From f35d9026d65111bef19214e820ec46dd65006a93 Mon Sep 17 00:00:00 2001 
From: Lukas Vrabec Date: Aug 03 2015 23:19:35 +0000 Subject: * Tue Aug 04 2015 Lukas Vrabec 3.13.1-139 - Add header for sslh.if file - Fix sslh_admin() interface - Clean up sslh.if - Fix typo in pdns.if - Allow qpid to create lnk_files in qpid_var_lib_t. - Allow httpd_suexec_t to read and write Apache stream sockets - Merge pull request #21 from hogarthj/rawhide-contrib - Allow virt_qemu_ga_t domtrans to passwd_t. - use read and manage files_patterns and the description for the admin interface - Merge pull request #17 from rubenk/pdns-policy - Allow redis to read kernel parameters. - Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500) - Allow hostapd to manage sock file in /var/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostapd BZ(#1237343) - Allow bumblebee to send kill signal to xserver - glusterd calls the pcs utility, which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes. - Allow drbd to get attributes from filesystems. - Allow drbd to read configuration options used when loading modules. - fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface - Added Booleans: pcp_read_generic_logs. - Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs. - Allow glusterd to communicate with cluster domains over stream socket. - fix copy paste error with writing the admin interface - fix up the regex in sslh.fc, add sslh_admin() interface - adding selinux policy files for sslh - Remove duplicate sftpd_write_ssh_home boolean rule. - Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs." - gnome_dontaudit_search_config() needs to be a part of optional_policy in pegasus.te - Allow glusterd to manage nfsd and rpcd services. - Add kdbus.pp policy to allow access /sys/fs/kdbus. 
It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode. - kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp - kdbusfs should not be accessible for now. - Add support for /sys/fs/kdbus and allow login_pgm domain to access it. - Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). - Label /usr/sbin/chpasswd as passwd_exec_t. - Allow audisp_remote_t to read/write user domain pty. - Allow audisp_remote_t to start power unit files domain to allow halt system. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 81fba31..469b4de 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -2575,7 +2575,7 @@ index d9fce57..5c4a213 100644 + fprintd_dbus_chat(sudodomain) +') diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc -index f82f0ce..204bdc8 100644 +index f82f0ce..7b8915d 100644 --- a/policy/modules/admin/usermanage.fc +++ b/policy/modules/admin/usermanage.fc @@ -20,6 +20,7 @@ ifdef(`distro_gentoo',` @@ -2586,6 +2586,14 @@ index f82f0ce..204bdc8 100644 /usr/sbin/pwconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) /usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0) +@@ -27,6 +28,7 @@ ifdef(`distro_gentoo',` + /usr/sbin/usermod -- gen_context(system_u:object_r:useradd_exec_t,s0) + /usr/sbin/vigr -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) + /usr/sbin/vipw -- gen_context(system_u:object_r:admin_passwd_exec_t,s0) ++/usr/sbin/chpasswd -- gen_context(system_u:object_r:passwd_exec_t,s0) + + /usr/share/cracklib(/.*)? gen_context(system_u:object_r:crack_db_t,s0) + diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if index 99e3903..fa68362 100644 --- a/policy/modules/admin/usermanage.if 
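Review bot: The new `/usr/sbin/chpasswd` entry is labelled `passwd_exec_t`, while the neighbouring administrative tools in the same list (`pwconv`, `pwunconv`, `vigr`, `vipw`) use `admin_passwd_exec_t`, and nothing in the file says why this one differs. With this label, any domain that is allowed to transition on `passwd_exec_t` can presumably run the batch password tool in the passwd domain too, so the set of callers is worth checking against what chpasswd is expected to do. If the reason is the virt_qemu_ga_t transition listed in the same changelog, record it next to the entry, for example `# chpasswd shares the passwd entrypoint type; needed for the virt_qemu_ga_t transition`. The entry is also appended after `vipw` rather than placed in the list's alphabetical order.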
@@ -14447,7 +14455,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..a250b32 100644 +index 8416beb..cd82082 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -15071,7 +15079,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -2014,19 +2218,313 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,19 +2218,440 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # @@ -15387,13 +15395,59 @@ index 8416beb..a250b32 100644 +## +## Get the attributes of an hugetlbfs +## filesystem. - ## - ## - ## -@@ -2080,6 +2578,24 @@ interface(`fs_manage_hugetlbfs_dirs',` - - ######################################## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:filesystem getattr; ++') ++ ++######################################## ++## ++## List hugetlbfs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_list_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Manage hugetlbfs dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_hugetlbfs_dirs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## +## Read hugetlbfs files. +## +## 
@@ -15412,13 +15466,24 @@ index 8416beb..a250b32 100644 + +######################################## +## - ## Read and write hugetlbfs files. - ## - ## -@@ -2098,6 +2614,25 @@ interface(`fs_rw_hugetlbfs_files',` - - ######################################## - ## ++## Read and write hugetlbfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## +## Execute hugetlbfs files. +## +## 
@@ -15438,24 +15503,633 @@ index 8416beb..a250b32 100644 + +######################################## +## - ## Allow the type to associate to hugetlbfs filesystems. ++## Allow the type to associate to hugetlbfs filesystems. ++## ++## ++## ++## The type of the object to be associated. ++## ++## ++# ++interface(`fs_associate_hugetlbfs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ allow $1 hugetlbfs_t:filesystem associate; ++') ++ ++######################################## ++## ++## Search inotifyfs filesystem. ## - ## -@@ -2148,11 +2683,12 @@ interface(`fs_list_inotifyfs',` + ## + ## +@@ -2034,17 +2659,17 @@ interface(`fs_read_fusefs_symlinks',` + ## + ## + # +-interface(`fs_getattr_hugetlbfs',` ++interface(`fs_search_inotifyfs',` + gen_require(` +- type hugetlbfs_t; ++ type inotifyfs_t; ') - allow $1 inotifyfs_t:dir list_dir_perms; +- allow $1 hugetlbfs_t:filesystem getattr; ++ allow $1 inotifyfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## List hugetlbfs. ++## List inotifyfs filesystem. + ## + ## + ## +@@ -2052,35 +2677,72 @@ interface(`fs_getattr_hugetlbfs',` + ## + ## + # +-interface(`fs_list_hugetlbfs',` ++interface(`fs_list_inotifyfs',` + gen_require(` +- type hugetlbfs_t; ++ type inotifyfs_t; + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; ++ allow $1 inotifyfs_t:dir list_dir_perms; + fs_read_anon_inodefs_files($1) ') ######################################## ## --## Dontaudit List inotifyfs filesystem. +-## Manage hugetlbfs dirs. +## Do not audit attempts to list inotifyfs filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_list_inotifyfs',` ++ gen_require(` ++ type inotifyfs_t; ++ ') ++ ++ dontaudit $1 inotifyfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Create an object in a hugetlbfs filesystem, with a private ++## type using a type transition. 
## ## ## -@@ -2398,6 +2934,24 @@ interface(`fs_getattr_nfs',` + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`fs_manage_hugetlbfs_dirs',` ++interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $2 hugetlbfs_t:filesystem associate; ++ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + ') + + ######################################## + ## +-## Read and write hugetlbfs files. ++## Mount an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## +@@ -2088,35 +2750,38 @@ interface(`fs_manage_hugetlbfs_dirs',` + ## + ## + # +-interface(`fs_rw_hugetlbfs_files',` ++interface(`fs_mount_iso9660_fs',` + gen_require(` +- type hugetlbfs_t; ++ type iso9660_t; + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ allow $1 iso9660_t:filesystem mount; + ') + + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. ++## Remount an iso9660 filesystem, which ++## is usually used on CDs. This allows ++## some mount options to be changed. + ## +-## ++## + ## +-## The type of the object to be associated. ++## Domain allowed access. + ## + ## + # +-interface(`fs_associate_hugetlbfs',` ++interface(`fs_remount_iso9660_fs',` + gen_require(` +- type hugetlbfs_t; ++ type iso9660_t; + ') + +- allow $1 hugetlbfs_t:filesystem associate; ++ allow $1 iso9660_t:filesystem remount; + ') + + ######################################## + ## +-## Search inotifyfs filesystem. ++## Unmount an iso9660 filesystem, which ++## is usually used on CDs. 
+ ## + ## + ## +@@ -2124,89 +2789,250 @@ interface(`fs_associate_hugetlbfs',` + ## + ## + # +-interface(`fs_search_inotifyfs',` ++interface(`fs_unmount_iso9660_fs',` + gen_require(` +- type inotifyfs_t; ++ type iso9660_t; + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; ++ allow $1 iso9660_t:filesystem unmount; + ') + + ######################################## + ## +-## List inotifyfs filesystem. ++## Get the attributes of an iso9660 ++## filesystem, which is usually used on CDs. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_list_inotifyfs',` ++interface(`fs_getattr_iso9660_fs',` + gen_require(` +- type inotifyfs_t; ++ type iso9660_t; + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; ++ allow $1 iso9660_t:filesystem getattr; + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` ++interface(`fs_getattr_iso9660_files',` + gen_require(` +- type inotifyfs_t; ++ type iso9660_t; + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; ++ allow $1 iso9660_t:dir list_dir_perms; ++ allow $1 iso9660_t:file getattr; + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. ++## Read files on an iso9660 filesystem, which ++## is usually used on CDs. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`fs_read_iso9660_files',` ++ gen_require(` ++ type iso9660_t; ++ ') ++ ++ allow $1 iso9660_t:dir list_dir_perms; ++ read_files_pattern($1, iso9660_t, iso9660_t) ++ read_lnk_files_pattern($1, iso9660_t, iso9660_t) ++') ++ ++ ++######################################## ++## ++## Mount kdbus filesystems. ++## ++## + ## +-## The type of the object to be created. ++## Domain allowed access. 
+ ## + ## +-## ++# ++interface(`fs_mount_kdbus', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ allow $1 kdbusfs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Remount kdbus filesystems. ++## ++## + ## +-## The object class of the object being created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`fs_remount_kdbus', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ allow $1 kdbusfs_t:filesystem remount; ++') ++ ++######################################## ++## ++## Unmount kdbus filesystems. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_kdbus', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ allow $1 kdbusfs_t:filesystem unmount; ++') ++ ++######################################## ++## ++## Get attributes of kdbus filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_kdbus',` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ allow $1 kdbusfs_t:filesystem getattr; ++') ++ ++######################################## ++## ++## Search kdbusfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_search_kdbus_dirs',` ++ gen_require(` ++ type kdbusfs_t; ++ ++ ') ++ ++ search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++######################################## ++## ++## Relabel kdbusfs directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_kdbus_dirs',` ++ gen_require(` ++ type cgroup_t; ++ ++ ') ++ ++ relabel_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++') ++ ++######################################## ++## ++## List kdbusfs directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`fs_list_kdbus_dirs',` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ list_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) ++') ++ ++####################################### ++## ++## Do not audit attempts to search kdbusfs directories. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_search_kdbus_dirs', ` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ dontaudit $1 kdbusfs_t:dir search_dir_perms; ++ dev_dontaudit_search_sysfs($1) ++') ++ ++######################################## ++## ++## Delete kdbusfs directories. ++## ++## ++## ++## Domain allowed access. + ## + ## + # +-interface(`fs_hugetlbfs_filetrans',` ++interface(`fs_delete_kdbus_dirs', ` + gen_require(` +- type hugetlbfs_t; ++ type kdbusfs_t; + ') + +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++ delete_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. ++## Manage kdbusfs directories. + ## + ## + ## +@@ -2214,19 +3040,19 @@ interface(`fs_hugetlbfs_filetrans',` + ## + ## + # +-interface(`fs_mount_iso9660_fs',` ++interface(`fs_manage_kdbus_dirs',` + gen_require(` +- type iso9660_t; +- ') ++ type kdbusfs_t; + +- allow $1 iso9660_t:filesystem mount; ++ ') ++ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) + ') + + ######################################## + ## +-## Remount an iso9660 filesystem, which +-## is usually used on CDs. This allows +-## some mount options to be changed. ++## Read kdbusfs files. 
+ ## + ## + ## +@@ -2234,18 +3060,21 @@ interface(`fs_mount_iso9660_fs',` + ## + ## + # +-interface(`fs_remount_iso9660_fs',` ++interface(`fs_read_kdbus_files',` + gen_require(` +- type iso9660_t; ++ type cgroup_t; ++ + ') + +- allow $1 iso9660_t:filesystem remount; ++ read_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) + ') + + ######################################## + ## +-## Unmount an iso9660 filesystem, which +-## is usually used on CDs. ++## Write kdbusfs files. + ## + ## + ## +@@ -2253,38 +3082,61 @@ interface(`fs_remount_iso9660_fs',` + ## + ## + # +-interface(`fs_unmount_iso9660_fs',` ++interface(`fs_write_kdbus_files', ` + gen_require(` +- type iso9660_t; ++ type kdbusfs_t; + ') + +- allow $1 iso9660_t:filesystem unmount; ++ write_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) + ') + + ######################################## + ## +-## Get the attributes of an iso9660 +-## filesystem, which is usually used on CDs. ++## Read and write kdbusfs files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`fs_getattr_iso9660_fs',` ++interface(`fs_rw_kdbus_files',` + gen_require(` +- type iso9660_t; ++ type kdbusfs_t; ++ + ') + +- allow $1 iso9660_t:filesystem getattr; ++ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ rw_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) + ') + + ######################################## + ## +-## Read files on an iso9660 filesystem, which +-## is usually used on CDs. ++## Do not audit attempts to open, ++## get attributes, read and write ++## cgroup files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_dontaudit_rw_kdbus_files',` ++ gen_require(` ++ type kdbusfs_t; ++ ') ++ ++ dontaudit $1 kdbusfs_t:file rw_file_perms; ++') ++ ++######################################## ++## ++## Manage kdbusfs files. 
+ ## + ## + ## +@@ -2292,19 +3144,21 @@ interface(`fs_getattr_iso9660_fs',` + ## + ## + # +-interface(`fs_getattr_iso9660_files',` ++interface(`fs_manage_kdbus_files',` + gen_require(` +- type iso9660_t; ++ type kdbusfs_t; ++ + ') + +- allow $1 iso9660_t:dir list_dir_perms; +- allow $1 iso9660_t:file getattr; ++ manage_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ manage_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) ++ fs_search_tmpfs($1) ++ dev_search_sysfs($1) + ') + + ######################################## + ## +-## Read files on an iso9660 filesystem, which +-## is usually used on CDs. ++## Mount on kdbusfs directories. + ## + ## + ## +@@ -2312,16 +3166,15 @@ interface(`fs_getattr_iso9660_files',` + ## + ## + # +-interface(`fs_read_iso9660_files',` ++interface(`fs_mounton_kdbus', ` + gen_require(` +- type iso9660_t; ++ type kdbusfs_t; + ') + +- allow $1 iso9660_t:dir list_dir_perms; +- read_files_pattern($1, iso9660_t, iso9660_t) +- read_lnk_files_pattern($1, iso9660_t, iso9660_t) ++ allow $1 kdbusfs_t:dir mounton; + ') + ++ + ######################################## + ## + ## Mount a NFS filesystem. +@@ -2398,6 +3251,24 @@ interface(`fs_getattr_nfs',` ######################################## ## @@ -15480,7 +16154,7 @@ index 8416beb..a250b32 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3039,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3356,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -15488,7 +16162,7 @@ index 8416beb..a250b32 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3078,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3395,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -15496,7 +16170,7 @@ index 8416beb..a250b32 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3105,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3422,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
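Review bot: `fs_relabel_kdbus_dirs` and `fs_read_kdbus_files` require `type cgroup_t;` in `gen_require` but their rules reference only `kdbusfs_t`, so the type they actually use is never declared as a requirement; this looks like a leftover from the cgroup interfaces they were copied from. Change the requirement in both to `type kdbusfs_t;`, as the other kdbus interfaces in this hunk do. The summary of `fs_dontaudit_rw_kdbus_files` has the same leftover ("cgroup files") and should read `Do not audit attempts to open, get attributes, read and write kdbusfs files.` The `fs_search_tmpfs($1)` call repeated in the kdbus interfaces may be another carry-over, since the commit message places kdbus under /sys/fs/kdbus; confirm it is needed before granting it to every caller.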
@@ -15541,7 +16215,7 @@ index 8416beb..a250b32 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3163,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3480,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -15550,7 +16224,7 @@ index 8416beb..a250b32 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3183,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3500,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -15593,7 +16267,7 @@ index 8416beb..a250b32 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3233,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3550,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -15602,7 +16276,7 @@ index 8416beb..a250b32 100644 ') ######################################## -@@ -2627,7 +3257,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3574,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -15611,7 +16285,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -2719,6 +3349,47 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3666,47 @@ interface(`fs_search_rpc',` ######################################## ## @@ -15659,7 +16333,7 @@ index 8416beb..a250b32 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3412,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3729,7 @@ interface(`fs_search_removable',` ## ## ## @@ -15668,7 +16342,7 @@ index 8416beb..a250b32 100644 ## ## # -@@ -2777,7 +3448,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3765,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -15677,7 +16351,7 @@ index 8416beb..a250b32 100644 ## ## # -@@ -2970,6 +3641,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +3958,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') 
@@ -15685,7 +16359,7 @@ index 8416beb..a250b32 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +3682,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +3999,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -15693,7 +16367,7 @@ index 8416beb..a250b32 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +3723,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4040,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -15701,7 +16375,7 @@ index 8416beb..a250b32 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +3811,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4128,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -15726,7 +16400,7 @@ index 8416beb..a250b32 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,6 +3955,24 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,6 +4272,24 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -15751,7 +16425,7 @@ index 8416beb..a250b32 100644 ######################################## ## ## Read and write NFS server files. -@@ -3283,6 +3993,24 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +4310,24 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -15776,7 +16450,7 @@ index 8416beb..a250b32 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4120,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4437,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -15785,7 +16459,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3429,7 +4157,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4474,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -15794,7 +16468,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3447,7 +4175,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4492,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## 
@@ -15803,7 +16477,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3743,25 +4471,61 @@ interface(`fs_getattr_rpc_pipefs',` +@@ -3743,25 +4788,61 @@ interface(`fs_getattr_rpc_pipefs',` ######################################### ## @@ -15871,7 +16545,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3769,17 +4533,17 @@ interface(`fs_rw_rpc_named_pipes',` +@@ -3769,17 +4850,17 @@ interface(`fs_rw_rpc_named_pipes',` ## ## # @@ -15892,7 +16566,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3787,17 +4551,17 @@ interface(`fs_mount_tmpfs',` +@@ -3787,17 +4868,17 @@ interface(`fs_mount_tmpfs',` ## ## # @@ -15913,7 +16587,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3805,12 +4569,12 @@ interface(`fs_remount_tmpfs',` +@@ -3805,12 +4886,12 @@ interface(`fs_remount_tmpfs',` ## ## # @@ -15928,7 +16602,7 @@ index 8416beb..a250b32 100644 ') ######################################## -@@ -3908,7 +4672,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +4989,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -15937,7 +16611,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3916,17 +4680,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +4997,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -15958,7 +16632,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3934,17 +4698,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5015,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -15979,7 +16653,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3952,17 +4716,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5033,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -16019,7 +16693,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -3970,31 +4753,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5070,48 @@ interface(`fs_search_tmpfs',` ## ## # 
@@ -16075,7 +16749,7 @@ index 8416beb..a250b32 100644 ') ######################################## -@@ -4105,7 +4905,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5222,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -16084,7 +16758,7 @@ index 8416beb..a250b32 100644 ') ######################################## -@@ -4165,6 +4965,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5282,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## @@ -16109,7 +16783,7 @@ index 8416beb..a250b32 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5020,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5337,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -16118,7 +16792,7 @@ index 8416beb..a250b32 100644 ## ## ## -@@ -4221,6 +5039,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5356,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -16179,7 +16853,7 @@ index 8416beb..a250b32 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5150,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5467,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -16224,7 +16898,7 @@ index 8416beb..a250b32 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5207,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5524,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -16250,7 +16924,7 @@ index 8416beb..a250b32 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4503,6 +5432,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5749,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; 
@@ -16259,7 +16933,7 @@ index 8416beb..a250b32 100644 ') ######################################## -@@ -4549,7 +5480,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5797,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -16268,7 +16942,7 @@ index 8416beb..a250b32 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5527,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5844,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -16295,7 +16969,7 @@ index 8416beb..a250b32 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +5622,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +5939,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -16321,7 +16995,7 @@ index 8416beb..a250b32 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +5882,43 @@ interface(`fs_unconfined',` +@@ -4912,3 +6199,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -16366,7 +17040,7 @@ index 8416beb..a250b32 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..6ac60c3 100644 +index e7d1738..3e3ed4e 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -16437,7 +17111,20 @@ index e7d1738..6ac60c3 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -118,13 +136,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -111,6 +129,12 @@ type inotifyfs_t; + fs_type(inotifyfs_t) + genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) + ++type kdbusfs_t; ++fs_type(kdbusfs_t) ++files_mountpoint(kdbusfs_t) ++dev_associate_sysfs(kdbusfs_t) ++genfscon kdbusfs / gen_context(system_u:object_r:kdbusfs_t,s0) ++ + type mvfs_t; + fs_noxattr_type(mvfs_t) + allow mvfs_t self:filesystem associate; +@@ -118,13 +142,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) 
@@ -16453,7 +17140,7 @@ index e7d1738..6ac60c3 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,11 +169,6 @@ fs_type(spufs_t) +@@ -150,11 +175,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -16465,7 +17152,7 @@ index e7d1738..6ac60c3 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -172,6 +186,8 @@ type vxfs_t; +@@ -172,6 +192,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -16474,7 +17161,7 @@ index e7d1738..6ac60c3 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +198,8 @@ fs_type(tmpfs_t) +@@ -182,6 +204,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -16483,7 +17170,7 @@ index e7d1738..6ac60c3 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +279,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +285,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -16492,7 +17179,7 @@ index e7d1738..6ac60c3 100644 files_mountpoint(removable_t) # -@@ -280,6 +300,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +306,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -16500,7 +17187,7 @@ index e7d1738..6ac60c3 100644 ######################################## # -@@ -301,9 +322,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +328,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # 
@@ -20759,7 +21446,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..3651c0c 100644 +index 2522ca6..85c5be2 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) @@ -20979,31 +21666,38 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -182,15 +263,20 @@ optional_policy(` +@@ -182,6 +263,15 @@ optional_policy(` ') optional_policy(` -- kudzu_run(sysadm_t, sysadm_r) + irc_role(sysadm_r, sysadm_t) - ') - - optional_policy(` -- libs_run_ldconfig(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) +') + +optional_policy(` -+ kudzu_run(sysadm_t, sysadm_r) + kudzu_run(sysadm_t, sysadm_r) + ') + +@@ -190,11 +280,12 @@ optional_policy(` ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ libs_run_ldconfig(sysadm_t, sysadm_r) ++ logrotate_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- logrotate_run(sysadm_t, sysadm_r) ++ corenet_tcp_bind_ldap_port(sysadm_t) ++ ldap_admin(sysadm_t, sysadm_r) ') optional_policy(` -@@ -210,22 +296,20 @@ optional_policy(` +@@ -210,22 +301,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -21032,7 +21726,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -237,14 +321,28 @@ optional_policy(` +@@ -237,14 +326,28 @@ optional_policy(` ') optional_policy(` @@ -21061,7 +21755,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -252,10 +350,20 @@ optional_policy(` +@@ -252,10 +355,20 @@ optional_policy(` ') optional_policy(` 
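Review bot: The new optional block grants `corenet_tcp_bind_ldap_port(sysadm_t)` together with `ldap_admin(sysadm_t, sysadm_r)` without a boolean, so the administrator's own domain may listen on the LDAP port whenever the ldap module is present, not only the confined directory-server domain. The changelog gives 389ds setup as the reason; if the bind is needed only while installing the server, consider wrapping it in a `tunable_policy` block so it can be switched off afterwards. At minimum, state the reason in the policy itself, for example `# sysadm_t binds the LDAP port while setting up 389ds`.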
@@ -21082,7 +21776,7 @@ index 2522ca6..3651c0c 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +374,41 @@ optional_policy(` +@@ -266,35 +379,41 @@ optional_policy(` ') optional_policy(` @@ -21131,7 +21825,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -308,6 +422,7 @@ optional_policy(` +@@ -308,6 +427,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -21139,7 +21833,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -315,12 +430,20 @@ optional_policy(` +@@ -315,12 +435,20 @@ optional_policy(` ') optional_policy(` @@ -21161,7 +21855,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -345,7 +468,18 @@ optional_policy(` +@@ -345,7 +473,18 @@ optional_policy(` ') optional_policy(` @@ -21181,7 +21875,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -356,19 +490,11 @@ optional_policy(` +@@ -356,19 +495,11 @@ optional_policy(` ') optional_policy(` @@ -21202,7 +21896,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -380,10 +506,6 @@ optional_policy(` +@@ -380,10 +511,6 @@ optional_policy(` ') optional_policy(` @@ -21213,7 +21907,7 @@ index 2522ca6..3651c0c 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +513,9 @@ optional_policy(` +@@ -391,6 +518,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -21223,7 +21917,7 @@ index 2522ca6..3651c0c 100644 ') optional_policy(` -@@ -398,31 +523,34 @@ optional_policy(` +@@ -398,31 +528,34 @@ optional_policy(` ') optional_policy(` @@ -21264,7 +21958,7 @@ index 2522ca6..3651c0c 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +563,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +568,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -21275,7 +21969,7 @@ index 2522ca6..3651c0c 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +583,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +588,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -29212,7 +29906,7 @@ index 3efd5b6..9e85ea0 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..15dea9c 100644 +index 09b791d..fde4518 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -29536,7 +30230,7 @@ index 09b791d..15dea9c 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +520,156 @@ optional_policy(` +@@ -456,10 +520,159 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -29619,6 +30313,9 @@ index 09b791d..15dea9c 100644 +fs_read_ecryptfs_symlinks(login_pgm) +fs_read_ecryptfs_files(login_pgm) + ++#fs_manage_kdbus_files(login_pgm) ++#fs_manage_kdbus_dirs(login_pgm) ++ +selinux_validate_context(login_pgm) +selinux_compute_access_vector(login_pgm) +selinux_compute_create_context(login_pgm) 
@@ -34175,6 +34872,41 @@ index be8ed1e..750839c 100644 ') optional_policy(` +diff --git a/policy/modules/system/kdbus.fc b/policy/modules/system/kdbus.fc +new file mode 100644 +index 0000000..1bb8bf6 +--- /dev/null ++++ b/policy/modules/system/kdbus.fc +@@ -0,0 +1 @@ ++# empty +diff --git a/policy/modules/system/kdbus.if b/policy/modules/system/kdbus.if +new file mode 100644 +index 0000000..6a1c9ed +--- /dev/null ++++ b/policy/modules/system/kdbus.if +@@ -0,0 +1,2 @@ ++## Policy for kdbusfs. ++ +diff --git a/policy/modules/system/kdbus.te b/policy/modules/system/kdbus.te +new file mode 100644 +index 0000000..c814795 +--- /dev/null ++++ b/policy/modules/system/kdbus.te +@@ -0,0 +1,14 @@ ++policy_module(kdbus,1.0.0) ++ ++require { ++ attribute login_pgm; ++ type systemd_logind_t; ++ } ++ ++allow login_pgm self:capability ipc_owner; ++ ++fs_manage_kdbus_files(login_pgm) ++fs_manage_kdbus_dirs(login_pgm) ++ ++fs_manage_kdbus_dirs(systemd_logind_t) ++fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc index 73bb3c0..4fef124 100644 --- a/policy/modules/system/libraries.fc @@ -35735,7 +36467,7 @@ index 4e94884..7ab6191 100644 + filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1..75844b4 100644 +index 59b04c1..5ac28ce 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -35922,7 +36654,7 @@ index 59b04c1..75844b4 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,13 +325,23 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,13 +325,27 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) 
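Review bot: The new kdbus.te grants `allow login_pgm self:capability ipc_owner;` to every domain carrying the login_pgm attribute, with no comment saying which kdbus operation needs to bypass IPC ownership checks. A capability handed to a whole attribute is hard to audit later, so I would add a why-comment above that line, for example `# kdbus: login programs need ipc_owner to <operation, bug reference>`, and consider limiting it to the domains that were actually denied. The module also reaches into authlogin and systemd with a bare `require { attribute login_pgm; type systemd_logind_t; }` block. Using `gen_require` inside interfaces in kdbus.if, called from an `optional_policy` in the owning modules, would match the rest of the tree. The commented-out `#fs_manage_kdbus_files(login_pgm)` and `#fs_manage_kdbus_dirs(login_pgm)` lines this commit adds to authlogin.te repeat the same rules and could be dropped.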
@@ -35942,12 +36674,16 @@ index 59b04c1..75844b4 100644 sysnet_dns_name_resolve(audisp_remote_t) ++systemd_start_power_services(audisp_remote_t) ++ +term_search_ptys(audisp_remote_t) + ++userdom_use_user_ptys(audisp_remote_t) ++ ######################################## # # klogd local policy -@@ -326,7 +381,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +385,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -35955,7 +36691,7 @@ index 59b04c1..75844b4 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +409,12 @@ optional_policy(` +@@ -355,13 +413,12 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -35972,7 +36708,7 @@ index 59b04c1..75844b4 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,11 +422,15 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,11 +426,15 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; @@ -35989,7 +36725,7 @@ index 59b04c1..75844b4 100644 files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. -@@ -389,30 +446,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +450,47 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
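Review bot: `systemd_start_power_services(audisp_remote_t)` is added to the audisp_remote_t rules without a comment, so a network-facing audit forwarder gains the ability to start power services with no stated reason. This presumably supports audisp-remote's configurable failure actions that halt or suspend the host, but the hunk does not say so. A one-line comment would make the intent reviewable, for example `# audisp-remote failure actions may halt or suspend the system`. The same goes for `userdom_use_user_ptys(audisp_remote_t)` next to the existing `term_search_ptys` call. The audisp_remote_t section begins before this hunk.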
@@ -36040,7 +36776,7 @@ index 59b04c1..75844b4 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +496,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +500,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -36049,7 +36785,7 @@ index 59b04c1..75844b4 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +508,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +512,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -36083,7 +36819,7 @@ index 59b04c1..75844b4 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +547,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +551,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) @@ -36101,7 +36837,7 @@ index 59b04c1..75844b4 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +569,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +573,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -36117,7 +36853,7 @@ index 59b04c1..75844b4 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +601,7 @@ optional_policy(` +@@ -497,6 +605,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") 
@@ -36125,7 +36861,7 @@ index 59b04c1..75844b4 100644 ') optional_policy(` -@@ -507,15 +612,40 @@ optional_policy(` +@@ -507,15 +616,40 @@ optional_policy(` ') optional_policy(` @@ -36166,7 +36902,7 @@ index 59b04c1..75844b4 100644 ') optional_policy(` -@@ -526,3 +656,26 @@ optional_policy(` +@@ -526,3 +660,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 9331a4c..ccf332b 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3364,10 +3364,10 @@ index 0000000..6183b21 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..863bce5 100644 +index 7caefc3..3ef1de6 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,206 @@ +@@ -1,162 +1,207 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3397,6 +3397,7 @@ index 7caefc3..863bce5 100644 +/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/rt(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) @@ -5208,7 +5209,7 @@ index f6eb485..164501c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 6649962..e98b712 100644 +index 6649962..d007ab0 100644 --- a/apache.te 
+++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6859,7 +6860,7 @@ index 6649962..e98b712 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1337,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1337,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6992,8 +6993,10 @@ index 6649962..e98b712 100644 - fs_manage_nfs_dirs(httpd_suexec_t) - fs_manage_nfs_files(httpd_suexec_t) - fs_manage_nfs_symlinks(httpd_suexec_t) --') -- ++optional_policy(` ++ apache_rw_stream_sockets(httpd_suexec_t) + ') + -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` - fs_exec_nfs_files(httpd_suexec_t) +optional_policy(` @@ -7003,9 +7006,6 @@ index 6649962..e98b712 100644 optional_policy(` - mailman_domtrans_cgi(httpd_suexec_t) + mta_stub(httpd_suexec_t) -+ -+ # apache should set close-on-exec -+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') optional_policy(` @@ -7014,7 +7014,7 @@ index 6649962..e98b712 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1421,107 @@ optional_policy(` +@@ -1083,172 +1422,107 @@ optional_policy(` ') ') @@ -7181,8 +7181,7 @@ index 6649962..e98b712 100644 -# -# System script local policy -# -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t self:tcp_socket { accept listen }; - -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; @@ -7198,7 +7197,8 @@ index 6649962..e98b712 100644 -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) 
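Review bot: The added `apache_rw_stream_sockets(httpd_suexec_t)` appears to replace the earlier `dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };`, which a later hunk on this line removes together with its comment "apache should set close-on-exec". If so, access that was previously treated as a leaked descriptor and silently denied becomes a real read/write grant for the suexec domain, and nothing in the policy records why suexec needs it. Please add a comment naming the use case, for example `# suexec children use the stream socket inherited from httpd (<bug reference>)`, or keep the dontaudit if the descriptor is only leaked. The call is also wrapped in `optional_policy` although the interface belongs to the apache module itself, so the wrapper can go. The httpd_suexec_t section starts and ends outside this hunk.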
@@ -7252,7 +7252,7 @@ index 6649962..e98b712 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1529,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1530,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7349,7 +7349,7 @@ index 6649962..e98b712 100644 ######################################## # -@@ -1321,8 +1604,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1605,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7366,7 +7366,7 @@ index 6649962..e98b712 100644 ') ######################################## -@@ -1330,49 +1620,38 @@ optional_policy(` +@@ -1330,49 +1621,38 @@ optional_policy(` # User content local policy # @@ -7431,7 +7431,7 @@ index 6649962..e98b712 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1661,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1662,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -11067,10 +11067,10 @@ index 0000000..2d2e60c +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..acaf519 +index 0000000..9aee6f3 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,63 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -11125,6 +11125,7 @@ index 0000000..acaf519 +sysnet_dns_name_resolve(bumblebee_t) + +xserver_domtrans(bumblebee_t) ++xserver_kill(bumblebee_t) +xserver_signal(bumblebee_t) +xserver_stream_connect(bumblebee_t) +xserver_manage_xkb_libs(bumblebee_t) @@ -26199,7 +26200,7 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index f2516cc..b371be4 100644 +index f2516cc..0487894 100644 --- a/drbd.te +++ b/drbd.te @@ -18,17 +18,20 @@ files_type(drbd_var_lib_t) 
@@ -26225,7 +26226,7 @@ index f2516cc..b371be4 100644 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -@@ -38,18 +41,37 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) +@@ -38,18 +41,40 @@ files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) files_lock_filetrans(drbd_t, drbd_lock_t, file) @@ -26253,8 +26254,11 @@ index f2516cc..b371be4 100644 -storage_raw_read_fixed_disk(drbd_t) +logging_send_syslog_msg(drbd_t) ++ ++fs_getattr_xattr_fs(drbd_t) -miscfiles_read_localization(drbd_t) ++modutils_read_module_config(drbd_t) +modutils_exec_insmod(drbd_t) + +storage_raw_read_fixed_disk(drbd_t) @@ -28803,7 +28807,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..a09e8b2 100644 +index 36838c2..8bfc879 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -29080,7 +29084,7 @@ index 36838c2..a09e8b2 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +517,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -481,21 +517,8 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -29088,12 +29092,11 @@ index 36838c2..a09e8b2 100644 + files_manage_non_security_files(sftpd_t) ') +-tunable_policy(`sftpd_write_ssh_home',` +- ssh_manage_home_files(sftpd_t) +-') +userdom_home_reader(sftpd_t) -+ - tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) - ') -- + -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(sftpd_t) - fs_read_cifs_files(sftpd_t) @@ -30754,10 +30757,10 @@ index 0000000..fc9bf19 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..bd8ad23 +index 0000000..b974353 --- /dev/null 
+++ b/glusterd.te -@@ -0,0 +1,286 @@ +@@ -0,0 +1,295 @@ +policy_module(glusterfs, 1.1.2) + +## @@ -30918,6 +30921,7 @@ index 0000000..bd8ad23 +dev_read_rand(glusterd_t) + +domain_read_all_domains_state(glusterd_t) ++domain_getattr_all_sockets(glusterd_t) + +domain_use_interactive_fds(glusterd_t) + @@ -30927,6 +30931,9 @@ index 0000000..bd8ad23 + +files_mounton_non_security(glusterd_t) + ++files_dontaudit_read_security_files(glusterd_t) ++files_dontaudit_list_security_dirs(glusterd_t) ++ +storage_rw_fuse(glusterd_t) +#needed by /usr/sbin/xfs_db +storage_raw_read_fixed_disk(glusterd_t) @@ -30971,6 +30978,8 @@ index 0000000..bd8ad23 +tunable_policy(`gluster_export_all_ro',` + fs_read_noxattr_fs_files(glusterd_t) + files_read_non_security_files(glusterd_t) ++ files_getattr_all_pipes(glusterd_t) ++ files_getattr_all_sockets(glusterd_t) +') + +tunable_policy(`gluster_export_all_rw',` @@ -30978,6 +30987,8 @@ index 0000000..bd8ad23 + files_manage_non_security_dirs(glusterd_t) + files_manage_non_security_files(glusterd_t) + files_relabel_base_file_types(glusterd_t) ++ files_getattr_all_pipes(glusterd_t) ++ files_getattr_all_sockets(glusterd_t) +') + +optional_policy(` @@ -31039,6 +31050,7 @@ index 0000000..bd8ad23 + rhcs_dbus_chat_cluster(glusterd_t) + rhcs_domtrans_cluster(glusterd_t) + rhcs_systemctl_cluster(glusterd_t) ++ rhcs_stream_connect_cluster(glusterd_t) +') + +optional_policy(` @@ -35314,10 +35326,10 @@ index 0000000..d0016da +') diff --git a/hostapd.te b/hostapd.te new file mode 100644 -index 0000000..ef3f6a9 +index 0000000..54deae3 --- /dev/null +++ b/hostapd.te -@@ -0,0 +1,51 @@ +@@ -0,0 +1,52 @@ +policy_module(hostapd, 1.0.0) + +######################################## 
@@ -35339,7 +35351,7 @@ index 0000000..ef3f6a9 +# +# hostapd local policy +# -+allow hostapd_t self:capability { chown net_admin }; ++allow hostapd_t self:capability { fsetid chown net_admin net_raw }; +allow hostapd_t self:fifo_file rw_fifo_file_perms; +allow hostapd_t self:unix_stream_socket create_stream_socket_perms; +allow hostapd_t self:netlink_socket create_socket_perms; @@ -35349,7 +35361,8 @@ index 0000000..ef3f6a9 +manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) +manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) +manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) -+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file }) ++manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t) ++files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file }) + +kernel_read_system_state(hostapd_t) +kernel_read_network_state(hostapd_t) @@ -65118,10 +65131,10 @@ index 0000000..80246e6 + diff --git a/pcp.te b/pcp.te new file mode 100644 -index 0000000..15702ce +index 0000000..530fe1d --- /dev/null +++ b/pcp.te -@@ -0,0 +1,241 @@ +@@ -0,0 +1,258 @@ +policy_module(pcp, 1.0.0) + +######################################## @@ -65137,6 +65150,13 @@ index 0000000..15702ce +## +gen_tunable(pcp_bind_all_unreserved_ports, false) + ++## ++##

    ++## Allow pcp to read generic logs ++##

    ++##
    ++gen_tunable(pcp_read_generic_logs, false) ++ +attribute pcp_domain; + +pcp_domain_template(pmcd) @@ -65273,6 +65293,16 @@ index 0000000..15702ce + ') +') + ++optional_policy(` ++ postfix_read_config(pcp_pmcd_t) ++ postfix_search_spool(pcp_pmcd_t) ++') ++ ++tunable_policy(`pcp_read_generic_logs',` ++ logging_read_generic_logs(pcp_pmcd_t) ++ ++') ++ +######################################## +# +# pcp_pmproxy local policy 
@@ -65465,6 +65495,175 @@ index 1fb1964..5212cd2 100644 + virt_rw_svirt_dev(pcscd_t) +') + +diff --git a/pdns.fc b/pdns.fc +new file mode 100644 +index 0000000..22bc51b +--- /dev/null ++++ b/pdns.fc +@@ -0,0 +1,6 @@ ++/usr/lib/systemd/system/pdns.* -- gen_context(system_u:object_r:pdns_unit_file_t,s0) ++/usr/bin/pdns_control -- gen_context(system_u:object_r:pdns_control_exec_t,s0) ++/usr/sbin/pdns_server -- gen_context(system_u:object_r:pdns_exec_t,s0) ++/var/run/pdns\.pid -- gen_context(system_u:object_r:pdns_var_run_t,s0) ++/var/run/pdns\.controlsocket -s gen_context(system_u:object_r:pdns_var_run_t,s0) ++/etc/pdns(/.*)? gen_context(system_u:object_r:pdns_conf_t,s0) +diff --git a/pdns.if b/pdns.if +new file mode 100644 +index 0000000..08314c4 +--- /dev/null ++++ b/pdns.if +@@ -0,0 +1,63 @@ ++## PowerDNS DNS server. ++ ++######################################## ++## ++## Execute pdns in the pdns domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pdns_domtrans',` ++ gen_require(` ++ type pdns_t, pdns_exec_t; ++ ') ++ ++ domtrans_pattern($1, pdns_exec_t, pdns_t) ++') ++ ++######################################## ++## ++## Execute pdns_control in the pdns_control domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pdns_domtrans_pdns_control',` ++ gen_require(` ++ type pdns_control_t, pdns_control_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, pdns_control_exec_t, pdns_control_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ++## pdns configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`pdns_read_config',` ++ gen_require(` ++ type pdns_conf_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 pdns_conf_t:dir list_dir_perms; ++ read_files_pattern($1, pdns_conf_t, pdns_conf_t) ++ read_lnk_files_pattern($1, pdns_conf_t, pdns_conf_t) ++') ++ ++ +diff --git a/pdns.te b/pdns.te +new file mode 100644 +index 0000000..509d898 +--- /dev/null ++++ b/pdns.te +@@ -0,0 +1,82 @@ ++policy_module(pdns, 1.0.2) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

    ++## Allow PowerDNS to connect to databases over the network. ++##

    ++##
    ++gen_tunable(pdns_can_network_connect_db, false) ++ ++type pdns_t; ++type pdns_exec_t; ++init_daemon_domain(pdns_t, pdns_exec_t) ++ ++type pdns_unit_file_t; ++systemd_unit_file(pdns_unit_file_t) ++ ++type pdns_conf_t; ++files_config_file(pdns_conf_t) ++ ++type pdns_var_run_t; ++files_pid_file(pdns_var_run_t) ++ ++type pdns_control_t; ++type pdns_control_exec_t; ++init_system_domain(pdns_control_t, pdns_control_exec_t) ++ ++######################################## ++# ++# pdns_t local policy ++# ++ ++allow pdns_t self:capability { setuid setgid chown }; ++allow pdns_t self:tcp_socket create_stream_socket_perms; ++allow pdns_t self:udp_socket create_socket_perms; ++allow pdns_t self:unix_dgram_socket create_socket_perms; ++pdns_read_config(pdns_t) ++ ++corenet_tcp_bind_dns_port(pdns_t) ++corenet_udp_bind_dns_port(pdns_t) ++ ++files_pid_filetrans(pdns_t, pdns_var_run_t, { file sock_file }) ++manage_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) ++manage_sock_files_pattern(pdns_t, pdns_var_run_t, pdns_var_run_t) ++ ++auth_use_nsswitch(pdns_t) ++ ++logging_send_syslog_msg(pdns_t) ++ ++ ++######################################## ++# ++# pdns_control_t local policy ++# ++ ++pdns_read_config(pdns_control_t) ++stream_connect_pattern(pdns_control_t, pdns_var_run_t, pdns_var_run_t, pdns_t) ++ ++ ++######################################## ++# ++# optional policy ++# ++ ++optional_policy(` ++ mysql_read_config(pdns_t) ++ mysql_stream_connect(pdns_t) ++ tunable_policy(`pdns_can_network_connect_db',` ++ mysql_tcp_connect(pdns_t) ++ ') ++') ++ ++optional_policy(` ++ postgresql_stream_connect(pdns_t) ++ tunable_policy(`pdns_can_network_connect_db',` ++ postgresql_tcp_connect(pdns_t) ++ ') ++') diff --git a/pegasus.fc b/pegasus.fc index dfd46e4..747aa2a 100644 --- a/pegasus.fc @@ -77787,7 +77986,7 @@ index fe2adf8..f7e9c70 100644 + admin_pattern($1, qpidd_var_run_t) ') diff --git a/qpid.te b/qpid.te -index 83eb09e..9f4739c 100644 +index 83eb09e..41033de 100644 
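Review bot: The first entry in the new pdns.fc, `/usr/lib/systemd/system/pdns.*`, has an unescaped dot and an open-ended tail, so it labels every unit file whose name merely begins with "pdns" as pdns_unit_file_t. A unit belonging to a different daemon (constructed example: `pdns-recursor.service`) would then inherit this module's unit label and whatever service permissions are later granted on it. The other entries in the file already escape their dots (`/var/run/pdns\.pid`), so the unit entry should be as tight: `/usr/lib/systemd/system/pdns\.service -- gen_context(system_u:object_r:pdns_unit_file_t,s0)`. Separately, pdns.te declares pdns_unit_file_t but pdns.if exposes no interface that uses it, which is worth a short comment if intentional.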
--- a/qpid.te +++ b/qpid.te @@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t) @@ -77800,7 +77999,7 @@ index 83eb09e..9f4739c 100644 type qpidd_tmpfs_t; files_tmpfs_file(qpidd_tmpfs_t) -@@ -33,41 +36,55 @@ allow qpidd_t self:shm create_shm_perms; +@@ -33,41 +36,56 @@ allow qpidd_t self:shm create_shm_perms; allow qpidd_t self:tcp_socket { accept listen }; allow qpidd_t self:unix_stream_socket { accept listen }; @@ -77814,9 +78013,11 @@ index 83eb09e..9f4739c 100644 -manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) -manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +-files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) +manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) +manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) - files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir }) ++manage_lnk_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t) ++files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir lnk_file }) -manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) -manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t) @@ -81375,7 +81576,7 @@ index 16c8ecb..4e021ec 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd417..e331b5d 100644 +index 25cd417..edf5ca8 100644 --- a/redis.te +++ b/redis.te @@ -21,6 +21,9 @@ files_type(redis_var_lib_t) 
@@ -81388,15 +81589,18 @@ index 25cd417..e331b5d 100644 ######################################## # # Local policy -@@ -42,6 +45,7 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) +@@ -42,8 +45,10 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) +manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) kernel_read_system_state(redis_t) ++kernel_read_net_sysctls(redis_t) -@@ -60,6 +64,4 @@ dev_read_urand(redis_t) + corenet_all_recvfrom_unlabeled(redis_t) + corenet_all_recvfrom_netlabel(redis_t) +@@ -60,6 +65,4 @@ dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) 
@@ -98702,6 +98906,260 @@ index 03472ed..48b5633 100644 +optional_policy(` + cron_system_entry(squid_cron_t, squid_cron_exec_t) +') +diff --git a/sslh.fc b/sslh.fc +new file mode 100644 +index 0000000..1a217f5 +--- /dev/null ++++ b/sslh.fc +@@ -0,0 +1,9 @@ ++ ++/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0) ++/usr/sbin/sslh-select -- gen_context(system_u:object_r:sslh_exec_t,s0) ++/etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0) ++/etc/sslh(/.*)? gen_context(system_u:object_r:sslh_config_t,s0) ++/etc/sslh\.cfg -- gen_context(system_u:object_r:sslh_config_t,s0) ++/etc/sysconfig/sslh -- gen_context(system_u:object_r:sslh_config_t,s0) ++/usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0) ++/var/run/sslh.* gen_context(system_u:object_r:sslh_var_run_t,s0) +diff --git a/sslh.if b/sslh.if +new file mode 100644 +index 0000000..218360d +--- /dev/null ++++ b/sslh.if +@@ -0,0 +1,127 @@ ++## policy for sslh ++ ++######################################## ++## ++## Execute sslh in the sslh domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sslh_domtrans',` ++ gen_require(` ++ type sslh_t, sslh_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, sslh_exec_t, sslh_t) ++') ++ ++####################################### ++## ++## Execute tor server in the tor domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sslh_systemctl',` ++ gen_require(` ++ type sslh_t; ++ type sslh_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ init_reload_services($1) ++ allow $1 sslh_unit_file_t:file read_file_perms; ++ allow $1 sslh_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, sslh_t) ++') ++ ++ ++######################################## ++## ++## Permit the reading of sslh config files ++## ++## ++## ++## Domain allowed to access. 
++## ++## ++# ++interface(`sslh_read_config',` ++ gen_require(` ++ type sslh_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 sslh_config_t:dir list_dir_perms; ++ allow $1 sslh_config_t:file read_file_perms; ++ allow $1 sslh_config_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## ++## Permit the creation and writing of sslh config files ++## ++## ++## ++## Domain allowed to configure. ++## ++## ++# ++interface(`sslh_write_config',` ++ gen_require(` ++ type sslh_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 sslh_config_t:dir rw_dir_perms; ++ allow $1 sslh_config_t:file { rw_file_perms create }; ++ allow $1 sslh_config_t:lnk_file read_lnk_file_perms; ++') ++ ++ ++####################################### ++## ++## All of the rules required to ++## administrate an sslh environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`sslh_admin',` ++ gen_require(` ++ type sslh_t, sslh_config_t; ++ type sslh_var_run_t; ++ type sslh_initrc_exec_t; ++ ') ++ ++ allow $1 sslh_t:process signal_perms; ++ ++ ps_process_pattern($1, sslh_t) ++ ++ init_labeled_script_domtrans($1, sslh_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 sslh_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ admin_pattern($1, sslh_config_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, sslh_var_run_t) ++') +diff --git a/sslh.te b/sslh.te +new file mode 100644 +index 0000000..821e158 +--- /dev/null ++++ b/sslh.te +@@ -0,0 +1,100 @@ ++ ++policy_module(sslh,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

    ++## Determine whether sslh can connect ++## to any tcp port or if it is restricted ++## to the standard http, openvpn and jabber ports. ++##

    ++##
    ++gen_tunable(sslh_can_connect_any_port, false) ++ ++## ++##

    ++## Determine whether sslh can listen ++## on any tcp port or if it is restricted ++## to the standard http. ++##

    ++##
    ++gen_tunable(sslh_can_bind_any_port, false) ++ ++ ++type sslh_t; ++type sslh_exec_t; ++init_daemon_domain(sslh_t, sslh_exec_t) ++ ++type sslh_config_t; ++files_config_file(sslh_config_t) ++ ++type sslh_initrc_exec_t; ++init_script_file(sslh_initrc_exec_t) ++ ++type sslh_var_run_t; ++files_pid_file(sslh_var_run_t) ++ ++type sslh_unit_file_t; ++systemd_unit_file(sslh_unit_file_t) ++ ++######################################## ++# ++# sslh local policy ++# ++ ++read_files_pattern(sslh_t, sslh_config_t, sslh_config_t) ++ ++auth_read_passwd(sslh_t) ++miscfiles_read_localization(sslh_t) ++ ++manage_files_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t) ++ ++logging_send_syslog_msg(sslh_t); ++ ++allow sslh_t self:capability { setuid setgid }; ++allow sslh_t self:process { setcap getcap signal }; ++ ++allow sslh_t self:tcp_socket create_stream_socket_perms; ++ ++sysnet_dns_name_resolve(sslh_t) ++ ++corenet_all_recvfrom_unlabeled(sslh_t) ++corenet_all_recvfrom_netlabel(sslh_t) ++corenet_tcp_sendrecv_generic_if(sslh_t) ++corenet_udp_sendrecv_generic_if(sslh_t) ++corenet_tcp_sendrecv_generic_node(sslh_t) ++corenet_udp_sendrecv_generic_node(sslh_t) ++corenet_tcp_bind_generic_node(sslh_t) ++corenet_udp_bind_generic_node(sslh_t) ++ ++corenet_tcp_bind_http_port(sslh_t) ++ ++corenet_tcp_sendrecv_http_port(sslh_t) ++corenet_tcp_connect_http_port(sslh_t) ++ ++corenet_tcp_connect_ssh_port(sslh_t) ++corenet_tcp_sendrecv_ssh_port(sslh_t) ++ ++corenet_tcp_connect_openvpn_port(sslh_t) ++corenet_tcp_sendrecv_openvpn_port(sslh_t) ++ ++corenet_tcp_connect_jabber_client_port(sslh_t) ++corenet_tcp_sendrecv_jabber_client_port(sslh_t) ++ ++ ++tunable_policy(`sslh_can_connect_any_port',` ++ # allow sslh to connect to any port ++ corenet_tcp_sendrecv_all_ports(sslh_t) ++ corenet_tcp_connect_all_ports(sslh_t) ++') ++ ++tunable_policy(`sslh_can_bind_any_port',` ++ # allow sslh to bind to any port ++ corenet_tcp_sendrecv_all_ports(sslh_t) ++ corenet_tcp_bind_all_ports(sslh_t) ++') ++ 
diff --git a/sssd.fc b/sssd.fc index dbb005a..835122a 100644 --- a/sssd.fc @@ -107472,7 +107930,7 @@ index facdee8..a6dcaaa 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..fffd1f5 100644 +index f03dcf5..36afdd2 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -108562,7 +109020,7 @@ index f03dcf5..fffd1f5 100644 -can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -108723,7 +109181,7 @@ index f03dcf5..fffd1f5 100644 +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; - ++ +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) @@ -108805,10 +109263,10 @@ index f03dcf5..fffd1f5 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) -+ -+auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) ++auth_read_passwd(virsh_t) ++ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -109199,20 +109657,20 @@ index f03dcf5..fffd1f5 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) ++ ++optional_policy(` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) ++ gear_read_pid_files(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ gear_read_pid_files(svirt_sandbox_domain) -+') -+ -+optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + 
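Review bot: In the new sslh.te, sslh_t gets `manage_files_pattern(sslh_t, sslh_var_run_t, sslh_var_run_t)` but no type transition for files it creates under the pid directory. Unless the runtime directory is pre-created with the right label, a pid file written by the daemon would take the parent's type and the create would be denied. pdns.te in this same commit does include the transition, so adding `files_pid_filetrans(sslh_t, sslh_var_run_t, file)` after the manage rule would keep the two modules consistent. In sslh.if, the summary of `sslh_systemctl` still reads "Execute tor server in the tor domain." and should describe sslh. `logging_send_syslog_msg(sslh_t);` carries a stray trailing semicolon, and the `sslh_can_connect_any_port` description omits the ssh port that the policy allows unconditionally.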
@@ -109402,10 +109860,10 @@ index f03dcf5..fffd1f5 100644 +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) ++ ++files_read_kernel_modules(svirt_qemu_net_t) -allow svirt_prot_exec_t self:process { execmem execstack }; -+files_read_kernel_modules(svirt_qemu_net_t) -+ +fs_noxattr_type(svirt_sandbox_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) @@ -109465,7 +109923,7 @@ index f03dcf5..fffd1f5 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1534,240 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1534,242 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -109534,6 +109992,8 @@ index f03dcf5..fffd1f5 100644 + +userdom_use_user_ptys(virt_qemu_ga_t) + ++usermanage_domtrans_passwd(virt_qemu_ga_t) ++ +tunable_policy(`virt_read_qemu_ga_data',` + read_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) + read_lnk_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index fc7b9a9..282591a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 138%{?dist} +Release: 139%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
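Review bot: The added `usermanage_domtrans_passwd(virt_qemu_ga_t)` (virt.te hunk at -109534) is granted unconditionally and outside `optional_policy`, whereas the rule directly below it is gated by the `virt_read_qemu_ga_data` tunable and the `apache_*` and `gear_*` calls elsewhere in this patch are wrapped. The guest agent acts on requests that arrive from outside the guest, so a transition into passwd_t widens what that channel can reach and should be an explicit, documented choice. Presumably it backs the agent's password-setting command, together with the `/usr/sbin/chpasswd` relabel listed in the changelog. I would wrap the call as `optional_policy(` … `')` and add a comment above it such as `# qemu-ga sets guest account passwords via passwd/chpasswd; transition to passwd_t rather than granting shadow access to virt_qemu_ga_t`. The virt_qemu_ga_t policy block starts and ends outside this hunk, so whether a narrower rule or an existing boolean already covers this cannot be seen from here.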
@@ -647,6 +647,44 @@ exit 0 %endif %changelog +* Tue Aug 04 2015 Lukas Vrabec 3.13.1-139 +- Add header for sslh.if file +- Fix sslh_admin() interface +- Clean up sslh.if +- Fix typo in pdns.if +- Allow qpid to create lnk_files in qpid_var_lib_t. +- Allow httpd_suexec_t to read and write Apache stream sockets +- Merge pull request #21 from hogarthj/rawhide-contrib +- Allow virt_qemu_ga_t domtrans to passwd_t. +- use read and manage files_patterns and the description for the admin interface +- Merge pull request #17 from rubenk/pdns-policy +- Allow redis to read kernel parameters. +- Label /etc/rt dir as httpd_sys_rw_content_t BZ(#1185500) +- Allow hostapd to manage sock file in /va/run/hostapd Add fsetid cap. for hostapd Add net_raw cap. for hostpad BZ(#1237343) +- Allow bumblebee to seng kill signal to xserver +- glusterd call pcs utility which calls find for cib.* files and runs pstree under glusterd. Dontaudit access to security files and update gluster boolean to reflect these changes. +- Allow drbd to get attributes from filesystems. +- Allow drbd to read configuration options used when loading modules. +- fix the description for the write config files, add systemd administration support and fix a missing gen_require in the admin interface +- Added Booleans: pcp_read_generic_logs. +- Allow pcp_pmcd daemon to read postfix config files. Allow pcp_pmcd daemon to search postfix spool dirs. +- Allow glusterd to communicate with cluster domains over stream socket. +- fix copy paste error with writing the admin interface +- fix up the regex in sslh.fc, add sslh_admin() interface +- adding selinux policy files for sslh +- Remove diplicate sftpd_write_ssh_home boolean rule. +- Revert "Allow smbd_t and nmbd_t to manage winbind_var_run_t files/socktes/dirs." +- gnome_dontaudit_search_config() needs to be a part of optinal_policy in pegasus.te +- Allow glusterd to manage nfsd and rpcd services. +- Add kdbus.pp policy to allow access /sys/fs/kdbus. 
It needs to go with own module because this is workaround for now to avoid SELinux in enforcing mode. +- kdbusfs should not be accessible for now by default for shipped policies. It should be moved to kdbus.pp +- kdbusfs should not be accessible for now. +- Add support for /sys/fs/kdbus and allow login_pgm domain to access it. +- Allow sysadm to administrate ldap environment and allow to bind ldap port to allow to setup an LDAP server (389ds). +- Label /usr/sbin/chpasswd as passwd_exec_t. +- Allow audisp_remote_t to read/write user domain pty. +- Allow audisp_remote_t to start power unit files domain to allow halt system. + * Mon Jul 20 2015 Lukas Vrabec 3.13.1-138 - Add fixes for selinux-policy packages to reflect the latest changes related to policy module store migration. - Prepare selinux-policy package for SELinux store migration