From f5f6812fa46741892a05f6976af0896fb45a2faa Mon Sep 17 00:00:00 2001 
From: Miroslav Grepl Date: Aug 21 2015 08:11:52 +0000 Subject: - Add ipmievd policy created by vmojzis@redhat.com - Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_module in MLS where unconfined is disabled. - Allow NetworkManager to write audit log messages - Add new policy for ipmievd (ipmitool). - mirrormanager needs to be an application domain and cron_system_entry needs to be called in an optional block. - Allow sandbox domain to also be a /dev/mem writer - Fix neverallow assertion for sys_module capability for openvswitch. - kernel_load_module() needs to be called outside the boolean for svirt_lxc_net_t. - Fix neverallow assertion for sys_module capability. - Add more attributes for sandbox domains to avoid neverallow assertion issues. - Add neverallow assertion fixes related to storage. - Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon to create a connection to the system DBUS - Allow openhpid_t to read system state. - Add temporary fixes for sandbox related to #1103622. It allows running everything under one sandbox type. - Added labels for files provided by rh-nginx18 collection - Dontaudit block_suspend capability for ipa_helper_t, this is a kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. - Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. These rules are in hide_broken_symptoms until we find a better solution. - Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow to satisfy neverallow assertions. - Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion. - seunshare domains need to have the set_curr_context attribute to resolve neverallow assertion issues. - Add dev_raw_memory_writer() interface - Add auth_reader_shadow() and auth_writer_shadow() interfaces - Add dev_raw_memory_reader() interface. 
- Add storage_rw_inherited_scsi_generic() interface. - Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working. - Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t. - Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process. --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index bd4d1a9..783906b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -3194,7 +3194,7 @@ index 1d732f1..f6ff7aa 100644 + stapserver_manage_lib(useradd_t) +') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..1a2084f 100644 +index 1dc7a85..e4f6fc2 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -43,18 +43,18 @@ interface(`seunshare_run',` @@ -3223,7 +3223,7 @@ index 1dc7a85..1a2084f 100644 ## ## ## Role allowed access. -@@ -66,15 +66,45 @@ interface(`seunshare_run',` +@@ -66,15 +66,47 @@ interface(`seunshare_run',` ## ## # @@ -3243,6 +3243,8 @@ index 1dc7a85..1a2084f 100644 - seunshare_domtrans($1) + kernel_read_system_state($1_seunshare_t) + ++ domain_dyntrans_type($1_seunshare_t) ++ + auth_use_nsswitch($1_seunshare_t) + + logging_send_syslog_msg($1_seunshare_t) @@ -6193,7 +6195,7 @@ index b31c054..d500876 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..450a2b7 100644 +index 76f285e..68ef8e7 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
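Review bot: `domain_dyntrans_type($1_seunshare_t)` is added to the seunshare template with no comment saying why this domain needs to be a dynamic-transition type; the commit message only says it resolves a neverallow assertion on the set_curr_context attribute, and that justification belongs next to the rule, not only in the changelog. Carrying that attribute exempts the domain from the assertion against a process setting its own current context, so if the template already has a `process dyntransition` rule the comment should name its target, and if it does not, the attribute is merely silencing the check and the comment should say so. Suggest placing above the call `# set_curr_context attribute: needed to pass the self-context neverallow; confirm the matching process dyntransition rule and its target`. The enclosing seunshare template starts and ends outside this hunk, so whether such a rule exists cannot be confirmed from here.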
@@ -6894,7 +6896,57 @@ index 76f285e..450a2b7 100644 ## ## ## -@@ -2725,7 +3149,7 @@ interface(`dev_write_misc',` +@@ -2532,6 +2956,24 @@ interface(`dev_read_raw_memory',` + + ######################################## + ## ++## Allow to be reader of raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_raw_memory_reader',` ++ gen_require(` ++ attribute memory_raw_read; ++ ') ++ ++ typeattribute $1 memory_raw_read; ++') ++ ++######################################## ++## + ## Do not audit attempts to read raw memory devices + ## (e.g. /dev/mem). + ## +@@ -2573,6 +3015,24 @@ interface(`dev_write_raw_memory',` + + ######################################## + ## ++## Allow to be writer of raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_raw_memory_writer',` ++ gen_require(` ++ attribute memory_raw_write; ++ ') ++ ++ typeattribute $1 memory_raw_write; ++') ++ ++######################################## ++## + ## Read and execute raw memory devices (e.g. /dev/mem). + ## + ## +@@ -2725,7 +3185,7 @@ interface(`dev_write_misc',` ## ## ## @@ -6903,7 +6955,7 @@ index 76f285e..450a2b7 100644 ## ## # -@@ -2811,6 +3235,78 @@ interface(`dev_rw_modem',` +@@ -2811,6 +3271,78 @@ interface(`dev_rw_modem',` ######################################## ## @@ -6982,7 +7034,7 @@ index 76f285e..450a2b7 100644 ## Get the attributes of the mouse devices. ## ## -@@ -2903,20 +3399,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3435,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -7007,7 +7059,7 @@ index 76f285e..450a2b7 100644 ##
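Review bot: The summaries of the new `dev_raw_memory_reader` and `dev_raw_memory_writer` interfaces say "Allow to be reader/writer of raw memory devices", but each body is a single `typeattribute $1 memory_raw_read;` / `typeattribute $1 memory_raw_write;` with no `allow` on the memory device type, so the text overstates what a caller gets. What these attributes do is not visible in the hunk (presumably they exempt the domain from the devices-module neverallow on raw memory access), and that is exactly what a caller needs to know before using them. Suggest `## Mark the domain as a raw memory reader: only adds the memory_raw_read attribute (the neverallow exemption) and grants no access by itself; pair with dev_read_raw_memory() where the access is genuinely required.` and the equivalent wording for the writer. Given the commit message's stated use (sandbox domains as /dev/mem writers), a one-line justification at each call site would also help later policy audits, since raw memory write is kernel-equivalent privilege.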

## ## -@@ -2925,43 +3421,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3457,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -7063,7 +7115,7 @@ index 76f285e..450a2b7 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3457,32 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3493,32 @@ interface(`dev_write_mtrr',` ## ## # @@ -7099,11 +7151,10 @@ index 76f285e..450a2b7 100644 ') ######################################## -@@ -3144,7 +3650,43 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3686,42 @@ interface(`dev_create_null_dev',` ######################################## ## --## Do not audit attempts to get the attributes +## Get the status of a null device service. +## +## @@ -7140,11 +7191,10 @@ index 76f285e..450a2b7 100644 + +######################################## +## -+## Do not audit attempts to get the attributes + ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## - ## -@@ -3163,6 +3705,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3741,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7169,7 +7219,7 @@ index 76f285e..450a2b7 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3814,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3850,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7196,7 +7246,7 @@ index 76f285e..450a2b7 100644 ## ## ## -@@ -3262,12 +3840,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3876,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7213,7 +7263,7 @@ index 76f285e..450a2b7 100644 ') ######################################## -@@ -3399,7 +3978,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4014,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7222,7 +7272,7 @@ index 76f285e..450a2b7 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3992,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4028,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
@@ -7231,213 +7281,760 @@ index 76f285e..450a2b7 100644 ') ######################################## -@@ -3855,6 +4434,114 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4470,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## +-## Search the sysfs directories. +## Set the attributes of sysfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -3863,91 +4478,89 @@ interface(`dev_getattr_sysfs_dirs',` + ## + ## + # +-interface(`dev_search_sysfs',` +interface(`dev_setattr_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ + gen_require(` + type sysfs_t; + ') + +- search_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:dir setattr_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to search sysfs. +## Get attributes of sysfs filesystems. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_dontaudit_search_sysfs',` +interface(`dev_getattr_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ + gen_require(` + type sysfs_t; + ') + +- dontaudit $1 sysfs_t:dir search_dir_perms; + allow $1 sysfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of the sysfs directories. +## Mount a filesystem on /sys -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allow access. -+## -+## -+# + ## + ## + # +-interface(`dev_list_sysfs',` +interface(`dev_mounton_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ + gen_require(` + type sysfs_t; + ') + +- list_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:dir mounton; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write in a sysfs directories. 
+## Dontaudit attempts to mount a filesystem on /sys -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_mounton_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ dontaudit $1 sysfs_t:dir mounton; -+') -+ -+######################################## -+## -+## Mount sysfs filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_mount_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ allow $1 sysfs_t:filesystem mount; -+') -+ -+######################################## -+## -+## Unmount sysfs filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_unmount_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ allow $1 sysfs_t:filesystem unmount; -+') -+ -+######################################## -+## - ## Search the sysfs directories. ## ## -@@ -3904,6 +4591,7 @@ interface(`dev_list_sysfs',` + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-# cjp: added for cpuspeed +-interface(`dev_write_sysfs_dirs',` ++interface(`dev_dontaudit_mounton_sysfs',` + gen_require(` type sysfs_t; ') -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) - list_dirs_pattern($1, sysfs_t, sysfs_t) +- allow $1 sysfs_t:dir write; ++ dontaudit $1 sysfs_t:dir mounton; ') -@@ -3928,6 +4616,24 @@ interface(`dev_write_sysfs_dirs',` - ######################################## ## -+## Access check for a sysfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_access_check_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ allow $1 sysfs_t:dir audit_access; -+') -+ -+######################################## -+## - ## Do not audit attempts to write in a sysfs directory. +-## Do not audit attempts to write in a sysfs directory. ++## Mount sysfs filesystems. ## ## -@@ -3946,23 +4652,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`dev_dontaudit_write_sysfs_dirs',` ++interface(`dev_mount_sysfs_fs',` + gen_require(` + type sysfs_t; + ') + +- dontaudit $1 sysfs_t:dir write; ++ allow $1 sysfs_t:filesystem mount; + ') ######################################## ## -## Create, read, write, and delete sysfs -## directories. -+## Read cpu online hardware state information. ++## Unmount sysfs filesystems. ## -+## -+##

-+## Allow the specified domain to read /sys/devices/system/cpu/online file. -+##

-+##
## ## - ## Domain allowed access. +@@ -3955,68 +4568,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # -interface(`dev_manage_sysfs_dirs',` -+interface(`dev_read_cpu_online',` -+ gen_require(` -+ type cpu_online_t; -+ ') -+ -+ dev_search_sysfs($1) -+ read_files_pattern($1, cpu_online_t, cpu_online_t) -+') -+ -+######################################## -+## -+## Relabel cpu online hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_relabel_cpu_online',` ++interface(`dev_unmount_sysfs_fs',` gen_require(` -+ type cpu_online_t; type sysfs_t; ') - manage_dirs_pattern($1, sysfs_t, sysfs_t) -+ dev_search_sysfs($1) ++ allow $1 sysfs_t:filesystem unmount; + ') + + ######################################## + ## +-## Read hardware state information. ++## Search the sysfs directories. + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`dev_read_sysfs',` ++interface(`dev_search_sysfs',` + gen_require(` + type sysfs_t; + ') + +- read_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ search_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Allow caller to modify hardware state information. ++## Do not audit attempts to search sysfs. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_rw_sysfs',` ++interface(`dev_dontaudit_search_sysfs',` + gen_require(` + type sysfs_t; + ') + +- rw_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ dontaudit $1 sysfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read and write the TPM device. ++## List the contents of the sysfs directories. + ## + ## + ## +@@ -4024,114 +4622,97 @@ interface(`dev_rw_sysfs',` + ## + ## + # +-interface(`dev_rw_tpm',` ++interface(`dev_list_sysfs',` + gen_require(` +- type device_t, tpm_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## Write in a sysfs directories. + ## +-## +-##

+-## Allow the specified domain to read from pseudo random number +-## generator devices (e.g., /dev/urandom). Typically this is +-## used in situations when a cryptographically secure random +-## number is not necessarily needed. One example is the Stack +-## Smashing Protector (SSP, formerly known as ProPolice) support +-## that may be compiled into programs. +-##

+-##

+-## Related interface: +-##

+-##
    +-##
  • dev_read_rand()
  • +-##
+-##

+-## Related tunable: +-##

+-##
    +-##
  • global_ssp
  • +-##
+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`dev_read_urand',` ++# cjp: added for cpuspeed ++interface(`dev_write_sysfs_dirs',` + gen_require(` +- type device_t, urandom_device_t; ++ type sysfs_t; + ') + +- read_chr_files_pattern($1, device_t, urandom_device_t) ++ allow $1 sysfs_t:dir write; + ') + + ######################################## + ## +-## Do not audit attempts to read from pseudo +-## random devices (e.g., /dev/urandom) ++## Access check for a sysfs directories. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_read_urand',` ++interface(`dev_access_check_sysfs',` + gen_require(` +- type urandom_device_t; ++ type sysfs_t; + ') + +- dontaudit $1 urandom_device_t:chr_file { getattr read }; ++ allow $1 sysfs_t:dir audit_access; + ') + + ######################################## + ## +-## Write to the pseudo random device (e.g., /dev/urandom). This +-## sets the random number generator seed. ++## Do not audit attempts to write in a sysfs directory. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_urand',` ++interface(`dev_dontaudit_write_sysfs_dirs',` + gen_require(` +- type device_t, urandom_device_t; ++ type sysfs_t; + ') + +- write_chr_files_pattern($1, device_t, urandom_device_t) ++ dontaudit $1 sysfs_t:dir write; + ') + + ######################################## + ## +-## Getattr generic the USB devices. ++## Read cpu online hardware state information. + ## ++## ++##

++## Allow the specified domain to read /sys/devices/system/cpu/online file. ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`dev_getattr_generic_usb_dev',` ++interface(`dev_read_cpu_online',` + gen_require(` +- type usb_device_t; ++ type cpu_online_t; + ') + +- getattr_chr_files_pattern($1, device_t, usb_device_t) ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) + ') + + ######################################## + ## +-## Setattr generic the USB devices. ++## Relabel cpu online hardware state information. + ## + ## + ## +@@ -4139,35 +4720,50 @@ interface(`dev_getattr_generic_usb_dev',` + ## + ## + # +-interface(`dev_setattr_generic_usb_dev',` ++interface(`dev_relabel_cpu_online',` + gen_require(` +- type usb_device_t; ++ type cpu_online_t; ++ type sysfs_t; + ') + +- setattr_chr_files_pattern($1, device_t, usb_device_t) ++ dev_search_sysfs($1) + allow $1 cpu_online_t:file relabel_file_perms; ') + - ######################################## - ## - ## Read hardware state information. -@@ -4016,6 +4748,62 @@ interface(`dev_rw_sysfs',` - - ######################################## - ## -+## Relabel hardware state directories. + ######################################## + ## +-## Read generic the USB devices. ++## Read hardware state information. + ## ++## ++##

++## Allow the specified domain to read the contents of ++## the sysfs filesystem. This filesystem contains ++## information, parameters, and other settings on the ++## hardware installed on the system. ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`dev_read_generic_usb_dev',` ++interface(`dev_read_sysfs',` + gen_require(` +- type usb_device_t; ++ type sysfs_t; + ') + +- read_chr_files_pattern($1, device_t, usb_device_t) ++ read_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read and write generic the USB devices. ++## Allow caller to modify hardware state information. + ## + ## + ## +@@ -4175,17 +4771,20 @@ interface(`dev_read_generic_usb_dev',` + ## + ## + # +-interface(`dev_rw_generic_usb_dev',` ++interface(`dev_rw_sysfs',` + gen_require(` +- type device_t, usb_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, usb_device_t) ++ rw_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Relabel generic the USB devices. ++## Relabel hardware state directories. + ## + ## + ## +@@ -4193,17 +4792,17 @@ interface(`dev_rw_generic_usb_dev',` + ## + ## + # +-interface(`dev_relabel_generic_usb_dev',` ++interface(`dev_relabel_sysfs_dirs',` + gen_require(` +- type usb_device_t; ++ type sysfs_t; + ') + +- relabel_chr_files_pattern($1, device_t, usb_device_t) ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read USB monitor devices. 
++## Relabel hardware state files + ## + ## + ## +@@ -4211,7 +4810,251 @@ interface(`dev_relabel_generic_usb_dev',` + ## + ## + # +-interface(`dev_read_usbmon_dev',` ++interface(`dev_relabel_all_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Allow caller to modify hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_sysfs_dirs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Read and write the TPM device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_tpm',` ++ gen_require(` ++ type device_t, tpm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, tpm_device_t) ++') ++ ++######################################## ++## ++## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## ++## ++##

++## Allow the specified domain to read from pseudo random number ++## generator devices (e.g., /dev/urandom). Typically this is ++## used in situations when a cryptographically secure random ++## number is not necessarily needed. One example is the Stack ++## Smashing Protector (SSP, formerly known as ProPolice) support ++## that may be compiled into programs. ++##

++##

++## Related interface: ++##

++##
    ++##
  • dev_read_rand()
  • ++##
++##

++## Related tunable: ++##

++##
    ++##
  • global_ssp
  • ++##
++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_read_urand',` ++ gen_require(` ++ type device_t, urandom_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, urandom_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to read from pseudo ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file { getattr read }; ++') ++ ++######################################## ++## ++## Write to the pseudo random device (e.g., /dev/urandom). This ++## sets the random number generator seed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_urand',` ++ gen_require(` ++ type device_t, urandom_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, urandom_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to write to pseudo ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_write_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file write; ++') ++ ++######################################## ++## ++## Getattr generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t,device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Setattr generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Read generic the USB devices. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Read and write generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_generic_usb_dev',` ++ gen_require(` ++ type device_t, usb_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Relabel generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ relabel_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Read USB monitor devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_usbmon_dev',` + gen_require(` + type device_t, usbmon_device_t; + ') +@@ -4267,15 +5110,169 @@ interface(`dev_mount_usbfs',` + # + interface(`dev_associate_usbfs',` + gen_require(` +- type usbfs_t; ++ type usbfs_t; ++ ') ++ ++ allow $1 usbfs_t:filesystem associate; ++') ++ ++######################################## ++## ++## Get the attributes of a directory in the usb filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_usbfs_dirs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ allow $1 usbfs_t:dir getattr_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of a directory in the usb filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_usbfs_dirs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ dontaudit $1 usbfs_t:dir getattr_dir_perms; ++') ++ ++######################################## ++## ++## Search the directory containing USB hardware information. 
+## +## +## @@ -7445,17 +8042,17 @@ index 76f285e..450a2b7 100644 +## +## +# -+interface(`dev_relabel_sysfs_dirs',` ++interface(`dev_search_usbfs',` + gen_require(` -+ type sysfs_t; ++ type usbfs_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ search_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## -+## Relabel hardware state files ++## Allow caller to get a list of usb hardware. +## +## +## @@ -7463,19 +8060,20 @@ index 76f285e..450a2b7 100644 +## +## +# -+interface(`dev_relabel_all_sysfs',` ++interface(`dev_list_usbfs',` + gen_require(` -+ type sysfs_t; ++ type usbfs_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) -+ relabel_files_pattern($1, sysfs_t, sysfs_t) -+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ getattr_files_pattern($1, usbfs_t, usbfs_t) ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## -+## Allow caller to modify hardware state information. ++## Set the attributes of usbfs filesystem. +## +## +## 
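Review bot: `dev_getattr_generic_usb_dev` is re-emitted with `type usb_device_t,device_t;` while its siblings in the same hunk — `dev_setattr_generic_usb_dev`, `dev_read_generic_usb_dev` and `dev_relabel_generic_usb_dev` — keep `type usb_device_t;` yet still pass `device_t` to their `*_chr_files_pattern` call. The build presumably tolerates this because device_t is already in scope for the base module, but the four interfaces should agree; either require `type device_t, usb_device_t;` in all of them (the spacing `dev_rw_generic_usb_dev` already uses) or in none. Most of this roughly 750-line hunk is the nested patch being regenerated with interfaces in a different order (the sysfs, TPM, urandom and usbfs blocks move rather than change), which makes the few substantive edits hard to pick out; regenerating the inner patch with a stable interface ordering would make the next review of this file considerably easier.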
@@ -7483,266 +8081,425 @@ index 76f285e..450a2b7 100644 +## +## +# -+interface(`dev_manage_sysfs_dirs',` ++interface(`dev_setattr_usbfs_files',` + gen_require(` -+ type sysfs_t; ++ type usbfs_t; + ') + -+ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ setattr_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## - ## Read and write the TPM device. - ## - ## -@@ -4113,6 +4901,25 @@ interface(`dev_write_urand',` - - ######################################## - ## -+## Do not audit attempts to write to pseudo -+## random devices (e.g., /dev/urandom) ++## Read USB hardware information using ++## the usbfs filesystem interface. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_write_urand',` ++interface(`dev_read_usbfs',` + gen_require(` -+ type urandom_device_t; ++ type usbfs_t; + ') + -+ dontaudit $1 urandom_device_t:chr_file write; ++ read_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## - ## Getattr generic the USB devices. ++## Allow caller to modify usb hardware configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ rw_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++') ++ ++###################################### ++## ++## Read and write userio device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_userio_dev',` ++ gen_require(` ++ type device_t, userio_device_t; + ') + +- allow $1 usbfs_t:filesystem associate; ++ rw_chr_files_pattern($1, device_t, userio_device_t) + ') + + ######################################## + ## +-## Get the attributes of a directory in the usb filesystem. 
++## Get the attributes of video4linux devices. ## ## -@@ -4123,7 +4930,7 @@ interface(`dev_write_urand',` + ## +@@ -4283,18 +5280,18 @@ interface(`dev_associate_usbfs',` + ## + ## # - interface(`dev_getattr_generic_usb_dev',` +-interface(`dev_getattr_usbfs_dirs',` ++interface(`dev_getattr_video_dev',` gen_require(` -- type usb_device_t; -+ type usb_device_t,device_t; +- type usbfs_t; ++ type device_t, v4l_device_t; ') - getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5216,9 @@ interface(`dev_rw_usbfs',` - read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- allow $1 usbfs_t:dir getattr_dir_perms; ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) ') --######################################## -+###################################### + ######################################## ## --## Get the attributes of video4linux devices. -+## Read and write userio device. + ## Do not audit attempts to get the attributes +-## of a directory in the usb filesystem. ++## of video4linux device nodes. ## ## ## -@@ -4419,17 +5226,17 @@ interface(`dev_rw_usbfs',` +@@ -4302,17 +5299,17 @@ interface(`dev_getattr_usbfs_dirs',` ## ## # --interface(`dev_getattr_video_dev',` -+interface(`dev_rw_userio_dev',` +-interface(`dev_dontaudit_getattr_usbfs_dirs',` ++interface(`dev_dontaudit_getattr_video_dev',` gen_require(` -- type device_t, v4l_device_t; -+ type device_t, userio_device_t; +- type usbfs_t; ++ type v4l_device_t; ') -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, userio_device_t) +- dontaudit $1 usbfs_t:dir getattr_dir_perms; ++ dontaudit $1 v4l_device_t:chr_file getattr; ') --###################################### -+######################################## + ######################################## ## --## Read and write userio device. -+## Get the attributes of video4linux devices. +-## Search the directory containing USB hardware information. ++## Set the attributes of video4linux device nodes. 
## ## ## -@@ -4437,12 +5244,12 @@ interface(`dev_getattr_video_dev',` +@@ -4320,38 +5317,36 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',` ## ## # --interface(`dev_rw_userio_dev',` -+interface(`dev_getattr_video_dev',` +-interface(`dev_search_usbfs',` ++interface(`dev_setattr_video_dev',` gen_require(` -- type device_t, userio_device_t; +- type usbfs_t; + type device_t, v4l_device_t; ') -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) +- search_dirs_pattern($1, usbfs_t, usbfs_t) ++ setattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## + ## +-## Allow caller to get a list of usb hardware. ++## Do not audit attempts to set the attributes ++## of video4linux device nodes. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_list_usbfs',` ++interface(`dev_dontaudit_setattr_video_dev',` + gen_require(` +- type usbfs_t; ++ type v4l_device_t; + ') + +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- getattr_files_pattern($1, usbfs_t, usbfs_t) +- +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ dontaudit $1 v4l_device_t:chr_file setattr; + ') + + ######################################## + ## +-## Set the attributes of usbfs filesystem. ++## Read the video4linux devices. + ## + ## + ## +@@ -4359,19 +5354,17 @@ interface(`dev_list_usbfs',` + ## + ## + # +-interface(`dev_setattr_usbfs_files',` ++interface(`dev_read_video_dev',` + gen_require(` +- type usbfs_t; ++ type device_t, v4l_device_t; + ') + +- setattr_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ read_chr_files_pattern($1, device_t, v4l_device_t) ') ######################################## -@@ -4539,6 +5346,134 @@ interface(`dev_write_video_dev',` + ## +-## Read USB hardware information using +-## the usbfs filesystem interface. ++## Write the video4linux devices. 
+ ## + ## + ## +@@ -4379,19 +5372,17 @@ interface(`dev_setattr_usbfs_files',` + ## + ## + # +-interface(`dev_read_usbfs',` ++interface(`dev_write_video_dev',` + gen_require(` +- type usbfs_t; ++ type device_t, v4l_device_t; + ') + +- read_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ write_chr_files_pattern($1, device_t, v4l_device_t) + ') ######################################## ## +-## Allow caller to modify usb hardware configuration files. +## Get the attributes of vfio devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ##
+ ## + ## +@@ -4399,37 +5390,36 @@ interface(`dev_read_usbfs',` + ## + ## + # +-interface(`dev_rw_usbfs',` +interface(`dev_getattr_vfio_dev',` -+ gen_require(` + gen_require(` +- type usbfs_t; + type device_t, vfio_device_t; -+ ') -+ + ') + +- list_dirs_pattern($1, usbfs_t, usbfs_t) +- rw_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) + getattr_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of video4linux devices. +## Do not audit attempts to get the attributes +## of vfio device nodes. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`dev_getattr_video_dev',` +interface(`dev_dontaudit_getattr_vfio_dev',` -+ gen_require(` + gen_require(` +- type device_t, v4l_device_t; + type vfio_device_t; -+ ') -+ + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) + dontaudit $1 vfio_device_t:chr_file getattr; -+') -+ + ') + +-###################################### +######################################## -+## + ## +-## Read and write userio device. +## Set the attributes of vfio device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4437,18 +5427,18 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` +interface(`dev_setattr_vfio_dev',` -+ gen_require(` + gen_require(` +- type device_t, userio_device_t; + type device_t, vfio_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) + setattr_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of video4linux device nodes. +## Do not audit attempts to set the attributes +## of vfio device nodes. 
-+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -4456,17 +5446,17 @@ interface(`dev_rw_userio_dev',` + ## + ## + # +-interface(`dev_dontaudit_getattr_video_dev',` +interface(`dev_dontaudit_setattr_vfio_dev',` -+ gen_require(` + gen_require(` +- type v4l_device_t; + type vfio_device_t; -+ ') -+ + ') + +- dontaudit $1 v4l_device_t:chr_file getattr; + dontaudit $1 vfio_device_t:chr_file setattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set the attributes of video4linux device nodes. +## Read the vfio devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4474,36 +5464,35 @@ interface(`dev_dontaudit_getattr_video_dev',` + ## + ## + # +-interface(`dev_setattr_video_dev',` +interface(`dev_read_vfio_dev',` -+ gen_require(` + gen_require(` +- type device_t, v4l_device_t; + type device_t, vfio_device_t; -+ ') -+ + ') + +- setattr_chr_files_pattern($1, device_t, v4l_device_t) + read_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to set the attributes +-## of video4linux device nodes. +## Write the vfio devices. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_dontaudit_setattr_video_dev',` +interface(`dev_write_vfio_dev',` -+ gen_require(` + gen_require(` +- type v4l_device_t; + type device_t, vfio_device_t; -+ ') -+ + ') + +- dontaudit $1 v4l_device_t:chr_file setattr; + write_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read the video4linux devices. +## Read and write the VFIO devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -4511,17 +5500,17 @@ interface(`dev_dontaudit_setattr_video_dev',` + ## + ## + # +-interface(`dev_read_video_dev',` +interface(`dev_rw_vfio_dev',` -+ gen_require(` + gen_require(` +- type device_t, v4l_device_t; + type device_t, vfio_device_t; -+ ') -+ + ') + +- read_chr_files_pattern($1, device_t, v4l_device_t) + rw_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## - ## Allow read/write the vhost net device + ') + + ######################################## + ## +-## Write the video4linux devices. ++## Allow read/write the vhost net device ## ## -@@ -4557,6 +5492,24 @@ interface(`dev_rw_vhost',` + ## +@@ -4529,17 +5518,17 @@ interface(`dev_read_video_dev',` + ## + ## + # +-interface(`dev_write_video_dev',` ++interface(`dev_rw_vhost',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, vhost_device_t; + ') + +- write_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, vhost_device_t) + ') ######################################## ## +-## Allow read/write the vhost net device +## Allow read/write inheretid the vhost net device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_inherited_vhost',` -+ gen_require(` -+ type device_t, vhost_device_t; -+ ') -+ -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## - ## Read and write VMWare devices. 
## ## -@@ -4630,6 +5583,24 @@ interface(`dev_write_watchdog',` + ## +@@ -4547,12 +5536,12 @@ interface(`dev_write_video_dev',` + ## + ## + # +-interface(`dev_rw_vhost',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` + type device_t, vhost_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vhost_device_t) ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +@@ -4630,6 +5619,24 @@ interface(`dev_write_watchdog',` ######################################## ## @@ -7767,7 +8524,7 @@ index 76f285e..450a2b7 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5733,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5769,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7812,7 +8569,7 @@ index 76f285e..450a2b7 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5860,966 @@ interface(`dev_unconfined',` +@@ -4851,3 +5896,966 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -10019,7 +10776,7 @@ index b876c48..a351aff 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..1a36ae2 100644 +index f962f76..a226015 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10760,7 +11517,7 @@ index f962f76..1a36ae2 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',` +@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) 
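Review bot: The summary of dev_rw_inherited_vhost on the new side reads `## Allow read/write inheretid the vhost net device`, which misspells "inherited"; I would write `## Allow read and write of inherited vhost net device file descriptors`. Since the body grants `rw_inherited_chr_file_perms` rather than the full rw pattern, the summary should also say that the caller is expected to receive an already-open descriptor rather than open vhost_device_t itself — presumably that is the point of the inherited variant, worth confirming. The rest of this hunk reorders the usbfs, video4linux, vfio and vhost interface blocks; it looks position-only, but the hunk is too large to verify that every interface body is carried over unchanged.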
@@ -10773,7 +11530,20 @@ index f962f76..1a36ae2 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1609,6 @@ interface(`files_list_all',` ++ auth_relabelto_shadow($1) + ') + + ######################################## +@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',` + # satisfy the assertions: + seutil_create_bin_policy($1) + files_manage_kernel_modules($1) ++ auth_reader_shadow($1) ++ auth_writer_shadow($1) + ') + + ######################################## +@@ -1182,24 +1612,6 @@ interface(`files_list_all',` ######################################## ## @@ -10798,17 +11568,18 @@ index f962f76..1a36ae2 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',` - # device nodes with file types. +@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',` relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) -- + - # satisfy the assertions: - seutil_relabelto_bin_policy($1) ++ # satisfy the assertions: ++ seutil_relabelto_bin_policy($1) ') ############################################# -@@ -1601,6 +2007,24 @@ interface(`files_setattr_all_mountpoints',` +@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## @@ -10833,7 +11604,7 @@ index f962f76..1a36ae2 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1691,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1691,6 +2121,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## 
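Review bot: The lines `auth_reader_shadow($1)` and `auth_writer_shadow($1)` added to files_manage_all_files, and `auth_relabelto_shadow($1)` added to files_relabel_all_files just above it, widen every existing caller of those interfaces to shadow read, write and relabel access (judging by the interface names and the commit description), and nothing in the hunk records that. The existing `# satisfy the assertions:` comment explains the neverallow motivation but not the effect on callers, which is what a policy reader auditing a domain needs; I would add `# neverallow fix: every caller of this interface now reads/writes shadow - review callers before reusing it` above the added lines. Both interface bodies and their XML summaries begin outside this hunk, so the summaries should be checked and updated to mention shadow access if they do not already.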
@@ -10858,7 +11629,14 @@ index f962f76..1a36ae2 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1709,98 +2151,79 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1703,104 +2151,86 @@ interface(`files_dontaudit_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') ++ dontaudit $1 self:capability dac_override; + + dontaudit $1 mountpoint:dir write; + ') ######################################## ## @@ -10978,7 +11756,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -1808,17 +2231,127 @@ interface(`files_root_filetrans',` +@@ -1808,18 +2238,128 @@ interface(`files_root_filetrans',` ## ## # @@ -10995,6 +11773,7 @@ index f962f76..1a36ae2 100644 ######################################## ## -## Do not audit attempts to read or write +-## files in the root directory. +## Do not audit attempts to write to / dirs. +## +## @@ -11106,10 +11885,11 @@ index f962f76..1a36ae2 100644 +######################################## +## +## Do not audit attempts to read or write - ## files in the root directory. ++## files in the root directory. ## ## -@@ -1892,25 +2425,25 @@ interface(`files_delete_root_dir_entry',` + ## +@@ -1892,25 +2432,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -11141,7 +11921,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -1923,7 +2456,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2463,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -11150,7 +11930,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -1946,6 +2479,42 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2486,42 @@ interface(`files_unmount_rootfs',` ######################################## ## 
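Review bot: `dontaudit $1 self:capability dac_override;` is added to files_dontaudit_write_all_mountpoints, an interface whose name and summary cover only writes to mount-point directories, so every caller now also loses audit visibility for dac_override denials, which are among the events a detection engineer most wants to keep. The line is also placed directly after the gen_require `')` with no separating blank line, unlike the other interface bodies visible on this page. If the capability dontaudit is genuinely needed it belongs in its own dontaudit_-named interface; failing that, at least document it here with `# also silences dac_override denials raised while probing mount points - TODO confirm this is wanted for every caller` and mention it in the summary. The interface's summary lines lie outside this hunk.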
@@ -11193,7 +11973,7 @@ index f962f76..1a36ae2 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2750,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2757,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -11218,7 +11998,7 @@ index f962f76..1a36ae2 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3232,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3239,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -11243,7 +12023,7 @@ index f962f76..1a36ae2 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3321,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3328,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -11251,7 +12031,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -2724,7 +3330,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3337,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -11260,7 +12040,7 @@ index f962f76..1a36ae2 100644 ## ## # -@@ -2780,6 +3386,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3393,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -11286,7 +12066,7 @@ index f962f76..1a36ae2 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3423,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3430,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -11311,7 +12091,7 @@ index f962f76..1a36ae2 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3606,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3613,6 @@ interface(`files_delete_boot_flag',` ######################################## ## 
@@ -11336,7 +12116,7 @@ index f962f76..1a36ae2 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3646,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3653,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -11347,7 +12127,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -3031,18 +3654,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3661,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -11369,7 +12149,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -3060,6 +3682,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3689,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -11396,7 +12176,7 @@ index f962f76..1a36ae2 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3719,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3726,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -11404,7 +12184,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3098,6 +3741,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3748,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -11412,7 +12192,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3142,34 +3786,34 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,34 +3793,34 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -11455,7 +12235,7 @@ index f962f76..1a36ae2 100644 ## that have not yet been labeled. ## ## -@@ -3178,17 +3822,55 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3178,12 +3829,50 @@ interface(`files_dontaudit_search_isid_type_dirs',` ## ## # 
@@ -11468,11 +12248,10 @@ index f962f76..1a36ae2 100644 - allow $1 file_t:dir list_dir_perms; + allow $1 unlabeled_t:dir setattr; - ') - - ######################################## - ## --## Read and write directories on new filesystems ++') ++ ++######################################## ++## +## Do not audit attempts to search directories on new filesystems +## that have not yet been labeled. +## @@ -11507,15 +12286,10 @@ index f962f76..1a36ae2 100644 + ') + + allow $1 unlabeled_t:dir list_dir_perms; -+') -+ -+######################################## -+## -+## Read and write directories on new filesystems - ## that have not yet been labeled. - ## - ## -@@ -3199,10 +3881,10 @@ interface(`files_list_isid_type_dirs',` + ') + + ######################################## +@@ -3199,10 +3888,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -11528,7 +12302,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3218,10 +3900,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3907,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -11571,9 +12345,8 @@ index f962f76..1a36ae2 100644 +interface(`files_mounton_isid',` + gen_require(` + type unlabeled_t; - ') - -- delete_dirs_pattern($1, file_t, file_t) ++ ') ++ + allow $1 unlabeled_t:dir mounton; +') + @@ -11591,13 +12364,14 @@ index f962f76..1a36ae2 100644 +interface(`files_relabelfrom_isid_type',` + gen_require(` + type unlabeled_t; -+ ') -+ + ') + +- delete_dirs_pattern($1, file_t, file_t) + dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; ') ######################################## -@@ -3237,10 +3975,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +3982,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` 
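Review bot: files_relabelfrom_isid_type only emits `dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;`, yet its name reads like a permission grant, unlike the `files_dontaudit_search_isid_type_dirs` naming used for the other suppression interfaces in this file; a policy author calling it to obtain relabelfrom on unlabeled_t will get a silently suppressed denial instead of a working rule. Either rename it with the dontaudit_ prefix (the rename touches callers that are outside this hunk) or make the summary state the behaviour explicitly, e.g. `## Do not audit attempts to relabel from unlabeled files and directories.` Its XML summary lines are not visible in this hunk, so I cannot tell whether they already say this.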
@@ -11610,7 +12384,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3256,10 +3994,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +4001,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -11642,7 +12416,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3275,10 +4032,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +4039,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -11655,7 +12429,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3294,10 +4051,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +4058,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -11668,7 +12442,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3313,10 +4070,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4077,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -11681,7 +12455,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3332,10 +4089,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4096,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -11694,7 +12468,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3351,10 +4108,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4115,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` 
@@ -11707,7 +12481,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3370,10 +4127,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4134,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -11720,7 +12494,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3389,10 +4146,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4153,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -11733,7 +12507,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3408,10 +4165,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4172,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -11746,7 +12520,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3427,10 +4184,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4191,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -11759,7 +12533,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3446,10 +4203,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4210,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -11772,7 +12546,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3465,10 +4222,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4229,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` 
@@ -11804,7 +12578,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3484,10 +4260,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4267,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -11817,7 +12591,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3503,10 +4279,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4286,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -11830,7 +12604,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -3552,6 +4328,27 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3552,6 +4335,27 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## @@ -11858,7 +12632,7 @@ index f962f76..1a36ae2 100644 ## Search home directories root (/home). ## ## -@@ -3814,20 +4611,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4618,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -11902,7 +12676,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -4217,6 +5032,175 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,6 +5039,175 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -12078,7 +12852,7 @@ index f962f76..1a36ae2 100644 ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5223,26 @@ interface(`files_associate_tmp',` +@@ -4239,6 +5230,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -12105,7 +12879,7 @@ index f962f76..1a36ae2 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5256,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4252,17 +5263,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') 
@@ -12144,7 +12918,7 @@ index f962f76..1a36ae2 100644 ## ## # -@@ -4289,6 +5313,8 @@ interface(`files_search_tmp',` +@@ -4289,6 +5320,8 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -12153,7 +12927,7 @@ index f962f76..1a36ae2 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5351,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5358,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -12161,7 +12935,7 @@ index f962f76..1a36ae2 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5361,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5368,7 @@ interface(`files_list_tmp',` ## ## ## @@ -12170,7 +12944,7 @@ index f962f76..1a36ae2 100644 ## ## # -@@ -4346,14 +5373,33 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,21 +5380,41 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -12187,8 +12961,9 @@ index f962f76..1a36ae2 100644 +## +## Domain not to audit. +## -+## -+# + ## + # +-interface(`files_delete_tmp_dir_entry',` +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; @@ -12206,10 +12981,10 @@ index f962f76..1a36ae2 100644 +## +## Domain allowed access. +## - ## - # - interface(`files_delete_tmp_dir_entry',` -@@ -4361,6 +5407,7 @@ interface(`files_delete_tmp_dir_entry',` ++## ++# ++interface(`files_delete_tmp_dir_entry',` + gen_require(` type tmp_t; ') @@ -12217,7 +12992,7 @@ index f962f76..1a36ae2 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5449,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5456,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -12250,7 +13025,7 @@ index f962f76..1a36ae2 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5529,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5536,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## 
@@ -12293,7 +13068,7 @@ index f962f76..1a36ae2 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5583,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5590,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -12354,7 +13129,7 @@ index f962f76..1a36ae2 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5682,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5689,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -12363,7 +13138,7 @@ index f962f76..1a36ae2 100644 ## ## # -@@ -4579,7 +5742,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5749,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -12372,7 +13147,7 @@ index f962f76..1a36ae2 100644 ## ## # -@@ -4611,6 +5774,44 @@ interface(`files_read_all_tmp_files',` +@@ -4611,6 +5781,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -12417,7 +13192,7 @@ index f962f76..1a36ae2 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5865,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5872,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -12434,7 +13209,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -5112,6 +6323,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6330,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -12459,7 +13234,7 @@ index f962f76..1a36ae2 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6470,24 @@ interface(`files_list_var',` +@@ -5241,6 +6477,24 @@ interface(`files_list_var',` ######################################## ## 
@@ -12484,7 +13259,7 @@ index f962f76..1a36ae2 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6575,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6582,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -12493,7 +13268,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -5527,6 +6774,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6781,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -12519,7 +13294,7 @@ index f962f76..1a36ae2 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6862,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6869,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -12545,7 +13320,7 @@ index f962f76..1a36ae2 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6926,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6933,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -12554,7 +13329,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -5649,12 +6934,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6941,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -12570,7 +13345,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -5672,6 +6958,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6965,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -12578,7 +13353,7 @@ index f962f76..1a36ae2 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6985,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6992,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## 
@@ -12606,7 +13381,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -5706,13 +7012,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7019,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -12623,7 +13398,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -5731,7 +7036,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7043,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -12632,7 +13407,7 @@ index f962f76..1a36ae2 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7069,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7076,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -12640,7 +13415,7 @@ index f962f76..1a36ae2 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7083,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7090,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -12649,7 +13424,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -5787,13 +7091,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7098,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -12684,7 +13459,7 @@ index f962f76..1a36ae2 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7133,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7140,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -12702,7 +13477,7 @@ index f962f76..1a36ae2 100644 ') ######################################## -@@ -5834,9 +7157,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7164,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') 
@@ -12713,7 +13488,7 @@ index f962f76..1a36ae2 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7199,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7206,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -12723,7 +13498,7 @@ index f962f76..1a36ae2 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7221,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7228,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -12733,7 +13508,7 @@ index f962f76..1a36ae2 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7258,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7265,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -12743,7 +13518,7 @@ index f962f76..1a36ae2 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7297,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7304,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -12752,7 +13527,7 @@ index f962f76..1a36ae2 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7317,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7324,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -12801,7 +13576,7 @@ index f962f76..1a36ae2 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7388,43 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -12845,7 +13620,7 @@ index f962f76..1a36ae2 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7432,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7439,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') 
@@ -12854,7 +13629,7 @@ index f962f76..1a36ae2 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7458,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -12863,7 +13638,7 @@ index f962f76..1a36ae2 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7478,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -12872,7 +13647,7 @@ index f962f76..1a36ae2 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7540,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -12880,7 +13655,7 @@ index f962f76..1a36ae2 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7568,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -12905,7 +13680,7 @@ index f962f76..1a36ae2 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7599,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -12914,7 +13689,7 @@ index f962f76..1a36ae2 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7666,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -12977,7 +13752,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',` +@@ -6305,42 +7710,35 @@ interface(`files_delete_all_pids',` ## ## # 
@@ -13027,7 +13802,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',` +@@ -6348,18 +7746,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -13051,7 +13826,7 @@ index f962f76..1a36ae2 100644 ##
## ## -@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,37 +7765,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -13103,7 +13878,7 @@ index f962f76..1a36ae2 100644 ##
## ## -@@ -6405,18 +7799,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6405,18 +7806,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -13126,7 +13901,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -6424,18 +7817,18 @@ interface(`files_list_spool',` +@@ -6424,18 +7824,18 @@ interface(`files_list_spool',` ## ## # @@ -13150,7 +13925,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -6443,19 +7836,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6443,19 +7843,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -13175,7 +13950,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -6463,109 +7855,62 @@ interface(`files_read_generic_spool',` +@@ -6463,109 +7862,62 @@ interface(`files_read_generic_spool',` ## ## # @@ -13306,7 +14081,7 @@ index f962f76..1a36ae2 100644 ## ## ## -@@ -6573,10 +7918,944 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7925,944 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -17276,7 +18051,7 @@ index 7be4ddf..9710b33 100644 +/sys/kernel/debug -d gen_context(system_u:object_r:debugfs_t,s0) +/sys/kernel/debug/.* <> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..991e1a5 100644 +index e100d88..d2fc766 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -126,6 +126,24 @@ interface(`kernel_setsched',` @@ -17536,7 +18311,7 @@ index e100d88..991e1a5 100644 ## Do not audit attempts to list all proc directories. ## ## -@@ -1477,6 +1640,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1477,6 +1640,28 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## 
@@ -17551,9 +18326,13 @@ index e100d88..991e1a5 100644 +interface(`kernel_read_all_proc',` + gen_require(` + attribute proc_type; ++ attribute can_dump_kernel; ++ attribute can_receive_kernel_messages; + ') + + read_files_pattern($1, proc_type, proc_type) ++ typeattribute $1 can_dump_kernel; ++ typeattribute $1 can_receive_kernel_messages; +') + +######################################## @@ -17561,7 +18340,7 @@ index e100d88..991e1a5 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -1672,7 +1853,7 @@ interface(`kernel_read_net_sysctls',` +@@ -1672,7 +1857,7 @@ interface(`kernel_read_net_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -17570,7 +18349,7 @@ index e100d88..991e1a5 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1693,7 +1874,7 @@ interface(`kernel_rw_net_sysctls',` +@@ -1693,7 +1878,7 @@ interface(`kernel_rw_net_sysctls',` ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) @@ -17579,7 +18358,7 @@ index e100d88..991e1a5 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1715,7 +1896,6 @@ interface(`kernel_read_unix_sysctls',` +@@ -1715,7 +1900,6 @@ interface(`kernel_read_unix_sysctls',` ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) @@ -17587,7 +18366,7 @@ index e100d88..991e1a5 100644 list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) ') -@@ -1750,16 +1930,9 @@ interface(`kernel_rw_unix_sysctls',` +@@ -1750,16 +1934,9 @@ interface(`kernel_rw_unix_sysctls',` ## Domain allowed access. ## ## @@ -17605,7 +18384,7 @@ index e100d88..991e1a5 100644 ') ######################################## -@@ -1771,16 +1944,9 @@ interface(`kernel_read_hotplug_sysctls',` +@@ -1771,16 +1948,9 @@ interface(`kernel_read_hotplug_sysctls',` ## Domain allowed access. ## ## 
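Review bot: The two added `typeattribute $1 can_dump_kernel;` / `typeattribute $1 can_receive_kernel_messages;` lines make every caller of `kernel_read_all_proc` a member of those attributes, which is wider than the interface name promises: a domain that only wants to read `/proc` files also becomes exempt from whatever neverallow assertions key on those attributes. If the attributes are needed only because `proc_type` covers nodes that trip a kernel-message or dump assertion, a separate interface (or a caller-side call to the existing kernel-message interfaces) would keep the exemption explicit; failing that, the side effect should be stated in the interface description, e.g. `## Also marks the caller can_dump_kernel and can_receive_kernel_messages so the related neverallow assertions pass.`. The interface's description block starts outside this hunk.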
@@ -17623,7 +18402,7 @@ index e100d88..991e1a5 100644 ') ######################################## -@@ -1792,16 +1958,9 @@ interface(`kernel_rw_hotplug_sysctls',` +@@ -1792,16 +1962,9 @@ interface(`kernel_rw_hotplug_sysctls',` ## Domain allowed access. ## ## @@ -17641,7 +18420,7 @@ index e100d88..991e1a5 100644 ') ######################################## -@@ -1813,16 +1972,9 @@ interface(`kernel_read_modprobe_sysctls',` +@@ -1813,16 +1976,9 @@ interface(`kernel_read_modprobe_sysctls',` ## Domain allowed access. ## ## @@ -17659,7 +18438,7 @@ index e100d88..991e1a5 100644 ') ######################################## -@@ -2085,9 +2237,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,9 +2241,28 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -17689,7 +18468,7 @@ index e100d88..991e1a5 100644 ######################################## ## ## Allow caller to read all sysctls. -@@ -2282,6 +2453,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2457,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -17715,7 +18494,7 @@ index e100d88..991e1a5 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2496,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2500,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -17724,7 +18503,7 @@ index e100d88..991e1a5 100644 ## ## # -@@ -2488,6 +2678,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2682,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -17749,7 +18528,7 @@ index e100d88..991e1a5 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2733,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2737,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## 
@@ -17774,7 +18553,7 @@ index e100d88..991e1a5 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,16 +2893,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,16 +2897,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -17818,7 +18597,7 @@ index e100d88..991e1a5 100644 ## ## ## -@@ -2694,6 +2938,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2942,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -17844,7 +18623,7 @@ index e100d88..991e1a5 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +3066,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +3070,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -17878,7 +18657,7 @@ index e100d88..991e1a5 100644 ######################################## ## -@@ -2958,6 +3248,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3252,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -17903,7 +18682,7 @@ index e100d88..991e1a5 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3280,628 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3284,628 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -18534,7 +19313,7 @@ index e100d88..991e1a5 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..46d7f18 100644 +index 8dbab4c..a85c5d7 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
@@ -18690,7 +19469,7 @@ index 8dbab4c..46d7f18 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +315,53 @@ files_list_root(kernel_t) +@@ -277,25 +315,54 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -18720,6 +19499,7 @@ index 8dbab4c..46d7f18 100644 + +optional_policy(` + abrt_filetrans_named_content(kernel_t) ++ abrt_dump_oops_domtrans(kernel_t) +') + +optional_policy(` @@ -18744,7 +19524,7 @@ index 8dbab4c..46d7f18 100644 ') optional_policy(` -@@ -305,6 +371,19 @@ optional_policy(` +@@ -305,6 +372,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -18764,7 +19544,7 @@ index 8dbab4c..46d7f18 100644 ') optional_policy(` -@@ -312,6 +391,11 @@ optional_policy(` +@@ -312,6 +392,11 @@ optional_policy(` ') optional_policy(` @@ -18776,7 +19556,7 @@ index 8dbab4c..46d7f18 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +416,6 @@ optional_policy(` +@@ -332,9 +417,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -18786,7 +19566,7 @@ index 8dbab4c..46d7f18 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +424,7 @@ optional_policy(` +@@ -343,9 +425,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -18797,7 +19577,7 @@ index 8dbab4c..46d7f18 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +433,7 @@ optional_policy(` +@@ -354,7 +434,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -18806,7 +19586,7 @@ index 8dbab4c..46d7f18 100644 ') ') -@@ -367,6 +446,15 @@ optional_policy(` +@@ -367,6 +447,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') 
@@ -18822,7 +19602,7 @@ index 8dbab4c..46d7f18 100644 ######################################## # # Unlabeled process local policy -@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) { +@@ -399,14 +488,39 @@ if( ! secure_mode_insmod ) { # Rules for unconfined acccess to this module # @@ -19433,10 +20213,10 @@ index 54f1827..6910c88 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 64c4cd0..542299c 100644 +index 64c4cd0..52070af 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if -@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` +@@ -22,6 +22,30 @@ interface(`storage_getattr_fixed_disk_dev',` ######################################## ## @@ -19451,11 +20231,15 @@ index 64c4cd0..542299c 100644 +# +interface(`storage_rw_inherited_fixed_disk_dev',` + gen_require(` -+ type fixed_disk_device_t; ++ type fixed_disk_device_t; ++ attribute fixed_disk_raw_read; ++ attribute fixed_disk_raw_write; + ') + -+ allow $1 fixed_disk_device_t:chr_file { read write }; -+ allow $1 fixed_disk_device_t:blk_file { read write }; ++ allow $1 fixed_disk_device_t:chr_file { read write }; ++ allow $1 fixed_disk_device_t:blk_file { read write }; ++ typeattribute $1 fixed_disk_raw_read; ++ typeattribute $1 fixed_disk_raw_write; +') + +######################################## @@ -19463,7 +20247,7 @@ index 64c4cd0..542299c 100644 ## Do not audit attempts made by the caller to get ## the attributes of fixed disk device nodes. ## -@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',` +@@ -101,6 +125,8 @@ interface(`storage_raw_read_fixed_disk',` dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; 
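Review bot: The added `typeattribute $1 fixed_disk_raw_read;` and `typeattribute $1 fixed_disk_raw_write;` lines in `storage_rw_inherited_fixed_disk_dev` tag every caller as a raw fixed-disk reader and writer for assertion purposes, which is reasonable for a domain holding an open descriptor on a disk node but is a side effect the interface description (above the hunk) should state, since the name only says "inherited". The two `allow` lines spell the access as `{ read write }` while the sibling `storage_rw_inherited_scsi_generic` added by this patch uses `rw_inherited_chr_file_perms`; writing them as `allow $1 fixed_disk_device_t:chr_file rw_inherited_chr_file_perms;` and `allow $1 fixed_disk_device_t:blk_file rw_inherited_blk_file_perms;` keeps the two interfaces consistent and keeps any later change to the inherited permission set in one place.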
@@ -19472,7 +20256,7 @@ index 64c4cd0..542299c 100644 typeattribute $1 fixed_disk_raw_read; ') -@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',` +@@ -186,6 +212,7 @@ interface(`storage_dontaudit_write_fixed_disk',` interface(`storage_raw_rw_fixed_disk',` storage_raw_read_fixed_disk($1) storage_raw_write_fixed_disk($1) @@ -19480,7 +20264,7 @@ index 64c4cd0..542299c 100644 ') ######################################## -@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',` +@@ -205,6 +232,7 @@ interface(`storage_create_fixed_disk_dev',` allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; @@ -19488,7 +20272,7 @@ index 64c4cd0..542299c 100644 dev_add_entry_generic_dirs($1) ') -@@ -274,6 +298,48 @@ interface(`storage_dev_filetrans_fixed_disk',` +@@ -274,6 +302,48 @@ interface(`storage_dev_filetrans_fixed_disk',` dev_filetrans($1, fixed_disk_device_t, blk_file, $2) ') @@ -19537,7 +20321,7 @@ index 64c4cd0..542299c 100644 ######################################## ## ## Create block devices in on a tmpfs filesystem with the -@@ -295,6 +361,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` +@@ -295,6 +365,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` ######################################## ## 
@@ -19563,7 +20347,43 @@ index 64c4cd0..542299c 100644 ## Relabel fixed disk device nodes. ## ## -@@ -716,6 +801,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` +@@ -478,6 +567,35 @@ interface(`storage_write_scsi_generic',` + typeattribute $1 scsi_generic_write; + ') + ++ ++######################################## ++## ++## Allow the caller to directly read and write, in a ++## generic fashion, from any SCSI device. ++## This is extremly dangerous as it can bypass the ++## SELinux protections for filesystem objects, and ++## should only be used by trusted domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`storage_rw_inherited_scsi_generic',` ++ gen_require(` ++ attribute scsi_generic_read; ++ attribute scsi_generic_write; ++ type scsi_generic_device_t; ++ ') ++ ++ dev_list_all_dev_nodes($1) ++ allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms; ++ allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms; ++ typeattribute $1 scsi_generic_write; ++ typeattribute $1 scsi_generic_read; ++') ++ + ######################################## + ## + ## Set attributes of the device nodes +@@ -716,6 +834,24 @@ interface(`storage_dontaudit_raw_write_removable_device',` dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') @@ -19588,7 +20408,7 @@ index 64c4cd0..542299c 100644 ######################################## ## ## Allow the caller to directly read -@@ -813,3 +916,452 @@ interface(`storage_unconfined',` +@@ -813,3 +949,452 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') @@ -29100,7 +29920,7 @@ index 2479587..890e1e2 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..9e85ea0 100644 +index 3efd5b6..3db526f 100644 --- a/policy/modules/system/authlogin.if 
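Review bot: In `storage_rw_inherited_scsi_generic` the line `allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;` applies the block-file permission set to the `chr_file` class, which looks like a copy-paste slip from the line above it: either the class was meant to be `blk_file` or the line is redundant with `allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms;` and should be dropped. The description copied from `storage_write_scsi_generic` ("directly read and write, in a generic fashion, from any SCSI device") also describes more than the rules grant, which is access through already-open descriptors only, and `dev_list_all_dev_nodes($1)` is not needed to use an inherited descriptor. Suggest a summary of `## Read and write inherited (already open) SCSI generic device descriptors.` while keeping the caution about bypassing filesystem protections, and removing the list-dev-nodes call unless a caller is known to need it.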
+++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -29651,33 +30471,75 @@ index 3efd5b6..9e85ea0 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1968,63 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; --') -- --######################################## --## ++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") + ') + + ######################################## + ## -## Relabel login record files. --## --## --## --## Domain allowed access. --## --## --# ++## Read access to the authlogin module. + ## ++## ++##

++## Read access to the authlogin module. ++##

++##

++## Currently, this only allows assertions for ++## the shadow passwords file (/etc/shadow) to ++## be passed. No access is granted yet. ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## + # -interface(`auth_relabel_login_records',` -- gen_require(` ++interface(`auth_reader_shadow',` + gen_require(` - type wtmp_t; -- ') -- ++ attribute can_read_shadow_passwords; + ') + - allow $1 wtmp_t:file relabel_file_perms; -+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp") ++ typeattribute $1 can_read_shadow_passwords; ++') ++ ++######################################## ++## ++## Write access to the authlogin module. ++## ++## ++##

++## Write access to the authlogin module. ++##

++##

++## Currently, this only allows assertions for ++## the shadow passwords file (/etc/shadow) to ++## be passed. No access is granted yet. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_writer_shadow',` ++ gen_require(` ++ attribute can_write_shadow_passwords; ++ ') ++ ++ typeattribute $1 can_write_shadow_passwords; ') ######################################## -@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +2048,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -29694,7 +30556,7 @@ index 3efd5b6..9e85ea0 100644 ') ######################################## -@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',` +@@ -1805,3 +2088,280 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b1f2938..a121c91 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644 -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..158acba 100644 +index 058d908..7da78c7 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ 
@@ -111,7 +111,33 @@ index 058d908..158acba 100644 ###################################### ## -@@ -40,7 +62,7 @@ interface(`abrt_exec',` +@@ -21,6 +43,25 @@ interface(`abrt_domtrans',` + + ###################################### + ## ++## Execute abrt_dump_oops in the abrt_dump_oops_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`abrt_dump_oops_domtrans',` ++ gen_require(` ++ type abrt_dump_oops_t, abrt_dump_oops_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t) ++') ++ ++###################################### ++## + ## Execute abrt in the caller domain. + ## + ## +@@ -40,7 +81,7 @@ interface(`abrt_exec',` ######################################## ## @@ -120,7 +146,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -58,7 +80,7 @@ interface(`abrt_signull',` +@@ -58,7 +99,7 @@ interface(`abrt_signull',` ######################################## ## @@ -129,7 +155,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -71,12 +93,13 @@ interface(`abrt_read_state',` +@@ -71,12 +112,13 @@ interface(`abrt_read_state',` type abrt_t; ') @@ -144,7 +170,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',` +@@ -116,8 +158,7 @@ interface(`abrt_dbus_chat',` ##################################### ## @@ -154,7 +180,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',` +@@ -130,15 +171,13 @@ interface(`abrt_domtrans_helper',` type abrt_helper_t, abrt_helper_exec_t; ') @@ -172,7 +198,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -163,8 +183,26 @@ interface(`abrt_run_helper',` +@@ -163,8 +202,45 @@ interface(`abrt_run_helper',` ######################################## ## 
@@ -198,53 +224,53 @@ index 058d908..158acba 100644 +######################################## +## +## Append abrt cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_append_cache',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ ++ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ++') ++ ++######################################## ++## ++## Read/Write inherited abrt cache ## ## ## -@@ -172,15 +210,37 @@ interface(`abrt_run_helper',` +@@ -172,15 +248,18 @@ interface(`abrt_run_helper',` ## ## # -interface(`abrt_cache_manage',` - refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') - abrt_manage_cache($1) -+interface(`abrt_append_cache',` ++interface(`abrt_rw_inherited_cache',` + gen_require(` + type abrt_var_cache_t; + ') + + -+ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; ') ######################################## ## -## Create, read, write, and delete -## abrt cache content. -+## Read/Write inherited abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`abrt_rw_inherited_cache',` -+ gen_require(` -+ type abrt_var_cache_t; -+ ') -+ -+ -+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## +## Manage abrt cache ## ## ## -@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',` +@@ -193,7 +272,6 @@ interface(`abrt_manage_cache',` type abrt_var_cache_t; ') @@ -252,7 +278,7 @@ index 058d908..158acba 100644 manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',` +@@ -201,7 +279,7 @@ interface(`abrt_manage_cache',` #################################### ## 
@@ -261,7 +287,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -218,9 +277,29 @@ interface(`abrt_read_config',` +@@ -218,9 +296,29 @@ interface(`abrt_read_config',` read_files_pattern($1, abrt_etc_t, abrt_etc_t) ') @@ -292,7 +318,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -258,8 +337,7 @@ interface(`abrt_read_pid_files',` +@@ -258,8 +356,7 @@ interface(`abrt_read_pid_files',` ###################################### ## @@ -302,7 +328,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -276,10 +354,52 @@ interface(`abrt_manage_pid_files',` +@@ -276,10 +373,52 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -357,7 +383,7 @@ index 058d908..158acba 100644 ## ## ## -@@ -288,39 +408,174 @@ interface(`abrt_manage_pid_files',` +@@ -288,39 +427,174 @@ interface(`abrt_manage_pid_files',` ## ## ## @@ -546,7 +572,7 @@ index 058d908..158acba 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..d6d0e34 100644 +index eb50f07..f93be3c 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -989,7 +1015,7 @@ index eb50f07..d6d0e34 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +456,60 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +456,64 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1011,7 +1037,7 @@ index eb50f07..d6d0e34 100644 # -allow abrt_dump_oops_t self:capability dac_override; -+allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override }; ++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override }; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; 
@@ -1034,13 +1060,17 @@ index eb50f07..d6d0e34 100644 +kernel_read_debugfs(abrt_dump_oops_t) kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) - ++kernel_read_security_state(abrt_dump_oops_t) ++ +auth_read_passwd(abrt_dump_oops_t) + +dev_read_urand(abrt_dump_oops_t) +dev_read_rand(abrt_dump_oops_t) -+ + domain_use_interactive_fds(abrt_dump_oops_t) ++domain_signull_all_domains(abrt_dump_oops_t) ++domain_ptrace_all_domains(abrt_dump_oops_t) ++domain_read_all_domains_state(abrt_dump_oops_t) +fs_getattr_all_fs(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) @@ -1054,7 +1084,7 @@ index eb50f07..d6d0e34 100644 ####################################### # -@@ -404,25 +517,60 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,25 +521,60 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -1117,7 +1147,7 @@ index eb50f07..d6d0e34 100644 ') ####################################### -@@ -430,10 +578,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +582,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -3364,10 +3394,10 @@ index 0000000..6183b21 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..3ef1de6 100644 +index 7caefc3..239cefa 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,207 @@ +@@ -1,162 +1,211 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -3407,6 +3437,7 @@ index 7caefc3..3ef1de6 100644 +/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) ++/etc/opt/rh/rh-nginx18/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) /etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) @@ -3586,6 +3617,7 @@ index 7caefc3..3ef1de6 100644 +/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/opt/rh/rh-nginx18/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) + @@ -3626,6 +3658,7 @@ index 7caefc3..3ef1de6 100644 +/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/opt/rh/rh-nginx18/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) 
@@ -3663,6 +3696,7 @@ index 7caefc3..3ef1de6 100644 +/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/opt/rh/rh-nginx18/run/nginx(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) 
@@ -9692,6 +9726,195 @@ index f5c1a48..f7b4f1d 100644 tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t) ') + +diff --git a/blkmapd.fc b/blkmapd.fc +new file mode 100644 +index 0000000..5e59fb4 +--- /dev/null ++++ b/blkmapd.fc +@@ -0,0 +1,6 @@ ++ ++/etc/rc\.d/init\.d/blkmapd -- gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0) ++ ++/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0) ++ ++/var/run/blkmapd\.pid -- gen_context(system_u:object_r:blkmapd_var_run_t,s0) +diff --git a/blkmapd.if b/blkmapd.if +new file mode 100644 +index 0000000..7666379 +--- /dev/null ++++ b/blkmapd.if +@@ -0,0 +1,121 @@ ++ ++## The blkmapd daemon performs device discovery and mapping for pNFS block layout client. ++ ++######################################## ++## ++## Execute blkmapd_exec_t in the blkmapd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`blkmapd_domtrans',` ++ gen_require(` ++ type blkmapd_t, blkmapd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, blkmapd_exec_t, blkmapd_t) ++') ++ ++###################################### ++## ++## Execute blkmapd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`blkmapd_exec',` ++ gen_require(` ++ type blkmapd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, blkmapd_exec_t) ++') ++ ++######################################## ++## ++## Execute blkmapd server in the blkmapd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`blkmapd_initrc_domtrans',` ++ gen_require(` ++ type blkmapd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, blkmapd_initrc_exec_t) ++') ++######################################## ++## ++## Read blkmapd PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`blkmapd_read_pid_files',` ++ gen_require(` ++ type blkmapd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an blkmapd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`blkmapd_admin',` ++ gen_require(` ++ type blkmapd_t; ++ type blkmapd_initrc_exec_t; ++ type blkmapd_var_run_t; ++ ') ++ ++ allow $1 blkmapd_t:process { signal_perms }; ++ ps_process_pattern($1, blkmapd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 blkmapd_t:process ptrace; ++ ') ++ ++ blkmapd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 blkmapd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_pids($1) ++ admin_pattern($1, blkmapd_var_run_t) ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/blkmapd.te b/blkmapd.te +new file mode 100644 +index 0000000..6cfb355 +--- /dev/null ++++ b/blkmapd.te +@@ -0,0 +1,44 @@ ++policy_module(blkmapd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type blkmapd_t; ++type blkmapd_exec_t; ++init_daemon_domain(blkmapd_t, blkmapd_exec_t) ++ ++type blkmapd_initrc_exec_t; ++init_script_file(blkmapd_initrc_exec_t) ++ ++type blkmapd_var_run_t; ++files_pid_file(blkmapd_var_run_t) ++ ++ ++######################################## ++# ++# blkmapd local policy ++# ++ ++allow blkmapd_t self:capability sys_rawio; ++ ++manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t) ++files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file) ++ ++kernel_read_system_state(blkmapd_t) ++ ++dev_list_sysfs(blkmapd_t) ++ ++fs_list_rpc(blkmapd_t) ++fs_rw_rpc_named_pipes(blkmapd_t) ++ ++storage_raw_read_fixed_disk(blkmapd_t) 
++storage_raw_read_removable_device(blkmapd_t) ++ ++ ++logging_send_syslog_msg(blkmapd_t) ++ ++optional_policy(` ++ rpc_read_nfs_state_data(blkmapd_t) ++') diff --git a/blueman.fc b/blueman.fc index c295d2e..4f84e9c 100644 --- a/blueman.fc @@ -35956,10 +36179,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..2e4b08a 100644 +index 4eb7041..3ba4a51 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,135 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -35997,7 +36220,7 @@ index 4eb7041..2e4b08a 100644 # -# Local policy +# hyperv domain local policy -+# + # + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; @@ -36011,12 +36234,13 @@ index 4eb7041..2e4b08a 100644 +dev_read_sysfs(hyperv_domain) + +######################################## - # ++# +# hypervkvp local policy # -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++allow hypervkvp_t self:capability sys_ptrace; +allow hypervkvp_t self:process setfscreate; +allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms; + @@ -36032,6 +36256,8 @@ index 4eb7041..2e4b08a 100644 +kernel_read_network_state(hypervkvp_t) +kernel_rw_net_sysctls(hypervkvp_t) + ++corecmd_getattr_all_executables(hypervkvp_t) ++ +domain_read_all_domains_state(hypervkvp_t) + +seutil_exec_setfiles(hypervkvp_t) @@ -36074,6 +36300,7 @@ index 4eb7041..2e4b08a 100644 + +optional_policy(` + dbus_read_pid_files(hypervkvp_t) ++ dbus_system_bus_client(hypervkvp_t) +') + +optional_policy(` @@ -36976,10 +37203,10 @@ index 0000000..71bde7d + diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..7d70dcb +index 0000000..694c092 --- /dev/null 
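Review bot: `allow blkmapd_t self:capability sys_rawio;` together with `storage_raw_read_fixed_disk(blkmapd_t)` and `storage_raw_read_removable_device(blkmapd_t)` in the new blkmapd.te is a raw-disk-read grant with no comment stating why the daemon needs it; the .if summary ("device discovery and mapping for pNFS block layout client") gives the reason, so a line such as `# sys_rawio + raw disk reads: pNFS block-layout device discovery (see blkmapd.if) - confirm against audit denials` above the capability rule would record it in the policy itself. In blkmapd.if the `blkmapd_admin` summary says "an blkmapd environment" (should be "a blkmapd environment"), and the `')` closing `blkmapd_initrc_domtrans` runs straight into the next `####` banner with no blank line, unlike every other interface in the file. The new blkmapd.fc also begins with an empty line, which the other .fc files added by this patch do not.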
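Review bot: `allow hypervkvp_t self:capability sys_ptrace;` in the `@@ -36011,12 +36234,13 @@` hunk is added without a comment, in a domain that already has `domain_read_all_domains_state(hypervkvp_t)`; the changelog attributes the change to running pidof, but the page does not show which access the capability clears. A comment on the line, e.g. `# sys_ptrace: needed when pidof inspects /proc/<pid> of other domains - confirm with the audit denial`, would stop the capability from being kept after the helper changes. The hypervkvp_t local policy continues outside this hunk.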
+++ b/ipa.te -@@ -0,0 +1,113 @@ +@@ -0,0 +1,122 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -37047,7 +37274,10 @@ index 0000000..7d70dcb +# + + -+allow ipa_helper_t self:capability { dac_override chown }; ++allow ipa_helper_t self:capability { net_admin dac_override chown }; ++ ++#kernel bug ++dontaudit ipa_helper_t self:capability2 block_suspend; + +allow ipa_helper_t self:process setfscreate; +allow ipa_helper_t self:fifo_file rw_fifo_file_perms; @@ -37065,6 +37295,8 @@ index 0000000..7d70dcb + +auth_use_nsswitch(ipa_helper_t) + ++files_list_tmp(ipa_helper_t) ++ +ipa_manage_pid_files(ipa_helper_t) +ipa_read_lib(ipa_helper_t) + 
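Review bot: The comment `#kernel bug` above `dontaudit ipa_helper_t self:capability2 block_suspend;` carries no reference, so nobody can later tell whether the dontaudit is still needed; replace it with one that names the tracker entry, e.g. `# dontaudit spurious block_suspend checks (kernel bug <BUG-ID placeholder>); drop once fixed`. `net_admin` is added to the capability set on the line above in the same hunk, also without a why-comment, and since it is one of the broader capabilities a line naming the operation that needs it would help the next reviewer. Both changes sit inside the ipa_helper_t local policy, which continues outside the hunk.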
@@ -37087,12 +37319,191 @@ index 0000000..7d70dcb +') + +optional_policy(` ++ rpm_read_db(ipa_helper_t) ++') ++ ++optional_policy(` + samba_read_config(ipa_helper_t) +') + +optional_policy(` + sssd_manage_lib_files(ipa_helper_t) +') +diff --git a/ipmievd.fc b/ipmievd.fc +new file mode 100644 +index 0000000..caf1fe5 +--- /dev/null ++++ b/ipmievd.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0) ++ ++/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0) ++ ++/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0) +diff --git a/ipmievd.if b/ipmievd.if +new file mode 100644 +index 0000000..e86db54 +--- /dev/null ++++ b/ipmievd.if +@@ -0,0 +1,120 @@ ++## IPMI event daemon for sending events to syslog. ++ ++######################################## ++## ++## Execute ipmievd_exec_t in the ipmievd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipmievd_domtrans',` ++ gen_require(` ++ type ipmievd_t, ipmievd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ipmievd_exec_t, ipmievd_t) ++') ++ ++###################################### ++## ++## Execute ipmievd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipmievd_exec',` ++ gen_require(` ++ type ipmievd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, ipmievd_exec_t) ++') ++ ++######################################## ++## ++## Read ipmievd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipmievd_read_pid_files',` ++ gen_require(` ++ type ipmievd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t) ++') ++ ++######################################## ++## ++## Execute ipmievd server in the ipmievd domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`ipmievd_systemctl',` ++ gen_require(` ++ type ipmievd_t; ++ type ipmievd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ipmievd_unit_file_t:file read_file_perms; ++ allow $1 ipmievd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ipmievd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ipmievd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipmievd_admin',` ++ gen_require(` ++ type ipmievd_t; ++ type ipmievd_var_run_t; ++ type ipmievd_unit_file_t; ++ ') ++ ++ allow $1 ipmievd_t:process { signal_perms }; ++ ps_process_pattern($1, ipmievd_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ipmievd_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, ipmievd_var_run_t) ++ ++ ipmievd_systemctl($1) ++ admin_pattern($1, ipmievd_unit_file_t) ++ allow $1 ipmievd_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/ipmievd.te b/ipmievd.te +new file mode 100644 +index 0000000..f8428ca +--- /dev/null ++++ b/ipmievd.te +@@ -0,0 +1,32 @@ ++policy_module(ipmievd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ipmievd_t; ++type ipmievd_exec_t; ++init_daemon_domain(ipmievd_t, ipmievd_exec_t) ++ ++type ipmievd_var_run_t; ++files_pid_file(ipmievd_var_run_t) ++ ++type ipmievd_unit_file_t; ++systemd_unit_file(ipmievd_unit_file_t) ++ ++######################################## ++# ++# ipmievd local policy ++# ++ ++allow ipmievd_t self:process { fork setpgid }; ++allow ipmievd_t self:fifo_file rw_fifo_file_perms; ++ ++manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t) ++files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file }) ++ ++dev_rw_ipmi_dev(ipmievd_t) ++ 
++logging_send_syslog_msg(ipmievd_t) ++ diff --git a/irc.fc b/irc.fc index 48e7739..1bf0326 100644 --- a/irc.fc @@ -37572,7 +37983,7 @@ index 1a35420..8101022 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index ca020fa..d4ed777 100644 +index ca020fa..989eba9 100644 --- a/iscsi.te +++ b/iscsi.te @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0) @@ -37620,12 +38031,12 @@ index ca020fa..d4ed777 100644 can_exec(iscsid_t, iscsid_exec_t) ++kernel_load_module(iscsid_t) +kernel_request_load_module(iscsid_t) kernel_read_network_state(iscsid_t) kernel_read_system_state(iscsid_t) -kernel_setsched(iscsid_t) +kernel_dontaudit_setsched(iscsid_t) -+kernel_request_load_module(iscsid_t) -corenet_all_recvfrom_unlabeled(iscsid_t) corenet_all_recvfrom_netlabel(iscsid_t) @@ -47145,10 +47556,10 @@ index 0000000..86467cf +') diff --git a/mirrormanager.te b/mirrormanager.te new file mode 100644 -index 0000000..841b732 +index 0000000..f59af1b --- /dev/null +++ b/mirrormanager.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,46 @@ +policy_module(mirrormanager, 1.0.0) + +######################################## @@ -47158,7 +47569,7 @@ index 0000000..841b732 + +type mirrormanager_t; +type mirrormanager_exec_t; -+cron_system_entry(mirrormanager_t, mirrormanager_exec_t) ++application_domain(mirrormanager_t, mirrormanager_exec_t) + +type mirrormanager_log_t; +logging_log_file(mirrormanager_log_t) @@ -47192,6 +47603,9 @@ index 0000000..841b732 +manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) +files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir }) + ++optional_policy(` ++ cron_system_entry(mirrormanager_t, mirrormanager_exec_t) ++') diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -53015,7 +53429,7 @@ index b744fe3..cb0e2af 100644 + admin_pattern($1, munin_content_t) ') diff --git a/munin.te b/munin.te -index b708708..dd6e04b 100644 +index b708708..f4c0e61 100644 --- a/munin.te 
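Review bot: The summary for `ipmievd_systemctl` in the new ipmievd.if reads "Execute ipmievd server in the ipmievd domain.", which describes a domain transition, but the body grants `systemd_exec_systemctl($1)`, read access to `ipmievd_unit_file_t` and `manage_service_perms` on the unit; it should read something like `## Execute systemctl to manage the ipmievd service.` (compare the `ipmievd_domtrans` summary at the top of the file, which is the one that actually transitions). In ipmievd.te, `files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })` braces a single class where blkmapd.te in the same patch writes `file` bare; the two new modules should pick one form. The ipmievd.fc entries are otherwise consistent with the types declared in ipmievd.te.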
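Review bot: `kernel_load_module(iscsid_t)` is inserted directly above `kernel_request_load_module(iscsid_t)` in the `@@ -37620,12 +38031,12 @@` hunk with no comment, so a reader of iscsi.te alone sees a daemon granted kernel module loading; the changelog says the call exists to satisfy the sys_module neverallow, which is the kind of reason that belongs next to the rule. Suggested line above it: `# kernel_load_module(): satisfies the sys_module neverallow assertion (attribute assignment) - confirm iscsid needs more than request_load_module`. The identical unexplained additions for `openvswitch_t` (`@@ -64055,12 +64480,13 @@`) and `vmware_host_t` (`@@ -111218,7 +111666,11 @@`) later in this patch need the same comment.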
+++ b/munin.te @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t) @@ -53122,7 +53536,7 @@ index b708708..dd6e04b 100644 ') optional_policy(` -@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -246,21 +234,25 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -53141,16 +53555,18 @@ index b708708..dd6e04b 100644 - -files_read_etc_runtime_files(disk_munin_plugin_t) +dev_read_all_blk_files(disk_munin_plugin_t) ++dev_raw_memory_reader(disk_munin_plugin_t) fs_getattr_all_fs(disk_munin_plugin_t) fs_getattr_all_dirs(disk_munin_plugin_t) -storage_getattr_fixed_disk_dev(disk_munin_plugin_t) +storage_raw_read_fixed_disk(disk_munin_plugin_t) ++storage_read_scsi_generic(disk_munin_plugin_t) sysnet_read_config(disk_munin_plugin_t) -@@ -272,6 +262,10 @@ optional_policy(` +@@ -272,6 +264,10 @@ optional_policy(` fstools_exec(disk_munin_plugin_t) ') @@ -53161,7 +53577,7 @@ index b708708..dd6e04b 100644 #################################### # # Mail local policy -@@ -279,27 +273,39 @@ optional_policy(` +@@ -279,27 +275,39 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -53205,7 +53621,7 @@ index b708708..dd6e04b 100644 ') optional_policy(` -@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t) +@@ -339,7 +347,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -53214,7 +53630,7 @@ index b708708..dd6e04b 100644 ') optional_policy(` -@@ -348,6 +354,10 @@ optional_policy(` +@@ -348,6 +356,10 @@ optional_policy(` ') optional_policy(` @@ -53225,7 +53641,7 @@ index b708708..dd6e04b 100644 lpd_exec_lpr(services_munin_plugin_t) ') -@@ -361,7 +371,11 @@ optional_policy(` +@@ -361,7 +373,11 @@ optional_policy(` ') optional_policy(` 
@@ -53238,7 +53654,7 @@ index b708708..dd6e04b 100644 ') optional_policy(` -@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -393,6 +409,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -53246,7 +53662,7 @@ index b708708..dd6e04b 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -421,3 +436,33 @@ optional_policy(` +@@ -421,3 +438,33 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -61436,10 +61852,19 @@ index 3b6920e..3e9b17f 100644 userdom_dontaudit_search_user_home_dirs(openct_t) diff --git a/openhpi.te b/openhpi.te -index 8de6191..af7f2a8 100644 +index 8de6191..1a01e99 100644 --- a/openhpi.te +++ b/openhpi.te -@@ -50,8 +50,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) +@@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir) + manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t) + files_pid_filetrans(openhpid_t, openhpid_var_run_t, file) + ++kernel_read_system_state(openhpid_t) ++ + corenet_all_recvfrom_unlabeled(openhpid_t) + corenet_all_recvfrom_netlabel(openhpid_t) + corenet_tcp_sendrecv_generic_if(openhpid_t) +@@ -50,8 +52,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t) dev_read_urand(openhpid_t) @@ -63990,7 +64415,7 @@ index 9b15730..cb00f20 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 44dbc99..ac08330 100644 +index 44dbc99..eb8d420 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -9,11 +9,8 @@ type openvswitch_t; 
@@ -64055,12 +64480,13 @@ index 44dbc99..ac08330 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -65,33 +68,45 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ +@@ -65,33 +68,46 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) -can_exec(openvswitch_t, openvswitch_exec_t) - ++kernel_load_module(openvswitch_t) kernel_read_network_state(openvswitch_t) kernel_read_system_state(openvswitch_t) +kernel_request_load_module(openvswitch_t) @@ -85125,7 +85551,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..e030327 100644 +index d32e1a2..2078892 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t) @@ -85164,7 +85590,7 @@ index d32e1a2..e030327 100644 manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t) -@@ -50,25 +56,78 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) +@@ -50,25 +56,83 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) @@ -85211,8 +85637,12 @@ index d32e1a2..e030327 100644 sysnet_dns_name_resolve(rhsmcertd_t) - optional_policy(` -- rpm_read_db(rhsmcertd_t) ++ifdef(`hide_broken_symptoms',` ++ exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t) ++ exec_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t) ++') ++ ++optional_policy(` + dbus_system_domain(rhsmcertd_t,rhsmcertd_exec_t) +') + 
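Review bot: The ifdef(hide_broken_symptoms) block in the `@@ -85211,8 +85637,12 @@` hunk lets rhsmcertd_t execute files of type `rhsmcertd_tmp_t` and `rhsmcertd_var_run_t`, and the context shown at the `@@ -50,25 +56,83 @@` header on this page (`manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)`) shows the same domain writes those files, so it can now create a file and execute it. The changelog calls this temporary, so the block should say so in the policy with a tracking reference and the intended fix, e.g. `# TEMP (<BUG-ID placeholder>): rhsmcertd runs helpers out of its tmp/run dirs; label them with an exec type and remove this block`. The rhsmcertd_t local policy continues on both sides of the hunk.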
@@ -85245,7 +85675,8 @@ index d32e1a2..e030327 100644 + virt_signull(rhsmcertd_t) +') + -+optional_policy(` + optional_policy(` +- rpm_read_db(rhsmcertd_t) + unconfined_signull(rhsmcertd_t) ') diff --git a/ricci.if b/ricci.if @@ -91902,10 +92333,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..1e7c447 +index 0000000..b21026b --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,80 @@ +@@ -0,0 +1,92 @@ + +## policy for sandbox + @@ -91983,8 +92414,20 @@ index 0000000..1e7c447 + + application_type($1_t) + ++ # this is to satisfy the assertion: ++ dev_raw_memory_reader($1_t) ++ dev_raw_memory_writer($1_t) ++ + mls_rangetrans_target($1_t) + mcs_constrained($1_t) ++ ++ # this is to satisfy the assertion: ++ storage_rw_inherited_fixed_disk_dev($1_t) ++ storage_rw_inherited_scsi_generic($1_t) ++ ++ # this is to satisfy the assertion: ++ auth_reader_shadow($1_t) ++ auth_writer_shadow($1_t) +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 @@ -92066,7 +92509,7 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..03bdcef +index 0000000..5b65b7c --- /dev/null +++ b/sandboxX.if @@ -0,0 +1,395 @@ @@ -92157,7 +92600,7 @@ index 0000000..03bdcef + attribute sandbox_type; + ') + -+ type $1_t, sandbox_x_domain, sandbox_type; ++ type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type; + application_type($1_t) + mcs_constrained($1_t) + @@ -92467,10 +92910,10 @@ index 0000000..03bdcef +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..a3319b0 +index 0000000..7a8e744 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,501 @@ +@@ -0,0 +1,505 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() 
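Review bot: The three new comments in the sandbox.if template (`@@ -91983,8 +92414,20 @@`) read `# this is to satisfy the assertion:` and stop at the colon without naming an assertion, so the six added calls (dev_raw_memory_reader/writer, storage_rw_inherited_fixed_disk_dev, storage_rw_inherited_scsi_generic, auth_reader_shadow, auth_writer_shadow) are unexplained; each comment should name the neverallow it satisfies, e.g. `# satisfy the raw-memory neverallow: sandbox domains are declared as /dev/mem readers and writers`. If these interfaces only attach attributes they grant nothing, but should any of them also emit allow rules every sandbox domain has just gained raw memory and shadow access; the page does not show their bodies, so that should be confirmed before merge. The template's declaration line is outside the hunk.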
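Review bot: `type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;` in the sandboxX.if hunk (`@@ -92157,7 +92600,7 @@`) now gives every domain produced by this template the `sandbox_web_type` attribute, so whatever rules target that attribute (not shown on the page) apply to non-web sandboxes as well; the changelog describes this as a temporary fix for #1103622 that "allows to run everything under one sandbox type". That collapse of the separation between sandbox X types deserves a marker on the line, e.g. `# TEMP #1103622: all sandbox X domains also carry sandbox_web_type; revert when fixed`, and the bare `#1103622` comment above `corenet_tcp_connect_xserver_port(sandbox_x_t)` in the sandboxX.te hunk (`@@ -92764,6 +93207,10 @@`) should carry the same wording. The template body continues outside the hunk.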
@@ -92764,6 +93207,10 @@ index 0000000..a3319b0 +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + ++#1103622 ++corenet_tcp_connect_xserver_port(sandbox_x_t) ++xserver_stream_connect(sandbox_x_t) ++ +######################################## +# +# sandbox_x_client_t local policy @@ -108693,7 +109140,7 @@ index facdee8..a6dcaaa 100644 + typeattribute $1 sandbox_caps_domain; ') diff --git a/virt.te b/virt.te -index f03dcf5..36afdd2 100644 +index f03dcf5..d15b4d3 100644 --- a/virt.te +++ b/virt.te @@ -1,150 +1,241 @@ @@ -110193,7 +110640,7 @@ index f03dcf5..36afdd2 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1171,325 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1171,326 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -110484,6 +110931,7 @@ index f03dcf5..36afdd2 100644 +dontaudit svirt_lxc_net_t self:capability2 block_suspend ; +allow svirt_lxc_net_t self:process { execstack execmem }; +manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++kernel_load_module(svirt_lxc_net_t) + +tunable_policy(`virt_sandbox_use_sys_admin',` + allow svirt_lxc_net_t self:capability sys_admin; @@ -110660,7 +111108,7 @@ index f03dcf5..36afdd2 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1502,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1503,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -110675,7 +111123,7 @@ index f03dcf5..36afdd2 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,9 +1520,8 @@ optional_policy(` +@@ -1192,9 +1521,8 @@ optional_policy(` ######################################## # 
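Review bot: `kernel_load_module(svirt_lxc_net_t)` in the `@@ -110484,6 +110931,7 @@` hunk is placed just before the `virt_sandbox_use_sys_admin` tunable rather than inside it, so the container domain receives whatever that interface grants unconditionally, not only when the boolean is on. The changelog says the call cannot live inside a boolean (presumably because the interface assigns an attribute, which tunable_policy does not allow), but nothing in the .te records that trade-off; add `# kernel_load_module() assigns an attribute and cannot sit under tunable_policy, so the sys_module grant is unconditional for containers` and confirm whether the underlying allow rule could stay under the boolean with only the attribute assigned here. The svirt_lxc_net_t local policy continues outside the hunk.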
@@ -110686,7 +111134,7 @@ index f03dcf5..36afdd2 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1207,5 +1534,242 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1207,5 +1535,242 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -111205,7 +111653,7 @@ index 20a1fb2..470ea95 100644 allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms }; diff --git a/vmware.te b/vmware.te -index 4ad1894..d72037f 100644 +index 4ad1894..840409e 100644 --- a/vmware.te +++ b/vmware.te @@ -65,7 +65,8 @@ ifdef(`enable_mcs',` @@ -111218,7 +111666,11 @@ index 4ad1894..d72037f 100644 dontaudit vmware_host_t self:capability sys_tty_config; allow vmware_host_t self:process { execstack execmem signal_perms }; allow vmware_host_t self:fifo_file rw_fifo_file_perms; -@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t) +@@ -91,11 +92,12 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, file) + + can_exec(vmware_host_t, vmware_host_exec_t) + ++kernel_load_module(vmware_host_t) kernel_read_kernel_sysctls(vmware_host_t) kernel_read_system_state(vmware_host_t) kernel_read_network_state(vmware_host_t) @@ -111228,7 +111680,7 @@ index 4ad1894..d72037f 100644 corenet_all_recvfrom_netlabel(vmware_host_t) corenet_tcp_sendrecv_generic_if(vmware_host_t) corenet_udp_sendrecv_generic_if(vmware_host_t) -@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t) +@@ -115,14 +117,13 @@ dev_getattr_all_blk_files(vmware_host_t) dev_read_sysfs(vmware_host_t) dev_read_urand(vmware_host_t) dev_rw_vmware(vmware_host_t) 
@@ -111244,7 +111696,7 @@ index 4ad1894..d72037f 100644 fs_getattr_all_fs(vmware_host_t) fs_search_auto_mountpoints(vmware_host_t) -@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t) +@@ -138,23 +139,27 @@ libs_exec_ld_so(vmware_host_t) logging_send_syslog_msg(vmware_host_t) @@ -111276,7 +111728,7 @@ index 4ad1894..d72037f 100644 optional_policy(` samba_read_config(vmware_host_t) -@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t) +@@ -244,9 +249,7 @@ dev_search_sysfs(vmware_t) domain_use_interactive_fds(vmware_t) @@ -111286,7 +111738,7 @@ index 4ad1894..d72037f 100644 files_list_home(vmware_t) fs_getattr_all_fs(vmware_t) -@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t) +@@ -258,9 +261,8 @@ storage_raw_write_removable_device(vmware_t) libs_exec_ld_so(vmware_t) libs_read_lib_files(vmware_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index d5babb9..59f6779 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 142%{?dist} +Release: 143%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -647,6 +647,35 @@ exit 0 %endif %changelog +* Fri Aug 21 2015 Miroslav Grepl 3.13.1-143 +- Add ipmievd policy creaed by vmojzis@redhat.com +- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled. +- Allow NetworkManager to write audit log messages +- Add new policy for ipmievd (ipmitool). +- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block. +- Allow sandbox domain to be also /dev/mem writer +- Fix neverallow assertion for sys_module capability for openvswitch. +- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t. +- Fix neverallow assertion for sys_module capability. +- Add more attributes for sandbox domains to avoid neverallow assertion issues. +- Add neverallow asserition fixes related to storage. +- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS +- Allow openhpid_t to read system state. +- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type. +- Added labels for files provided by rh-nginx18 collection +- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db. +- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution. +- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions. +- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion. +- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues. +- Add dev_raw_memory_writer() interface +- Add auth_reader_shadow() and auth_writer_shadow() interfaces +- Add dev_raw_memory_reader() interface. 
+- Add storage_rw_inherited_scsi_generic() interface. +- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working. +- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t. +- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process. + * Tue Aug 18 2015 Lukas Vrabec 3.13.1-142 - Allow samba_net_t to manage samba_var_t sock files. - Allow httpd daemon to manage httpd_var_lib_t lnk_files.