From f4f51d7574df27bace736a0bfd1ea42e12a35873 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Apr 05 2013 15:34:40 +0000
Subject: * Fri Apr 5 2013 Miroslav Grepl 3.12.1-26
- Try to label on controlC devices up to 30 correctly
- Add mount_rw_pid_files() interface
- Add additional mount/umount interfaces needed by mock
- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
- Fix tabs
- Allow initrc_domain to search rgmanager lib files
- Add more fixes which make mock working together with confined users
* Allow mock_t to manage rpm files
* Allow mock_t to read rpm log files
* Allow mock to setattr on tmpfs, devpts
* Allow mount/umount filesystems
- Add rpm_read_log() interface
- yum-cron runs rpm from within it.
- Allow tuned to transition to dmidecode
- Allow firewalld to do net_admin
- Allow mock to unmount tmpfs_t
- Fix virt_sigkill() interface
- Add additional fixes for mock. Mainly caused by mount running in mock_t
- Allow mock to write sysfs_t and mount pid files
- Add mailman_domain to mailman_template()
- Allow openvswitch to execute shell
- Allow qpidd to use kerberos
- Allow mailman to use fusefs, needs back port to RHEL6
- Allow apache and its scripts to use anon_inodefs
- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
- Realmd needs to connect to samba ports, needs back port to F18 also
- Allow colord to read /run/initial-setup-
- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
- Add virt_kill() interface
- Add rgmanager_search_lib() interface
- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
---
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 0b14445..45f92f2 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5515,7 +5515,7 @@ index b31c054..3a628fe 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..f7e9534 100644
+index 76f285e..059e984 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6306,7 +6306,7 @@ index 76f285e..f7e9534 100644
')
########################################
-@@ -3855,6 +4185,42 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -6346,10 +6346,46 @@ index 76f285e..f7e9534 100644
+
+########################################
+##
++## Mount sysfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_mount_sysfs_fs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:filesystem mount;
++')
++
++########################################
++##
++## Unmount sysfs filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_unmount_sysfs_fs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ allow $1 sysfs_t:filesystem unmount;
++')
++
++########################################
++##
## Search the sysfs directories.
##
##
-@@ -3904,6 +4270,7 @@ interface(`dev_list_sysfs',`
+@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',`
type sysfs_t;
')
@@ -6357,7 +6393,7 @@ index 76f285e..f7e9534 100644
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
-@@ -3946,23 +4313,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
##
@@ -6378,7 +6414,7 @@ index 76f285e..f7e9534 100644
#
-interface(`dev_manage_sysfs_dirs',`
+interface(`dev_read_cpu_online',`
-+ gen_require(`
+ gen_require(`
+ type cpu_online_t;
+ ')
+
@@ -6397,7 +6433,7 @@ index 76f285e..f7e9534 100644
+##
+#
+interface(`dev_relabel_cpu_online',`
- gen_require(`
++ gen_require(`
+ type cpu_online_t;
type sysfs_t;
')
@@ -6411,7 +6447,7 @@ index 76f285e..f7e9534 100644
########################################
##
## Read hardware state information.
-@@ -4016,6 +4409,62 @@ interface(`dev_rw_sysfs',`
+@@ -4016,6 +4445,62 @@ interface(`dev_rw_sysfs',`
########################################
##
@@ -6474,7 +6510,7 @@ index 76f285e..f7e9534 100644
## Read and write the TPM device.
##
##
-@@ -4113,6 +4562,25 @@ interface(`dev_write_urand',`
+@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -6500,7 +6536,7 @@ index 76f285e..f7e9534 100644
## Getattr generic the USB devices.
##
##
-@@ -4557,6 +5025,24 @@ interface(`dev_rw_vhost',`
+@@ -4557,6 +5061,24 @@ interface(`dev_rw_vhost',`
########################################
##
@@ -6525,7 +6561,7 @@ index 76f285e..f7e9534 100644
## Read and write VMWare devices.
##
##
-@@ -4762,6 +5248,26 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5284,26 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -6552,7 +6588,7 @@ index 76f285e..f7e9534 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5357,917 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5393,937 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -7386,6 +7422,26 @@ index 76f285e..f7e9534 100644
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
@@ -15293,7 +15349,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..31a14c8 100644
+index 649e458..cc924ae 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -15305,7 +15361,32 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
+
+ ########################################
+ ##
++## Mount the proc filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mount_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ allow $1 proc_t:filesystem mount;
++')
++
++########################################
++##
+ ## Unmount the proc filesystem.
+ ##
+ ##
+@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
########################################
##
@@ -15330,7 +15411,7 @@ index 649e458..31a14c8 100644
## Get the attributes of the proc filesystem.
##
##
-@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
#
interface(`kernel_read_system_state',`
gen_require(`
@@ -15346,7 +15427,7 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
@@ -15371,7 +15452,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -15380,7 +15461,7 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -15406,7 +15487,7 @@ index 649e458..31a14c8 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -15415,7 +15496,7 @@ index 649e458..31a14c8 100644
##
##
#
-@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -15440,7 +15521,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -15465,7 +15546,7 @@ index 649e458..31a14c8 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -15474,7 +15555,7 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -15499,7 +15580,7 @@ index 649e458..31a14c8 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -15525,7 +15606,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -15559,7 +15640,7 @@ index 649e458..31a14c8 100644
########################################
##
-@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -15584,7 +15665,7 @@ index 649e458..31a14c8 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -17164,7 +17245,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..8b0e5e6 100644
+index 771bce1..55ebf4b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -17226,7 +17307,50 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -481,6 +504,24 @@ interface(`term_list_ptys',`
+@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
+
+ ########################################
+ ##
++## Mount a pty filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_mount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem mount;
++')
++
++########################################
++##
++## Unmount a pty filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_unmount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem unmount;
++')
++
++########################################
++##
+ ## Relabel from and to pty filesystem.
+ ##
+ ##
+@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
########################################
##
@@ -17251,7 +17375,7 @@ index 771bce1..8b0e5e6 100644
## Do not audit attempts to read the
## /dev/pts directory.
##
-@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',`
+@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
########################################
##
@@ -17260,7 +17384,7 @@ index 771bce1..8b0e5e6 100644
## write the generic pty type. This is
## generally only used in the targeted policy.
##
-@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
@@ -17268,7 +17392,7 @@ index 771bce1..8b0e5e6 100644
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
-@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
########################################
##
@@ -17295,7 +17419,7 @@ index 771bce1..8b0e5e6 100644
## Do not audit attempts to read or write any ptys.
##
##
-@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -17304,7 +17428,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
')
dev_list_all_dev_nodes($1)
@@ -17313,7 +17437,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
##
##
##
@@ -17322,7 +17446,7 @@ index 771bce1..8b0e5e6 100644
##
##
#
-@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -17371,7 +17495,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -17385,7 +17509,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -17398,7 +17522,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -17427,7 +17551,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -17436,7 +17560,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
##
##
##
@@ -17445,7 +17569,7 @@ index 771bce1..8b0e5e6 100644
##
##
#
-@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -26328,7 +26452,7 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..4ea7640 100644
+index 6c4b6ee..f512b72 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -26357,7 +26481,15 @@ index 6c4b6ee..4ea7640 100644
# log files
allow fsadm_t fsadm_log_t:dir setattr;
-@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
+@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+ # Enable swapping to files
+ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+
++kernel_get_sysvipc_info(fsadm_t)
+ kernel_read_system_state(fsadm_t)
+ kernel_read_kernel_sysctls(fsadm_t)
+ kernel_request_load_module(fsadm_t)
+@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
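Review bot: `kernel_get_sysvipc_info(fsadm_t)` is added without a comment naming the tool that needs it, and the same applies to `logging_send_audit_msgs(fsadm_t)` in the hunk that ends at `logging_stream_connect_syslog(fsadm_t)`; the commit message ties both to livecd-iso-to-disk, which is worth recording in the file because fsadm_t is shared by every filesystem tool. Of the two, the audit interface is the one an auditor will ask about: in refpolicy it carries, as far as I recall, the `audit_write` capability and netlink_audit_socket access, so the domain can emit its own audit records. A one-line comment above each, e.g. `# livecd-iso-to-disk runs in fsadm_t and needs sysvipc info / audit messages`, would keep the grant traceable when the changelog is long gone.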
@@ -26366,7 +26498,7 @@ index 6c4b6ee..4ea7640 100644
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -26376,7 +26508,7 @@ index 6c4b6ee..4ea7640 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -26394,6 +26526,7 @@ index 6c4b6ee..4ea7640 100644
+init_stream_connect(fsadm_t)
logging_send_syslog_msg(fsadm_t)
++logging_send_audit_msgs(fsadm_t)
+logging_stream_connect_syslog(fsadm_t)
-miscfiles_read_localization(fsadm_t)
@@ -26405,7 +26538,7 @@ index 6c4b6ee..4ea7640 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +185,11 @@ optional_policy(`
+@@ -166,6 +187,11 @@ optional_policy(`
')
optional_policy(`
@@ -26417,7 +26550,7 @@ index 6c4b6ee..4ea7640 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -179,6 +203,10 @@ optional_policy(`
+@@ -179,6 +205,10 @@ optional_policy(`
')
optional_policy(`
@@ -26428,7 +26561,7 @@ index 6c4b6ee..4ea7640 100644
nis_use_ypbind(fsadm_t)
')
-@@ -192,6 +220,10 @@ optional_policy(`
+@@ -192,6 +222,10 @@ optional_policy(`
')
optional_policy(`
@@ -27940,7 +28073,7 @@ index 24e7804..1894886 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..99c538c 100644
+index dd3be8d..61531ce 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -28206,15 +28339,14 @@ index dd3be8d..99c538c 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@@ -28338,28 +28470,29 @@ index dd3be8d..99c538c 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_use(init_t)
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
-
- optional_policy(`
-- nscd_use(init_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
@@ -29002,7 +29135,7 @@ index dd3be8d..99c538c 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1353,187 @@ optional_policy(`
+@@ -896,3 +1353,191 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29184,11 +29317,15 @@ index dd3be8d..99c538c 100644
+allow initrc_domain systemprocess_entry:file { getattr open read execute };
+allow initrc_domain systemprocess:process transition;
+
++optional_policy(`
++ rgmanager_search_lib(initrc_domain)
++')
++
+ifdef(`direct_sysadm_daemon',`
-+ allow daemon direct_run_init:fd use;
-+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
-+ allow daemon direct_run_init:process sigchld;
-+ allow direct_run_init direct_init_entry:file { getattr open read execute };
++ allow daemon direct_run_init:fd use;
++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
++ allow daemon direct_run_init:process sigchld;
++ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..626a689 100644
@@ -32614,7 +32751,7 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..0755e25 100644
+index 4584457..e432df3 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -32631,7 +32768,7 @@ index 4584457..0755e25 100644
')
########################################
-@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
+@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
#
interface(`mount_run',`
gen_require(`
@@ -32719,6 +32856,25 @@ index 4584457..0755e25 100644
+
+########################################
+##
++## Read/write mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_rw_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
++ files_search_pids($1)
++')
++
++########################################
++##
+## Manage mount PID files.
+##
+##
@@ -32737,7 +32893,7 @@ index 4584457..0755e25 100644
')
########################################
-@@ -91,7 +190,7 @@ interface(`mount_signal',`
+@@ -91,7 +209,7 @@ interface(`mount_signal',`
##
##
##
@@ -32746,7 +32902,7 @@ index 4584457..0755e25 100644
##
##
#
-@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
########################################
##
@@ -32806,14 +32962,19 @@ index 4584457..0755e25 100644
##
-## Role allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`mount_run_unconfined',`
+interface(`mount_exec_fusermount',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_mount_t;
+ type fusermount_exec_t;
-+ ')
-+
+ ')
+
+- mount_domtrans_unconfined($1)
+- role $2 types unconfined_mount_t;
+ can_exec($1, fusermount_exec_t)
+')
+
@@ -32824,19 +32985,14 @@ index 4584457..0755e25 100644
+##
+##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`mount_run_unconfined',`
++##
++##
++#
+interface(`mount_dontaudit_exec_fusermount',`
- gen_require(`
-- type unconfined_mount_t;
++ gen_require(`
+ type fusermount_exec_t;
- ')
-
-- mount_domtrans_unconfined($1)
-- role $2 types unconfined_mount_t;
++ ')
++
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
+
@@ -32902,7 +33058,7 @@ index 4584457..0755e25 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..2fc14cd 100644
+index 6a50270..b34911e 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -33003,7 +33159,7 @@ index 6a50270..2fc14cd 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -33019,6 +33175,7 @@ index 6a50270..2fc14cd 100644
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
++dev_rw_loop_control(mount_t)
+
+ifdef(`hide_broken_symptoms',`
+ dev_rw_generic_blk_files(mount_t)
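Review bot: `dev_rw_loop_control(mount_t)` is added without the why-comment that the surrounding rules in this file carry (`# To load binfmt_misc kernel module`, `# required for mount.smbfs`). Presumably this is for loop mounts, where mount(8) needs /dev/loop-control to allocate a loop device — confirm against the denial and record it, e.g. `# /dev/loop-control for mount -o loop`. The `ifdef(`hide_broken_symptoms'` block that follows continues outside the hunk.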
@@ -33053,7 +33210,7 @@ index 6a50270..2fc14cd 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +148,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -33099,7 +33256,7 @@ index 6a50270..2fc14cd 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -33123,7 +33280,7 @@ index 6a50270..2fc14cd 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -33163,7 +33320,7 @@ index 6a50270..2fc14cd 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +251,8 @@ optional_policy(`
+@@ -179,6 +252,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -33172,7 +33329,7 @@ index 6a50270..2fc14cd 100644
')
optional_policy(`
-@@ -186,6 +260,36 @@ optional_policy(`
+@@ -186,6 +261,36 @@ optional_policy(`
')
optional_policy(`
@@ -33209,7 +33366,7 @@ index 6a50270..2fc14cd 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +298,128 @@ optional_policy(`
+@@ -194,24 +299,128 @@ optional_policy(`
')
optional_policy(`
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ab50247..43bfddb 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -4367,7 +4367,7 @@ index 83e899c..e3bed6a 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..c388418 100644
+index 1a82e29..5e167ca 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,353 @@
@@ -5105,7 +5105,7 @@ index 1a82e29..c388418 100644
-fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
-+fs_read_anon_inodefs_files(httpd_t)
++fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
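Review bot: `fs_rw_anon_inodefs_files(httpd_t)` replaces the previous read-only `fs_read_anon_inodefs_files(httpd_t)` without a comment saying which operation needed the write side; the same widening is applied to the script domain in the hunk adding `++fs_rw_anon_inodefs_files(httpd_sys_script_t)`. anon_inodefs generally backs per-process descriptors such as eventfd and epoll, so write is usually legitimate, but a one-line comment like `# eventfd/epoll descriptors are anon_inodefs files` would spare the next reader from re-deriving that, especially for httpd_sys_script_t, which runs untrusted CGI content.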
@@ -5728,10 +5728,11 @@ index 1a82e29..c388418 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -5790,11 +5791,10 @@ index 1a82e29..c388418 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6006,7 +6006,7 @@ index 1a82e29..c388418 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1270,103 @@ optional_policy(`
+@@ -1077,172 +1270,104 @@ optional_policy(`
')
')
@@ -6031,11 +6031,11 @@ index 1a82e29..c388418 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
--
++allow httpd_sys_script_t self:process getsched;
+
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6145,6 +6145,7 @@ index 1a82e29..c388418 100644
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
++fs_rw_anon_inodefs_files(httpd_sys_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
@@ -6172,7 +6173,8 @@ index 1a82e29..c388418 100644
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -6202,8 +6204,7 @@ index 1a82e29..c388418 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6241,7 +6242,7 @@ index 1a82e29..c388418 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1374,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1375,70 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6335,7 +6336,7 @@ index 1a82e29..c388418 100644
########################################
#
-@@ -1315,8 +1445,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1446,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6352,7 +6353,7 @@ index 1a82e29..c388418 100644
')
########################################
-@@ -1324,49 +1461,36 @@ optional_policy(`
+@@ -1324,49 +1462,36 @@ optional_policy(`
# User content local policy
#
@@ -6416,7 +6417,7 @@ index 1a82e29..c388418 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1500,94 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -11806,7 +11807,7 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 09f18e2..e891ec4 100644
+index 09f18e2..f0cade4 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -11907,7 +11908,7 @@ index 09f18e2..e891ec4 100644
')
optional_policy(`
-@@ -133,3 +142,14 @@ optional_policy(`
+@@ -133,3 +142,16 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
')
@@ -11917,6 +11918,8 @@ index 09f18e2..e891ec4 100644
+ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
++ # allow to read /run/initial-setup-$username
++ xserver_read_xdm_pid(colord_t)
+')
+
+optional_policy(`
@@ -19337,10 +19340,10 @@ index 0000000..332a1c9
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..ab083cf
+index 0000000..35455bf
--- /dev/null
+++ b/dirsrv-admin.te
-@@ -0,0 +1,144 @@
+@@ -0,0 +1,156 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -19373,6 +19376,7 @@ index 0000000..ab083cf
+#
+# Local policy for the daemon
+#
++
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
@@ -19394,7 +19398,6 @@ index 0000000..ab083cf
+
+logging_search_logs(dirsrvadmin_t)
+
-+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
@@ -19415,7 +19418,7 @@ index 0000000..ab083cf
+ apache_content_template(dirsrvadmin)
+
+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
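Review bot: The capability set of httpd_dirsrvadmin_script_t grows by `fowner fsetid` on the new side of the allow line, with nothing recording which operation needed them. fsetid lets a process keep setuid/setgid bits on a file it writes or chmods without owning it, and fowner bypasses the ownership check on chmod/chown/utime, so together they are a meaningful widening for an apache CGI domain. A one-line comment above the rule naming the operation, e.g. `# fowner/fsetid: needed by <admin script> for <operation> — TODO record the denial`, would let a later maintainer verify whether both are still required. The enclosing optional_policy block starts before the hunk.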
@@ -19428,7 +19431,12 @@ index 0000000..ab083cf
+
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
++
++ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
++ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++
++ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
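Review bot: `corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)` lets an apache CGI script domain bind the HTTP port itself rather than only connect to it, which is unusual for a script domain and is not explained in the hunk. If the admin CGI really starts a listener of its own, a comment saying so, e.g. `# admin CGI starts its own httpd instance on the http port`, should sit above the rule; otherwise the connect rules below are all that is needed. In the same run `corenet_udp_bind_generic_node` is added without any matching corenet_udp_bind_*_port line, so either the UDP bind is never exercised or the port rule the AVC asked for is missing; I could not tell which from the hunk. The enclosing optional_policy block starts before the hunk.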
@@ -19442,6 +19450,13 @@ index 0000000..ab083cf
+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ optional_policy(`
++ apache_read_modules(httpd_dirsrvadmin_script_t)
++ apache_read_config(httpd_dirsrvadmin_script_t)
++ apache_signal(httpd_dirsrvadmin_script_t)
++ apache_signull(httpd_dirsrvadmin_script_t)
++ ')
++
++ optional_policy(`
+ # The CGI scripts must be able to manage dirsrv-admin
+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
@@ -22582,7 +22597,7 @@ index 5cf6ac6..839999e 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..d84522b 100644
+index c8014f8..64e18e1 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -22603,7 +22618,7 @@ index c8014f8..d84522b 100644
# Local policy
#
-
-+allow firewalld_t self:capability dac_override;
++allow firewalld_t self:capability { dac_override net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
@@ -23562,7 +23577,7 @@ index 1e29af1..a1c464e 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 93b0301..8561970 100644
+index 93b0301..9108ddc 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -23580,6 +23595,19 @@ index 93b0301..8561970 100644
## Determine whether Git system daemon
## can search home directories.
##
+@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
+ userdom_user_application_domain(git_session_t, gitd_exec_t)
+ role git_session_roles types git_session_t;
+
+-type git_sys_content_t;
++type git_sys_content_t alias git_system_content_t;
+ files_type(git_sys_content_t)
+
+-type git_user_content_t;
++type git_user_content_t alias git_session_content_t;
+ userdom_user_home_content(git_user_content_t)
+
+ ########################################
@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@@ -33597,10 +33625,10 @@ index b9270f7..15f3748 100644
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
diff --git a/mailman.if b/mailman.if
-index 108c0f1..d28241c 100644
+index 108c0f1..a248501 100644
--- a/mailman.if
+++ b/mailman.if
-@@ -1,44 +1,66 @@
+@@ -1,44 +1,70 @@
-## Manage electronic mail discussion and e-newsletter lists.
+## Mailman is for managing electronic mail discussion and e-newsletter lists
@@ -33638,8 +33666,13 @@ index 108c0f1..d28241c 100644
+ # Declarations
+ #
- type mailman_$1_t;
+- type mailman_$1_t;
- type mailman_$1_exec_t;
++ gen_require(`
++ attribute mailman_domain;
++ ')
++
++ type mailman_$1_t, mailman_domain;
domain_type(mailman_$1_t)
+ type mailman_$1_exec_t;
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
@@ -33684,7 +33717,7 @@ index 108c0f1..d28241c 100644
')
#######################################
-@@ -56,15 +78,12 @@ interface(`mailman_domtrans',`
+@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
type mailman_mail_exec_t, mailman_mail_t;
')
@@ -33701,7 +33734,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -73,18 +92,18 @@ interface(`mailman_domtrans',`
+@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
##
##
##
@@ -33723,7 +33756,7 @@ index 108c0f1..d28241c 100644
')
#######################################
-@@ -103,7 +122,6 @@ interface(`mailman_domtrans_cgi',`
+@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
type mailman_cgi_exec_t, mailman_cgi_t;
')
@@ -33731,7 +33764,7 @@ index 108c0f1..d28241c 100644
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
')
-@@ -122,13 +140,12 @@ interface(`mailman_exec',`
+@@ -122,13 +144,12 @@ interface(`mailman_exec',`
type mailman_mail_exec_t;
')
@@ -33746,7 +33779,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -146,7 +163,7 @@ interface(`mailman_signal_cgi',`
+@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
#######################################
##
@@ -33755,7 +33788,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -159,13 +176,12 @@ interface(`mailman_search_data',`
+@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
type mailman_data_t;
')
@@ -33770,7 +33803,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -178,7 +194,6 @@ interface(`mailman_read_data_files',`
+@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
type mailman_data_t;
')
@@ -33778,7 +33811,7 @@ index 108c0f1..d28241c 100644
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
-@@ -186,8 +201,8 @@ interface(`mailman_read_data_files',`
+@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
#######################################
##
@@ -33789,7 +33822,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -200,14 +215,13 @@ interface(`mailman_manage_data_files',`
+@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
type mailman_data_t;
')
@@ -33805,7 +33838,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -220,13 +234,12 @@ interface(`mailman_list_data',`
+@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
type mailman_data_t;
')
@@ -33820,7 +33853,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -244,7 +257,7 @@ interface(`mailman_read_data_symlinks',`
+@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
#######################################
##
@@ -33829,7 +33862,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -257,13 +270,12 @@ interface(`mailman_read_log',`
+@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
type mailman_log_t;
')
@@ -33844,7 +33877,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -276,14 +288,13 @@ interface(`mailman_append_log',`
+@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
type mailman_log_t;
')
@@ -33860,7 +33893,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -296,14 +307,13 @@ interface(`mailman_manage_log',`
+@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
type mailman_log_t;
')
@@ -33876,7 +33909,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -316,7 +326,6 @@ interface(`mailman_read_archive',`
+@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
type mailman_archive_t;
')
@@ -33884,7 +33917,7 @@ index 108c0f1..d28241c 100644
allow $1 mailman_archive_t:dir list_dir_perms;
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
-@@ -324,8 +333,7 @@ interface(`mailman_read_archive',`
+@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
#######################################
##
@@ -33894,7 +33927,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -338,6 +346,5 @@ interface(`mailman_domtrans_queue',`
+@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
type mailman_queue_exec_t, mailman_queue_t;
')
@@ -33902,10 +33935,23 @@ index 108c0f1..d28241c 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index 8eaf51b..5e9f5bb 100644
+index 8eaf51b..16086a5 100644
--- a/mailman.te
+++ b/mailman.te
-@@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
+ #
+ # Declarations
+ #
++##
++##
++## Allow mailman to access FUSE file systems
++##
++##
++gen_tunable(mailman_use_fusefs, false)
+
+ attribute mailman_domain;
+
+@@ -56,10 +62,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
logging_log_filetrans(mailman_domain, mailman_log_t, file)
kernel_read_kernel_sysctls(mailman_domain)
@@ -33916,7 +33962,7 @@ index 8eaf51b..5e9f5bb 100644
corenet_tcp_sendrecv_generic_if(mailman_domain)
corenet_tcp_sendrecv_generic_node(mailman_domain)
-@@ -82,10 +79,6 @@ fs_getattr_all_fs(mailman_domain)
+@@ -82,10 +85,6 @@ fs_getattr_all_fs(mailman_domain)
libs_exec_ld_so(mailman_domain)
libs_exec_lib_files(mailman_domain)
@@ -33927,7 +33973,7 @@ index 8eaf51b..5e9f5bb 100644
########################################
#
# CGI local policy
-@@ -115,8 +108,9 @@ optional_policy(`
+@@ -115,8 +114,9 @@ optional_policy(`
# Mail local policy
#
@@ -33939,7 +33985,7 @@ index 8eaf51b..5e9f5bb 100644
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-@@ -127,8 +121,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
+@@ -127,8 +127,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
@@ -33949,7 +33995,7 @@ index 8eaf51b..5e9f5bb 100644
dev_read_urand(mailman_mail_t)
-@@ -142,6 +136,10 @@ optional_policy(`
+@@ -142,6 +142,10 @@ optional_policy(`
')
optional_policy(`
@@ -33960,6 +34006,16 @@ index 8eaf51b..5e9f5bb 100644
cron_read_pipes(mailman_mail_t)
')
+@@ -182,3 +186,9 @@ optional_policy(`
+ optional_policy(`
+ su_exec(mailman_queue_t)
+ ')
++
++tunable_policy(`mailman_use_fusefs',`
++ fs_manage_fusefs_dirs(mailman_domain)
++ fs_manage_fusefs_files(mailman_domain)
++ fs_manage_fusefs_symlinks(mailman_domain)
++')
diff --git a/mailscanner.if b/mailscanner.if
index 0293f34..bd1d48e 100644
--- a/mailscanner.if
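Review bot: The new tunable_policy block for mailman_use_fusefs grants fs_manage_fusefs_dirs/files/symlinks to every domain carrying mailman_domain, so the CGI and mail-delivery domains get create and delete on FUSE mounts as well as the queue runner. If the use case is a mailman data or archive tree on a FUSE filesystem, saying so in the tunable's description (the `## Allow mailman to access FUSE file systems` text in the earlier hunk of this file) and considering read-only rules for the CGI domain would keep the boolean's effect predictable. The default of false in that earlier hunk is the right one for a rule this broad.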
@@ -35673,10 +35729,10 @@ index 0000000..1446e6a
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..d27f8f3
+index 0000000..67b8b3d
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,264 @@
+policy_module(mock,1.0.0)
+
+##
@@ -35729,6 +35785,8 @@ index 0000000..d27f8f3
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
++allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
++
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
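Review bot: The new `allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };` includes noatsecure, which clears AT_SECURE on the transition into mock_build_t, so the child keeps mock_t's environment without the secure-exec scrubbing libc applies (LD_PRELOAD-style variables are honoured). The commit message says mock_t is now reachable from confined users, so that inheritance deserves a comment naming why the build domain needs it; if only signal and rlimit inheritance were required, `{ siginh rlimitinh }` keeps the scrub. mock_t's local policy section starts before the hunk.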
@@ -35752,7 +35810,6 @@ index 0000000..d27f8f3
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_t mock_var_lib_t:file relabel_file_perms;
+
-+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_network_state(mock_t)
@@ -35760,6 +35817,13 @@ index 0000000..d27f8f3
+kernel_request_load_module(mock_t)
+kernel_dontaudit_setattr_proc_dirs(mock_t)
+kernel_read_fs_sysctls(mock_t)
++# we run mount in mock_t
++kernel_mount_proc(mock_t)
++kernel_unmount_proc(mock_t)
++
++fs_mount_tmpfs(mock_t)
++fs_unmount_tmpfs(mock_t)
++fs_unmount_xattr_fs(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
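Review bot: `fs_unmount_xattr_fs(mock_t)` reaches beyond the proc and tmpfs mounts that the surrounding added lines grant: it permits unmounting any xattr-labelled filesystem, i.e. the host's main filesystems, from a domain the commit message says confined users can enter. The comment `# we run mount in mock_t` explains the approach, and the hunk at `mount_exec(mock_t)` further down shows mount runs without a transition to mount_t, so every mount/umount privilege accumulates on mock_t. A comment listing the mount points the chroot setup performs (proc, sysfs, devpts and tmpfs appear to be the ones granted across these hunks) would let a reviewer judge whether the xattr-fs unmount is needed at all; I could not confirm from the hunk which filesystem the umount denial was on.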
@@ -35771,23 +35835,28 @@ index 0000000..d27f8f3
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
+
+dev_read_urand(mock_t)
-+dev_read_sysfs(mock_t)
++dev_rw_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
++dev_mount_sysfs_fs(mock_t)
++dev_unmount_sysfs_fs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_runtime_files(mock_t)
+files_dontaudit_list_boot(mock_t)
++files_list_isid_type_dirs(mock_t)
+
+fs_getattr_all_fs(mock_t)
-+fs_search_all(mock_t)
+fs_manage_cgroup_dirs(mock_t)
-+files_list_isid_type_dirs(mock_t)
++fs_search_all(mock_t)
++fs_setattr_tmpfs_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+term_search_ptys(mock_t)
++term_mount_pty_fs(mock_t)
++term_unmount_pty_fs(mock_t)
+
+auth_use_nsswitch(mock_t)
+
@@ -35827,17 +35896,23 @@ index 0000000..d27f8f3
+')
+
+optional_policy(`
-+ rpm_exec(mock_t)
++ apache_read_sys_content_rw_files(mock_t)
+')
+
+optional_policy(`
-+ mount_exec(mock_t)
++ rpm_exec(mock_t)
++ rpm_manage_cache(mock_t)
++ rpm_manage_db(mock_t)
++ rpm_manage_tmp_files(mock_t)
++ rpm_read_log(mock_t)
+')
+
+optional_policy(`
-+ apache_read_sys_content_rw_files(mock_t)
++ mount_exec(mock_t)
++ mount_rw_pid_files(mock_t)
+')
+
++
+########################################
+#
+# mock_build local policy
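Review bot: `rpm_manage_db(mock_t)` grants create, write and delete on rpm_var_lib_t, which is the label of the host's RPM database, not only of the database inside the build chroot. If mock's own tree is labelled mock_var_lib_t (the relabel rules earlier in this file suggest it is), the denials behind this rule were presumably on the host database and a comment should say which operation touches it; if they were on chroot files, a file-context fix would be narrower than a manage rule. The same question applies to `rpm_manage_cache(mock_t)`. The doubled blank line before the `mock_build local policy` banner is a style nit.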
@@ -48314,7 +48389,7 @@ index 0000000..407386d
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..3c311bb
+index 0000000..989a48d
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,535 @@
@@ -48782,7 +48857,7 @@ index 0000000..3c311bb
+#
+# openshift_cron local policy
+#
-+allow openshift_cron_t self:capability { net_admin sys_admin };
++allow openshift_cron_t self:capability { dac_override net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
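Review bot: The capability line for openshift_cron_t now includes dac_override, which bypasses every discretionary read, write and execute check, while the hunk gives no hint of the operation that needed it. If the cron job only reads or traverses files owned by the gear users, `dac_read_search` is the narrower capability and dac_override should be avoided; a comment such as `# dac_override: <operation> — TODO verify dac_read_search is not enough` keeps the question visible. The openshift_cron local policy section continues beyond the hunk.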
@@ -49245,7 +49320,7 @@ index 9b15730..14f29e4 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..3e42ef8 100644
+index 508fedf..9d7741b 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
@@ -49314,7 +49389,7 @@ index 508fedf..3e42ef8 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -57,33 +58,33 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -57,33 +58,34 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -49330,6 +49405,7 @@ index 508fedf..3e42ef8 100644
+kernel_request_load_module(openvswitch_t)
corecmd_exec_bin(openvswitch_t)
++corecmd_exec_shell(openvswitch_t)
+dev_read_rand(openvswitch_t)
dev_read_urand(openvswitch_t)
@@ -61360,10 +61436,28 @@ index cd51b96..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 76f5b39..53f9a64 100644
+index 76f5b39..8bb80a2 100644
--- a/qpid.te
+++ b/qpid.te
-@@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
+ type qpidd_initrc_exec_t;
+ init_script_file(qpidd_initrc_exec_t)
+
++type qpidd_tmp_t;
++files_tmp_file(qpidd_tmp_t)
++
+ type qpidd_tmpfs_t;
+ files_tmpfs_file(qpidd_tmpfs_t)
+
+@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
+ allow qpidd_t self:tcp_socket { accept listen };
+ allow qpidd_t self:unix_stream_socket { accept listen };
+
++manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
++manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
++files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
++
+ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
@@ -61411,9 +61505,13 @@ index 76f5b39..53f9a64 100644
optional_policy(`
- corosync_stream_connect(qpidd_t)
-+ rhcs_stream_connect_cluster(qpidd_t)
++ kerberos_use(qpidd_t)
')
+
++optional_policy(`
++ rhcs_stream_connect_cluster(qpidd_t)
++')
++
diff --git a/quantum.fc b/quantum.fc
index 70ab68b..e97da31 100644
--- a/quantum.fc
@@ -63244,7 +63342,7 @@ index bff31df..e38693b 100644
##
##
diff --git a/realmd.te b/realmd.te
-index 9a8f052..9817f00 100644
+index 9a8f052..cffb3ca 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@@ -63253,7 +63351,7 @@ index 9a8f052..9817f00 100644
########################################
#
-@@ -7,29 +7,37 @@ policy_module(realmd, 1.0.2)
+@@ -7,29 +7,38 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
@@ -63297,10 +63395,11 @@ index 9a8f052..9817f00 100644
corenet_tcp_connect_http_port(realmd_t)
-corenet_tcp_sendrecv_http_port(realmd_t)
+corenet_tcp_connect_ldap_port(realmd_t)
++corenet_tcp_connect_smbd_port(realmd_t)
domain_use_interactive_fds(realmd_t)
-@@ -38,12 +46,20 @@ dev_read_urand(realmd_t)
+@@ -38,12 +47,20 @@ dev_read_urand(realmd_t)
fs_getattr_all_fs(realmd_t)
@@ -63323,7 +63422,7 @@ index 9a8f052..9817f00 100644
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
-@@ -67,17 +83,25 @@ optional_policy(`
+@@ -67,17 +84,25 @@ optional_policy(`
optional_policy(`
nis_exec_ypbind(realmd_t)
@@ -63352,7 +63451,7 @@ index 9a8f052..9817f00 100644
')
optional_policy(`
-@@ -86,5 +110,26 @@ optional_policy(`
+@@ -86,5 +111,26 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
@@ -63634,7 +63733,7 @@ index 5421af0..91e69b8 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
-index 1c2f9aa..8af1f78 100644
+index 1c2f9aa..a4133dc 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
@@ -63758,7 +63857,7 @@ index 1c2f9aa..8af1f78 100644
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -121,3 +158,47 @@ interface(`rgmanager_admin',`
+@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
')
@@ -63803,9 +63902,28 @@ index 1c2f9aa..8af1f78 100644
+ ')
+
+ files_list_var_lib($1)
-+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+ can_exec($1, rgmanager_var_lib_t)
+')
++
++######################################
++##
++## Allow the specified domain to search rgmanager's lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_search_lib',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++')
diff --git a/rgmanager.te b/rgmanager.te
index b418d1c..1ad9c12 100644
--- a/rgmanager.te
@@ -67709,10 +67827,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..54fe358 100644
+index ebe91fc..8dd55c5 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,69 @@
+@@ -1,61 +1,70 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -67765,6 +67883,7 @@ index ebe91fc..54fe358 100644
-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
@@ -67827,7 +67946,7 @@ index ebe91fc..54fe358 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index 0628d50..dbe00f4 100644
+index 0628d50..c73d362 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -68033,13 +68152,31 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -276,14 +318,12 @@ interface(`rpm_append_log',`
+@@ -276,14 +318,30 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete the RPM log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_read_log',`
++ gen_require(`
++ type rpm_log_t;
++ ')
++
++ read_files_pattern($1, rpm_log_t, rpm_log_t)
')
########################################
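Review bot: The new `rpm_read_log` interface is documented as `## Create, read, write, and delete the RPM log.` but its body grants only `read_files_pattern($1, rpm_log_t, rpm_log_t)`; the summary was evidently copied from rpm_manage_log and should read `## Read the RPM log.` so callers are not misled about what they grant. The interface also omits `logging_search_logs($1)`, which read interfaces in refpolicy usually carry so a caller can reach /var/log at all; the removal of that call from rpm_append_log just above suggests this may be deliberate in this tree, so confirm rather than assume. mock_t, the first caller added in this commit, would otherwise need its own search permission on the log directory.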
@@ -68050,7 +68187,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -302,7 +342,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +360,7 @@ interface(`rpm_manage_log',`
########################################
##
@@ -68059,7 +68196,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -320,8 +360,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',`
########################################
##
@@ -68070,7 +68207,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -335,12 +375,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -68087,7 +68224,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -353,14 +396,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -68105,7 +68242,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -374,12 +416,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -68121,7 +68258,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -399,7 +443,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
@@ -68130,7 +68267,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -420,8 +464,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +482,7 @@ interface(`rpm_read_cache',`
########################################
##
@@ -68140,7 +68277,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -442,7 +485,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',`
########################################
##
@@ -68149,7 +68286,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -459,11 +502,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +520,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -68163,7 +68300,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -482,8 +526,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +544,7 @@ interface(`rpm_delete_db',`
########################################
##
@@ -68173,7 +68310,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -504,7 +547,7 @@ interface(`rpm_manage_db',`
+@@ -504,7 +565,7 @@ interface(`rpm_manage_db',`
########################################
##
## Do not audit attempts to create, read,
@@ -68182,7 +68319,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -517,7 +560,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +578,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -68191,7 +68328,7 @@ index 0628d50..dbe00f4 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +586,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +604,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
@@ -68201,7 +68338,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -563,8 +605,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +623,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
@@ -68211,7 +68348,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -573,94 +614,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +632,72 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -68315,15 +68452,15 @@ index 0628d50..dbe00f4 100644
-
- files_list_var($1)
- admin_pattern($1, rpm_cache_t)
--
++ typeattribute $1 rpm_transition_domain;
++ allow $1 rpm_script_t:process transition;
+
- files_list_tmp($1)
- admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
-
- files_list_var_lib($1)
- admin_pattern($1, rpm_var_lib_t)
-+ typeattribute $1 rpm_transition_domain;
-+ allow $1 rpm_script_t:process transition;
-
+-
- files_search_locks($1)
- admin_pattern($1, rpm_lock_t)
-
@@ -72942,7 +73079,7 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index a34eac4..114c9d2 100644
+index a34eac4..25ad7ec 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -73076,12 +73213,13 @@ index a34eac4..114c9d2 100644
')
optional_policy(`
-@@ -100,7 +117,7 @@ optional_policy(`
+@@ -100,7 +117,8 @@ optional_policy(`
')
optional_policy(`
- virt_kill_all_virt_domains(sanlock_t)
+ virt_kill_svirt(sanlock_t)
++ virt_kill(sanlock_t)
virt_manage_lib_files(sanlock_t)
- virt_signal_all_virt_domains(sanlock_t)
+ virt_signal_svirt(sanlock_t)
@@ -82487,7 +82625,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..7a80e6d 100644
+index 7116181..a6bd365 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -82536,7 +82674,7 @@ index 7116181..7a80e6d 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +74,48 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +74,52 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
@@ -82548,10 +82686,10 @@ index 7116181..7a80e6d 100644
files_dontaudit_search_home(tuned_t)
-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
-+
-+fs_getattr_all_fs(tuned_t)
-fs_getattr_xattr_fs(tuned_t)
++fs_getattr_all_fs(tuned_t)
++
+auth_use_nsswitch(tuned_t)
logging_send_syslog_msg(tuned_t)
@@ -82568,6 +82706,10 @@ index 7116181..7a80e6d 100644
+ dbus_connect_system_bus(tuned_t)
+')
+
++optional_policy(`
++ dmidecode_domtrans(tuned_t)
++')
++
+# to allow disk tuning
+optional_policy(`
fstools_domtrans(tuned_t)
@@ -84188,7 +84330,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..8f6d2a3 100644
+index 9dec06c..fa2c674 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -85468,32 +85610,47 @@ index 9dec06c..8f6d2a3 100644
########################################
##
-## Read virt image files.
-+## Send a signal to virtual machines
++## Send a sigkill to virtd daemon.
##
##
##
-@@ -995,36 +867,17 @@ interface(`virt_search_images',`
+@@ -995,36 +867,35 @@ interface(`virt_search_images',`
##
##
#
-interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_kill',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-- ')
--
++ type virtd_t;
+ ')
+
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- list_dirs_pattern($1, virt_image_type, virt_image_type)
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
--
++ allow $1 virtd_t:process sigkill;
++')
+
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
++########################################
++##
++## Send a signal to virtual machines
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_signal_svirt',`
++ gen_require(`
+ attribute virt_domain;
')
@@ -85513,7 +85670,7 @@ index 9dec06c..8f6d2a3 100644
##
##
##
-@@ -1032,58 +885,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +903,57 @@ interface(`virt_read_images',`
##
##
#
@@ -85593,7 +85750,7 @@ index 9dec06c..8f6d2a3 100644
##
##
##
-@@ -1091,95 +943,150 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +961,150 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -88106,10 +88263,17 @@ index 1e3aec0..d17ff39 100644
+
')
diff --git a/wdmd.te b/wdmd.te
-index ebbdaf6..956f8f0 100644
+index ebbdaf6..144c0e7 100644
--- a/wdmd.te
+++ b/wdmd.te
-@@ -51,10 +51,8 @@ auth_use_nsswitch(wdmd_t)
+@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
+ dev_read_watchdog(wdmd_t)
+ dev_write_watchdog(wdmd_t)
+
++fs_getattr_all_fs(wdmd_t)
+ fs_read_anon_inodefs_files(wdmd_t)
+
+ auth_use_nsswitch(wdmd_t)
logging_send_syslog_msg(wdmd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a6980b9..97e7a85 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 25%{?dist}
+Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,39 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Apr 5 2013 Miroslav Grepl 3.12.1-26
+- Try to label on controlC devices up to 30 correctly
+- Add mount_rw_pid_files() interface
+- Add additional mount/umount interfaces needed by mock
+- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
+- Fix tabs
+- Allow initrc_domain to search rgmanager lib files
+- Add more fixes which make mock working together with confined users
+ * Allow mock_t to manage rpm files
+ * Allow mock_t to read rpm log files
+ * Allow mock to setattr on tmpfs, devpts
+ * Allow mount/umount filesystems
+- Add rpm_read_log() interface
+- yum-cron runs rpm from within it.
+- Allow tuned to transition to dmidecode
+- Allow firewalld to do net_admin
+- Allow mock to unmont tmpfs_t
+- Fix virt_sigkill() interface
+- Add additional fixes for mock. Mainly caused by mount running in mock_t
+- Allow mock to write sysfs_t and mount pid files
+- Add mailman_domain to mailman_template()
+- Allow openvswitch to execute shell
+- Allow qpidd to use kerberos
+- Allow mailman to use fusefs, needs back port to RHEL6
+- Allow apache and its scripts to use anon_inodefs
+- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
+- Realmd needs to connect to samba ports, needs back port to F18 also
+- Allow colord to read /run/initial-setup-
+- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
+- Add virt_kill() interface
+- Add rgmanager_search_lib() interface
+- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
+
* Tue Apr 2 2013 Miroslav Grepl 3.12.1-25
- Allow realmd to create tmp files
- FIx ircssi_home_t type to irssi_home_t