +347,15 @@ optional_policy(` ') optional_policy(` @@ -42985,7 +43074,7 @@ index 0b48a30..0c6cd41 100644 ') optional_policy(` -@@ -356,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -47541,7 +47630,7 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..e108d48 +index 0000000..f2d6119 --- /dev/null +++ b/openshift.fc @@ -0,0 +1,26 @@ @@ -47565,7 +47654,7 @@ index 0000000..e108d48 +/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + +/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) -+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0) ++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0) +/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + @@ -48225,10 +48314,10 @@ index 0000000..407386d +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..894ce1c +index 0000000..3c311bb --- /dev/null +++ b/openshift.te -@@ -0,0 +1,530 @@ +@@ -0,0 +1,535 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -48325,6 +48414,8 @@ index 0000000..894ce1c +unconfined_domain_noaudit(openshift_initrc_t) +mcs_process_set_categories(openshift_initrc_t) + ++virt_lxc_domain(openshift_initrc_t) ++ +systemd_dbus_chat_logind(openshift_initrc_t) + +manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t) @@ -48393,7 +48484,10 @@ index 0000000..894ce1c + +manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) +manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) -+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file }) ++manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t) ++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file }) +can_exec(openshift_domain, openshift_tmpfs_t) + +manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t) @@ -63150,7 +63244,7 @@ index bff31df..e38693b 100644 ## ## diff --git a/realmd.te b/realmd.te -index 9a8f052..727d60a 100644 +index 9a8f052..9817f00 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ @@ -63159,7 +63253,7 @@ index 9a8f052..727d60a 100644 ######################################## # -@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2) +@@ -7,29 +7,37 @@ policy_module(realmd, 1.0.2) type realmd_t; type realmd_exec_t; @@ -63167,6 +63261,9 @@ index 9a8f052..727d60a 100644 +application_domain(realmd_t, realmd_exec_t) +role system_r types realmd_t; + ++type realmd_tmp_t; ++files_tmp_file(realmd_tmp_t) ++ +type realmd_var_cache_t; +files_type(realmd_var_cache_t) @@ -63179,6 +63276,10 @@ index 9a8f052..727d60a 100644 allow realmd_t self:capability sys_nice; allow realmd_t self:process setsched; ++manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) ++manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t) ++files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file }) ++ +manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) +manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t) + @@ -63195,17 +63296,16 @@ index 9a8f052..727d60a 100644 -corenet_sendrecv_http_client_packets(realmd_t) corenet_tcp_connect_http_port(realmd_t) -corenet_tcp_sendrecv_http_port(realmd_t) ++corenet_tcp_connect_ldap_port(realmd_t) domain_use_interactive_fds(realmd_t) - dev_read_rand(realmd_t) - dev_read_urand(realmd_t) +@@ -38,12 +46,20 @@ dev_read_urand(realmd_t) --fs_getattr_all_fs(realmd_t) + fs_getattr_all_fs(realmd_t) -files_read_usr_files(realmd_t) -+fs_getattr_all_fs(realmd_t) - +- auth_use_nsswitch(realmd_t) logging_send_syslog_msg(realmd_t) @@ -63223,7 +63323,7 @@ index 9a8f052..727d60a 100644 optional_policy(` dbus_system_domain(realmd_t, realmd_exec_t) -@@ -67,17 +76,25 @@ optional_policy(` +@@ -67,17 +83,25 @@ optional_policy(` optional_policy(` nis_exec_ypbind(realmd_t) @@ -63252,13 +63352,13 @@ index 9a8f052..727d60a 100644 ') optional_policy(` -@@ -86,5 +103,26 @@ optional_policy(` +@@ -86,5 +110,26 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) - sssd_initrc_domtrans(realmd_t) + sssd_systemctl(realmd_t) - ') ++') + +optional_policy(` + xserver_read_state_xdm(realmd_t) @@ -63277,7 +63377,7 @@ index 9a8f052..727d60a 100644 + oddjob_systemctl(realmd_consolehelper_t) + + unconfined_domain_noaudit(realmd_consolehelper_t) -+') + ') + + diff --git a/remotelogin.fc b/remotelogin.fc @@ -67080,7 +67180,7 @@ index 3bd6446..a61764b 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..699925d 100644 +index e5212e6..427ea8c 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ @@ -67412,7 +67512,7 @@ index e5212e6..699925d 100644 userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) -+ userdom_write_user_tmp_files(gssd_t) ++ userdom_manage_user_tmp_files(gssd_t) + files_read_generic_tmp_files(gssd_t) ') @@ -72221,10 +72321,10 @@ index 0000000..1b21b7b +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..449a87c +index 0000000..5a3d049 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,462 @@ +@@ -0,0 +1,463 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -72685,6 +72785,7 @@ index 0000000..449a87c + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) ++ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') diff --git a/sanlock.fc b/sanlock.fc @@ -84087,7 +84188,7 @@ index c30da4c..014e40c 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..b991ec7 100644 +index 9dec06c..8f6d2a3 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -85492,7 +85593,7 @@ index 9dec06c..b991ec7 100644 ## ## ## -@@ -1091,95 +943,132 @@ interface(`virt_manage_virt_cache',` +@@ -1091,95 +943,150 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -85511,16 +85612,16 @@ index 9dec06c..b991ec7 100644 - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") - +- - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') -- ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) @@ -85585,14 +85686,6 @@ index 9dec06c..b991ec7 100644 - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) - ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) -- -- init_labeled_script_domtrans($1, virtd_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 virtd_initrc_exec_t system_r; -- allow $2 system_r; -- -- fs_search_tmpfs($1) -- admin_pattern($1, virt_tmpfs_type) + type $1_t, svirt_lxc_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) @@ -85600,9 +85693,33 @@ index 9dec06c..b991ec7 100644 + mcs_constrained($1_t) + role system_r types $1_t; +- init_labeled_script_domtrans($1, virtd_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 virtd_initrc_exec_t system_r; +- allow $2 system_r; ++ kernel_read_system_state($1_t) ++') + +- fs_search_tmpfs($1) +- admin_pattern($1, virt_tmpfs_type) ++######################################## ++## ++## Make the specified type usable as a lxc domain ++## ++## ++## ++## Type to be used as a lxc domain ++## ++## ++# ++template(`virt_lxc_domain',` ++ gen_require(` ++ attribute svirt_lxc_domain; ++ ') + - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -+ kernel_read_system_state($1_t) ++ typeattribute $1 svirt_lxc_domain; +') - files_search_etc($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2989464..a6980b9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,38 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Apr 2 2013 Miroslav Grepl 3.12.1-25 +- Allow realmd to create tmp files +- FIx ircssi_home_t type to irssi_home_t +- Allow adcli running as realmd_t to connect to ldap port +- Allow NetworkManager to transition to ipsec_t, for running strongswan +- Make openshift_initrc_t an lxc_domain +- Allow gssd to manage user_tmp_t files +- Fix handling of irclogs in users homedir +- Fix labeling for drupal an wp-content in subdirs of /var/www/html +- Allow abrt to read utmp_t file +- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6 +- fix labeling for (oo|rhc)-restorer-wrapper.sh +- firewalld needs to be able to write to network sysctls +- Fix mozilla_plugin_dontaudit_rw_sem() interface +- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains +- Add mozilla_plugin_dontaudit_rw_sem() interface +- Allow svirt_lxc_t to transition to openshift domains +- Allow condor domains block_suspend and dac_override caps +- Allow condor_master to read passd +- Allow condor_master to read system state +- Allow NetworkManager to transition to ipsec_t, for running strongswan +- Lots of access required by lvm_t to created encrypted usb device +- Allow xdm_t to dbus communicate with systemd_localed_t +- Label strongswan content as ipsec_exec_mgmt_t for now +- Allow users to dbus chat with systemd_localed +- Fix handling of .xsession-errors in xserver.if, so kde will work +- Might be a bug but we are seeing avc's about people status on init_t:service +- Make sure we label content under /var/run/lock as <> +- Allow daemon and systemprocesses to search init_var_run_t directory +- Add boolean to allow xdm to write xauth data to the home directory +- Allow mount to write keys for the unconfined domain + * Tue Mar 26 2013 Miroslav Grepl 3.12.1-24 - Add labeling for /usr/share/pki - Allow programs that read var_run_t symlinks also read var_t symlinks