From dfee3bea844674392b0786842d96388e683d772a Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: May 12 2017 15:03:36 +0000 Subject: * Fri May 12 2017 Lukas Vrabec - 3.13.1-253 - auth_use_nsswitch can call only domain not attribute - Dontaudit net_admin cap for winbind_t - Allow tlp_t domain to stream connect to system bus - Allow tomcat_t domain read pki_common_t files - Add interface pki_read_common_files() - Fix broken cermonger module - Fix broken apache module - Allow hypervkvp_t domain execute hostname - Dontaudit sssd_selinux_manager_t use of net_admin capability - Allow tomcat_t stream connect to pki_common_t - Dontaudit xguest_t's attempts to listen to its tcp_socket - Allow sssd_selinux_manager_t to ioctl init_t sockets - Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. - Allow pki_tomcat_t domain read /etc/passwd. - Allow tomcat_t domain read ipa_tmp_t files - Label new path for ipa-otpd - Allow radiusd_t domain stream connect to postgresql_t - Allow rhsmcertd_t to execute hostname_exec_t binaries. - Allow virtlogd to append nfs_t files when virt_use_nfs=1 - Allow httpd_t domain read also httpd_user_content_type lnk_files. - Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t - Dontaudit _gkeyringd_t stream connect to system_dbusd_t - Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t - Add interface ipa_filetrans_named_content() - Allow tomcat use nsswitch - Allow certmonger_t start/status generic services - Allow dirsrv read cgroup files. - Allow ganesha_t domain read/write infiniband devices. - Allow sendmail_t domain sysctl_net_t files - Allow targetd_t domain read network state and getattr on loop_control_device_t - Allow condor_schedd_t domain send mails. - Allow ntpd to creating sockets. BZ(1434395) - Alow certmonger to create own systemd unit files. - Add kill namespace capability to xdm_t domain - Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization." - Revert "Allow _su_t to create netlink_selinux_socket" - Allow _su_t to create netlink_selinux_socket - Allow unconfined_t to module_load any file - Allow staff to systemctl virt server when staff_use_svirt=1 - Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context - Allow netutils setpcap capability - Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124) --- diff --git a/container-selinux.tgz b/container-selinux.tgz index 19e9920..5ebf455 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0738e94..adcd569 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2117,7 +2117,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..a3d4e61 100644 +index c44c359..5038ed0 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2138,7 +2138,7 @@ index c44c359..a3d4e61 100644 # Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; -+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot }; ++allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap }; dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; @@ -2328,10 +2328,18 @@ index 688abc2..3d89250 100644 /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0) +/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index 03ec5ca..102ccff 100644 +index 03ec5ca..1ed2cd4 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if -@@ -58,6 +58,7 @@ template(`su_restricted_domain_template', ` +@@ -48,6 +48,7 @@ template(`su_restricted_domain_template', ` + allow $1_su_t self:fifo_file rw_fifo_file_perms; + allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + allow $1_su_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_su_t self:netlink_selinux_socket create_socket_perms; + + # Transition from the user domain to this domain. + domtrans_pattern($2, su_exec_t, $1_su_t) +@@ -58,6 +59,7 @@ template(`su_restricted_domain_template', ` allow $2 $1_su_t:fifo_file rw_file_perms; allow $2 $1_su_t:process sigchld; @@ -2339,7 +2347,7 @@ index 03ec5ca..102ccff 100644 kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) kernel_search_key($1_su_t) -@@ -86,10 +87,10 @@ template(`su_restricted_domain_template', ` +@@ -86,10 +88,10 @@ template(`su_restricted_domain_template', ` # Write to utmp. init_rw_utmp($1_su_t) init_search_script_keys($1_su_t) @@ -2351,7 +2359,7 @@ index 03ec5ca..102ccff 100644 ifdef(`distro_redhat',` # RHEL5 and possibly newer releases incl. Fedora -@@ -119,11 +120,6 @@ template(`su_restricted_domain_template', ` +@@ -119,11 +121,6 @@ template(`su_restricted_domain_template', ` userdom_spec_domtrans_unpriv_users($1_su_t) ') @@ -2363,7 +2371,7 @@ index 03ec5ca..102ccff 100644 optional_policy(` cron_read_pipes($1_su_t) ') -@@ -172,15 +168,8 @@ template(`su_role_template',` +@@ -172,14 +169,6 @@ template(`su_role_template',` role $2 types $1_su_t; allow $3 $1_su_t:process signal; @@ -2376,10 +2384,8 @@ index 03ec5ca..102ccff 100644 - allow $1_su_t self:key { search write }; - allow $1_su_t $3:key search; -+ allow $1_su_t self:netlink_selinux_socket create_socket_perms; # Transition from the user domain to this domain. - domtrans_pattern($3, su_exec_t, $1_su_t) @@ -194,125 +183,16 @@ template(`su_role_template',` allow $3 $1_su_t:process sigchld; @@ -10268,7 +10274,7 @@ index 6a1e4d1..4b87be8 100644 + allow $1 domain:process rlimitinh; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..1de3267 100644 +index cf04cb5..ac8eab0 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,49 @@ policy_module(domain, 1.11.0) @@ -10436,7 +10442,7 @@ index cf04cb5..1de3267 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -160,11 +249,388 @@ allow unconfined_domain_type domain:msg { send receive }; +@@ -160,11 +249,392 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid allow unconfined_domain_type domain:dir list_dir_perms; @@ -10472,6 +10478,10 @@ index cf04cb5..1de3267 100644 +') + +optional_policy(` ++ ipa_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` + locallogin_filetrans_home_content(named_filetrans_domain) +') + @@ -23229,7 +23239,7 @@ index 234a940..a92415a 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fc..aea97fa 100644 +index 0fef1fc..c3c0f6d 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,73 @@ policy_module(staff, 2.4.0) @@ -23588,7 +23598,7 @@ index 0fef1fc..aea97fa 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +400,23 @@ ifndef(`distro_redhat',` +@@ -176,3 +400,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -23608,6 +23618,7 @@ index 0fef1fc..aea97fa 100644 + dev_rw_kvm(staff_t) + virt_manage_images(staff_t) + virt_stream_connect_svirt(staff_t) ++ virt_systemctl(staff_t) + virt_rw_stream_sockets_svirt(staff_t) + virt_exec(staff_t) + ') @@ -25103,10 +25114,10 @@ index 0000000..f730286 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..60c3f9d +index 0000000..89f4076 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,358 @@ +@@ -0,0 +1,360 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -25169,6 +25180,8 @@ index 0000000..60c3f9d +allow unconfined_t self:system syslog_read; +dontaudit unconfined_t self:capability sys_module; + ++allow unconfined_t file_type:system module_load; ++ +kernel_rw_unlabeled_socket(unconfined_t) +kernel_rw_unlabeled_rawip_socket(unconfined_t) + @@ -29671,7 +29684,7 @@ index 6bf0ecc..e6be63a 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..a55ca15 100644 +index 8b40377..da86a8e 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -30030,7 +30043,7 @@ index 8b40377..a55ca15 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -300,64 +420,106 @@ optional_policy(` +@@ -300,64 +420,107 @@ optional_policy(` # XDM Local policy # @@ -30038,6 +30051,7 @@ index 8b40377..a55ca15 100644 -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability2 { block_suspend }; ++allow xdm_t self:cap_userns { kill }; +dontaudit xdm_t self:capability sys_admin; +dontaudit xdm_t self:capability2 wake_alarm; +tunable_policy(`deny_ptrace',`',` @@ -30150,7 +30164,7 @@ index 8b40377..a55ca15 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +528,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +529,31 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -30184,7 +30198,7 @@ index 8b40377..a55ca15 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +562,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +563,51 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -30240,7 +30254,7 @@ index 8b40377..a55ca15 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +617,30 @@ files_list_mnt(xdm_t) +@@ -431,9 +618,30 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -30271,7 +30285,7 @@ index 8b40377..a55ca15 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +649,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +650,46 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -30322,7 +30336,7 @@ index 8b40377..a55ca15 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +697,163 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +698,163 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -30492,7 +30506,7 @@ index 8b40377..a55ca15 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,12 +866,31 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,12 +867,31 @@ tunable_policy(`xdm_sysadm_login',` # allow xserver_t xdm_tmpfs_t:file rw_file_perms; ') @@ -30524,7 +30538,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -518,8 +901,36 @@ optional_policy(` +@@ -518,8 +902,36 @@ optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -30562,7 +30576,7 @@ index 8b40377..a55ca15 100644 ') ') -@@ -530,6 +941,20 @@ optional_policy(` +@@ -530,6 +942,20 @@ optional_policy(` ') optional_policy(` @@ -30583,7 +30597,7 @@ index 8b40377..a55ca15 100644 hostname_exec(xdm_t) ') -@@ -547,28 +972,78 @@ optional_policy(` +@@ -547,28 +973,78 @@ optional_policy(` ') optional_policy(` @@ -30671,7 +30685,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -580,6 +1055,14 @@ optional_policy(` +@@ -580,6 +1056,14 @@ optional_policy(` ') optional_policy(` @@ -30686,7 +30700,7 @@ index 8b40377..a55ca15 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1077,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1078,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -30695,7 +30709,7 @@ index 8b40377..a55ca15 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1087,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1088,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -30708,7 +30722,7 @@ index 8b40377..a55ca15 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1104,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1105,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -30724,7 +30738,7 @@ index 8b40377..a55ca15 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1120,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1121,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -30735,7 +30749,7 @@ index 8b40377..a55ca15 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1135,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1136,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -30777,7 +30791,7 @@ index 8b40377..a55ca15 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1186,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1187,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -30809,7 +30823,7 @@ index 8b40377..a55ca15 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1219,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1220,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -30824,7 +30838,7 @@ index 8b40377..a55ca15 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1240,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1241,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -30848,7 +30862,7 @@ index 8b40377..a55ca15 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1259,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1260,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -30857,7 +30871,7 @@ index 8b40377..a55ca15 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1303,54 @@ optional_policy(` +@@ -785,17 +1304,54 @@ optional_policy(` ') optional_policy(` @@ -30914,7 +30928,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -803,6 +1358,10 @@ optional_policy(` +@@ -803,6 +1359,10 @@ optional_policy(` ') optional_policy(` @@ -30925,7 +30939,7 @@ index 8b40377..a55ca15 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1377,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1378,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -30950,7 +30964,7 @@ index 8b40377..a55ca15 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1400,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1401,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -30985,7 +30999,7 @@ index 8b40377..a55ca15 100644 ') optional_policy(` -@@ -912,7 +1465,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1466,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -30994,7 +31008,7 @@ index 8b40377..a55ca15 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1519,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1520,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -31026,7 +31040,7 @@ index 8b40377..a55ca15 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1565,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1566,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -33598,7 +33612,7 @@ index bc0ffc8..37b8ea5 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..e90f7a4 100644 +index 79a45f6..2dad865 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -34582,10 +34596,28 @@ index 79a45f6..e90f7a4 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1605,6 +2057,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1605,6 +2057,42 @@ interface(`init_rw_script_tmp_files',` ######################################## ## ++## Do not audit attempts to read initrc_tmp_t files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`init_dontaudit_write_initrc_tmp',` ++ gen_require(` ++ type initrc_tmp_t; ++ ') ++ ++ dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms; ++') ++ ++######################################## ++## +## Read and write init script inherited temporary data. +## +## @@ -34607,7 +34639,7 @@ index 79a45f6..e90f7a4 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1677,6 +2147,43 @@ interface(`init_read_utmp',` +@@ -1677,6 +2165,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -34651,7 +34683,7 @@ index 79a45f6..e90f7a4 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1765,7 +2272,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1765,7 +2290,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -34660,7 +34692,7 @@ index 79a45f6..e90f7a4 100644 ') ######################################## -@@ -1806,37 +2313,744 @@ interface(`init_pid_filetrans_utmp',` +@@ -1806,27 +2331,154 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -34697,21 +34729,13 @@ index 79a45f6..e90f7a4 100644 ## -## Allow the specified domain to connect to daemon with a udp socket +## Allow listing of the /run/systemd directory. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`init_udp_recvfrom_all_daemons',` -- gen_require(` -- attribute daemon; -- ') -- corenet_udp_recvfrom_labeled($1, daemon) ++## ++# +interface(`init_list_pid_dirs',` + gen_require(` + type init_var_run_t; @@ -34832,19 +34856,13 @@ index 79a45f6..e90f7a4 100644 +######################################## +## +## Allow the specified domain to connect to daemon with a udp socket -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`init_udp_recvfrom_all_daemons',` -+ gen_require(` -+ attribute daemon; -+ ') -+ corenet_udp_recvfrom_labeled($1, daemon) -+') + ## + ## + ## +@@ -1840,3 +2492,583 @@ interface(`init_udp_recvfrom_all_daemons',` + ') + corenet_udp_recvfrom_labeled($1, daemon) + ') + +######################################## +## @@ -35424,7 +35442,7 @@ index 79a45f6..e90f7a4 100644 + + files_search_var_lib($1) + allow $1 init_var_lib_t:dir search_dir_perms; - ') ++') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 17eda24..fa4ad6a 100644 --- a/policy/modules/system/init.te @@ -43322,7 +43340,7 @@ index 3822072..d358162 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc46420..a86e9eb 100644 +index dc46420..67f4de1 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -43857,7 +43875,7 @@ index dc46420..a86e9eb 100644 ') ######################################## -@@ -522,111 +597,202 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +597,203 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -44036,6 +44054,7 @@ index dc46420..a86e9eb 100644 +init_use_script_fds(setfiles_domain) +init_use_script_ptys(setfiles_domain) +init_exec_script_files(setfiles_domain) ++init_dontaudit_write_initrc_tmp(setfiles_domain) + +userdom_use_all_users_fds(setfiles_domain) # for config files in a home directory diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 62ea368..3e40862 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3521,10 +3521,10 @@ index 0000000..c679dd3 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..dac9ad5 100644 +index 7caefc3..966c2f3 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,217 @@ +@@ -1,162 +1,218 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3861,6 +3861,7 @@ index 7caefc3..dac9ad5 100644 +/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html/nextcloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -5536,7 +5537,7 @@ index f6eb485..fe461a3 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..1cbf151 100644 +index 6649962..371039c 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6865,7 +6866,7 @@ index 6649962..1cbf151 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1026,30 @@ optional_policy(` +@@ -822,8 +1026,31 @@ optional_policy(` ') optional_policy(` @@ -6878,6 +6879,7 @@ index 6649962..1cbf151 100644 + tunable_policy(`httpd_run_ipa',` + ipa_domtrans_helper(httpd_t) + ') ++ ipa_cert_filetrans_named_content(httpd_t) +') + +optional_policy(` @@ -6896,7 +6898,7 @@ index 6649962..1cbf151 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1058,8 @@ optional_policy(` +@@ -832,6 +1059,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -6905,7 +6907,7 @@ index 6649962..1cbf151 100644 ') optional_policy(` -@@ -842,20 +1070,44 @@ optional_policy(` +@@ -842,20 +1071,44 @@ optional_policy(` ') optional_policy(` @@ -6956,7 +6958,7 @@ index 6649962..1cbf151 100644 ') optional_policy(` -@@ -863,16 +1115,31 @@ optional_policy(` +@@ -863,16 +1116,31 @@ optional_policy(` ') optional_policy(` @@ -6990,7 +6992,7 @@ index 6649962..1cbf151 100644 ') optional_policy(` -@@ -883,65 +1150,189 @@ optional_policy(` +@@ -883,65 +1151,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7202,7 +7204,7 @@ index 6649962..1cbf151 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1341,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1342,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7356,7 +7358,7 @@ index 6649962..1cbf151 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1426,107 @@ optional_policy(` +@@ -1083,172 +1427,107 @@ optional_policy(` ') ') @@ -7594,7 +7596,7 @@ index 6649962..1cbf151 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1534,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1535,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7691,7 +7693,7 @@ index 6649962..1cbf151 100644 ######################################## # -@@ -1321,8 +1609,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1610,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7708,7 +7710,7 @@ index 6649962..1cbf151 100644 ') ######################################## -@@ -1330,49 +1625,40 @@ optional_policy(` +@@ -1330,49 +1626,41 @@ optional_policy(` # User content local policy # @@ -7747,6 +7749,7 @@ index 6649962..1cbf151 100644 -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_user_script_t) + read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ++ read_lnk_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ') tunable_policy(`httpd_read_user_content',` @@ -7774,7 +7777,7 @@ index 6649962..1cbf151 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1668,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1670,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -12336,10 +12339,14 @@ index 4a87873..113f3b3 100644 + +mta_send_mail(certmaster_t) diff --git a/certmonger.fc b/certmonger.fc -index ed298d8..cd8eb4d 100644 +index ed298d8..c887648 100644 --- a/certmonger.fc +++ b/certmonger.fc -@@ -2,6 +2,8 @@ +@@ -1,7 +1,12 @@ ++/etc/systemd/system/dirsrv.target.wants(/.*)? gen_context(system_u:object_r:certmonger_unit_file_t,s0) ++/usr/lib/systemd/system/certmonger.* gen_context(system_u:object_r:certmonger_unit_file_t,s0) ++ + /etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0) /usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0) @@ -12377,16 +12384,19 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 550b287..e799a42 100644 +index 550b287..b4565e3 100644 --- a/certmonger.te +++ b/certmonger.te -@@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t) +@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t) type certmonger_var_run_t; files_pid_file(certmonger_var_run_t) +type certmonger_unconfined_exec_t; +application_executable_file(certmonger_unconfined_exec_t) + ++type certmonger_unit_file_t; ++systemd_unit_file(certmonger_unit_file_t) ++ ######################################## # # Local policy @@ -12408,7 +12418,7 @@ index 550b287..e799a42 100644 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t) -@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) +@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file }) kernel_read_kernel_sysctls(certmonger_t) kernel_read_system_state(certmonger_t) @@ -12416,7 +12426,7 @@ index 550b287..e799a42 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) @@ -12444,7 +12454,7 @@ index 550b287..e799a42 100644 fs_search_cgroup_dirs(certmonger_t) -@@ -68,18 +83,22 @@ auth_rw_cache(certmonger_t) +@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t) init_getattr_all_script_files(certmonger_t) @@ -12458,6 +12468,8 @@ index 550b287..e799a42 100644 + +systemd_exec_systemctl(certmonger_t) +systemd_manage_all_unit_files(certmonger_t) ++systemd_start_systemd_services(certmonger_t) ++systemd_status_all_unit_files(certmonger_t) userdom_search_user_home_content(certmonger_t) @@ -12470,7 +12482,7 @@ index 550b287..e799a42 100644 ') optional_policy(` -@@ -92,11 +111,66 @@ optional_policy(` +@@ -92,11 +116,73 @@ optional_policy(` ') optional_policy(` @@ -12514,6 +12526,13 @@ index 550b287..e799a42 100644 + sssd_delete_public_files(certmonger_t) +') + ++optional_policy(` ++ allow certmonger_t certmonger_unit_file_t:service manage_service_perms; ++ allow certmonger_t certmonger_unit_file_t:file manage_file_perms; ++ allow certmonger_t certmonger_unit_file_t:dir manage_dir_perms; ++ systemd_unit_file_filetrans(certmonger_t, certmonger_unit_file_t, dir) ++') ++ +######################################## +# +# certmonger_unconfined_script_t local policy @@ -16514,7 +16533,7 @@ index 881d92f..a2d588a 100644 + ') ') diff --git a/condor.te b/condor.te -index ce9f040..320d6e8 100644 +index ce9f040..bd8d855 100644 --- a/condor.te +++ b/condor.te @@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t) @@ -16557,15 +16576,17 @@ index ce9f040..320d6e8 100644 rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t) -@@ -86,16 +97,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) +@@ -86,16 +97,15 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) allow condor_domain condor_master_t:process signull; allow condor_domain condor_master_t:tcp_socket getattr; +allow condor_domain condor_master_t:udp_socket { read write }; - kernel_read_kernel_sysctls(condor_domain) +-kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) -kernel_read_system_state(condor_domain) ++kernel_rw_kernel_sysctl(condor_domain) ++kernel_search_network_sysctl(condor_domain) corecmd_exec_bin(condor_domain) corecmd_exec_shell(condor_domain) @@ -16575,7 +16596,7 @@ index ce9f040..320d6e8 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -109,9 +118,9 @@ dev_read_rand(condor_domain) +@@ -109,9 +119,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -16587,7 +16608,7 @@ index ce9f040..320d6e8 100644 sysnet_dns_name_resolve(condor_domain) -@@ -130,7 +139,7 @@ optional_policy(` +@@ -130,7 +140,7 @@ optional_policy(` # Master local policy # @@ -16596,7 +16617,7 @@ index ce9f040..320d6e8 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -138,6 +147,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -138,6 +148,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -16607,7 +16628,7 @@ index ce9f040..320d6e8 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -157,6 +170,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -157,6 +171,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) @@ -16616,7 +16637,7 @@ index ce9f040..320d6e8 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -174,6 +189,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -174,6 +190,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -16625,7 +16646,7 @@ index ce9f040..320d6e8 100644 ##################################### # # Negotiator local policy -@@ -183,12 +200,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -183,12 +201,15 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -16641,7 +16662,7 @@ index ce9f040..320d6e8 100644 allow condor_procd_t condor_domain:process sigkill; -@@ -206,6 +226,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -206,6 +227,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -16650,16 +16671,21 @@ index ce9f040..320d6e8 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -214,6 +236,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -214,6 +237,13 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) +corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t) + ++optional_policy(` ++ mta_send_mail(condor_schedd_t) ++ mta_read_config(condor_schedd_t) ++') ++ ##################################### # # Startd local policy -@@ -238,11 +262,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -238,11 +268,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -16672,7 +16698,7 @@ index ce9f040..320d6e8 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -254,3 +277,7 @@ optional_policy(` +@@ -254,3 +283,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -25510,10 +25536,10 @@ index 0000000..b3784d8 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..f9f9806 +index 0000000..fa74f85 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,203 @@ +@@ -0,0 +1,204 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25635,6 +25661,7 @@ index 0000000..f9f9806 +files_read_usr_symlinks(dirsrv_t) + +fs_getattr_all_fs(dirsrv_t) ++fs_read_cgroup_files(dirsrv_t) + +auth_use_pam(dirsrv_t) + @@ -31118,7 +31145,7 @@ index 0000000..d9ba5fa +') diff --git a/ganesha.te b/ganesha.te new file mode 100644 -index 0000000..fe7b5d7 +index 0000000..9542305 --- /dev/null +++ b/ganesha.te @@ -0,0 +1,72 @@ @@ -31172,7 +31199,7 @@ index 0000000..fe7b5d7 +corenet_tcp_bind_mountd_port(ganesha_t) +corenet_udp_bind_mountd_port(ganesha_t) + -+dev_read_infiniband_dev(ganesha_t) ++dev_rw_infiniband_dev(ganesha_t) +dev_read_gpfs(ganesha_t) + +logging_send_syslog_msg(ganesha_t) @@ -33396,7 +33423,7 @@ index e39de43..5edcb83 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index ab09d61..1a07290 100644 +index ab09d61..72d67c2 100644 --- a/gnome.if +++ b/gnome.if @@ -1,52 +1,76 @@ @@ -33520,7 +33547,7 @@ index ab09d61..1a07290 100644 ######################################## # # Gkeyringd policy -@@ -89,37 +110,92 @@ template(`gnome_role_template',` +@@ -89,37 +110,86 @@ template(`gnome_role_template',` domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) @@ -33571,6 +33598,7 @@ index ab09d61..1a07290 100644 optional_policy(` - dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) ++ dbus_dontaudit_stream_connect_system_dbusd($1_gkeyringd_t) + gnome_manage_generic_home_dirs($1_gkeyringd_t) + gnome_read_generic_data_home_files($1_gkeyringd_t) + gnome_read_generic_data_home_dirs($1_gkeyringd_t) @@ -33579,17 +33607,10 @@ index ab09d61..1a07290 100644 - gnome_dbus_chat_gkeyringd($1, $3) + telepathy_mission_control_read_state($1_gkeyringd_t) + telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t) -+ ') -+ ') -+ -+ optional_policy(` -+ gen_require(` -+ type xguest_gkeyringd_t; ') -+ dbus_dontaudit_stream_connect_session_bus(xguest_gkeyringd_t) -+ ') -+') -+ + ') + ') + +####################################### +## +## Allow domain to run gkeyring in the $1_gkeyringd_t domain. @@ -33614,11 +33635,11 @@ index ab09d61..1a07290 100644 + gen_require(` + type $1_gkeyringd_t; + type gkeyringd_exec_t; - ') ++ ') + role $2 types $1_gkeyringd_t; + domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) - ') - ++') ++ ######################################## ## -## Execute gconf in the caller domain. @@ -33626,7 +33647,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -127,18 +203,18 @@ template(`gnome_role_template',` +@@ -127,18 +197,18 @@ template(`gnome_role_template',` ## ## # @@ -33650,7 +33671,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -146,119 +222,114 @@ interface(`gnome_exec_gconf',` +@@ -146,119 +216,114 @@ interface(`gnome_exec_gconf',` ## ## # @@ -33807,7 +33828,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -266,15 +337,21 @@ interface(`gnome_create_generic_home_dirs',` +@@ -266,15 +331,21 @@ interface(`gnome_create_generic_home_dirs',` ## ## # @@ -33834,7 +33855,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -282,57 +359,89 @@ interface(`gnome_setattr_config_dirs',` +@@ -282,57 +353,89 @@ interface(`gnome_setattr_config_dirs',` ## ## # @@ -33942,7 +33963,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -340,15 +449,18 @@ interface(`gnome_read_generic_home_content',` +@@ -340,15 +443,18 @@ interface(`gnome_read_generic_home_content',` ## ## # @@ -33966,7 +33987,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -356,22 +468,18 @@ interface(`gnome_manage_config',` +@@ -356,22 +462,18 @@ interface(`gnome_manage_config',` ## ## # @@ -33994,7 +34015,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -379,53 +487,37 @@ interface(`gnome_manage_generic_home_content',` +@@ -379,53 +481,37 @@ interface(`gnome_manage_generic_home_content',` ## ## # @@ -34056,7 +34077,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -433,17 +525,18 @@ interface(`gnome_home_filetrans',` +@@ -433,17 +519,18 @@ interface(`gnome_home_filetrans',` ## ## # @@ -34079,7 +34100,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -451,23 +544,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` +@@ -451,23 +538,18 @@ interface(`gnome_create_generic_gconf_home_dirs',` ## ## # @@ -34107,7 +34128,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -475,22 +563,18 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -475,22 +557,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # @@ -34134,7 +34155,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -498,79 +582,59 @@ interface(`gnome_manage_generic_gconf_home_content',` +@@ -498,79 +576,59 @@ interface(`gnome_manage_generic_gconf_home_content',` ## ## # @@ -34232,7 +34253,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -579,12 +643,12 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -579,12 +637,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## ## @@ -34247,7 +34268,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -593,18 +657,18 @@ interface(`gnome_home_filetrans_gnome_home',` +@@ -593,18 +651,18 @@ interface(`gnome_home_filetrans_gnome_home',` ## ## # @@ -34272,7 +34293,7 @@ index ab09d61..1a07290 100644 ## ## ## -@@ -612,46 +676,58 @@ interface(`gnome_gconf_home_filetrans',` +@@ -612,46 +670,80 @@ interface(`gnome_gconf_home_filetrans',` ## ## # @@ -34297,15 +34318,11 @@ index ab09d61..1a07290 100644 +## Read generic data home dirs. ## -## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## +## +## +## Domain allowed access. +## - ## ++## +# +interface(`gnome_read_generic_data_home_dirs',` + gen_require(` @@ -34319,6 +34336,30 @@ index ab09d61..1a07290 100644 +## +## Manage gconf data home files +## ++## + ## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). ++## Domain allowed access. + ## + ## ++# ++interface(`gnome_manage_data',` ++ gen_require(` ++ type data_home_t; ++ type gconf_home_t; ++ ') ++ ++ allow $1 gconf_home_t:dir search_dir_perms; ++ manage_dirs_pattern($1, data_home_t, data_home_t) ++ manage_files_pattern($1, data_home_t, data_home_t) ++ manage_lnk_files_pattern($1, data_home_t, data_home_t) ++') ++ ++######################################## ++## ++## Read icc data home content. ++## ## ## ## Domain allowed access. @@ -34326,146 +34367,122 @@ index ab09d61..1a07290 100644 ## # -interface(`gnome_dbus_chat_gkeyringd',` -+interface(`gnome_manage_data',` ++interface(`gnome_read_home_icc_data_content',` gen_require(` - type $1_gkeyringd_t; - class dbus send_msg; -+ type data_home_t; -+ type gconf_home_t; ++ type icc_data_home_t, gconf_home_t, data_home_t; ') - allow $2 $1_gkeyringd_t:dbus send_msg; - allow $1_gkeyringd_t $2:dbus send_msg; -+ allow $1 gconf_home_t:dir search_dir_perms; -+ manage_dirs_pattern($1, data_home_t, data_home_t) -+ manage_files_pattern($1, data_home_t, data_home_t) -+ manage_lnk_files_pattern($1, data_home_t, data_home_t) ++ userdom_search_user_home_dirs($1) ++ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; ++ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_files_pattern($1, icc_data_home_t, icc_data_home_t) ++ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ') ######################################## ## -## Send and receive messages from all -## gnome keyring daemon over dbus. -+## Read icc data home content. ++## Read inherited icc data home files. ## ## ## -@@ -659,59 +735,1090 @@ interface(`gnome_dbus_chat_gkeyringd',` +@@ -659,46 +751,64 @@ interface(`gnome_dbus_chat_gkeyringd',` ## ## # -interface(`gnome_dbus_chat_all_gkeyringd',` -+interface(`gnome_read_home_icc_data_content',` ++interface(`gnome_read_inherited_home_icc_data_files',` gen_require(` - attribute gkeyringd_domain; - class dbus send_msg; -+ type icc_data_home_t, gconf_home_t, data_home_t; ++ type icc_data_home_t; ') - allow $1 gkeyringd_domain:dbus send_msg; - allow gkeyringd_domain $1:dbus send_msg; -+ userdom_search_user_home_dirs($1) -+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; -+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) -+ read_files_pattern($1, icc_data_home_t, icc_data_home_t) -+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t) ++ allow $1 icc_data_home_t:file read_inherited_file_perms; ') ######################################## ## -## Connect to gnome keyring daemon -## with a unix stream socket. -+## Read inherited icc data home files. ++## Create gconf_home_t objects in the /root directory ## -## +## ++## ++## Domain allowed access. ++## ++## ++## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -+## Domain allowed access. ++## The class of the object to be created. ## ## ++## ++## ++## The name of the object being created. ++## ++## +# -+interface(`gnome_read_inherited_home_icc_data_files',` ++interface(`gnome_admin_home_gconf_filetrans',` + gen_require(` -+ type icc_data_home_t; ++ type gconf_home_t; + ') + -+ allow $1 icc_data_home_t:file read_inherited_file_perms; ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) +') + +######################################## +## -+## Create gconf_home_t objects in the /root directory ++## Do not audit attempts to read ++## inherited gconf config files. +## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -+## -+## -+## The class of the object to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## # -interface(`gnome_stream_connect_gkeyringd',` -+interface(`gnome_admin_home_gconf_filetrans',` ++interface(`gnome_dontaudit_read_inherited_gconf_config_files',` gen_require(` - type $1_gkeyringd_t, gnome_keyring_tmp_t; -+ type gconf_home_t; ++ type gconf_etc_t; ') - files_search_tmp($2) - stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) ++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ') ######################################## ## -## Connect to all gnome keyring daemon -## with a unix stream socket. -+## Do not audit attempts to read -+## inherited gconf config files. ++## read gconf config files ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -706,12 +816,1003 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # -interface(`gnome_stream_connect_all_gkeyringd',` -+interface(`gnome_dontaudit_read_inherited_gconf_config_files',` ++interface(`gnome_read_gconf_config',` gen_require(` - attribute gkeyringd_domain; - type gnome_keyring_tmp_t; + type gconf_etc_t; - ') - -- files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) -+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## -+## read gconf config files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_read_gconf_config',` -+ gen_require(` -+ type gconf_etc_t; + ') + + allow $1 gconf_etc_t:dir list_dir_perms; @@ -34608,9 +34625,10 @@ index ab09d61..1a07290 100644 +interface(`gnome_list_gkeyringd_tmp_dirs',` + gen_require(` + type gkeyringd_tmp_t; -+ ') -+ -+ files_search_tmp($1) + ') + + files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) + allow $1 gkeyringd_tmp_t:dir list_dir_perms; +') + @@ -38169,10 +38187,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..b205df0 100644 +index 4eb7041..ea3c933 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,154 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,158 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -38224,10 +38242,12 @@ index 4eb7041..b205df0 100644 +dev_read_sysfs(hyperv_domain) + +######################################## -+# + # +# hypervkvp local policy -+# -+ + # + +-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; +-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +allow hypervkvp_t self:capability sys_ptrace; +allow hypervkvp_t self:process setfscreate; +allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms; @@ -38301,6 +38321,10 @@ index 4eb7041..b205df0 100644 +') + +optional_policy(` ++ hostname_exec(hypervkvp_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(hypervkvp_t) + netutils_domtrans(hypervkvp_t) +') @@ -38318,12 +38342,10 @@ index 4eb7041..b205df0 100644 +') + +######################################## - # ++# +# hypervvssd local policy - # - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++# ++ +allow hypervvssd_t self:capability sys_admin; + +dev_rw_hypervvssd(hypervvssd_t) @@ -39043,10 +39065,12 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..419d280 +index 0000000..74206ed --- /dev/null +++ b/ipa.fc -@@ -0,0 +1,25 @@ +@@ -0,0 +1,29 @@ ++/etc/httpd/alias/ipasession.key -- gen_context(system_u:object_r:ipa_cert_t,s0) ++ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) @@ -39054,6 +39078,8 @@ index 0000000..419d280 +/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0) + +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) ++/usr/libexec/ipa/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) ++ + +/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0) + @@ -39074,10 +39100,10 @@ index 0000000..419d280 + diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..ddbc007 +index 0000000..d611c53 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,252 @@ +@@ -0,0 +1,309 @@ +## Policy for IPA services. + +######################################## @@ -39330,12 +39356,69 @@ index 0000000..ddbc007 + + logging_log_named_filetrans($1, ipa_log_t, dir, "ipa") +') ++ ++####################################### ++## ++## Allow domain to create /tmp/ca.p12 ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_filetrans_named_content',` ++ ++ gen_require(` ++ type ipa_tmp_t; ++ ') ++ ++ files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12") ++') ++ ++######################################## ++## ++## Create file ipasession.key in cert_t dir ++## with ipa_cert_t type ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_cert_filetrans_named_content',` ++ gen_require(` ++ type ipa_cert_t; ++ ') ++ ++ filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key") ++ manage_files_pattern($1, ipa_cert_t, ipa_cert_t) ++') ++ ++######################################## ++## ++## Allow domain to read ipa tmp files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_read_tmp',` ++ gen_require(` ++ type ipa_tmp_t; ++ ') ++ ++ read_files_pattern($1, ipa_tmp_t, ipa_tmp_t) ++') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..55e151e +index 0000000..d806e25 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,264 @@ +@@ -0,0 +1,273 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -39385,6 +39468,9 @@ index 0000000..55e151e +init_system_domain(ipa_helper_t, ipa_helper_exec_t) +role ipa_helper_roles types ipa_helper_t; + ++type ipa_cert_t; ++miscfiles_cert_type(ipa_cert_t) ++ +type ipa_tmp_t; +files_tmp_file(ipa_tmp_t) + @@ -39398,6 +39484,9 @@ index 0000000..55e151e +allow ipa_otpd_t self:fifo_file rw_fifo_file_perms; +allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms; + ++read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t) ++read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t) ++ +manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) +manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) +files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file) @@ -39502,6 +39591,9 @@ index 0000000..55e151e +allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms; +allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read }; + ++read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t) ++read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t) ++ +manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) +setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) +list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) @@ -63569,7 +63661,7 @@ index e96a309..4245308 100644 +') + diff --git a/ntp.te b/ntp.te -index f81b113..76db00a 100644 +index f81b113..6d039fb 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; @@ -63582,7 +63674,11 @@ index f81b113..76db00a 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -53,6 +56,8 @@ allow ntpd_t self:tcp_socket { accept listen }; +@@ -50,9 +53,12 @@ allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; + allow ntpd_t self:fifo_file rw_fifo_file_perms; + allow ntpd_t self:shm create_shm_perms; + allow ntpd_t self:tcp_socket { accept listen }; ++allow ntpd_t self:socket create_socket_perms; manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) @@ -63591,7 +63687,7 @@ index f81b113..76db00a 100644 allow ntpd_t ntp_conf_t:file read_file_perms; -@@ -60,9 +65,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +@@ -60,9 +66,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr_dir_perms; @@ -63602,7 +63698,7 @@ index f81b113..76db00a 100644 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +86,16 @@ kernel_read_system_state(ntpd_t) +@@ -83,21 +87,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -63626,7 +63722,7 @@ index f81b113..76db00a 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +109,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -63643,7 +63739,7 @@ index f81b113..76db00a 100644 auth_use_nsswitch(ntpd_t) -@@ -124,12 +124,14 @@ init_exec_script_files(ntpd_t) +@@ -124,12 +125,14 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -63660,7 +63756,7 @@ index f81b113..76db00a 100644 cron_system_entry(ntpd_t, ntpdate_exec_t) ') -@@ -152,9 +154,18 @@ optional_policy(` +@@ -152,9 +155,18 @@ optional_policy(` ') optional_policy(` @@ -72167,10 +72263,10 @@ index 0000000..47cd0f8 +/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0) diff --git a/pki.if b/pki.if new file mode 100644 -index 0000000..5c7f232 +index 0000000..efe3ad3 --- /dev/null +++ b/pki.if -@@ -0,0 +1,404 @@ +@@ -0,0 +1,442 @@ + +## policy for pki + @@ -72575,12 +72671,50 @@ index 0000000..5c7f232 + + list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t) +') ++ ++######################################## ++## ++## Allow read pki_common_t files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_read_common_files',` ++ gen_require(` ++ type pki_common_t; ++ ') ++ ++ read_files_pattern($1, pki_common_t, pki_common_t) ++') ++ ++######################################## ++## ++## Connect to pki over an unix ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`pki_stream_connect',` ++ gen_require(` ++ type pki_tomcat_t, pki_common_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t) ++') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..bdeebb9 +index 0000000..555b44a --- /dev/null +++ b/pki.te -@@ -0,0 +1,281 @@ +@@ -0,0 +1,283 @@ +policy_module(pki,10.0.11) + +######################################## @@ -72693,6 +72827,8 @@ index 0000000..bdeebb9 +can_exec(pki_tomcat_t, pki_common_t) +init_stream_connect_script(pki_tomcat_t) + ++auth_read_passwd(pki_tomcat_t) ++ +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) + +kernel_read_kernel_sysctls(pki_tomcat_t) @@ -84546,7 +84682,7 @@ index 4460582..4c66c25 100644 + ') diff --git a/radius.te b/radius.te -index 403a4fe..95b5e45 100644 +index 403a4fe..b1668fa 100644 --- a/radius.te +++ b/radius.te @@ -5,6 +5,13 @@ policy_module(radius, 1.13.0) @@ -84669,7 +84805,18 @@ index 403a4fe..95b5e45 100644 logrotate_exec(radiusd_t) ') -@@ -140,5 +167,10 @@ optional_policy(` +@@ -132,6 +159,10 @@ optional_policy(` + ') + + optional_policy(` ++ postgresql_tcp_connect(radiusd_t) ++') ++ ++optional_policy(` + samba_domtrans_winbind_helper(radiusd_t) + ') + +@@ -140,5 +171,10 @@ optional_policy(` ') optional_policy(` @@ -89923,7 +90070,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..7239c98 100644 +index d32e1a2..75b615f 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -89962,7 +90109,7 @@ index d32e1a2..7239c98 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,90 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,94 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -90030,6 +90177,10 @@ index d32e1a2..7239c98 100644 +') + +optional_policy(` ++ hostname_exec(rhsmcertd_t) ++') ++ ++optional_policy(` + rhnsd_manage_config(rhsmcertd_t) +') + @@ -95735,7 +95886,7 @@ index 50d07fb..a34db48 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..efe3f59 100644 +index 2b7c441..c3db0c7 100644 --- a/samba.te +++ b/samba.te @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3) @@ -96834,9 +96985,10 @@ index 2b7c441..efe3f59 100644 # -allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +-dontaudit winbind_t self:capability sys_tty_config; +allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; - dontaudit winbind_t self:capability sys_tty_config; ++dontaudit winbind_t self:capability { net_admin sys_tty_config }; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -allow winbind_t self:unix_stream_socket { accept listen }; @@ -100220,7 +100372,7 @@ index 35ad2a7..afdc7da 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 12700b4..3a32af4 100644 +index 12700b4..2ede411 100644 --- a/sendmail.te +++ b/sendmail.te @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t; @@ -100255,7 +100407,7 @@ index 12700b4..3a32af4 100644 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -63,33 +65,23 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +@@ -63,33 +65,24 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) @@ -100263,6 +100415,7 @@ index 12700b4..3a32af4 100644 kernel_read_system_state(sendmail_t) +kernel_search_network_sysctl(sendmail_t) +kernel_read_kernel_sysctls(sendmail_t) ++kernel_read_net_sysctls(sendmail_t) -corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) @@ -100295,7 +100448,7 @@ index 12700b4..3a32af4 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -98,35 +90,49 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -98,35 +91,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -100351,7 +100504,7 @@ index 12700b4..3a32af4 100644 ') optional_policy(` -@@ -134,8 +140,8 @@ optional_policy(` +@@ -134,8 +141,8 @@ optional_policy(` ') optional_policy(` @@ -100362,7 +100515,7 @@ index 12700b4..3a32af4 100644 ') optional_policy(` -@@ -164,6 +170,10 @@ optional_policy(` +@@ -164,6 +171,10 @@ optional_policy(` ') optional_policy(` @@ -100373,7 +100526,7 @@ index 12700b4..3a32af4 100644 milter_stream_connect_all(sendmail_t) ') -@@ -172,6 +182,11 @@ optional_policy(` +@@ -172,6 +183,11 @@ optional_policy(` ') optional_policy(` @@ -100385,7 +100538,7 @@ index 12700b4..3a32af4 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -193,6 +208,10 @@ optional_policy(` +@@ -193,6 +209,10 @@ optional_policy(` ') optional_policy(` @@ -100396,7 +100549,7 @@ index 12700b4..3a32af4 100644 udev_read_db(sendmail_t) ') -@@ -206,8 +225,6 @@ optional_policy(` +@@ -206,8 +226,6 @@ optional_policy(` # optional_policy(` @@ -105930,7 +106083,7 @@ index a240455..277f8f2 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..6efbaac 100644 +index 2d8db1f..d4fee07 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,31 @@ logging_log_file(sssd_var_log_t) @@ -106048,7 +106201,7 @@ index 2d8db1f..6efbaac 100644 init_read_utmp(sssd_t) -@@ -112,18 +131,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +131,67 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -106076,7 +106229,7 @@ index 2d8db1f..6efbaac 100644 + kerberos_read_home_content(sssd_t) + kerberos_rw_config(sssd_t) + kerberos_rw_keytab(sssd_t) - ') ++') + +optional_policy(` + dirsrv_stream_connect(sssd_t) @@ -106094,7 +106247,7 @@ index 2d8db1f..6efbaac 100644 + +optional_policy(` + systemd_login_read_pid_files(sssd_t) -+') + ') + +######################################## +# @@ -106102,9 +106255,12 @@ index 2d8db1f..6efbaac 100644 +# + +allow sssd_selinux_manager_t self:capability { setgid setuid }; ++dontaudit sssd_selinux_manager_t self:capability net_admin; + +domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t) + ++init_ioctl_stream_sockets(sssd_selinux_manager_t) ++ +logging_send_audit_msgs(sssd_selinux_manager_t) + +seutil_semanage_policy(sssd_selinux_manager_t) @@ -107417,10 +107573,10 @@ index 0000000..a6e216c + diff --git a/targetd.te b/targetd.te new file mode 100644 -index 0000000..7f28cdd +index 0000000..e187320 --- /dev/null +++ b/targetd.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,68 @@ +policy_module(targetd, 1.0.0) + +######################################## @@ -107446,6 +107602,7 @@ index 0000000..7f28cdd +allow targetd_t self:capability { sys_admin }; +allow targetd_t self:fifo_file rw_fifo_file_perms; +allow targetd_t self:unix_stream_socket create_stream_socket_perms; ++allow targetd_t self:unix_dgram_socket create_socket_perms; +allow targetd_t self:tcp_socket listen; +allow targetd_t self:netlink_route_socket r_netlink_socket_perms; +allow targetd_t self:process setfscreate; @@ -107455,6 +107612,7 @@ index 0000000..7f28cdd +files_etc_filetrans(targetd_t, targetd_etc_rw_t, { dir file }) + +kernel_read_system_state(targetd_t) ++kernel_read_network_state(targetd_t) + +auth_use_nsswitch(targetd_t) + @@ -107467,6 +107625,7 @@ index 0000000..7f28cdd +dev_read_sysfs(targetd_t) +dev_read_urand(targetd_t) +dev_rw_lvm_control(targetd_t) ++dev_getattr_loop_control(targetd_t) + +libs_exec_ldconfig(targetd_t) + @@ -110041,10 +110200,10 @@ index 0000000..46f12a4 +') diff --git a/tlp.te b/tlp.te new file mode 100644 -index 0000000..ae69138 +index 0000000..f31ed95 --- /dev/null +++ b/tlp.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,74 @@ +policy_module(tlp, 1.0.0) + +######################################## @@ -110109,6 +110268,10 @@ index 0000000..ae69138 +sysnet_exec_ifconfig(tlp_t) + +optional_policy(` ++ dbus_stream_connect_system_dbusd(tlp_t) ++') ++ ++optional_policy(` + fstools_exec(tlp_t) +') + @@ -110687,10 +110850,10 @@ index 0000000..e5cec8f +') diff --git a/tomcat.te b/tomcat.te new file mode 100644 -index 0000000..1aa150f +index 0000000..71e14ac --- /dev/null +++ b/tomcat.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,86 @@ +policy_module(tomcat, 1.0.0) + +######################################## @@ -110710,6 +110873,7 @@ index 0000000..1aa150f +# tomcat local policy +# + ++auth_use_nsswitch(tomcat_t) + +optional_policy(` + pki_manage_tomcat_cert(tomcat_t) @@ -110718,6 +110882,8 @@ index 0000000..1aa150f + pki_manage_tomcat_etc_rw(tomcat_t) + pki_search_log_dirs(tomcat_t) + pki_manage_tomcat_log(tomcat_t) ++ pki_read_common_files(tomcat_t) ++ pki_stream_connect(tomcat_t) +') + +optional_policy(` @@ -110726,6 +110892,7 @@ index 0000000..1aa150f + +optional_policy(` + ipa_read_lib(tomcat_t) ++ ipa_read_tmp(tomcat_t) +') + +######################################## @@ -110768,9 +110935,6 @@ index 0000000..1aa150f +fs_getattr_all_fs(tomcat_domain) +fs_read_hugetlbfs_files(tomcat_domain) + -+ -+auth_read_passwd(tomcat_domain) -+ +sysnet_dns_name_resolve(tomcat_domain) + +optional_policy(` @@ -115377,7 +115541,7 @@ index facdee8..487857a 100644 + dontaudit $1 virtd_t:lnk_file read_lnk_file_perms; ') diff --git a/virt.te b/virt.te -index f03dcf5..006d4b5 100644 +index f03dcf5..fee0027 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,413 @@ @@ -116401,7 +116565,7 @@ index f03dcf5..006d4b5 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +718,341 @@ optional_policy(` +@@ -746,44 +718,344 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -116479,6 +116643,9 @@ index f03dcf5..006d4b5 100644 +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + ++tunable_policy(`virt_use_nfs',` ++ fs_append_nfs_files(virtlogd_t) ++') + +######################################## +# @@ -116551,7 +116718,7 @@ index f03dcf5..006d4b5 100644 +dontaudit virt_domain virt_tmpfs_type:file { read write }; + +append_files_pattern(virt_domain, virt_log_t, virt_log_t) - ++ +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -116672,7 +116839,7 @@ index f03dcf5..006d4b5 100644 + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) +') -+ + +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) @@ -116765,7 +116932,7 @@ index f03dcf5..006d4b5 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1063,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1066,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -116792,7 +116959,7 @@ index f03dcf5..006d4b5 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1083,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1086,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -116809,10 +116976,10 @@ index f03dcf5..006d4b5 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -116826,7 +116993,7 @@ index f03dcf5..006d4b5 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1120,20 @@ optional_policy(` +@@ -856,14 +1123,20 @@ optional_policy(` ') optional_policy(` @@ -116848,7 +117015,7 @@ index f03dcf5..006d4b5 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1158,66 @@ optional_policy(` +@@ -888,49 +1161,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -116933,7 +117100,7 @@ index f03dcf5..006d4b5 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1229,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1232,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -116953,7 +117120,7 @@ index f03dcf5..006d4b5 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1250,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1253,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -116977,7 +117144,7 @@ index f03dcf5..006d4b5 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1275,296 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1278,296 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -117140,13 +117307,6 @@ index f03dcf5..006d4b5 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+tunable_policy(`virt_sandbox_share_apache_content',` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+ ') -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; @@ -117231,17 +117391,24 @@ index f03dcf5..006d4b5 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++tunable_policy(`virt_sandbox_share_apache_content',` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++ ') +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ ssh_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + @@ -117395,10 +117562,10 @@ index f03dcf5..006d4b5 100644 +term_pty(container_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) -+ -+rpm_read_db(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; ++rpm_read_db(svirt_qemu_net_t) ++ +logging_send_syslog_msg(svirt_qemu_net_t) + +tunable_policy(`virt_sandbox_use_audit',` @@ -117421,7 +117588,7 @@ index f03dcf5..006d4b5 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1577,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1580,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -117436,7 +117603,7 @@ index f03dcf5..006d4b5 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1595,7 @@ optional_policy(` +@@ -1192,7 +1598,7 @@ optional_policy(` ######################################## # @@ -117445,7 +117612,7 @@ index f03dcf5..006d4b5 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1604,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1607,262 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; @@ -120542,10 +120709,10 @@ index 0928c5d..d270a72 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index a64aad3..d923154 100644 +index a64aad3..12dc86b 100644 --- a/xguest.te +++ b/xguest.te -@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0) +@@ -6,46 +6,49 @@ policy_module(xguest, 1.2.0) # ## @@ -120599,7 +120766,8 @@ index a64aad3..d923154 100644 # -kernel_dontaudit_request_load_module(xguest_t) -- ++dontaudit xguest_t xguest_t : tcp_socket { listen }; + ifndef(`enable_mls',` fs_exec_noxattr(xguest_t) @@ -120611,7 +120779,7 @@ index a64aad3..d923154 100644 storage_raw_read_removable_device(xguest_t) storage_raw_write_removable_device(xguest_t) ',` -@@ -54,9 +55,25 @@ ifndef(`enable_mls',` +@@ -54,9 +57,25 @@ ifndef(`enable_mls',` ') optional_policy(` @@ -120638,7 +120806,7 @@ index a64aad3..d923154 100644 files_dontaudit_getattr_boot_dirs(xguest_t) files_search_mnt(xguest_t) -@@ -65,10 +82,9 @@ optional_policy(` +@@ -65,10 +84,9 @@ optional_policy(` fs_manage_noxattr_fs_dirs(xguest_t) fs_getattr_noxattr_fs(xguest_t) fs_read_noxattr_fs_symlinks(xguest_t) @@ -120650,7 +120818,7 @@ index a64aad3..d923154 100644 ') ') -@@ -84,12 +100,25 @@ optional_policy(` +@@ -84,12 +102,25 @@ optional_policy(` ') ') @@ -120662,23 +120830,23 @@ index a64aad3..d923154 100644 + +optional_policy(` + colord_dbus_chat(xguest_t) - ') - - optional_policy(` -- gnomeclock_dontaudit_dbus_chat(xguest_t) -+ chrome_role(xguest_r, xguest_t) +') + +optional_policy(` -+ thumb_role(xguest_r, xguest_t) ++ chrome_role(xguest_r, xguest_t) +') + +optional_policy(` ++ thumb_role(xguest_r, xguest_t) + ') + + optional_policy(` +- gnomeclock_dontaudit_dbus_chat(xguest_t) + dbus_dontaudit_chat_system_bus(xguest_t) ') optional_policy(` -@@ -97,75 +126,78 @@ optional_policy(` +@@ -97,75 +128,78 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 614a27f..aeab6e6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 252%{?dist} +Release: 253%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -689,6 +689,50 @@ exit 0 %endif %changelog +* Fri May 12 2017 Lukas Vrabec - 3.13.1-253 +- auth_use_nsswitch can call only domain not attribute +- Dontaudit net_admin cap for winbind_t +- Allow tlp_t domain to stream connect to system bus +- Allow tomcat_t domain read pki_common_t files +- Add interface pki_read_common_files() +- Fix broken cermonger module +- Fix broken apache module +- Allow hypervkvp_t domain execute hostname +- Dontaudit sssd_selinux_manager_t use of net_admin capability +- Allow tomcat_t stream connect to pki_common_t +- Dontaudit xguest_t's attempts to listen to its tcp_socket +- Allow sssd_selinux_manager_t to ioctl init_t sockets +- Improve ipa_cert_filetrans_named_content() interface to also allow caller domain manage ipa_cert_t type. +- Allow pki_tomcat_t domain read /etc/passwd. +- Allow tomcat_t domain read ipa_tmp_t files +- Label new path for ipa-otpd +- Allow radiusd_t domain stream connect to postgresql_t +- Allow rhsmcertd_t to execute hostname_exec_t binaries. +- Allow virtlogd to append nfs_t files when virt_use_nfs=1 +- Allow httpd_t domain read also httpd_user_content_type lnk_files. +- Allow httpd_t domain create /etc/httpd/alias/ipaseesion.key with label ipa_cert_t +- Dontaudit _gkeyringd_t stream connect to system_dbusd_t +- Label /var/www/html/nextcloud/data as httpd_sys_rw_content_t +- Add interface ipa_filetrans_named_content() +- Allow tomcat use nsswitch +- Allow certmonger_t start/status generic services +- Allow dirsrv read cgroup files. +- Allow ganesha_t domain read/write infiniband devices. +- Allow sendmail_t domain sysctl_net_t files +- Allow targetd_t domain read network state and getattr on loop_control_device_t +- Allow condor_schedd_t domain send mails. +- Allow ntpd to creating sockets. BZ(1434395) +- Alow certmonger to create own systemd unit files. +- Add kill namespace capability to xdm_t domain +- Revert "su using libselinux and creating netlink_selinux socket is needed to allow libselinux initialization." +- Revert "Allow _su_t to create netlink_selinux_socket" +- Allow _su_t to create netlink_selinux_socket +- Allow unconfined_t to module_load any file +- Allow staff to systemctl virt server when staff_use_svirt=1 +- Allow unconfined_t create /tmp/ca.p12 file with ipa_tmp_t context +- Allow netutils setpcap capability +- Dontaudit leaked file descriptor happening in setfiles_t domain BZ(1388124) + * Thu Apr 20 2017 Michael Scherer - 3.13.1-252 - fix #1380325, selinux-policy-sandbox always removing sandbox module on upgrade