From fac3fc97fac6eae32dcd76d9cc22cb48c9412765 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Mar 30 2016 10:56:26 +0000
Subject: * Wed Mar 30 2016 Lukas Vrabec 3.13.1-180
- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
- Allow bitlee to create bitlee_var_t dirs.
- Allow CIM provider to read sssd public files.
- Fix some broken interfaces in distro policy.
- Allow power button to shutdown the laptop.
- Allow lsm plugins to create named fixed disks. rhbz#1238066
- Allow hyperv domains to rw hyperv devices. rhbz#1241636
- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
- Label nagios scripts as httpd_sys_script_exec_t.
- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
- Fix a couple of cosmetic things in the new virtlogd_t policy. rhbz #1311576
- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
- Dontaudit logrotate to setrlimit itself. rhbz#1309604
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Allow pcp_pmie and pcp_pmlogger to read all domains state.
- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
- Merge pull request #115 from rhatdan/nvidea
- Label all nvidia binaries as xserver_exec_t
- Add new systemd_hwdb_read_config() interface. rhbz#1316514
- Add back corecmd_read_all_executables() interface.
- Call files_type() instead of file_type() for unlabeled_t.
- Add files_entrypoint_all_mountpoint() interface.
- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
- Add corecmd_entrypoint_all_executables() interface.
- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
- Add neverallow assertion for unlabaled_t to increase policy security.
- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
- Label 8952 tcp port as nsd_control.
- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
---
diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 05cb417..07d7238 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 6f97c6e..0a4879b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3867,7 +3867,7 @@ index 33e0f8d..b94f32f 100644
+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..77e6c8c 100644
+index 9e9263a..f0aef3e 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -8,6 +8,22 @@
@@ -4042,32 +4042,58 @@ index 9e9263a..77e6c8c 100644
')
read_lnk_files_pattern($1, bin_t, bin_t)
-@@ -954,6 +1008,24 @@ interface(`corecmd_exec_chroot',`
+@@ -954,28 +1008,25 @@ interface(`corecmd_exec_chroot',`
########################################
##
+-## Get the attributes of all executable files.
+## Do not audit attempts to access check executable files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`corecmd_getattr_all_executables',`
+interface(`corecmd_dontaudit_access_all_executables',`
-+ gen_require(`
-+ attribute exec_type;
-+ ')
-+
+ gen_require(`
+ attribute exec_type;
+- type bin_t;
+ ')
+
+- allow $1 bin_t:dir list_dir_perms;
+- getattr_files_pattern($1, bin_t, exec_type)
+ dontaudit $1 exec_type:file audit_access;
-+')
-+
-+########################################
-+##
- ## Get the attributes of all executable files.
+ ')
+
+ ########################################
+ ##
+-## Read all executable files.
++## Get the attributes of all executable files.
##
##
-@@ -1012,6 +1084,10 @@ interface(`corecmd_exec_all_executables',`
+ ##
+@@ -984,12 +1035,14 @@ interface(`corecmd_getattr_all_executables',`
+ ##
+ ##
+ #
+-interface(`corecmd_read_all_executables',`
++interface(`corecmd_getattr_all_executables',`
+ gen_require(`
+ attribute exec_type;
++ type bin_t;
+ ')
+
+- read_files_pattern($1, exec_type, exec_type)
++ allow $1 bin_t:dir list_dir_perms;
++ getattr_files_pattern($1, bin_t, exec_type)
+ ')
+
+ ########################################
+@@ -1012,6 +1065,10 @@ interface(`corecmd_exec_all_executables',`
can_exec($1, exec_type)
list_dirs_pattern($1, bin_t, bin_t)
read_lnk_files_pattern($1, bin_t, exec_type)
@@ -4078,7 +4104,7 @@ index 9e9263a..77e6c8c 100644
')
########################################
-@@ -1049,6 +1125,7 @@ interface(`corecmd_manage_all_executables',`
+@@ -1049,6 +1106,7 @@ interface(`corecmd_manage_all_executables',`
type bin_t;
')
@@ -4086,13 +4112,51 @@ index 9e9263a..77e6c8c 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
-@@ -1091,3 +1168,36 @@ interface(`corecmd_mmap_all_executables',`
+@@ -1091,3 +1149,74 @@ interface(`corecmd_mmap_all_executables',`
mmap_files_pattern($1, bin_t, exec_type)
')
+
+########################################
+##
++## Read all executable files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`corecmd_read_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ read_files_pattern($1, exec_type, exec_type)
++')
++
++########################################
++##
++## Read all executable files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`corecmd_entrypoint_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ allow $1 exec_type:file entrypoint;
++')
++
++########################################
++##
+## Create objects in the /bin directory
+##
+##
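Review bot: The summary line for `corecmd_entrypoint_all_executables` (the new block whose body is `allow $1 exec_type:file entrypoint;`) is copied from `corecmd_read_all_executables` and still says `## Read all executable files.`, which misdescribes an entrypoint grant. Change it to `## Allow all executable file types to be used as domain entrypoints.` Because the rule applies to every type carrying the exec_type attribute, the description is also the right place to say so, so that callers such as the sandbox policy named in the changelog can judge how broad the grant is.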
@@ -5709,7 +5773,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..1be0b6d 100644
+index b191055..58a4018 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5939,7 +6003,7 @@ index b191055..1be0b6d 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,101 +238,126 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,101 +238,127 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5999,6 +6063,7 @@ index b191055..1be0b6d 100644
-network_port(radacct, udp,1646,s0, udp,1813,s0)
-network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(neutron, tcp, 8775, s0, tcp,9696,s0, tcp,9697,s0)
++network_port(nsd_control, tcp,8952,s0)
+network_port(radacct, udp,1646,s0, tcp,1646,s0, tcp,1813,s0, udp,1813,s0)
+network_port(radius, udp,1645,s0, tcp,1645,s0, tcp,1812,s0, udp,1812,s0, tcp,18120-18121,s0, udp,18120-18121, s0)
network_port(radsec, tcp,2083,s0)
@@ -6084,7 +6149,7 @@ index b191055..1be0b6d 100644
network_port(xserver, tcp,6000-6020,s0)
network_port(zarafa, tcp,236,s0, tcp,237,s0)
network_port(zabbix, tcp,10051,s0)
-@@ -288,19 +365,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +366,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -6111,7 +6176,7 @@ index b191055..1be0b6d 100644
########################################
#
-@@ -333,6 +414,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +415,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -6120,7 +6185,7 @@ index b191055..1be0b6d 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +428,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +429,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -6176,7 +6241,7 @@ index 3f6e168..340e49f 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..8722f6d 100644
+index b31c054..50a45cf 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -6284,7 +6349,7 @@ index b31c054..8722f6d 100644
/dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0)
-@@ -172,6 +193,8 @@ ifdef(`distro_suse', `
+@@ -172,11 +193,16 @@ ifdef(`distro_suse', `
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6293,7 +6358,15 @@ index b31c054..8722f6d 100644
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +221,27 @@ ifdef(`distro_debian',`
+ /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+
++/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hypervvssd_device_t,s0)
++/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hypervkvp_device_t,s0)
++
+ /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+ /dev/xen/gntdev -c gen_context(system_u:object_r:xen_device_t,s0)
+@@ -198,12 +224,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -6324,7 +6397,7 @@ index b31c054..8722f6d 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..1c1addd 100644
+index 76f285e..3f6a351 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -8087,62 +8160,12 @@ index 76f285e..1c1addd 100644
gen_require(`
type device_t, usb_device_t;
')
-@@ -4409,9 +5270,9 @@ interface(`dev_rw_usbfs',`
- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
- ')
-
--########################################
-+######################################
- ##
--## Get the attributes of video4linux devices.
-+## Read and write userio device.
- ##
- ##
- ##
-@@ -4419,17 +5280,17 @@ interface(`dev_rw_usbfs',`
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_rw_userio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, userio_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
- ')
-
--######################################
-+########################################
- ##
--## Read and write userio device.
-+## Get the attributes of video4linux devices.
- ##
- ##
- ##
-@@ -4437,12 +5298,12 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_getattr_video_dev',`
- gen_require(`
-- type device_t, userio_device_t;
-+ type device_t, v4l_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
-@@ -4539,6 +5400,134 @@ interface(`dev_write_video_dev',`
+@@ -4330,28 +5191,180 @@ interface(`dev_search_usbfs',`
########################################
##
-+## Get the attributes of vfio devices.
+-## Allow caller to get a list of usb hardware.
++## Allow caller to get a list of usb hardware.
+##
+##
+##
@@ -8150,36 +8173,40 @@ index 76f285e..1c1addd 100644
+##
+##
+#
-+interface(`dev_getattr_vfio_dev',`
++interface(`dev_list_usbfs',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ getattr_files_pattern($1, usbfs_t, usbfs_t)
++
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
++## Set the attributes of usbfs filesystem.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_getattr_vfio_dev',`
++interface(`dev_setattr_usbfs_files',`
+ gen_require(`
-+ type vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ dontaudit $1 vfio_device_t:chr_file getattr;
++ setattr_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Set the attributes of vfio device nodes.
++## Read USB hardware information using
++## the usbfs filesystem interface.
+##
+##
+##
@@ -8187,36 +8214,39 @@ index 76f285e..1c1addd 100644
+##
+##
+#
-+interface(`dev_setattr_vfio_dev',`
++interface(`dev_read_usbfs',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
++ read_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
+')
+
+########################################
+##
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
++## Allow caller to modify usb hardware configuration files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_setattr_vfio_dev',`
++interface(`dev_rw_usbfs',`
+ gen_require(`
-+ type vfio_device_t;
++ type usbfs_t;
+ ')
+
-+ dontaudit $1 vfio_device_t:chr_file setattr;
++ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ rw_files_pattern($1, usbfs_t, usbfs_t)
++ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+')
+
-+########################################
++######################################
+##
-+## Read the vfio devices.
++## Read and write userio device.
+##
+##
+##
@@ -8224,17 +8254,17 @@ index 76f285e..1c1addd 100644
+##
+##
+#
-+interface(`dev_read_vfio_dev',`
++interface(`dev_rw_userio_dev',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type device_t, userio_device_t;
+ ')
+
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
+########################################
+##
-+## Write the vfio devices.
++## Get the attributes of video4linux devices.
+##
+##
+##
@@ -8242,42 +8272,36 @@ index 76f285e..1c1addd 100644
+##
+##
+#
-+interface(`dev_write_vfio_dev',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type device_t, v4l_device_t;
+ ')
+
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+')
+
+########################################
+##
-+## Read and write the VFIO devices.
++## Do not audit attempts to get the attributes
++## of video4linux device nodes.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_rw_vfio_dev',`
++interface(`dev_dontaudit_getattr_video_dev',`
+ gen_require(`
-+ type device_t, vfio_device_t;
++ type v4l_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
++ dontaudit $1 v4l_device_t:chr_file getattr;
+')
+
+########################################
+##
- ## Allow read/write the vhost net device
- ##
- ##
-@@ -4557,6 +5546,24 @@ interface(`dev_rw_vhost',`
-
- ########################################
- ##
-+## Allow read/write inheretid the vhost net device
++## Set the attributes of video4linux device nodes.
+##
+##
+##
@@ -8285,19 +8309,295 @@ index 76f285e..1c1addd 100644
+##
+##
+#
-+interface(`dev_rw_inherited_vhost',`
++interface(`dev_setattr_video_dev',`
+ gen_require(`
-+ type device_t, vhost_device_t;
++ type device_t, v4l_device_t;
+ ')
+
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
++ setattr_chr_files_pattern($1, device_t, v4l_device_t)
+')
+
+########################################
+##
- ## Read and write VMWare devices.
++## Do not audit attempts to set the attributes
++## of video4linux device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type v4l_device_t;
+ ')
+
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- getattr_files_pattern($1, usbfs_t, usbfs_t)
+-
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 v4l_device_t:chr_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of usbfs filesystem.
++## Read the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4359,19 +5372,17 @@ interface(`dev_list_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- setattr_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ read_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read USB hardware information using
+-## the usbfs filesystem interface.
++## Write the video4linux devices.
+ ##
+ ##
+ ##
+@@ -4379,19 +5390,17 @@ interface(`dev_setattr_usbfs_files',`
+ ##
+ ##
+ #
+-interface(`dev_read_usbfs',`
++interface(`dev_write_video_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, v4l_device_t;
+ ')
+
+- read_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
++ write_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+ ##
+-## Allow caller to modify usb hardware configuration files.
++## Get the attributes of vfio devices.
+ ##
+ ##
+ ##
+@@ -4399,37 +5408,36 @@ interface(`dev_read_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_rw_usbfs',`
++interface(`dev_getattr_vfio_dev',`
+ gen_require(`
+- type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
+- list_dirs_pattern($1, usbfs_t, usbfs_t)
+- rw_files_pattern($1, usbfs_t, usbfs_t)
+- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of video4linux devices.
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type vfio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ dontaudit $1 vfio_device_t:chr_file getattr;
+ ')
+
+-######################################
++########################################
+ ##
+-## Read and write userio device.
++## Set the attributes of vfio device nodes.
+ ##
+ ##
+ ##
+@@ -4437,18 +5445,18 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_setattr_vfio_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of video4linux device nodes.
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
+ ##
+ ##
+ ##
+@@ -4456,17 +5464,17 @@ interface(`dev_rw_userio_dev',`
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_getattr_video_dev',`
++interface(`dev_dontaudit_setattr_vfio_dev',`
+ gen_require(`
+- type v4l_device_t;
++ type vfio_device_t;
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file getattr;
++ dontaudit $1 vfio_device_t:chr_file setattr;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of video4linux device nodes.
++## Read the vfio devices.
##
##
+ ##
+@@ -4474,36 +5482,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_setattr_video_dev',`
++interface(`dev_read_vfio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- setattr_chr_files_pattern($1, device_t, v4l_device_t)
++ read_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to set the attributes
+-## of video4linux device nodes.
++## Write the vfio devices.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`dev_dontaudit_setattr_video_dev',`
++interface(`dev_write_vfio_dev',`
+ gen_require(`
+- type v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- dontaudit $1 v4l_device_t:chr_file setattr;
++ write_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Read the video4linux devices.
++## Read and write the VFIO devices.
+ ##
+ ##
+ ##
+@@ -4511,17 +5518,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_read_video_dev',`
++interface(`dev_rw_vfio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
+- read_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
+ ')
+
+ ########################################
+ ##
+-## Write the video4linux devices.
++## Allow read/write the vhost net device
+ ##
+ ##
+ ##
+@@ -4529,17 +5536,17 @@ interface(`dev_read_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_write_video_dev',`
++interface(`dev_rw_vhost',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, vhost_device_t;
+ ')
+
+- write_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, vhost_device_t)
+ ')
+
+ ########################################
+ ##
+-## Allow read/write the vhost net device
++## Allow read/write inheretid the vhost net device
+ ##
+ ##
+ ##
+@@ -4547,12 +5554,12 @@ interface(`dev_write_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, vhost_device_t)
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+
+ ########################################
@@ -4630,6 +5637,24 @@ interface(`dev_write_watchdog',`
########################################
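Review bot: The summary line of `dev_rw_inherited_vhost`, `## Allow read/write inheretid the vhost net device`, misspells "inherited" and reads awkwardly; change it to `## Allow read/write of an inherited vhost net device.` The line is carried over from the previous version of the patch, so the typo predates this commit, but this regenerated hunk is the natural place to fix it. The surrounding interfaces in this hunk are otherwise only moved, not changed.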
@@ -8368,7 +8668,7 @@ index 76f285e..1c1addd 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +5914,978 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5914,1019 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -8464,6 +8764,43 @@ index 76f285e..1c1addd 100644
+ rw_chr_files_pattern($1, device_t, uhid_device_t)
+')
+
++
++########################################
++##
++## Allow read/write the hypervkvp device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_hypervkvp',`
++ gen_require(`
++ type device_t, hypervkvp_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
++')
++
++########################################
++##
++## Allow read/write the hypervvssd device
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_rw_hypervvssd',`
++ gen_require(`
++ type device_t, hypervvssd_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
++')
++
+########################################
+##
+## Create all named devices with the correct label
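Review bot: The added block starts with an extra empty line (the `++` line directly after `+')` of dev_rw_uhid), leaving two blank lines between interfaces where devices.if otherwise separates them with one; drop that line. The two new interfaces `dev_rw_hypervkvp` and `dev_rw_hypervvssd` themselves follow the file's existing pattern.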
@@ -8582,6 +8919,8 @@ index 76f285e..1c1addd 100644
+ type mtrr_device_t;
+ type ecryptfs_device_t;
+ type mptctl_device_t;
++ type hypervkvp_device_t;
++ type hypervvssd_device_t;
+')
+
+ dev_filetrans_printer_named_dev($1)
@@ -9280,6 +9619,8 @@ index 76f285e..1c1addd 100644
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
+ filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
++ filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
++ filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
+ dev_filetrans_xserver_named_dev($1)
+')
+
@@ -9348,7 +9689,7 @@ index 76f285e..1c1addd 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 0b1a871..db37cad 100644
+index 0b1a871..8d4003a 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -9385,7 +9726,22 @@ index 0b1a871..db37cad 100644
# for the IBM zSeries z90crypt hardware ssl accelorator
type crypt_device_t;
dev_node(crypt_device_t)
-@@ -94,6 +95,12 @@ type ipmi_device_t;
+@@ -88,12 +89,27 @@ type framebuf_device_t;
+ dev_node(framebuf_device_t)
+
+ #
++# Type for hyperv devices
++#
++type hypervkvp_device_t;
++dev_node(hypervkvp_device_t)
++
++type hypervvssd_device_t;
++dev_node(hypervvssd_device_t)
++
++#
+ # Type for /dev/ipmi/0
+ #
+ type ipmi_device_t;
dev_node(ipmi_device_t)
#
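Review bot: The new comment `# Type for hyperv devices` does not name the device nodes, while the neighbouring comments in devices.te do (`# Type for /dev/ipmi/0`). Since the same commit labels /dev/vmbus/hv_kvp and /dev/vmbus/hv_vss in devices.fc, change it to `# Types for the Hyper-V /dev/vmbus/hv_kvp and /dev/vmbus/hv_vss devices` so the declaration can be matched to the file contexts without searching.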
@@ -9398,7 +9754,7 @@ index 0b1a871..db37cad 100644
# Type for /dev/kmsg
#
type kmsg_device_t;
-@@ -111,6 +118,7 @@ dev_node(ksm_device_t)
+@@ -111,6 +127,7 @@ dev_node(ksm_device_t)
#
type kvm_device_t;
dev_node(kvm_device_t)
@@ -9406,7 +9762,7 @@ index 0b1a871..db37cad 100644
#
# Type for /dev/lirc
-@@ -118,6 +126,9 @@ dev_node(kvm_device_t)
+@@ -118,6 +135,9 @@ dev_node(kvm_device_t)
type lirc_device_t;
dev_node(lirc_device_t)
@@ -9416,7 +9772,7 @@ index 0b1a871..db37cad 100644
type loop_control_device_t;
dev_node(loop_control_device_t)
-@@ -150,12 +161,24 @@ type modem_device_t;
+@@ -150,12 +170,24 @@ type modem_device_t;
dev_node(modem_device_t)
#
@@ -9441,7 +9797,7 @@ index 0b1a871..db37cad 100644
# Type for /dev/cpu/mtrr and /proc/mtrr
#
type mtrr_device_t;
-@@ -183,6 +206,12 @@ type nvram_device_t;
+@@ -183,6 +215,12 @@ type nvram_device_t;
dev_node(nvram_device_t)
#
@@ -9454,7 +9810,7 @@ index 0b1a871..db37cad 100644
# Type for /dev/pmu
#
type power_device_t;
-@@ -227,6 +256,10 @@ files_mountpoint(sysfs_t)
+@@ -227,6 +265,10 @@ files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
@@ -9465,7 +9821,7 @@ index 0b1a871..db37cad 100644
#
# Type for /dev/tpm
#
-@@ -266,6 +299,15 @@ dev_node(usbmon_device_t)
+@@ -266,6 +308,15 @@ dev_node(usbmon_device_t)
type userio_device_t;
dev_node(userio_device_t)
@@ -9481,7 +9837,7 @@ index 0b1a871..db37cad 100644
type v4l_device_t;
dev_node(v4l_device_t)
-@@ -274,6 +316,7 @@ dev_node(v4l_device_t)
+@@ -274,6 +325,7 @@ dev_node(v4l_device_t)
#
type vhost_device_t;
dev_node(vhost_device_t)
@@ -9489,7 +9845,7 @@ index 0b1a871..db37cad 100644
# Type for vmware devices.
type vmware_device_t;
-@@ -319,5 +362,6 @@ files_associate_tmp(device_node)
+@@ -319,5 +371,6 @@ files_associate_tmp(device_node)
#
allow devices_unconfined_type self:capability sys_rawio;
@@ -10607,7 +10963,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..9cb7e98 100644
+index f962f76..89768e5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11435,44 +11791,37 @@ index f962f76..9cb7e98 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,6 +2121,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,44 +2121,44 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
+-## Do not audit attempts to write to mount points.
+## Write all mount points.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_all_mountpoints',`
+- gen_require(`
+- attribute mountpoint;
+- ')
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
-+
-+ allow $1 mountpoint:dir write;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to write to mount points.
- ##
- ##
-@@ -1703,104 +2151,86 @@ interface(`files_dontaudit_write_all_mountpoints',`
- gen_require(`
- attribute mountpoint;
- ')
-+ dontaudit $1 self:capability dac_override;
- dontaudit $1 mountpoint:dir write;
+- dontaudit $1 mountpoint:dir write;
++ allow $1 mountpoint:dir write;
')
########################################
##
-## List the contents of the root directory.
-+## Do not audit attempts to unmount all mount points.
++## Do not audit attempts to write to mount points.
##
##
##
@@ -11482,38 +11831,38 @@ index f962f76..9cb7e98 100644
##
#
-interface(`files_list_root',`
-+interface(`files_dontaudit_unmount_all_mountpoints',`
++interface(`files_dontaudit_write_all_mountpoints',`
gen_require(`
- type root_t;
+ attribute mountpoint;
')
++ dontaudit $1 self:capability dac_override;
- allow $1 root_t:dir list_dir_perms;
- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
-+ dontaudit $1 mountpoint:filesystem unmount;
++ dontaudit $1 mountpoint:dir write;
')
########################################
##
-## Do not audit attempts to write to / dirs.
-+## Read all mountpoint symbolic links.
++## Do not audit attempts to unmount all mount points.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -1736,94 +2166,223 @@ interface(`files_list_root',`
##
##
#
-interface(`files_dontaudit_write_root_dirs',`
-+interface(`files_read_all_mountpoint_symlinks',`
++interface(`files_dontaudit_unmount_all_mountpoints',`
gen_require(`
- type root_t;
+ attribute mountpoint;
')
- dontaudit $1 root_t:dir write;
-+ allow $1 mountpoint:lnk_file read_lnk_file_perms;
++ dontaudit $1 mountpoint:filesystem unmount;
')
-###################
@@ -11521,7 +11870,7 @@ index f962f76..9cb7e98 100644
##
-## Do not audit attempts to write
-## files in the root directory.
-+## Write all file type directories.
++## Read all mountpoint symbolic links.
##
##
##
@@ -11531,21 +11880,22 @@ index f962f76..9cb7e98 100644
##
#
-interface(`files_dontaudit_rw_root_dir',`
-+interface(`files_write_all_dirs',`
++interface(`files_read_all_mountpoint_symlinks',`
gen_require(`
- type root_t;
-+ attribute file_type;
++ attribute mountpoint;
')
- dontaudit $1 root_t:dir rw_dir_perms;
-+ allow $1 file_type:dir write;
++ allow $1 mountpoint:lnk_file read_lnk_file_perms;
')
++
########################################
##
-## Create an object in the root directory, with a private
-## type using a type transition.
-+## List the contents of the root directory.
++## Make all mountpoint as entrypoint.
##
##
##
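Review bot: The summary `## Make all mountpoint as entrypoint.` added for files_entrypoint_all_mountpoint is ungrammatical and does not state what is granted; change it to `## Allow files on all mount points to be used as domain entrypoints.` The rule applies to every type carrying the mountpoint attribute, which is worth saying in the description because callers will rely on it to limit where a domain may be entered from. The interface definition this header belongs to begins in the next hunk.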
@@ -11569,42 +11919,81 @@ index f962f76..9cb7e98 100644
-##
#
-interface(`files_root_filetrans',`
-+interface(`files_list_root',`
++interface(`files_entrypoint_all_mountpoint',`
gen_require(`
- type root_t;
+- type root_t;
++ attribute mountpoint;
')
- filetrans_pattern($1, root_t, $2, $3, $4)
-+ allow $1 root_t:dir list_dir_perms;
-+ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
++ allow $1 mountpoint:file entrypoint;
')
--
+
########################################
##
-## Do not audit attempts to read files in
-## the root directory.
-+## Do not audit attempts to write to / dirs.
++## Write all file type directories.
##
##
##
-@@ -1808,18 +2238,128 @@ interface(`files_root_filetrans',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
#
-interface(`files_dontaudit_read_root_files',`
-+interface(`files_write_root_dirs',`
++interface(`files_write_all_dirs',`
gen_require(`
- type root_t;
+- type root_t;
++ attribute file_type;
')
- dontaudit $1 root_t:file { getattr read };
-+ allow $1 root_t:dir write;
++ allow $1 file_type:dir write;
')
########################################
##
-## Do not audit attempts to read or write
-## files in the root directory.
++## List the contents of the root directory.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_root',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir list_dir_perms;
++ allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
++')
++########################################
++##
++## Do not audit attempts to write to / dirs.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_write_root_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir write;
++')
++
++########################################
++##
+## Do not audit attempts to write to / dirs.
+##
+##
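Review bot: The documentation of `files_write_root_dirs` on the new side describes a dontaudit interface while the body grants access: the summary reads `Do not audit attempts to write to / dirs.` and the parameter line reads `Domain to not audit.`, but the rule is `allow $1 root_t:dir write;`. Change them to `## Write to the root directory (/).` and `## Domain allowed access.` so a reader of the interface index sees that this is an allow rule. The same hunk introduces `files_entrypoint_all_mountpoint`, whose summary `Make all mountpoint as entrypoint.` should say that `allow $1 mountpoint:file entrypoint;` is attribute-wide and applies to every type carrying the `mountpoint` attribute; the rest of that interface's doc block sits in the hunk-header region above and is not fully visible here.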
@@ -11717,10 +12106,14 @@ index f962f76..9cb7e98 100644
+##
+## Do not audit attempts to read or write
+## files in the root directory.
- ##
- ##
- ##
-@@ -1892,25 +2432,25 @@ interface(`files_delete_root_dir_entry',`
++##
++##
++##
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -1892,25 +2451,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -11752,7 +12145,7 @@ index f962f76..9cb7e98 100644
##
##
##
-@@ -1923,7 +2463,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2482,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -11761,7 +12154,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -1946,6 +2486,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2505,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -11804,7 +12197,7 @@ index f962f76..9cb7e98 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2757,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2776,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -11829,7 +12222,7 @@ index f962f76..9cb7e98 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3239,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3258,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -11854,7 +12247,7 @@ index f962f76..9cb7e98 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3328,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3347,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -11862,7 +12255,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -2724,7 +3337,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3356,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -11871,7 +12264,7 @@ index f962f76..9cb7e98 100644
##
##
#
-@@ -2780,6 +3393,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3412,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -11897,7 +12290,7 @@ index f962f76..9cb7e98 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3430,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3449,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -11922,7 +12315,7 @@ index f962f76..9cb7e98 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3613,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3632,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -11947,7 +12340,7 @@ index f962f76..9cb7e98 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3653,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3672,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -11958,7 +12351,7 @@ index f962f76..9cb7e98 100644
##
##
##
-@@ -3031,18 +3661,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3680,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -11980,7 +12373,7 @@ index f962f76..9cb7e98 100644
##
##
##
-@@ -3060,6 +3689,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3708,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -12007,7 +12400,7 @@ index f962f76..9cb7e98 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3726,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3745,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -12015,7 +12408,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3098,6 +3748,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3767,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -12023,86 +12416,39 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3142,34 +3793,34 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3812,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
- type file_t;
+ type unlabeled_t;
- ')
-
-- allow $1 file_t:dir getattr;
++ ')
++
+ allow $1 unlabeled_t:dir getattr;
- ')
-
- ########################################
- ##
--## Do not audit attempts to search directories on new filesystems
-+## Getattr all file opbjects on new filesystems
- ## that have not yet been labeled.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`files_dontaudit_search_isid_type_dirs',`
-+interface(`files_getattr_isid_type',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- dontaudit $1 file_t:dir search_dir_perms;
-+ allow $1 unlabeled_t:dir_file_class_set getattr;
- ')
-
- ########################################
- ##
--## List the contents of directories on new filesystems
-+## Setattr of directories on new filesystems
- ## that have not yet been labeled.
- ##
- ##
-@@ -3178,12 +3829,50 @@ interface(`files_dontaudit_search_isid_type_dirs',`
- ##
- ##
- #
--interface(`files_list_isid_type_dirs',`
-+interface(`files_setattr_isid_type_dirs',`
- gen_require(`
-- type file_t;
-+ type unlabeled_t;
- ')
-
-- allow $1 file_t:dir list_dir_perms;
-+ allow $1 unlabeled_t:dir setattr;
+')
+
+########################################
+##
-+## Do not audit attempts to search directories on new filesystems
++## Getattr all file opbjects on new filesystems
+## that have not yet been labeled.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`files_dontaudit_search_isid_type_dirs',`
++interface(`files_getattr_isid_type',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
-+ dontaudit $1 unlabeled_t:dir search_dir_perms;
++ allow $1 unlabeled_t:dir_file_class_set getattr;
+')
+
+########################################
+##
-+## List the contents of directories on new filesystems
++## Setattr of directories on new filesystems
+## that have not yet been labeled.
+##
+##
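Review bot: The summary of `files_getattr_isid_type` on the new side misspells "objects" as `opbjects`; it should read `## Getattr all file objects on new filesystems`. The same summary would be clearer if it said that `allow $1 unlabeled_t:dir_file_class_set getattr;` covers every file-like class on unlabeled storage rather than only directories, which is what distinguishes it from the neighbouring `files_getattr_isid_type_dirs` and `files_setattr_isid_type_dirs` interfaces.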
@@ -12111,16 +12457,43 @@ index f962f76..9cb7e98 100644
+##
+##
+#
-+interface(`files_list_isid_type_dirs',`
++interface(`files_setattr_isid_type_dirs',`
+ gen_require(`
+ type unlabeled_t;
-+ ')
-+
+ ')
+
+- allow $1 file_t:dir getattr;
++ allow $1 unlabeled_t:dir setattr;
+ ')
+
+ ########################################
+@@ -3161,10 +3869,10 @@ interface(`files_getattr_isid_type_dirs',`
+ #
+ interface(`files_dontaudit_search_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- dontaudit $1 file_t:dir search_dir_perms;
++ dontaudit $1 unlabeled_t:dir search_dir_perms;
+ ')
+
+ ########################################
+@@ -3180,10 +3888,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+ #
+ interface(`files_list_isid_type_dirs',`
+ gen_require(`
+- type file_t;
++ type unlabeled_t;
+ ')
+
+- allow $1 file_t:dir list_dir_perms;
+ allow $1 unlabeled_t:dir list_dir_perms;
')
########################################
-@@ -3199,10 +3888,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3907,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -12133,7 +12506,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3218,10 +3907,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3926,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -12202,7 +12575,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3237,10 +3982,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +4001,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -12215,7 +12588,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3256,10 +4001,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4020,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -12247,7 +12620,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3275,10 +4039,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4058,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -12260,7 +12633,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3294,10 +4058,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4077,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -12273,7 +12646,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3313,10 +4077,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4096,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -12286,7 +12659,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3332,10 +4096,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4115,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -12299,7 +12672,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3351,10 +4115,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4134,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -12312,7 +12685,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3370,10 +4134,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4153,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -12325,7 +12698,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3389,10 +4153,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4172,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -12338,7 +12711,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3408,10 +4172,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4191,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -12351,7 +12724,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3427,10 +4191,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4210,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -12364,7 +12737,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3446,10 +4210,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4229,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -12377,7 +12750,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3465,10 +4229,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4248,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -12409,7 +12782,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3484,10 +4267,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4286,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -12422,7 +12795,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3503,10 +4286,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4305,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -12435,7 +12808,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -3552,6 +4335,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4354,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -12463,7 +12836,7 @@ index f962f76..9cb7e98 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4618,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4637,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -12507,7 +12880,7 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -4012,6 +4834,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4853,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -12520,64 +12893,98 @@ index f962f76..9cb7e98 100644
')
########################################
-@@ -4217,6 +5045,175 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,192 +5064,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
+-########################################
+#######################################
-+##
+ ##
+-## Allow the specified type to associate
+-## to a filesystem with the type of the
+-## temporary directory (/tmp).
+## Read manageable system configuration files in /etc
-+##
+ ##
+-##
+-##
+-## Type of the file to associate.
+-##
+##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_associate_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_read_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:filesystem associate;
+ allow $1 etc_t:dir list_dir_perms;
+ read_files_pattern($1, etc_t, system_conf_t)
+ read_lnk_files_pattern($1, etc_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Get the attributes of the tmp directory (/tmp).
+## Manage manageable system configuration files in /etc.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_manage_system_conf_files',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:dir getattr;
+ manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+ files_filetrans_system_conf_named_files($1)
-+')
-+
+ ')
+
+-########################################
+#####################################
-+##
+ ##
+-## Do not audit attempts to get the
+-## attributes of the tmp directory (/tmp).
+## File name transition for system configuration files in /etc.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_filetrans_system_conf_named_files',`
+ gen_require(`
+ type etc_t, system_conf_t, usr_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir getattr;
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
+ filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
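Review bot: The summary of `files_filetrans_system_conf_named_files` says the transitions are for system configuration files in /etc, but the require list at the end of this hunk pulls in `usr_t` and the transition list, which continues into the next hunk, adds a `usr_t` to `system_conf_t` transition for a `repo` directory. Extend the summary with a line such as `## Also transitions the "repo" directory created under usr_t.` so callers of `files_manage_system_conf_files`, which invokes this interface, know they also receive a transition under /usr.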
@@ -12598,162 +13005,254 @@ index f962f76..9cb7e98 100644
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
+ filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
+ filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_search_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_relabelto_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-+
+
+- allow $1 tmp_t:dir search_dir_perms;
+ relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Do not audit attempts to search the tmp directory (/tmp).
+## Relabel manageable system configuration files in /etc.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain to not audit.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_search_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_relabelfrom_system_conf_files',`
+ gen_require(`
+ type usr_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir search_dir_perms;
+ relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+
+-########################################
+###################################
-+##
+ ##
+-## Read the tmp directory (/tmp).
+## Create files in /etc with the type used for
+## the manageable system config files.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## The type of the process performing this action.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_list_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_etc_filetrans_system_conf',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
-+
+
+- allow $1 tmp_t:dir list_dir_perms;
+ filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
+ ')
+
+-########################################
+######################################
-+##
+ ##
+-## Do not audit listing of the tmp directory (/tmp).
+## Manage manageable system db files in /var/lib.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain not to audit.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_dontaudit_list_tmp',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_manage_system_db_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-+
+
+- dontaudit $1 tmp_t:dir list_dir_perms;
+ manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
+ files_filetrans_system_db_named_files($1)
-+')
-+
+ ')
+
+-########################################
+#####################################
-+##
+ ##
+-## Remove entries from the tmp directory.
+## File name transition for system db files in /var/lib.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`files_delete_tmp_dir_entry',`
+- gen_require(`
+- type tmp_t;
+- ')
+interface(`files_filetrans_system_db_named_files',`
+ gen_require(`
+ type var_lib_t, system_db_t;
+ ')
-+
+
+- allow $1 tmp_t:dir del_entry_dir_perms;
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
+ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
-+')
-+
+ ')
+
########################################
##
- ## Allow the specified type to associate
-@@ -4239,6 +5236,26 @@ interface(`files_associate_tmp',`
+-## Read files in the tmp directory (/tmp).
+-##
+-##
++## Allow the specified type to associate
++## to a filesystem with the type of the
++## temporary directory (/tmp).
++##
++##
+ ##
+-## Domain allowed access.
++## Type of the file to associate.
+ ##
+ ##
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_associate_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- read_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:filesystem associate;
+ ')
########################################
##
+-## Manage temporary directories in /tmp.
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## / file system
-+##
+ ##
+-##
+##
-+##
+ ##
+-## Domain allowed access.
+## Type of the file to associate.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_generic_tmp_dirs',`
+interface(`files_associate_rootfs',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type root_t;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, tmp_t, tmp_t)
+ allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+##
- ## Get the attributes of the tmp directory (/tmp).
+ ')
+
+ ########################################
+ ##
+-## Manage temporary files and directories in /tmp.
++## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4252,17 +5269,37 @@ interface(`files_getattr_tmp_dirs',`
+ ##
+@@ -4410,53 +5283,56 @@ interface(`files_manage_generic_tmp_dirs',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_getattr_tmp_dirs',`
+ gen_require(`
type tmp_t;
')
+- manage_files_pattern($1, tmp_t, tmp_t)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir getattr;
++ allow $1 tmp_t:dir getattr;
')
########################################
##
+-## Read symbolic links in the tmp directory (/tmp).
+## Do not audit attempts to check the
+## access on tmp files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_read_generic_tmp_symlinks',`
+interface(`files_dontaudit_access_check_tmp',`
-+ gen_require(`
+ gen_require(`
+- type tmp_t;
+ type etc_t;
-+ ')
-+
+ ')
+
+- read_lnk_files_pattern($1, tmp_t, tmp_t)
+ dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
- ## Do not audit attempts to get the
- ## attributes of the tmp directory (/tmp).
+ ')
+
+ ########################################
+ ##
+-## Read and write generic named sockets in the tmp directory (/tmp).
++## Do not audit attempts to get the
++## attributes of the tmp directory (/tmp).
##
##
##
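Review bot: The `gen_require` blocks of `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` on the new side declare `type usr_t;` but the bodies reference `system_conf_t` (`relabelto_files_pattern($1, system_conf_t, system_conf_t)` and its relabelfrom twin), so the required type is missing and the declared one is unused; both blocks should read `type system_conf_t;`. Later in the same hunk `files_dontaudit_access_check_tmp` requires `type etc_t;` while its rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so that block should read `type tmp_t;`. An interface that uses a type it does not require can fail to link when expanded in a module that has not required that type elsewhere, so these are build defects rather than cosmetic ones.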
@@ -12762,46 +13261,119 @@ index f962f76..9cb7e98 100644
##
##
#
-@@ -4289,6 +5326,8 @@ interface(`files_search_tmp',`
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
+ gen_require(`
type tmp_t;
')
-+ fs_search_tmpfs($1)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir search_dir_perms;
+- rw_sock_files_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmp_t:dir getattr;
')
-@@ -4325,6 +5364,7 @@ interface(`files_list_tmp',`
- type tmp_t;
+ ########################################
+ ##
+-## Set the attributes of all tmp directories.
++## Search the tmp directory (/tmp).
+ ##
+ ##
+ ##
+@@ -4464,77 +5340,93 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##
+ ##
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_search_tmp',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
')
+- allow $1 tmpfile:dir { search_dir_perms setattr };
++ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
- allow $1 tmp_t:dir list_dir_perms;
++ allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4334,7 +5374,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ##
+-## List all tmp directories.
++## Do not audit attempts to search the tmp directory (/tmp).
##
##
##
--## Domain not to audit.
+-## Domain allowed access.
+## Domain to not audit.
##
##
#
-@@ -4346,14 +5386,33 @@ interface(`files_dontaudit_list_tmp',`
- dontaudit $1 tmp_t:dir list_dir_perms;
+-interface(`files_list_all_tmp',`
++interface(`files_dontaudit_search_tmp',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ dontaudit $1 tmp_t:dir search_dir_perms;
')
--########################################
-+#######################################
+ ########################################
##
--## Remove entries from the tmp directory.
-+## Allow read and write to the tmp directory (/tmp).
+-## Relabel to and from all temporary
+-## directory types.
++## Read the tmp directory (/tmp).
##
##
--##
--## Domain allowed access.
--##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_list_tmp',`
+ gen_require(`
+- attribute tmpfile;
+- type var_t;
++ type tmp_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_dirs_pattern($1, tmpfile, tmpfile)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmp_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
++## Do not audit listing of the tmp directory (/tmp).
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_dontaudit_list_tmp',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- dontaudit $1 tmpfile:file getattr;
++ dontaudit $1 tmp_t:dir list_dir_perms;
++')
++
++#######################################
++##
++## Allow read and write to the tmp directory (/tmp).
++##
++##
+##
+## Domain not to audit.
+##
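Review bot: The interface whose doc block closes this hunk grants access (`Allow read and write to the tmp directory (/tmp).`) yet its parameter line says `Domain not to audit.`; it should read `## Domain allowed access.`. The interface's name and body are in the next hunk. Earlier in this hunk `files_search_tmp` is rebased to include `fs_search_tmpfs($1)` and `read_lnk_files_pattern($1, tmp_t, tmp_t)` in addition to `allow $1 tmp_t:dir search_dir_perms;`, so every caller now also receives tmpfs search and tmp symlink reads; the summary `Search the tmp directory (/tmp).` should mention that widening so callers can judge whether they want it.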
@@ -12814,33 +13386,87 @@ index f962f76..9cb7e98 100644
+
+ files_search_tmp($1)
+ allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow attempts to get the attributes
+-## of all tmp files.
+## Remove entries from the tmp directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
+ ##
+ ##
+ ##
+@@ -4542,110 +5434,116 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##
##
#
- interface(`files_delete_tmp_dir_entry',`
-@@ -4361,6 +5420,7 @@ interface(`files_delete_tmp_dir_entry',`
- type tmp_t;
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_delete_tmp_dir_entry',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
')
+- allow $1 tmpfile:file getattr;
+ files_search_tmp($1)
- allow $1 tmp_t:dir del_entry_dir_perms;
++ allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Relabel to and from all temporary
+-## file types.
++## Read files in the tmp directory (/tmp).
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_read_generic_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
+- type var_t;
++ type tmp_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_files_pattern($1, tmpfile, tmpfile)
++ read_files_pattern($1, tmp_t, tmp_t)
')
-@@ -4402,6 +5462,32 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp sock_file.
++## Manage temporary directories in /tmp.
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_manage_generic_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- dontaudit $1 tmpfile:sock_file getattr;
++ manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
########################################
##
+-## Read all tmp files.
+## Allow shared library text relocations in tmp files.
-+##
+ ##
+##
+##
+## Allow shared library text relocations in tmp files.
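Review bot: `files_delete_tmp_dir_entry` on the new side calls `files_search_tmp($1)` before `allow $1 tmp_t:dir del_entry_dir_perms;`, and the rebased `files_search_tmp` in this patch also grants `fs_search_tmpfs($1)` and symlink reads under tmp_t, so the delete interface now hands out more than its summary `Remove entries from the tmp directory.` states. If the extra search access is intended, note it in the summary with `## Also searches /tmp and tmpfs so the entry can be reached.`; otherwise replace the interface call with the bare `allow $1 tmp_t:dir search_dir_perms;` to keep the grant minimal.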
@@ -12849,1094 +13475,2966 @@ index f962f76..9cb7e98 100644
+## This is added to support java policy.
+##
+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_read_all_tmp_files',`
+interface(`files_execmod_tmp',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- read_files_pattern($1, tmpfile, tmpfile)
+ allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+##
- ## Manage temporary files and directories in /tmp.
- ##
- ##
-@@ -4456,6 +5542,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ')
########################################
##
-+## Relabel a dir from the type used in /tmp.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+-## Create an object in the tmp directories, with a private
+-## type using a type transition.
++## Manage temporary files and directories in /tmp.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+#
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_manage_generic_tmp_files',`
+ gen_require(`
+ type tmp_t;
+ ')
+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ manage_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+##
-+## Relabel a file from the type used in /tmp.
++## Read symbolic links in the tmp directory (/tmp).
+##
+##
-+##
+ ##
+-## The name of the object being created.
+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_relabelfrom_tmp_files',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
- ## Set the attributes of all tmp directories.
- ##
- ##
-@@ -4474,6 +5596,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##
+ ##
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_read_generic_tmp_symlinks',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+- filetrans_pattern($1, tmp_t, $2, $3, $4)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
########################################
##
-+## Allow caller to read inherited tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_inherited_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
-+')
-+
-+########################################
-+##
-+## Allow caller to append inherited tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_append_inherited_tmp_files',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file append_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Allow caller to read and write inherited tmp files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_tmp_file',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## List all tmp directories.
- ##
- ##
-@@ -4519,7 +5695,7 @@ interface(`files_relabel_all_tmp_dirs',`
+-## Delete the contents of /tmp.
++## Read and write generic named sockets in the tmp directory (/tmp).
##
##
##
--## Domain not to audit.
-+## Domain to not audit.
+@@ -4653,22 +5551,17 @@ interface(`files_tmp_filetrans',`
##
##
#
-@@ -4579,7 +5755,7 @@ interface(`files_relabel_all_tmp_files',`
+-interface(`files_purge_tmp',`
++interface(`files_rw_generic_tmp_sockets',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
+- delete_dirs_pattern($1, tmpfile, tmpfile)
+- delete_files_pattern($1, tmpfile, tmpfile)
+- delete_lnk_files_pattern($1, tmpfile, tmpfile)
+- delete_fifo_files_pattern($1, tmpfile, tmpfile)
+- delete_sock_files_pattern($1, tmpfile, tmpfile)
++ rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the /usr directory.
++## Relabel a dir from the type used in /tmp.
##
##
##
--## Domain not to audit.
-+## Domain to not audit.
+@@ -4676,17 +5569,17 @@ interface(`files_purge_tmp',`
##
##
#
-@@ -4611,6 +5787,44 @@ interface(`files_read_all_tmp_files',`
+-interface(`files_setattr_usr_dirs',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
- ########################################
- ##
-+## Do not audit attempts to read or write
-+## all leaked tmpfiles files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_tmp_file_leaks',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ dontaudit $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Do allow attempts to read or write
-+## all leaked tmpfiles files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_rw_tmp_file_leaks',`
-+ gen_require(`
-+ attribute tmpfile;
-+ ')
-+
-+ allow $1 tmpfile:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Create an object in the tmp directories, with a private
- ## type using a type transition.
- ##
-@@ -4664,6 +5878,16 @@ interface(`files_purge_tmp',`
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ delete_chr_files_pattern($1, tmpfile, tmpfile)
-+ delete_blk_files_pattern($1, tmpfile, tmpfile)
-+ files_list_isid_type_dirs($1)
-+ files_delete_isid_type_dirs($1)
-+ files_delete_isid_type_files($1)
-+ files_delete_isid_type_symlinks($1)
-+ files_delete_isid_type_fifo_files($1)
-+ files_delete_isid_type_sock_files($1)
-+ files_delete_isid_type_blk_files($1)
-+ files_delete_isid_type_chr_files($1)
+- allow $1 usr_t:dir setattr;
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
-@@ -5112,6 +6336,24 @@ interface(`files_create_kernel_symbol_table',`
-
- ########################################
##
-+## Dontaudit getattr attempts on the system.map file
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
-+ gen_require(`
-+ type system_map_t;
-+ ')
-+
-+ dontaudit $1 system_map_t:file getattr;
-+')
-+
-+########################################
-+##
- ## Read system.map in the /boot directory.
+-## Search the content of /usr.
++## Relabel a file from the type used in /tmp.
##
##
-@@ -5241,6 +6483,24 @@ interface(`files_list_var',`
+ ##
+@@ -4694,18 +5587,17 @@ interface(`files_setattr_usr_dirs',`
+ ##
+ ##
+ #
+-interface(`files_search_usr',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
+ ')
+
+- allow $1 usr_t:dir search_dir_perms;
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
########################################
##
-+## Do not audit listing of the var directory (/var).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_list_var',`
-+ gen_require(`
-+ type var_t;
-+ ')
-+
-+ dontaudit $1 var_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
- ## Create, read, write, and delete directories
- ## in the /var directory.
+-## List the contents of generic
+-## directories in /usr.
++## Set the attributes of all tmp directories.
##
-@@ -5328,7 +6588,7 @@ interface(`files_dontaudit_rw_var_files',`
- type var_t;
+ ##
+ ##
+@@ -4713,35 +5605,35 @@ interface(`files_search_usr',`
+ ##
+ ##
+ #
+-interface(`files_list_usr',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
')
-- dontaudit $1 var_t:file rw_file_perms;
-+ dontaudit $1 var_t:file rw_inherited_file_perms;
+- allow $1 usr_t:dir list_dir_perms;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
')
########################################
-@@ -5527,6 +6787,25 @@ interface(`files_rw_var_lib_dirs',`
-
- ########################################
##
-+## Create directories in /var/lib
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_var_lib_dirs',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ allow $1 var_lib_t:dir { create rw_dir_perms };
-+')
-+
-+
-+########################################
-+##
- ## Create objects in the /var/lib directory
+-## Do not audit write of /usr dirs
++## Allow caller to read inherited tmp files.
##
##
-@@ -5596,6 +6875,25 @@ interface(`files_read_var_lib_symlinks',`
- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
-
-+########################################
-+##
-+## manage generic symbolic links
-+## in the /var/lib directory.
-+##
-+##
-+##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_var_lib_symlinks',`
-+ gen_require(`
-+ type var_lib_t;
-+ ')
-+
-+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way. They really neeed their own types.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_usr_dirs',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
+ ')
-@@ -5641,7 +6939,7 @@ interface(`files_manage_mounttab',`
+- dontaudit $1 usr_t:dir write;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+ ')
########################################
##
--## Set the attributes of the generic lock directories.
-+## List generic lock directories.
+-## Add and remove entries from /usr directories.
++## Allow caller to append inherited tmp files.
##
##
##
-@@ -5649,12 +6947,13 @@ interface(`files_manage_mounttab',`
+@@ -4749,36 +5641,35 @@ interface(`files_dontaudit_write_usr_dirs',`
##
##
#
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
+-interface(`files_rw_usr_dirs',`
++interface(`files_append_inherited_tmp_files',`
gen_require(`
- type var_t, var_lock_t;
+- type usr_t;
++ attribute tmpfile;
')
-- setattr_dirs_pattern($1, var_t, var_lock_t)
-+ files_search_locks($1)
-+ list_dirs_pattern($1, var_t, var_lock_t)
+- allow $1 usr_t:dir rw_dir_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
')
########################################
-@@ -5672,6 +6971,7 @@ interface(`files_search_locks',`
- type var_t, var_lock_t;
+ ##
+-## Do not audit attempts to add and remove
+-## entries from /usr directories.
++## Allow caller to read and write inherited tmp files.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
++interface(`files_rw_inherited_tmp_file',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
')
-+ files_search_pids($1)
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_lock_t)
+- dontaudit $1 usr_t:dir rw_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
')
-@@ -5698,7 +6998,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
--## List generic lock directories.
-+## Do not audit attempts to read/write inherited
-+## locks (/var/lock).
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_rw_inherited_locks',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
-+ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Set the attributes of the /var/lock directory.
+-## Delete generic directories in /usr in the caller domain.
++## List all tmp directories.
##
##
##
-@@ -5706,13 +7025,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -4786,111 +5677,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
+-interface(`files_delete_usr_dirs',`
++interface(`files_list_all_tmp',`
gen_require(`
-- type var_t, var_lock_t;
-+ type var_lock_t;
+- type usr_t;
++ attribute tmpfile;
')
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_lock_t)
-+ allow $1 var_lock_t:dir setattr;
+- delete_dirs_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:dir list_dir_perms;
')
########################################
-@@ -5731,7 +7049,7 @@ interface(`files_rw_lock_dirs',`
- type var_t, var_lock_t;
+ ##
+-## Delete generic files in /usr in the caller domain.
++## Relabel to and from all temporary
++## directory types.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_delete_usr_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
')
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- rw_dirs_pattern($1, var_t, var_lock_t)
+- delete_files_pattern($1, usr_t, usr_t)
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
')
-@@ -5764,7 +7082,6 @@ interface(`files_create_lock_dirs',`
- ## Domain allowed access.
+ ########################################
+ ##
+-## Get the attributes of files in /usr.
++## Do not audit attempts to get the attributes
++## of all tmp files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
##
##
--##
#
- interface(`files_relabel_all_lock_dirs',`
+-interface(`files_getattr_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
gen_require(`
-@@ -5779,7 +7096,7 @@ interface(`files_relabel_all_lock_dirs',`
+- type usr_t;
++ attribute tmpfile;
+ ')
+
+- getattr_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:file getattr;
+ ')
########################################
##
--## Get the attributes of generic lock files.
-+## Relabel to and from all lock file types.
+-## Read generic files in /usr.
++## Allow attempts to get the attributes
++## of all tmp files.
##
+-##
+-##
+-## Allow the specified domain to read generic
+-## files in /usr. These files are various program
+-## files that do not have more specific SELinux types.
+-## Some examples of these files are:
+-##
+-##
+-## - /usr/include/*
+-## - /usr/share/doc/*
+-## - /usr/share/info/*
+-##
+-##
+-## Generally, it is safe for many domains to have
+-## this access.
+-##
+-##
##
##
-@@ -5787,13 +7104,33 @@ interface(`files_relabel_all_lock_dirs',`
+ ## Domain allowed access.
##
##
+-##
#
--interface(`files_getattr_generic_locks',`
-+interface(`files_relabel_all_lock_files',`
+-interface(`files_read_usr_files',`
++interface(`files_getattr_all_tmp_files',`
gen_require(`
-+ attribute lockfile;
- type var_t, var_lock_t;
+- type usr_t;
++ attribute tmpfile;
')
- allow $1 var_t:dir search_dir_perms;
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ relabel_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## Get the attributes of generic lock files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_getattr_generic_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
-+ files_search_locks($1)
- allow $1 var_lock_t:dir list_dir_perms;
- getattr_files_pattern($1, var_lock_t, var_lock_t)
+- allow $1 usr_t:dir list_dir_perms;
+- read_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:file getattr;
')
-@@ -5809,13 +7146,12 @@ interface(`files_getattr_generic_locks',`
+
+ ########################################
+ ##
+-## Execute generic programs in /usr in the caller domain.
++## Relabel to and from all temporary
++## file types.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
##
++##
#
- interface(`files_delete_generic_locks',`
-- gen_require(`
-+ gen_require(`
- type var_t, var_lock_t;
-- ')
-+ ')
+-interface(`files_exec_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
++ type var_t;
+ ')
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- delete_files_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
-+ delete_files_pattern($1, var_lock_t, var_lock_t)
+- allow $1 usr_t:dir list_dir_perms;
+- exec_files_pattern($1, usr_t, usr_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
')
########################################
-@@ -5834,9 +7170,7 @@ interface(`files_manage_generic_locks',`
- type var_t, var_lock_t;
+ ##
+-## dontaudit write of /usr files
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+ ##
+ ##
+ ##
+@@ -4898,35 +5778,17 @@ interface(`files_exec_usr_files',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_usr_files',`
+- gen_require(`
+- type usr_t;
+- ')
+-
+- dontaudit $1 usr_t:file write;
+-')
+-
+-########################################
+-##
+-## Create, read, write, and delete files in the /usr directory.
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
+-interface(`files_manage_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
')
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+ files_search_locks($1)
- manage_files_pattern($1, var_lock_t, var_lock_t)
+- manage_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:sock_file getattr;
')
-@@ -5878,8 +7212,7 @@ interface(`files_read_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- allow $1 lockfile:dir list_dir_perms;
- read_files_pattern($1, lockfile, lockfile)
- read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7234,7 @@ interface(`files_manage_all_locks',`
- type var_t, var_lock_t;
- ')
-
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ files_search_locks($1)
- manage_dirs_pattern($1, lockfile, lockfile)
- manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7271,7 @@ interface(`files_lock_filetrans',`
- type var_t, var_lock_t;
+ ########################################
+ ##
+-## Relabel a file to the type used in /usr.
++## Read all tmp files.
+ ##
+ ##
+ ##
+@@ -4934,67 +5796,70 @@ interface(`files_manage_usr_files',`
+ ##
+ ##
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_read_all_tmp_files',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
')
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+ files_search_locks($1)
- filetrans_pattern($1, var_lock_t, $2, $3, $4)
+- relabelto_files_pattern($1, usr_t, usr_t)
++ read_files_pattern($1, tmpfile, tmpfile)
')
-@@ -5979,7 +7310,7 @@ interface(`files_setattr_pid_dirs',`
- type var_run_t;
+ ########################################
+ ##
+-## Relabel a file from the type used in /usr.
++## Do not audit attempts to read or write
++## all leaked tmpfiles files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- allow $1 var_run_t:dir setattr;
+- relabelfrom_files_pattern($1, usr_t, usr_t)
++ dontaudit $1 tmpfile:file rw_inherited_file_perms;
')
-@@ -5999,10 +7330,48 @@ interface(`files_search_pids',`
- type var_t, var_run_t;
+ ########################################
+ ##
+-## Read symbolic links in /usr.
++## Do allow attempts to read or write
++## all leaked tmpfiles files.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_read_usr_symlinks',`
++interface(`files_rw_tmp_file_leaks',`
+ gen_require(`
+- type usr_t;
++ attribute tmpfile;
')
-+ allow $1 var_t:lnk_file read_lnk_file_perms;
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- search_dirs_pattern($1, var_t, var_run_t)
+- read_lnk_files_pattern($1, usr_t, usr_t)
++ allow $1 tmpfile:file rw_inherited_file_perms;
')
-+######################################
-+##
-+## Add and remove entries from pid directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_pid_dirs',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:dir rw_dir_perms;
-+')
-+
-+#######################################
-+##
-+## Create generic pid directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_create_var_run_dirs',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir create_dir_perms;
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to search
-@@ -6025,6 +7394,43 @@ interface(`files_dontaudit_search_pids',`
-
########################################
##
-+## Do not audit attempts to search
-+## the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ dontaudit $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## Allow search the all /var/run directory.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_search_all_pids',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
-+ allow $1 pidfile:dir search_dir_perms;
-+')
-+
-+########################################
-+##
- ## List the contents of the runtime process
- ## ID directories (/var/run).
+-## Create objects in the /usr directory
++## Create an object in the tmp directories, with a private
++## type using a type transition.
##
-@@ -6039,7 +7445,7 @@ interface(`files_list_pids',`
- type var_t, var_run_t;
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++##
+ ##
+-## The type of the object to be created
++## The type of the object to be created.
+ ##
+ ##
+-##
++##
+ ##
+-## The object class.
++## The object class of the object being created.
+ ##
+ ##
+ ##
+@@ -5003,35 +5868,50 @@ interface(`files_read_usr_symlinks',`
+ ##
+ ##
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_tmp_filetrans',`
+ gen_require(`
+- type usr_t;
++ type tmp_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
+- filetrans_pattern($1, usr_t, $2, $3, $4)
++ filetrans_pattern($1, tmp_t, $2, $3, $4)
')
-@@ -6058,7 +7464,7 @@ interface(`files_read_generic_pids',`
- type var_t, var_run_t;
+ ########################################
+ ##
+-## Do not audit attempts to search /usr/src.
++## Delete the contents of /tmp.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_purge_tmp',`
+ gen_require(`
+- type src_t;
++ attribute tmpfile;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
- read_files_pattern($1, var_run_t, var_run_t)
+- dontaudit $1 src_t:dir search_dir_perms;
++ allow $1 tmpfile:dir list_dir_perms;
++ delete_dirs_pattern($1, tmpfile, tmpfile)
++ delete_files_pattern($1, tmpfile, tmpfile)
++ delete_lnk_files_pattern($1, tmpfile, tmpfile)
++ delete_fifo_files_pattern($1, tmpfile, tmpfile)
++ delete_sock_files_pattern($1, tmpfile, tmpfile)
++ delete_chr_files_pattern($1, tmpfile, tmpfile)
++ delete_blk_files_pattern($1, tmpfile, tmpfile)
++ files_list_isid_type_dirs($1)
++ files_delete_isid_type_dirs($1)
++ files_delete_isid_type_files($1)
++ files_delete_isid_type_symlinks($1)
++ files_delete_isid_type_fifo_files($1)
++ files_delete_isid_type_sock_files($1)
++ files_delete_isid_type_blk_files($1)
++ files_delete_isid_type_chr_files($1)
')
-@@ -6078,7 +7484,7 @@ interface(`files_write_generic_pid_pipes',`
- type var_run_t;
+
+ ########################################
+ ##
+-## Get the attributes of files in /usr/src.
++## Set the attributes of the /usr directory.
+ ##
+ ##
+ ##
+@@ -5039,20 +5919,17 @@ interface(`files_dontaudit_search_src',`
+ ##
+ ##
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_setattr_usr_dirs',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- allow $1 var_run_t:fifo_file write;
+- getattr_files_pattern($1, src_t, src_t)
+-
+- # /usr/src/linux symlink:
+- read_lnk_files_pattern($1, usr_t, src_t)
++ allow $1 usr_t:dir setattr;
')
-@@ -6140,7 +7546,6 @@ interface(`files_pid_filetrans',`
+ ########################################
+ ##
+-## Read files in /usr/src.
++## Search the content of /usr.
+ ##
+ ##
+ ##
+@@ -5060,20 +5937,18 @@ interface(`files_getattr_usr_src_files',`
+ ##
+ ##
+ #
+-interface(`files_read_usr_src_files',`
++interface(`files_search_usr',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
')
- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_run_t, $2, $3, $4)
+ allow $1 usr_t:dir search_dir_perms;
+- read_files_pattern($1, { usr_t src_t }, src_t)
+- read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+- allow $1 src_t:dir list_dir_perms;
')
-@@ -6169,6 +7574,24 @@ interface(`files_pid_filetrans_lock_dir',`
-
########################################
##
-+## rw generic pid files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_rw_inherited_generic_pid_files',`
-+ gen_require(`
-+ type var_run_t;
-+ ')
-+
-+ allow $1 var_run_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write generic process ID files.
+-## Execute programs in /usr/src in the caller domain.
++## List the contents of generic
++## directories in /usr.
##
##
-@@ -6182,7 +7605,7 @@ interface(`files_rw_generic_pids',`
- type var_t, var_run_t;
+ ##
+@@ -5081,38 +5956,35 @@ interface(`files_read_usr_src_files',`
+ ##
+ ##
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_list_usr',`
+ gen_require(`
+- type usr_t, src_t;
++ type usr_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-+ files_search_pids($1)
- list_dirs_pattern($1, var_t, var_run_t)
- rw_files_pattern($1, var_run_t, var_run_t)
+- list_dirs_pattern($1, usr_t, src_t)
+- exec_files_pattern($1, src_t, src_t)
+- read_lnk_files_pattern($1, src_t, src_t)
++ allow $1 usr_t:dir list_dir_perms;
')
-@@ -6249,55 +7672,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
--## Read all process ID files.
-+## Relable all pid directories
+-## Install a system.map into the /boot directory.
++## Do not audit write of /usr dirs
##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
--##
#
--interface(`files_read_all_pids',`
-+interface(`files_relabel_all_pid_dirs',`
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_dontaudit_write_usr_dirs',`
gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
+- type boot_t, system_map_t;
++ type usr_t;
')
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, pidfile)
-- read_files_pattern($1, pidfile, pidfile)
-+ relabel_dirs_pattern($1, pidfile, pidfile)
+- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+- allow $1 system_map_t:file { create_file_perms rw_file_perms };
++ dontaudit $1 usr_t:dir write;
')
########################################
##
--## Delete all process IDs.
-+## Delete all pid sockets
+-## Read system.map in the /boot directory.
++## Add and remove entries from /usr directories.
##
##
##
- ## Domain allowed access.
+@@ -5120,37 +5992,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
--##
#
--interface(`files_delete_all_pids',`
-+interface(`files_delete_all_pid_sockets',`
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_rw_usr_dirs',`
gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
+- type boot_t, system_map_t;
++ type usr_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:dir rmdir;
-- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-- delete_files_pattern($1, pidfile, pidfile)
-- delete_fifo_files_pattern($1, pidfile, pidfile)
-- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
+- allow $1 boot_t:dir list_dir_perms;
+- read_files_pattern($1, boot_t, system_map_t)
++ allow $1 usr_t:dir rw_dir_perms;
')
########################################
##
--## Delete all process ID directories.
-+## Create all pid sockets
+-## Delete a system.map in the /boot directory.
++## Do not audit attempts to add and remove
++## entries from /usr directories.
##
##
##
-@@ -6305,42 +7716,35 @@ interface(`files_delete_all_pids',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
--interface(`files_delete_all_pid_dirs',`
-+interface(`files_create_all_pid_sockets',`
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaudit_rw_usr_dirs',`
gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
+- type boot_t, system_map_t;
++ type usr_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- delete_dirs_pattern($1, pidfile, pidfile)
-+ allow $1 pidfile:sock_file create_sock_file_perms;
+- allow $1 boot_t:dir list_dir_perms;
+- delete_files_pattern($1, boot_t, system_map_t)
++ dontaudit $1 usr_t:dir rw_dir_perms;
')
########################################
##
--## Create, read, write and delete all
--## var_run (pid) content
-+## Create all pid named pipes
+-## Search the contents of /var.
++## Delete generic directories in /usr in the caller domain.
##
##
##
--## Domain alloed access.
-+## Domain allowed access.
+@@ -5158,35 +6029,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
--interface(`files_manage_all_pids',`
-+interface(`files_create_all_pid_pipes',`
+-interface(`files_search_var',`
++interface(`files_delete_usr_dirs',`
gen_require(`
- attribute pidfile;
+- type var_t;
++ type usr_t;
')
-- manage_dirs_pattern($1, pidfile, pidfile)
-- manage_files_pattern($1, pidfile, pidfile)
-- manage_lnk_files_pattern($1, pidfile, pidfile)
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
+- allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, usr_t, usr_t)
')
########################################
##
--## Mount filesystems on all polyinstantiation
--## member directories.
-+## Delete all pid named pipes
+-## Do not audit attempts to write to /var.
++## Delete generic files in /usr in the caller domain.
##
##
##
-@@ -6348,18 +7752,18 @@ interface(`files_manage_all_pids',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
#
--interface(`files_mounton_all_poly_members',`
-+interface(`files_delete_all_pid_pipes',`
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_usr_files',`
gen_require(`
-- attribute polymember;
-+ attribute pidfile;
+- type var_t;
++ type usr_t;
')
-- allow $1 polymember:dir mounton;
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+- dontaudit $1 var_t:dir write;
++ delete_files_pattern($1, usr_t, usr_t)
')
########################################
##
--## Search the contents of generic spool
--## directories (/var/spool).
-+## manage all pidfile directories
-+## in the /var/run directory.
+-## Allow attempts to write to /var.dirs
++## Get the attributes of files in /usr.
##
##
##
-@@ -6367,37 +7771,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -5194,36 +6065,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
--interface(`files_search_spool',`
-+interface(`files_manage_all_pid_dirs',`
+-interface(`files_write_var_dirs',`
++interface(`files_getattr_usr_files',`
gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
+- type var_t;
++ type usr_t;
')
-- search_dirs_pattern($1, var_t, var_spool_t)
-+ manage_dirs_pattern($1,pidfile,pidfile)
+- allow $1 var_t:dir write;
++ getattr_files_pattern($1, usr_t, usr_t)
')
-+
########################################
##
--## Do not audit attempts to search generic
--## spool directories.
-+## Read all process ID files.
+-## Do not audit attempts to search
+-## the contents of /var.
++## Read generic files in /usr.
##
++##
++##
++## Allow the specified domain to read generic
++## files in /usr. These files are various program
++## files that do not have more specific SELinux types.
++## Some examples of these files are:
++##
++##
++## - /usr/include/*
++## - /usr/share/doc/*
++## - /usr/share/info/*
++##
++##
++## Generally, it is safe for many domains to have
++## this access.
++##
++##
##
##
-## Domain to not audit.
+## Domain allowed access.
##
##
-+##
++##
#
--interface(`files_dontaudit_search_spool',`
-+interface(`files_read_all_pids',`
+-interface(`files_dontaudit_search_var',`
++interface(`files_read_usr_files',`
gen_require(`
-- type var_spool_t;
-+ attribute pidfile;
-+ type var_t;
+- type var_t;
++ type usr_t;
')
-- dontaudit $1 var_spool_t:dir search_dir_perms;
-+ list_dirs_pattern($1, var_t, pidfile)
-+ read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
+- dontaudit $1 var_t:dir search_dir_perms;
++ allow $1 usr_t:dir list_dir_perms;
++ read_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
')
########################################
##
--## List the contents of generic spool
--## (/var/spool) directories.
-+## Relable all pid files
+-## List the contents of /var.
++## Execute generic programs in /usr in the caller domain.
##
##
##
-@@ -6405,18 +7812,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -5231,36 +6121,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
--interface(`files_list_spool',`
-+interface(`files_relabel_all_pid_files',`
+-interface(`files_list_var',`
++interface(`files_exec_usr_files',`
gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
+- type var_t;
++ type usr_t;
')
-- list_dirs_pattern($1, var_t, var_spool_t)
-+ relabel_files_pattern($1, pidfile, pidfile)
+- allow $1 var_t:dir list_dir_perms;
++ allow $1 usr_t:dir list_dir_perms;
++ exec_files_pattern($1, usr_t, usr_t)
++ read_lnk_files_pattern($1, usr_t, usr_t)
')
########################################
##
--## Create, read, write, and delete generic
--## spool directories (/var/spool).
-+## Execute generic programs in /var/run in the caller domain.
+-## Create, read, write, and delete directories
+-## in the /var directory.
++## dontaudit write of /usr files
##
##
##
-@@ -6424,18 +7830,18 @@ interface(`files_list_spool',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
--interface(`files_manage_generic_spool_dirs',`
-+interface(`files_exec_generic_pid_files',`
+-interface(`files_manage_var_dirs',`
++interface(`files_dontaudit_write_usr_files',`
gen_require(`
-- type var_t, var_spool_t;
-+ type var_run_t;
+- type var_t;
++ type usr_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+ exec_files_pattern($1, var_run_t, var_run_t)
+- allow $1 var_t:dir manage_dir_perms;
++ dontaudit $1 usr_t:file write;
')
########################################
##
--## Read generic spool files.
-+## Write all sockets
-+## in the /var/run directory.
+-## Read files in the /var directory.
++## Create, read, write, and delete files in the /usr directory.
##
##
##
-@@ -6443,19 +7849,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5268,17 +6159,17 @@ interface(`files_manage_var_dirs',`
##
##
#
--interface(`files_read_generic_spool',`
-+interface(`files_write_all_pid_sockets',`
+-interface(`files_read_var_files',`
++interface(`files_manage_usr_files',`
gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
+- type var_t;
++ type usr_t;
')
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
-+ allow $1 pidfile:sock_file write_sock_file_perms;
+- read_files_pattern($1, var_t, var_t)
++ manage_files_pattern($1, usr_t, usr_t)
')
########################################
##
--## Create, read, write, and delete generic
--## spool files.
-+## manage all pidfiles
-+## in the /var/run directory.
+-## Append files in the /var directory.
++## Relabel a file to the type used in /usr.
##
##
##
-@@ -6463,109 +7868,62 @@ interface(`files_read_generic_spool',`
+@@ -5286,17 +6177,17 @@ interface(`files_read_var_files',`
##
##
#
--interface(`files_manage_generic_spool',`
-+interface(`files_manage_all_pids',`
+-interface(`files_append_var_files',`
++interface(`files_relabelto_usr_files',`
gen_require(`
-- type var_t, var_spool_t;
-+ attribute pidfile;
+- type var_t;
++ type usr_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
-+ manage_files_pattern($1,pidfile,pidfile)
+- append_files_pattern($1, var_t, var_t)
++ relabelto_files_pattern($1, usr_t, usr_t)
')
########################################
##
--## Create objects in the spool directory
--## with a private type with a type transition.
-+## Mount filesystems on all polyinstantiation
-+## member directories.
+-## Read and write files in the /var directory.
++## Relabel a file from the type used in /usr.
##
##
##
- ## Domain allowed access.
+@@ -5304,73 +6195,86 @@ interface(`files_append_var_files',`
##
##
--##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
#
--interface(`files_spool_filetrans',`
-+interface(`files_mounton_all_poly_members',`
+-interface(`files_rw_var_files',`
++interface(`files_relabelfrom_usr_files',`
gen_require(`
-- type var_t, var_spool_t;
-+ attribute polymember;
+- type var_t;
++ type usr_t;
')
-- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+ allow $1 polymember:dir mounton;
+- rw_files_pattern($1, var_t, var_t)
++ relabelfrom_files_pattern($1, usr_t, usr_t)
')
########################################
##
--## Allow access to manage all polyinstantiated
--## directories on the system.
-+## Delete all process IDs.
+-## Do not audit attempts to read and write
+-## files in the /var directory.
++## Read symbolic links in /usr.
##
##
##
- ## Domain allowed access.
+-## Domain to not audit.
++## Domain allowed access.
##
##
-+##
#
--interface(`files_polyinstantiate_all',`
-+interface(`files_delete_all_pids',`
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_read_usr_symlinks',`
gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
-+ attribute pidfile;
-+ type var_t, var_run_t;
+- type var_t;
++ type usr_t;
')
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
--
-- # Need to give access to parent directories where original
-- # is remounted for polyinstantiation aware programs (like gdm)
-- allow $1 polyparent:dir { getattr mounton };
--
-- # Need to give permission to create directories where applicable
-- allow $1 self:process setfscreate;
-- allow $1 polymember: dir { create setattr relabelto };
-- allow $1 polydir: dir { write add_name open };
-- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
-- # Default type for mountpoints
-- allow $1 poly_t:dir { create mounton };
-- fs_unmount_xattr_fs($1)
--
-- fs_mount_tmpfs($1)
-- fs_unmount_tmpfs($1)
+- dontaudit $1 var_t:file rw_file_perms;
++ read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files in the /var directory.
++## Create objects in the /usr directory
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+-interface(`files_manage_var_files',`
++interface(`files_usr_filetrans',`
+ gen_require(`
+- type var_t;
++ type usr_t;
+ ')
+
+- manage_files_pattern($1, var_t, var_t)
++ filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links in the /var directory.
++## Do not audit attempts to search /usr/src.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_search_src',`
+ gen_require(`
+- type var_t;
++ type src_t;
+ ')
+
+- read_lnk_files_pattern($1, var_t, var_t)
++ dontaudit $1 src_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete symbolic
+-## links in the /var directory.
++## Get the attributes of files in /usr/src.
+ ##
+ ##
+ ##
+@@ -5378,50 +6282,41 @@ interface(`files_read_var_symlinks',`
+ ##
+ ##
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_getattr_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- manage_lnk_files_pattern($1, var_t, var_t)
++ getattr_files_pattern($1, src_t, src_t)
++
++ # /usr/src/linux symlink:
++ read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+
+ ########################################
+ ##
+-## Create objects in the /var directory
++## Read files in /usr/src.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created
+-##
+-##
+-##
+-##
+-## The object class.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_var_filetrans',`
++interface(`files_read_usr_src_files',`
+ gen_require(`
+- type var_t;
++ type usr_t, src_t;
+ ')
+
+- filetrans_pattern($1, var_t, $2, $3, $4)
++ allow $1 usr_t:dir search_dir_perms;
++ read_files_pattern($1, { usr_t src_t }, src_t)
++ read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++ allow $1 src_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of the /var/lib directory.
++## Execute programs in /usr/src in the caller domain.
+ ##
+ ##
+ ##
+@@ -5429,69 +6324,56 @@ interface(`files_var_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_exec_usr_src_files',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type usr_t, src_t;
+ ')
+
+- getattr_dirs_pattern($1, var_t, var_lib_t)
++ list_dirs_pattern($1, usr_t, src_t)
++ exec_files_pattern($1, src_t, src_t)
++ read_lnk_files_pattern($1, src_t, src_t)
+ ')
+
+ ########################################
+ ##
+-## Search the /var/lib directory.
++## Install a system.map into the /boot directory.
+ ##
+-##
+-##
+-## Search the /var/lib directory. This is
+-## necessary to access files or directories under
+-## /var/lib that have a private type. For example, a
+-## domain accessing a private library file in the
+-## /var/lib directory:
+-##
+-##
+-## allow mydomain_t mylibfile_t:file read_file_perms;
+-## files_search_var_lib(mydomain_t)
+-##
+-##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_search_var_lib',`
++interface(`files_create_kernel_symbol_table',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- search_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++ allow $1 system_map_t:file { create_file_perms rw_file_perms };
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search the
+-## contents of /var/lib.
++## Dontaudit getattr attempts on the system.map file
+ ##
+ ##
+ ##
+ ## Domain to not audit.
+ ##
+ ##
+-##
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
+ gen_require(`
+- type var_lib_t;
++ type system_map_t;
+ ')
+
+- dontaudit $1 var_lib_t:dir search_dir_perms;
++ dontaudit $1 system_map_t:file getattr;
+ ')
+
+ ########################################
+ ##
+-## List the contents of the /var/lib directory.
++## Read system.map in the /boot directory.
+ ##
+ ##
+ ##
+@@ -5499,17 +6381,18 @@ interface(`files_dontaudit_search_var_lib',`
+ ##
+ ##
+ #
+-interface(`files_list_var_lib',`
++interface(`files_read_kernel_symbol_table',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- list_dirs_pattern($1, var_t, var_lib_t)
++ allow $1 boot_t:dir list_dir_perms;
++ read_files_pattern($1, boot_t, system_map_t)
+ ')
+
+-###########################################
++########################################
+ ##
+-## Read-write /var/lib directories
++## Delete a system.map in the /boot directory.
+ ##
+ ##
+ ##
+@@ -5517,70 +6400,54 @@ interface(`files_list_var_lib',`
+ ##
+ ##
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_delete_kernel_symbol_table',`
+ gen_require(`
+- type var_lib_t;
++ type boot_t, system_map_t;
+ ')
+
+- rw_dirs_pattern($1, var_lib_t, var_lib_t)
++ allow $1 boot_t:dir list_dir_perms;
++ delete_files_pattern($1, boot_t, system_map_t)
+ ')
+
+ ########################################
+ ##
+-## Create objects in the /var/lib directory
++## Search the contents of /var.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created
+-##
+-##
+-##
+-##
+-## The object class.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_search_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Read generic files in /var/lib.
++## Do not audit attempts to write to /var.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_dontaudit_write_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_lib_t:dir list_dir_perms;
+- read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ dontaudit $1 var_t:dir write;
+ ')
+
+ ########################################
+ ##
+-## Read generic symbolic links in /var/lib
++## Allow attempts to write to /var.dirs
+ ##
+ ##
+ ##
+@@ -5588,41 +6455,36 @@ interface(`files_read_var_lib_files',`
+ ##
+ ##
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_write_var_dirs',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++ allow $1 var_t:dir write;
+ ')
+
+-# cjp: the next two interfaces really need to be fixed
+-# in some way. They really neeed their own types.
-
-- ifdef(`distro_redhat',`
-- # namespace.init
-- files_search_tmp($1)
-- files_search_home($1)
-- corecmd_exec_bin($1)
-- seutil_domtrans_setfiles($1)
-- ')
-+ files_search_pids($1)
-+ allow $1 var_t:dir search_dir_perms;
-+ allow $1 var_run_t:dir rmdir;
-+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
-+ delete_files_pattern($1, pidfile, pidfile)
-+ delete_fifo_files_pattern($1, pidfile, pidfile)
-+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ ########################################
+ ##
+-## Create, read, write, and delete the
+-## pseudorandom number generator seed.
++## Do not audit attempts to search
++## the contents of /var.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_dontaudit_search_var',`
+ gen_require(`
+- type var_t, var_lib_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ dontaudit $1 var_t:dir search_dir_perms;
')
########################################
##
--## Unconfined access to files.
-+## Delete all process ID directories.
+-## Allow domain to manage mount tables
+-## necessary for rpcd, nfsd, etc.
++## List the contents of /var.
##
##
##
-@@ -6573,10 +7931,944 @@ interface(`files_polyinstantiate_all',`
+@@ -5630,36 +6492,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
--interface(`files_unconfined',`
-+interface(`files_delete_all_pid_dirs',`
+-interface(`files_manage_mounttab',`
++interface(`files_list_var',`
gen_require(`
-- attribute files_unconfined_type;
-+ attribute pidfile;
-+ type var_t, var_run_t;
+- type var_t, var_lib_t;
++ type var_t;
')
-- typeattribute $1 files_unconfined_type;
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_lib_t, var_lib_t)
++ allow $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the generic lock directories.
++## Do not audit listing of the var directory (/var).
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_dontaudit_list_var',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
++ dontaudit $1 var_t:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Search the locks directory (/var/lock).
++## Create, read, write, and delete directories
++## in the /var directory.
+ ##
+ ##
+ ##
+@@ -5667,38 +6529,35 @@ interface(`files_setattr_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_search_locks',`
++interface(`files_manage_var_dirs',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_lock_t)
++ allow $1 var_t:dir manage_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search the
+-## locks directory (/var/lock).
++## Read files in the /var directory.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_read_var_files',`
+ gen_require(`
+- type var_lock_t;
++ type var_t;
+ ')
+
+- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_lock_t:dir search_dir_perms;
++ read_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## List generic lock directories.
++## Append files in the /var directory.
+ ##
+ ##
+ ##
+@@ -5706,19 +6565,17 @@ interface(`files_dontaudit_search_locks',`
+ ##
+ ##
+ #
+-interface(`files_list_locks',`
++interface(`files_append_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_lock_t)
++ append_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Add and remove entries in the /var/lock
+-## directories.
++## Read and write files in the /var directory.
+ ##
+ ##
+ ##
+@@ -5726,60 +6583,54 @@ interface(`files_list_locks',`
+ ##
+ ##
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- rw_dirs_pattern($1, var_t, var_lock_t)
++ rw_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Create lock directories
++## Do not audit attempts to read and write
++## files in the /var directory.
+ ##
+ ##
+-##
+-## Domain allowed access
++##
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_dontaudit_rw_var_files',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- create_dirs_pattern($1, var_lock_t, var_lock_t)
++ dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Relabel to and from all lock directory types.
++## Create, read, write, and delete files in the /var directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_manage_var_files',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- relabel_dirs_pattern($1, lockfile, lockfile)
++ manage_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of generic lock files.
++## Read symbolic links in the /var directory.
+ ##
+ ##
+ ##
+@@ -5787,20 +6638,18 @@ interface(`files_relabel_all_lock_dirs',`
+ ##
+ ##
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_read_var_symlinks',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 var_lock_t:dir list_dir_perms;
+- getattr_files_pattern($1, var_lock_t, var_lock_t)
++ read_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Delete generic lock files.
++## Create, read, write, and delete symbolic
++## links in the /var directory.
+ ##
+ ##
+ ##
+@@ -5808,165 +6657,156 @@ interface(`files_getattr_generic_locks',`
+ ##
+ ##
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, var_lock_t, var_lock_t)
++ manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## lock files.
++## Create objects in the /var directory
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_var_filetrans',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- manage_dirs_pattern($1, var_lock_t, var_lock_t)
+- manage_files_pattern($1, var_lock_t, var_lock_t)
++ filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Delete all lock files.
++## Get the attributes of the /var/lib directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- delete_files_pattern($1, lockfile, lockfile)
++ getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Read all lock files.
++## Search the /var/lib directory.
+ ##
++##
++##
++## Search the /var/lib directory. This is
++## necessary to access files or directories under
++## /var/lib that have a private type. For example, a
++## domain accessing a private library file in the
++## /var/lib directory:
++##
++##
++## allow mydomain_t mylibfile_t:file read_file_perms;
++## files_search_var_lib(mydomain_t)
++##
++##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_read_all_locks',`
++interface(`files_search_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- allow $1 lockfile:dir list_dir_perms;
+- read_files_pattern($1, lockfile, lockfile)
+- read_lnk_files_pattern($1, lockfile, lockfile)
++ search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## manage all lock files.
++## Do not audit attempts to search the
++## contents of /var/lib.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
++##
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ gen_require(`
+- attribute lockfile;
+- type var_t, var_lock_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- allow $1 { var_t var_lock_t }:dir search_dir_perms;
+- manage_dirs_pattern($1, lockfile, lockfile)
+- manage_files_pattern($1, lockfile, lockfile)
+- manage_lnk_files_pattern($1, lockfile, lockfile)
++ dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Create an object in the locks directory, with a private
+-## type using a type transition.
++## List the contents of the /var/lib directory.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## The type of the object to be created.
+-##
+-##
+-##
+-##
+-## The object class of the object being created.
+-##
+-##
+-##
+-##
+-## The name of the object being created.
+-##
+-##
+ #
+-interface(`files_lock_filetrans',`
++interface(`files_list_var_lib',`
+ gen_require(`
+- type var_t, var_lock_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_lock_t, $2, $3, $4)
++ list_dirs_pattern($1, var_t, var_lib_t)
+ ')
+
+-########################################
++###########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of the /var/run directory.
++## Read-write /var/lib directories
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
++interface(`files_rw_var_lib_dirs',`
+ gen_require(`
+- type var_run_t;
++ type var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir getattr;
++ rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of the /var/run directory.
++## Create directories in /var/lib
+ ##
+ ##
+ ##
+@@ -5974,59 +6814,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_setattr_pid_dirs',`
++interface(`files_create_var_lib_dirs',`
+ gen_require(`
+- type var_run_t;
++ type var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir setattr;
++ allow $1 var_lib_t:dir { create rw_dir_perms };
+ ')
+
++
+ ########################################
+ ##
+-## Search the contents of runtime process
+-## ID directories (/var/run).
++## Create objects in the /var/lib directory
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## The type of the object to be created
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
+ #
+-interface(`files_search_pids',`
++interface(`files_var_lib_filetrans',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- search_dirs_pattern($1, var_t, var_run_t)
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
++## Read generic files in /var/lib.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_pids',`
++interface(`files_read_var_lib_files',`
+ gen_require(`
+- type var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 var_run_t:dir search_dir_perms;
++ allow $1 var_lib_t:dir list_dir_perms;
++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## List the contents of the runtime process
+-## ID directories (/var/run).
++## Read generic symbolic links in /var/lib
+ ##
+ ##
+ ##
+@@ -6034,18 +6886,18 @@ interface(`files_dontaudit_search_pids',`
+ ##
+ ##
+ #
+-interface(`files_list_pids',`
++interface(`files_read_var_lib_symlinks',`
+ gen_require(`
+- type var_t, var_run_t;
++ type var_t, var_lib_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
+ ')
+
+ ########################################
+ ##
+-## Read generic process ID files.
++## manage generic symbolic links
++## in the /var/lib directory.
+ ##
+ ##
+ ##
+@@ -6053,19 +6905,1228 @@ interface(`files_list_pids',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_pids',`
++interface(`files_manage_var_lib_symlinks',`
+ gen_require(`
++ type var_lib_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++')
++
++# cjp: the next two interfaces really need to be fixed
++# in some way. They really neeed their own types.
++
++########################################
++##
++## Create, read, write, and delete the
++## pseudorandom number generator seed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_urandom_seed',`
++ gen_require(`
++ type var_t, var_lib_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++##
++## Allow domain to manage mount tables
++## necessary for rpcd, nfsd, etc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_mounttab',`
++ gen_require(`
++ type var_t, var_lib_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++##
++## List generic lock directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ list_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
++## Search the locks directory (/var/lock).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
++## Do not audit attempts to search the
++## locks directory (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_lock_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to read/write inherited
++## locks (/var/lock).
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Set the attributes of the /var/lock directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_lock_dirs',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ allow $1 var_lock_t:dir setattr;
++')
++
++########################################
++##
++## Add and remove entries in the /var/lock
++## directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ rw_dirs_pattern($1, var_t, var_lock_t)
++')
++
++########################################
++##
++## Create lock directories
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_create_lock_dirs',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Relabel to and from all lock directory types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_lock_dirs',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Relabel to and from all lock file types.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_lock_files',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ relabel_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Get the attributes of generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 var_lock_t:dir list_dir_perms;
++ getattr_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Delete generic lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ delete_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_locks',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++##
++## Delete all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_delete_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++ delete_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Read all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ allow $1 lockfile:dir list_dir_perms;
++ read_files_pattern($1, lockfile, lockfile)
++ read_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## manage all lock files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_locks',`
++ gen_require(`
++ attribute lockfile;
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ manage_dirs_pattern($1, lockfile, lockfile)
++ manage_files_pattern($1, lockfile, lockfile)
++ manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
++## Create an object in the locks directory, with a private
++## type using a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_lock_filetrans',`
++ gen_require(`
++ type var_t, var_lock_t;
++ ')
++
++ files_search_locks($1)
++ filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++##
++## Set the attributes of the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_run_t:dir setattr;
++')
++
++########################################
++##
++## Search the contents of runtime process
++## ID directories (/var/run).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ search_dirs_pattern($1, var_t, var_run_t)
++')
++
++######################################
++##
++## Add and remove entries from pid directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_pid_dirs',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:dir rw_dir_perms;
++')
++
++#######################################
++##
++## Create generic pid directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_var_run_dirs',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir create_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_pids',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++##
++## Do not audit attempts to search
++## the all /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
++## Allow search the all /var/run directory.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_search_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of the runtime process
++## ID directories (/var/run).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
++')
++
++########################################
++##
++## Read generic process ID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
++ read_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++##
++## Write named generic process ID pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_generic_pid_pipes',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++##
++## Create an object in the process ID directory, with a private type.
++##
++##
++##
++## Create an object in the process ID directory (e.g., /var/run)
++## with a private type. Typically this is used for creating
++## private PID files in /var/run with the private type instead
++## of the general PID file type. To accomplish this goal,
++## either the program must be SELinux-aware, or use this interface.
++##
++##
++## Related interfaces:
++##
++##
++## - files_pid_file()
++##
++##
++## Example usage with a domain that can create and
++## write its PID file with a private PID file type in the
++## /var/run directory:
++##
++##
++## type mypidfile_t;
++## files_pid_file(mypidfile_t)
++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++## files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++##
++#
++interface(`files_pid_filetrans',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++##
++## Create a generic lock directory within the run directories
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`files_pid_filetrans_lock_dir',`
++ gen_require(`
++ type var_lock_t;
++ ')
++
++ files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++##
++## rw generic pid files inherited from another process
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_inherited_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ allow $1 var_run_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
++## Read and write generic process ID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_rw_generic_pids',`
++ gen_require(`
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ list_dirs_pattern($1, var_t, var_run_t)
++ rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes of
++## daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_getattr_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++##
++## Do not audit attempts to write to daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_write_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file write;
++')
++
++########################################
++##
++## Do not audit attempts to ioctl daemon runtime data files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_run_t;
++ ')
++
++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++ dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++##
++## Relable all pid directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Delete all pid sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file delete_sock_file_perms;
++')
++
++########################################
++##
++## Create all pid sockets
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file create_sock_file_perms;
++')
++
++########################################
++##
++## Create all pid named pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_create_all_pid_pipes',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
++')
++
++########################################
++##
++## Delete all pid named pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_pid_pipes',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++')
++
++########################################
++##
++## manage all pidfile directories
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_dirs_pattern($1,pidfile,pidfile)
++')
++
++
++########################################
++##
++## Read all process ID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_read_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_t;
++ ')
++
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Relable all pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_relabel_all_pid_files',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
++## Execute generic programs in /var/run in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_exec_generic_pid_files',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ exec_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++##
++## Write all sockets
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_write_all_pid_sockets',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:sock_file write_sock_file_perms;
++')
++
++########################################
++##
++## manage all pidfiles
++## in the /var/run directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ manage_files_pattern($1,pidfile,pidfile)
++')
++
++########################################
++##
++## Mount filesystems on all polyinstantiation
++## member directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_all_poly_members',`
++ gen_require(`
++ attribute polymember;
++ ')
++
++ allow $1 polymember:dir mounton;
++')
++
++########################################
++##
++## Delete all process IDs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_delete_all_pids',`
++ gen_require(`
++ attribute pidfile;
++ type var_t, var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++##
++## Delete all process ID directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
+ type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
@@ -14102,30 +16600,36 @@ index f962f76..9cb7e98 100644
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +8134,170 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_spool_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Read generic spool files.
+##
+##
@@ -14275,17 +16779,40 @@ index f962f76..9cb7e98 100644
+########################################
+##
+## Create a core files in /
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+-##
+-##
+-## Related interfaces:
+-##
+-##
+-## - files_pid_file()
+-##
+-##
+-## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+-##
+-##
+-## type mypidfile_t;
+-## files_pid_file(mypidfile_t)
+-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-## files_pid_filetrans(mydomain_t, mypidfile_t, file)
+## Create a core file in /,
-+##
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+@@ -6117,80 +8305,157 @@ interface(`files_write_generic_pid_pipes',`
+ ## Domain allowed access.
+ ##
+ ##
+-##
+##
+#
+interface(`files_manage_root_files',`
@@ -14326,12 +16853,14 @@ index f962f76..9cb7e98 100644
+## type transition.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
-+##
-+##
+ ##
+ ##
+ ##
+ ##
+-## The object class of the object being created.
+## The class of the object being created.
+##
+##
@@ -14362,10 +16891,11 @@ index f962f76..9cb7e98 100644
+##
+##
+## The class of the object being created.
-+##
-+##
-+##
-+##
+ ##
+ ##
+ ##
+ ##
+-## The name of the object being created.
+## The name of the object being created.
+##
+##
@@ -14386,314 +16916,432 @@ index f962f76..9cb7e98 100644
+##
+##
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`files_pid_filetrans',`
+interface(`files_manage_generic_pids_symlinks',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- filetrans_pattern($1, var_run_t, $2, $3, $4)
+ manage_lnk_files_pattern($1,var_run_t,var_run_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create a generic lock directory within the run directories
+## Do not audit attempts to getattr
+## all tmpfs files.
-+##
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access
+-##
+-##
+-##
+ ##
+-## The name of the object being created.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_pid_filetrans_lock_dir',`
+interface(`files_dontaudit_getattr_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type var_lock_t;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- files_pid_filetrans($1, var_lock_t, dir, $2)
+ allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read and write generic process ID files.
+## Allow delete all tmpfs files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_rw_generic_pids',`
+interface(`files_delete_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_run_t;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- rw_files_pattern($1, var_run_t, var_run_t)
+ allow $1 tmpfsfile:file delete_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes of
+-## daemon runtime data files.
+## Allow read write all tmpfs files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6198,19 +8463,17 @@ interface(`files_rw_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
+interface(`files_rw_tmpfs_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
+ attribute tmpfsfile;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file getattr;
+ allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to write to daemon runtime data files.
+## Do not audit attempts to read security files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6218,18 +8481,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_write_all_pids',`
+interface(`files_dontaudit_read_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute security_file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file write;
+ dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to ioctl daemon runtime data files.
+## Do not audit attempts to search security files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6237,129 +8499,118 @@ interface(`files_dontaudit_write_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
+interface(`files_dontaudit_search_security_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_run_t;
+ attribute security_file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+- dontaudit $1 pidfile:file ioctl;
+ dontaudit $1 security_file_type:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read all process ID files.
+## Do not audit attempts to read security dirs
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`files_read_all_pids',`
+interface(`files_dontaudit_list_security_dirs',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute security_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ dontaudit $1 security_file_type:dir list_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process IDs.
+## rw any files inherited from another process
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+##
+##
+## Object type.
+##
+##
-+#
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_rw_all_inherited_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 { file_type $2 }:file rw_inherited_file_perms;
+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process ID directories.
+## Allow any file point to be the entrypoint of this domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+##
-+#
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_entrypoint_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+- type var_t, var_run_t;
+ attribute file_type;
-+ ')
+ ')
+-
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ allow $1 file_type:file entrypoint;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write and delete all
+-## var_run (pid) content
+## Do not audit attempts to rw inherited file perms
+## of non security files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain alloed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_all_pids',`
+interface(`files_dontaudit_all_non_security_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute pidfile;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, pidfile, pidfile)
+- manage_files_pattern($1, pidfile, pidfile)
+- manage_lnk_files_pattern($1, pidfile, pidfile)
+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Do not audit attempts to read or write
+## all leaked files.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_dontaudit_leaks',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ dontaudit $1 file_type:file rw_inherited_file_perms;
+ dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## Allow domain to create_file_ass all types
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6367,18 +8618,19 @@ interface(`files_mounton_all_poly_members',`
+ ##
+ ##
+ #
+-interface(`files_search_spool',`
+interface(`files_create_as_is_all_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute file_type;
+ class kernel_service create_files_as;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search generic
+-## spool directories.
+## Do not audit attempts to check the
+## access on all files
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6386,132 +8638,227 @@ interface(`files_search_spool',`
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_spool',`
+interface(`files_dontaudit_all_access_check',`
-+ gen_require(`
+ gen_require(`
+- type var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List the contents of generic spool
+-## (/var/spool) directories.
+## Do not audit attempts to write to all files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_list_spool',`
+interface(`files_dontaudit_write_all_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+ dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Allow domain to delete to all files
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_delete_all_non_security_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ allow $1 non_security_file_type:dir del_entry_dir_perms;
+ allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic spool files.
+## Allow domain to delete to all dirs
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_delete_all_non_security_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute non_security_file_type;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool files.
+## Transition named content in the var_run_t directory
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_filetrans_named_content',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type etc_t;
+ type mnt_t;
+ type usr_t;
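Review bot: `files_dontaudit_getattr_tmpfs_files` is named as an audit-suppression interface but its body is a grant, `allow $1 tmpfsfile:file getattr;`, so a caller that only intended to silence denials actually receives getattr on every tmpfsfile-labelled file; the body should be `dontaudit $1 tmpfsfile:file getattr;` or the interface renamed to state what it allows. The same name/body drift is in the parameter docs of `files_delete_tmpfs_files`, `files_delete_all_non_security_files` and `files_delete_all_non_security_dirs`, which describe the argument as `## Domain to not audit.` while emitting `allow` rules; `## Domain allowed access.` is the accurate line. These lines now carry inner-patch context markers rather than additions, so the text presumably already exists in the upstream .if at this point and the correction may belong there as well as in this patch. The hunk opens inside the doc block of `files_manage_generic_pids_symlinks` and closes inside the `gen_require` of `files_filetrans_named_content`, both of which continue outside it.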
@@ -14702,8 +17350,10 @@ index f962f76..9cb7e98 100644
+ type var_run_t;
+ type var_lock_t;
+ type tmp_t;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ files_pid_filetrans($1, mnt_t, dir, "media")
+ files_root_filetrans($1, etc_runtime_t, file, ".readahead")
+ files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -14743,13 +17393,16 @@ index f962f76..9cb7e98 100644
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
+ files_var_filetrans($1, etc_runtime_t, file, ".updated")
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create objects in the spool directory
+-## with a private type with a type transition.
+## Make the specified type a
+## base file.
-+##
+ ##
+-##
+##
+##
+## Identify file type as base file type. Tools will use this attribute,
@@ -14757,10 +17410,12 @@ index f962f76..9cb7e98 100644
+##
+##
+##
-+##
+ ##
+-## Domain allowed access.
+## Type to be used as a base files.
-+##
-+##
+ ##
+ ##
+-##
+##
+#
+interface(`files_base_file',`
@@ -14782,10 +17437,12 @@ index f962f76..9cb7e98 100644
+##
+##
+##
-+##
+ ##
+-## Type to which the created node will be transitioned.
+## Type to be used as a base read only files.
-+##
-+##
+ ##
+ ##
+-##
+##
+#
+interface(`files_ro_base_file',`
@@ -14801,10 +17458,13 @@ index f962f76..9cb7e98 100644
+## Read all ro base files.
+##
+##
-+##
+ ##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+##
+#
+interface(`files_read_all_base_ro_files',`
@@ -14822,54 +17482,104 @@ index f962f76..9cb7e98 100644
+## Execute all base ro files.
+##
+##
-+##
+ ##
+-## The name of the object being created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+##
-+#
+ #
+-interface(`files_spool_filetrans',`
+interface(`files_exec_all_base_ro_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute base_ro_file_type;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ can_exec($1, base_ro_file_type)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
+## Allow the specified domain to modify the systemd configuration of
+## any file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6519,53 +8866,17 @@ interface(`files_spool_filetrans',`
+ ##
+ ##
+ #
+-interface(`files_polyinstantiate_all',`
+interface(`files_config_all_files',`
-+ gen_require(`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
+ attribute file_type;
-+ ')
-+
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
+ allow $1 file_type:service all_service_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Unconfined access to files.
+## Get the status of etc_t files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6573,10 +8884,10 @@ interface(`files_polyinstantiate_all',`
+ ##
+ ##
+ #
+-interface(`files_unconfined',`
+interface(`files_status_etc',`
-+ gen_require(`
+ gen_require(`
+- attribute files_unconfined_type;
+ type etc_t;
-+ ')
-+
+ ')
+
+- typeattribute $1 files_unconfined_type;
+ allow $1 etc_t:service status;
')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
@@ -19398,7 +22108,7 @@ index e100d88..c652350 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..7c405f5 100644
+index 8dbab4c..092e065 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -19494,11 +22204,11 @@ index 8dbab4c..7c405f5 100644
+allow unlabeled_t self:filesystem associate;
+
+# Need the following because we are type alias of file_t.
-+files_mountpoint(unlabeled_t)
-+files_base_file(unlabeled_t)
++files_type(unlabeled_t)
+kernel_rootfs_mountpoint(unlabeled_t)
+sid file gen_context(system_u:object_r:unlabeled_t,s0)
+typealias unlabeled_t alias file_t;
++neverallow * unlabeled_t:file entrypoint;
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
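Review bot: Replacing `files_mountpoint(unlabeled_t)` and `files_base_file(unlabeled_t)` with `files_type(unlabeled_t)` changes the attribute set of unlabeled_t, while the comment above it still only explains that rules are needed because of the file_t alias. If `files_type()` in this tree also assigns `non_security_file_type` (as it does in upstream refpolicy; its body is not on this page), unlabeled content becomes reachable through broad interfaces declared elsewhere in this patch such as `files_delete_all_non_security_dirs`, and the `mountpoint` attribute previously supplied by `files_mountpoint()` is gone, so domains that mount on all mountpoints may lose access to unlabeled directories — `kernel_rootfs_mountpoint(unlabeled_t)` does not obviously cover that. The added `neverallow * unlabeled_t:file entrypoint;` is a good build-time guard. Please confirm the intended attribute set against files.if and extend the comment accordingly, e.g. `# file_type only: unlabeled_t must never be an entrypoint; mountpoint access is intentionally not granted` if that is the intent.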
@@ -26397,7 +29107,7 @@ index cc877c7..b8e6e98 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..12a5645 100644
+index 8274418..53f66a4 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,38 @@
@@ -26462,7 +29172,7 @@ index 8274418..12a5645 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,26 +79,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,26 +79,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -26497,13 +29207,14 @@ index 8274418..12a5645 100644
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0)
+
+/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -91,19 +132,34 @@ ifndef(`distro_debian',`
+@@ -91,19 +133,34 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
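Review bot: The added `/usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0)` is an open-ended glob, so every binary whose name starts with nvidia (driver helpers, but also user-facing utilities) receives xserver_exec_t, the entrypoint type of the X server domain. Whether a matching binary then runs in xserver_t depends on the domain-transition rules in xserver.te, which are outside this hunk, but the label alone makes each of them a potential entrypoint and the pattern will also catch anything a future driver package drops under that prefix. If only specific helpers are meant, enumerate them instead of the `nvidia.*` glob, or leave a comment above the line stating that the whole family is intended, e.g. `# all nvidia-* helpers run as the X server; revisit if non-server tools appear`.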
@@ -26542,7 +29253,7 @@ index 8274418..12a5645 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -111,7 +167,18 @@ ifndef(`distro_debian',`
+@@ -111,7 +168,18 @@ ifndef(`distro_debian',`
/var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -43602,10 +46313,10 @@ index 0000000..0e4185f
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..21f7c14
+index 0000000..3380372
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1678 @@
+@@ -0,0 +1,1698 @@
+## SELinux policy for systemd components
+
+######################################
@@ -45284,12 +47995,32 @@ index 0000000..21f7c14
+
+ allow $1 systemd_coredump_tmpfs_t:file rw_file_perms;
+')
++
++########################################
++##
++## Allow process to read hwdb config file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`systemd_hwdb_read_config',`
++ gen_require(`
++ type systemd_hwdb_etc_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 systemd_hwdb_etc_t:file read_file_perms;
++')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..605f160
+index 0000000..45fcf4c
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,909 @@
+@@ -0,0 +1,919 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -45409,6 +48140,9 @@ index 0000000..605f160
+#domain for gpt-auto-generator
+systemd_domain_template(systemd_gpt_generator)
+
++type systemd_gpt_generator_unit_file_t;
++systemd_unit_file(systemd_gpt_generator_unit_file_t)
++
+#domain for systemd-machined
+systemd_domain_template(systemd_machined)
+
@@ -45987,6 +48721,8 @@ index 0000000..605f160
+allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
++manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
++init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir, "rfkill")
+
+kernel_dgram_send(systemd_rfkill_t)
+
@@ -46134,6 +48870,11 @@ index 0000000..605f160
+
+storage_raw_read_fixed_disk(systemd_gpt_generator_t)
+
++allow systemd_gpt_generator_t systemd_gpt_generator_unit_file_t:file manage_file_perms;
++systemd_unit_file_filetrans(systemd_gpt_generator_t, systemd_gpt_generator_unit_file_t, file)
++systemd_create_unit_file_dirs(systemd_gpt_generator_t)
++systemd_create_unit_file_lnk(systemd_gpt_generator_t)
++
+#######################################
+#
+# systemd_resolved domain
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ba812ef..6008469 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -3459,10 +3459,10 @@ index 0000000..d8b04b5
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 7caefc3..4313ba3 100644
+index 7caefc3..754c30f 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,162 +1,212 @@
+@@ -1,162 +1,214 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3635,6 +3635,7 @@ index 7caefc3..4313ba3 100644
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/usr/local/nagios/sbin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
@@ -3792,6 +3793,7 @@ index 7caefc3..4313ba3 100644
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html(/.*)?/wp_backups(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -8065,7 +8067,7 @@ index 1a7a97e..2c7252a 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 7fd431b..41f2a57 100644
+index 7fd431b..708ae24 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@@ -8156,7 +8158,7 @@ index 7fd431b..41f2a57 100644
optional_policy(`
automount_domtrans(apmd_t)
-@@ -206,11 +211,15 @@ optional_policy(`
+@@ -206,11 +211,20 @@ optional_policy(`
')
optional_policy(`
@@ -8171,6 +8173,11 @@ index 7fd431b..41f2a57 100644
+
+optional_policy(`
+ systemd_dbus_chat_logind(apmd_t)
++')
++
++optional_policy(`
++ systemd_start_power_services(apmd_t)
++ systemd_status_power_services(apmd_t)
')
optional_policy(`
@@ -9792,7 +9799,7 @@ index e73fb79..2badfc0 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48..f7b4f1d 100644
+index f5c1a48..d8e7d55 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@@ -9810,7 +9817,7 @@ index f5c1a48..f7b4f1d 100644
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
-@@ -45,7 +48,9 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
+@@ -45,22 +48,25 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
@@ -9820,7 +9827,15 @@ index f5c1a48..f7b4f1d 100644
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
manage_dirs_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
-@@ -59,8 +64,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
+
+ manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
+-files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
++manage_dirs_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
++files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})
+
+ manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
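Review bot: The added `files_var_lib_filetrans(bitlbee_t, bitlbee_var_t,{dir file})` departs from the spacing used on the neighbouring lines, for example `files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })` two lines below; write it as `files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, { dir file })`. The m4 macro expands either form, so this is a readability point only.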
@@ -9830,7 +9845,7 @@ index f5c1a48..f7b4f1d 100644
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -98,7 +103,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
+@@ -98,7 +104,9 @@ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
corenet_sendrecv_ircd_server_packets(bitlbee_t)
corenet_tcp_bind_ircd_port(bitlbee_t)
@@ -9840,7 +9855,7 @@ index f5c1a48..f7b4f1d 100644
corenet_tcp_connect_ircd_port(bitlbee_t)
corenet_tcp_sendrecv_ircd_port(bitlbee_t)
-@@ -109,16 +116,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -109,16 +117,17 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
@@ -15493,7 +15508,7 @@ index 8e27a37..c69be28 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 9f2dfb2..3d5988c 100644
+index 9f2dfb2..def3424 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
@@ -15560,18 +15575,18 @@ index 9f2dfb2..3d5988c 100644
auth_use_nsswitch(colord_t)
+-logging_send_syslog_msg(colord_t)
+init_read_state(colord_t)
-+
- logging_send_syslog_msg(colord_t)
-miscfiles_read_localization(colord_t)
-+systemd_read_logind_sessions_files(colord_t)
++logging_send_syslog_msg(colord_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_getattr_nfs(colord_t)
- fs_read_nfs_files(colord_t)
-')
--
++systemd_read_logind_sessions_files(colord_t)
+
-tunable_policy(`use_samba_home_dirs',`
- fs_getattr_cifs(colord_t)
- fs_read_cifs_files(colord_t)
@@ -15597,7 +15612,14 @@ index 9f2dfb2..3d5988c 100644
')
optional_policy(`
-@@ -137,3 +147,16 @@ optional_policy(`
+@@ -134,6 +144,23 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_hwdb_read_config(colord_t)
++')
++
++optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
@@ -16274,14 +16296,16 @@ index ce9f040..dc29445 100644
+')
diff --git a/conman.fc b/conman.fc
new file mode 100644
-index 0000000..d2f5c80
+index 0000000..b13a6f6
--- /dev/null
+++ b/conman.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,10 @@
+/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0)
+
+/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0)
+
++/usr/share/conman/exec(/.*)? gen_context(system_u:object_r:conman_unconfined_script_exec_t,s0)
++
+/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0)
+
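Review bot: `/usr/share/conman/exec(/.*)?` labels the directory itself and any subdirectory or non-executable object inside it with conman_unconfined_script_exec_t, a type that conman.te elsewhere in this patch turns into an entrypoint to an unconfined domain. Restricting the entry to regular files, `/usr/share/conman/exec/.* -- gen_context(system_u:object_r:conman_unconfined_script_exec_t,s0)`, keeps the directory and other objects at the parent's default label so only the scripts themselves can act as entrypoints. conman_t presumably needs search on the directory either way, which the default label of /usr/share should already provide — please verify.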
@@ -16437,10 +16461,10 @@ index 0000000..1cc5fa4
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..3bc9494
+index 0000000..722f400
--- /dev/null
+++ b/conman.te
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,93 @@
+policy_module(conman, 1.0.0)
+
+########################################
@@ -16472,6 +16496,10 @@ index 0000000..3bc9494
+type conman_unit_file_t;
+systemd_unit_file(conman_unit_file_t)
+
++type conman_unconfined_script_t;
++type conman_unconfined_script_exec_t;
++application_domain(conman_unconfined_script_t, conman_unconfined_script_exec_t)
++
+########################################
+#
+# conman local policy
@@ -16519,6 +16547,17 @@ index 0000000..3bc9494
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
++
++########################################
++#
++# conman script local policy
++#
++
++domtrans_pattern(conman_t, conman_unconfined_script_exec_t, conman_unconfined_script_t)
++
++optional_policy(`
++ unconfined_domain(conman_unconfined_script_t)
++')
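Review bot: `domtrans_pattern(conman_t, conman_unconfined_script_exec_t, conman_unconfined_script_t)` makes every file carrying conman_unconfined_script_exec_t a path from the confined conman_t daemon into a domain that `unconfined_domain()` makes fully privileged, so the integrity of those files is the entire security boundary. Nothing in the hunk asserts that conman_t cannot modify them; a guard such as `neverallow conman_t conman_unconfined_script_exec_t:file { write append create unlink };` would make that assumption checkable at policy build time. Separately, because `unconfined_domain(conman_unconfined_script_t)` sits inside `optional_policy()`, a build without the unconfined module leaves conman_unconfined_script_t with nothing beyond `application_domain()` and the scripts would fail in a non-obvious way; a comment naming that dependency, e.g. `# scripts in /usr/share/conman/exec run unconfined; requires the unconfined module`, would help the next maintainer.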
diff --git a/consolekit.fc b/consolekit.fc
index 23c9558..29e5fd3 100644
--- a/consolekit.fc
@@ -20301,10 +20340,10 @@ index 001b502..47199aa 100644
optional_policy(`
diff --git a/cups.fc b/cups.fc
-index 949011e..9437dbe 100644
+index 949011e..8f8bc20 100644
--- a/cups.fc
+++ b/cups.fc
-@@ -1,77 +1,91 @@
+@@ -1,77 +1,92 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
@@ -20423,6 +20462,7 @@ index 949011e..9437dbe 100644
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
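Review bot: The added `/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0)` uses the `--` object-class field, which restricts the match to regular files, while the commit message describes /var/run/ecblp0 as a fifo_file. A named pipe is matched by `-p`, so as written setfiles/restorecon will not apply this label to the pipe; change the entry to `/var/run/ecblp0 -p gen_context(system_u:object_r:cupsd_var_run_t,s0)`. If the path can legitimately be either object type, omit the class field instead.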
@@ -26168,7 +26208,7 @@ index d5badb7..c2431fc 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e..e1c4564 100644
+index 0aabc7e..315aa2f 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@@ -26422,7 +26462,7 @@ index 0aabc7e..e1c4564 100644
sendmail_domtrans(dovecot_t)
')
-@@ -227,46 +223,67 @@ optional_policy(`
+@@ -227,46 +223,69 @@ optional_policy(`
########################################
#
@@ -26450,14 +26490,16 @@ index 0aabc7e..e1c4564 100644
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-+dovecot_stream_connect_auth(dovecot_auth_t)
++manage_fifo_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
-+corecmd_exec_bin(dovecot_auth_t)
++dovecot_stream_connect_auth(dovecot_auth_t)
-files_search_pids(dovecot_auth_t)
-files_read_usr_files(dovecot_auth_t)
-files_read_var_lib_files(dovecot_auth_t)
++corecmd_exec_bin(dovecot_auth_t)
++
+logging_send_audit_msgs(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
@@ -26499,7 +26541,7 @@ index 0aabc7e..e1c4564 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -277,53 +294,79 @@ optional_policy(`
+@@ -277,53 +296,79 @@ optional_policy(`
')
optional_policy(`
@@ -26598,7 +26640,7 @@ index 0aabc7e..e1c4564 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -332,5 +375,6 @@ optional_policy(`
+@@ -332,5 +377,6 @@ optional_policy(`
')
optional_policy(`
@@ -36873,10 +36915,10 @@ index 6517fad..f183748 100644
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
')
diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..76a5802 100644
+index 4eb7041..fc5435f 100644
--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -5,24 +5,142 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,146 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
@@ -36909,10 +36951,9 @@ index 4eb7041..76a5802 100644
+
+type hypervvssd_unit_file_t;
+systemd_unit_file(hypervvssd_unit_file_t)
-
- ########################################
- #
--# Local policy
++
++########################################
++#
+# hyperv domain local policy
+#
+
@@ -36926,9 +36967,10 @@ index 4eb7041..76a5802 100644
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Local policy
+# hypervkvp local policy
+#
+
@@ -36950,6 +36992,8 @@ index 4eb7041..76a5802 100644
+
+corecmd_getattr_all_executables(hypervkvp_t)
+
++dev_rw_hypervkvp(hypervkvp_t)
++
+domain_read_all_domains_state(hypervkvp_t)
+
+seutil_exec_setfiles(hypervkvp_t)
@@ -37020,6 +37064,8 @@ index 4eb7041..76a5802 100644
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervvssd_t self:capability sys_admin;
++
++dev_rw_hypervvssd(hypervvssd_t)
-logging_send_syslog_msg(hypervkvpd_t)
+files_list_boot(hypervvssd_t)
@@ -38899,7 +38945,7 @@ index 59ad3b3..bd02cc8 100644
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
-index 7eb3811..d5d5ae7 100644
+index 7eb3811..629af1e 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,29 +1,76 @@
@@ -39091,7 +39137,15 @@ index 7eb3811..d5d5ae7 100644
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -97,7 +175,4 @@ interface(`jabber_admin',`
+@@ -89,15 +167,9 @@ interface(`jabber_admin',`
+ files_search_locks($1)
+ admin_pattern($1, jabberd_lock_t)
+
+- logging_search_logs($1)
+- admin_pattern($1, jabberd_log_t)
+-
+ files_search_spool($1)
+ admin_pattern($1, jabberd_spool_t)
files_search_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
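Review bot: The inner patch now removes `logging_search_logs($1)` and `admin_pattern($1, jabberd_log_t)` from jabber_admin, so administrators defined through this interface lose management of jabberd_log_t objects. If jabberd_log_t has been removed or renamed in this tree, which the changelog entry about broken interfaces suggests, the matching entry in the interface's `gen_require` block (outside the hunk) needs the same treatment; if the type still exists, this is a functional regression rather than a fix. Please confirm which case applies.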
@@ -45154,7 +45208,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84..24e669e 100644
+index be0ab84..3c99496 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,22 @@ policy_module(logrotate, 1.15.0)
@@ -45184,7 +45238,7 @@ index be0ab84..24e669e 100644
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
-@@ -25,21 +31,27 @@ files_tmp_file(logrotate_tmp_t)
+@@ -25,21 +31,30 @@ files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
@@ -45202,6 +45256,9 @@ index be0ab84..24e669e 100644
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability { sys_resource net_admin };
+
++# dontaudited due to systemctl command.
++dontaudit logrotate_t self:process setrlimit;
++
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+# Set a context other than the default one for newly created files.
@@ -45218,7 +45275,7 @@ index be0ab84..24e669e 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,36 +60,52 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +63,52 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@@ -45276,7 +45333,7 @@ index be0ab84..24e669e 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
-@@ -95,32 +123,52 @@ mls_process_write_to_clearance(logrotate_t)
+@@ -95,32 +126,52 @@ mls_process_write_to_clearance(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
@@ -45335,7 +45392,7 @@ index be0ab84..24e669e 100644
')
optional_policy(`
-@@ -135,16 +183,17 @@ optional_policy(`
+@@ -135,16 +186,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -45355,7 +45412,7 @@ index be0ab84..24e669e 100644
')
optional_policy(`
-@@ -170,6 +219,11 @@ optional_policy(`
+@@ -170,6 +222,11 @@ optional_policy(`
')
optional_policy(`
@@ -45367,7 +45424,7 @@ index be0ab84..24e669e 100644
fail2ban_stream_connect(logrotate_t)
')
-@@ -178,7 +232,7 @@ optional_policy(`
+@@ -178,7 +235,7 @@ optional_policy(`
')
optional_policy(`
@@ -45376,7 +45433,7 @@ index be0ab84..24e669e 100644
')
optional_policy(`
-@@ -198,17 +252,18 @@ optional_policy(`
+@@ -198,17 +255,18 @@ optional_policy(`
')
optional_policy(`
@@ -45398,7 +45455,7 @@ index be0ab84..24e669e 100644
')
optional_policy(`
-@@ -216,6 +271,14 @@ optional_policy(`
+@@ -216,6 +274,14 @@ optional_policy(`
')
optional_policy(`
@@ -45413,7 +45470,7 @@ index be0ab84..24e669e 100644
samba_exec_log(logrotate_t)
')
-@@ -228,26 +291,43 @@ optional_policy(`
+@@ -228,26 +294,43 @@ optional_policy(`
')
optional_policy(`
@@ -46041,7 +46098,7 @@ index d314333..27ede09 100644
+ ')
')
diff --git a/lsm.te b/lsm.te
-index 4ec0eea..03738f2 100644
+index 4ec0eea..db7c68b 100644
--- a/lsm.te
+++ b/lsm.te
@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0)
@@ -46083,7 +46140,7 @@ index 4ec0eea..03738f2 100644
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-@@ -26,4 +44,68 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+@@ -26,4 +44,69 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
@@ -46152,6 +46209,7 @@ index 4ec0eea..03738f2 100644
+storage_raw_rw_fixed_disk(lsmd_plugin_t)
+storage_read_scsi_generic(lsmd_plugin_t)
+storage_write_scsi_generic(lsmd_plugin_t)
++storage_dev_filetrans_named_fixed_disk(lsmd_plugin_t)
diff --git a/lttng-tools.fc b/lttng-tools.fc
new file mode 100644
index 0000000..bdd17ca
@@ -60252,7 +60310,7 @@ index a9c60ff..ad4f14a 100644
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
-index 47bb1d2..3316c17 100644
+index 47bb1d2..17db1a1 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
@@ -60329,7 +60387,7 @@ index 47bb1d2..3316c17 100644
corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
-@@ -72,16 +72,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
+@@ -72,16 +72,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
corenet_udp_sendrecv_all_ports(nsd_t)
corenet_tcp_bind_generic_node(nsd_t)
corenet_udp_bind_generic_node(nsd_t)
@@ -60338,6 +60396,9 @@ index 47bb1d2..3316c17 100644
corenet_tcp_bind_dns_port(nsd_t)
corenet_udp_bind_dns_port(nsd_t)
+corenet_sendrecv_dns_server_packets(nsd_t)
++corenet_tcp_bind_nsd_control_port(nsd_t)
++corenet_sendrecv_nsd_control_server_packets(nsd_t)
++corenet_tcp_connect_nsd_control_port(nsd_t)
dev_read_sysfs(nsd_t)
+dev_read_urand(nsd_t)
@@ -60349,7 +60410,7 @@ index 47bb1d2..3316c17 100644
fs_getattr_all_fs(nsd_t)
fs_search_auto_mountpoints(nsd_t)
-@@ -90,8 +91,6 @@ auth_use_nsswitch(nsd_t)
+@@ -90,8 +94,6 @@ auth_use_nsswitch(nsd_t)
logging_send_syslog_msg(nsd_t)
@@ -60358,7 +60419,7 @@ index 47bb1d2..3316c17 100644
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_user_home_dirs(nsd_t)
-@@ -105,23 +104,24 @@ optional_policy(`
+@@ -105,23 +107,24 @@ optional_policy(`
########################################
#
@@ -60391,7 +60452,7 @@ index 47bb1d2..3316c17 100644
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
-@@ -133,27 +133,27 @@ kernel_read_system_state(nsd_crond_t)
+@@ -133,29 +136,33 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
@@ -60425,6 +60486,12 @@ index 47bb1d2..3316c17 100644
userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
optional_policy(`
++ nsd_read_pid(nsd_crond_t)
++')
++
++optional_policy(`
+ cron_system_entry(nsd_crond_t, nsd_exec_t)
+ ')
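Review bot: `nsd_read_pid(nsd_crond_t)` is wrapped in `optional_policy()` although, judging by its prefix, it is an interface of this same nsd module rather than of an external one; a module always provides its own interfaces, so the wrapper adds nothing and suggests a dependency that does not exist. Call it directly, or write the underlying rules on the nsd pid type here (the type name is not visible in this hunk, so verify it in nsd.if).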
diff --git a/nslcd.fc b/nslcd.fc
index 402100e..ce913b2 100644
--- a/nslcd.fc
@@ -67427,10 +67494,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..2fecf5d
+index 0000000..5eb733c
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,278 @@
+@@ -0,0 +1,279 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -67555,6 +67622,7 @@ index 0000000..2fecf5d
+
+corenet_tcp_bind_amqp_port(pcp_pmcd_t)
+corenet_tcp_connect_amqp_port(pcp_pmcd_t)
++corenet_tcp_connect_http_port(pcp_pmcd_t)
+
+dev_read_sysfs(pcp_pmcd_t)
+
@@ -68146,7 +68214,7 @@ index d2fc677..86dce34 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 608f454..0aa43fc 100644
+index 608f454..6a92354 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -68165,7 +68233,7 @@ index 608f454..0aa43fc 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,334 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,335 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -68307,6 +68375,7 @@ index 608f454..0aa43fc 100644
+')
+
+optional_policy(`
++ sssd_read_public_files(pegasus_openlmi_services_t)
+ sssd_stream_connect(pegasus_openlmi_services_t)
+')
+
@@ -68505,7 +68574,7 @@ index 608f454..0aa43fc 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +367,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +368,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -68536,7 +68605,7 @@ index 608f454..0aa43fc 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +393,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +394,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -68569,7 +68638,7 @@ index 608f454..0aa43fc 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +421,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +422,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -68581,7 +68650,7 @@ index 608f454..0aa43fc 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +437,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +438,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -68617,7 +68686,7 @@ index 608f454..0aa43fc 100644
')
optional_policy(`
-@@ -151,16 +471,24 @@ optional_policy(`
+@@ -151,16 +472,24 @@ optional_policy(`
')
optional_policy(`
@@ -68646,7 +68715,7 @@ index 608f454..0aa43fc 100644
')
optional_policy(`
-@@ -168,7 +496,7 @@ optional_policy(`
+@@ -168,7 +497,7 @@ optional_policy(`
')
optional_policy(`
@@ -68655,7 +68724,7 @@ index 608f454..0aa43fc 100644
')
optional_policy(`
-@@ -180,6 +508,7 @@ optional_policy(`
+@@ -180,6 +509,7 @@ optional_policy(`
')
optional_policy(`
@@ -91316,7 +91385,7 @@ index f1140ef..642e062 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
-index abeb302..85582ef 100644
+index abeb302..6836678 100644
--- a/rsync.te
+++ b/rsync.te
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
@@ -91332,40 +91401,24 @@ index abeb302..85582ef 100644
+##
##
-gen_tunable(rsync_use_cifs, false)
--
--##
--##
--## Determine whether rsync can
--## use fuse file systems.
--##
--##
--gen_tunable(rsync_use_fusefs, false)
--
--##
--##
--## Determine whether rsync can use
--## nfs file systems.
--##
--##
--gen_tunable(rsync_use_nfs, false)
+gen_tunable(rsync_client, false)
##
-##
-## Determine whether rsync can
--## run as a client
+-## use fuse file systems.
-##
+##
+## Allow rsync to export any files/directories read only.
+##
##
--gen_tunable(rsync_client, false)
+-gen_tunable(rsync_use_fusefs, false)
+gen_tunable(rsync_export_all_ro, false)
##
-##
--## Determine whether rsync can
--## export all content read only.
+-## Determine whether rsync can use
+-## nfs file systems.
-##
+##
+## Allow rsync to modify public files
@@ -91373,21 +91426,37 @@ index abeb302..85582ef 100644
+## labeled public_content_rw_t.
+##
##
--gen_tunable(rsync_export_all_ro, false)
+-gen_tunable(rsync_use_nfs, false)
+gen_tunable(rsync_anon_write, false)
##
##
--## Determine whether rsync can modify
--## public files used for public file
--## transfer services. Directories/Files must
--## be labeled public_content_rw_t.
+-## Determine whether rsync can
+-## run as a client
+## Allow rsync server to manage all files/directories on the system.
##
##
--gen_tunable(allow_rsync_anon_write, false)
+-gen_tunable(rsync_client, false)
+gen_tunable(rsync_full_access, false)
+-##
+-##
+-## Determine whether rsync can
+-## export all content read only.
+-##
+-##
+-gen_tunable(rsync_export_all_ro, false)
+-
+-##
+-##
+-## Determine whether rsync can modify
+-## public files used for public file
+-## transfer services. Directories/Files must
+-## be labeled public_content_rw_t.
+-##
+-##
+-gen_tunable(allow_rsync_anon_write, false)
+-
-attribute_role rsync_roles;
type rsync_t;
@@ -91413,14 +91482,14 @@ index abeb302..85582ef 100644
-allow rsync_t self:tcp_socket { accept listen };
+allow rsync_t self:tcp_socket create_stream_socket_perms;
+allow rsync_t self:udp_socket connected_socket_perms;
-
--allow rsync_t rsync_etc_t:file read_file_perms;
++
+# for identd
+# cjp: this should probably only be inetd_child_t rules?
+# search home and kerberos also.
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+#end for identd
-+
+
+-allow rsync_t rsync_etc_t:file read_file_perms;
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -91437,7 +91506,7 @@ index abeb302..85582ef 100644
logging_log_filetrans(rsync_t, rsync_log_t, file)
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
-@@ -108,91 +96,84 @@ kernel_read_kernel_sysctls(rsync_t)
+@@ -108,46 +96,55 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
@@ -91474,76 +91543,63 @@ index abeb302..85582ef 100644
-tunable_policy(`allow_rsync_anon_write',`
- miscfiles_manage_public_files(rsync_t)
--')
+userdom_home_manager(rsync_t)
++
++optional_policy(`
++ daemontools_service_domain(rsync_t, rsync_exec_t)
+ ')
-tunable_policy(`rsync_client',`
- corenet_sendrecv_rsync_client_packets(rsync_t)
- corenet_tcp_connect_rsync_port(rsync_t)
+optional_policy(`
-+ daemontools_service_domain(rsync_t, rsync_exec_t)
++ kerberos_use(rsync_t)
+')
- corenet_sendrecv_ssh_client_packets(rsync_t)
- corenet_tcp_connect_ssh_port(rsync_t)
- corenet_tcp_sendrecv_ssh_port(rsync_t)
+optional_policy(`
-+ kerberos_use(rsync_t)
++ inetd_service_domain(rsync_t, rsync_exec_t)
+')
- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
+optional_policy(`
-+ inetd_service_domain(rsync_t, rsync_exec_t)
++ mta_send_mail(rsync_t)
++')
++
++tunable_policy(`rsync_anon_write',`
++ miscfiles_manage_public_files(rsync_t)
++')
++
++tunable_policy(`rsync_full_access',`
++ allow rsync_t self:capability { dac_override dac_read_search };
++ files_manage_non_auth_files(rsync_t)
')
--tunable_policy(`rsync_export_all_ro',`
-- fs_read_noxattr_fs_files(rsync_t)
-- fs_read_nfs_files(rsync_t)
-- fs_read_fusefs_files(rsync_t)
-- fs_read_cifs_files(rsync_t)
-- files_list_non_auth_dirs(rsync_t)
-- files_read_non_auth_files(rsync_t)
-- files_read_non_auth_symlinks(rsync_t)
-- auth_tunable_read_shadow(rsync_t)
-+optional_policy(`
-+ mta_send_mail(rsync_t)
+ tunable_policy(`rsync_export_all_ro',`
+@@ -161,38 +158,24 @@ tunable_policy(`rsync_export_all_ro',`
+ auth_tunable_read_shadow(rsync_t)
')
-tunable_policy(`rsync_use_cifs',`
- fs_list_cifs(rsync_t)
- fs_read_cifs_files(rsync_t)
- fs_read_cifs_symlinks(rsync_t)
-+tunable_policy(`rsync_anon_write',`
-+ miscfiles_manage_public_files(rsync_t)
- ')
-
+-')
+-
-tunable_policy(`rsync_use_fusefs',`
- fs_search_fusefs(rsync_t)
- fs_read_fusefs_files(rsync_t)
- fs_read_fusefs_symlinks(rsync_t)
-+tunable_policy(`rsync_full_access',`
-+ allow rsync_t self:capability { dac_override dac_read_search };
-+ files_manage_non_auth_files(rsync_t)
- ')
-
+-')
+-
-tunable_policy(`rsync_use_nfs',`
- fs_list_nfs(rsync_t)
-+tunable_policy(`rsync_export_all_ro',`
-+ files_getattr_all_pipes(rsync_t)
-+ fs_read_noxattr_fs_files(rsync_t)
- fs_read_nfs_files(rsync_t)
+- fs_read_nfs_files(rsync_t)
- fs_read_nfs_symlinks(rsync_t)
-+ fs_read_cifs_files(rsync_t)
-+ files_read_non_security_files(rsync_t)
-+ auth_tunable_read_shadow(rsync_t)
- ')
-
--optional_policy(`
-- tunable_policy(`rsync_client',`
-- ssh_exec(rsync_t)
-- ')
+tunable_policy(`rsync_client',`
+ corenet_tcp_connect_rsync_port(rsync_t)
+ corenet_tcp_connect_ssh_port(rsync_t)
@@ -91553,13 +91609,17 @@ index abeb302..85582ef 100644
')
optional_policy(`
-- daemontools_service_domain(rsync_t, rsync_exec_t)
-+ tunable_policy(`rsync_client',`
+ tunable_policy(`rsync_client',`
+- ssh_exec(rsync_t)
+ ssh_exec(rsync_t)
-+ ')
+ ')
')
-optional_policy(`
+- daemontools_service_domain(rsync_t, rsync_exec_t)
+-')
+-
+-optional_policy(`
- kerberos_use(rsync_t)
-')
+auth_can_read_shadow_passwords(rsync_t)
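Review bot: With the Fedora-specific `rsync_export_all_ro` block replaced by upstream's, `files_getattr_all_pipes(rsync_t)` and `files_read_non_security_files(rsync_t)` are no longer granted under the boolean; unless `non_auth_file_type` covers at least what `files_read_non_security_files` did, exports that worked before may now hit AVC denials, and named pipes inside an exported tree can no longer be stat'ed. Separately, the boolean still wraps `auth_tunable_read_shadow(rsync_t)`, but the module appears to also carry an unconditional `auth_can_read_shadow_passwords(rsync_t)` at the end of this hunk (pre-existing patch content, not added here), which makes the gated grant moot: rsync_t can read shadow whether the boolean is on or off. If that is intended, the boolean description `Allow rsync to export any files/directories read only.` should say so; otherwise the unconditional line should go.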
@@ -92121,7 +92181,7 @@ index b8b66ff..a93346e 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
-index 50d07fb..e9569d2 100644
+index 50d07fb..a34db48 100644
--- a/samba.if
+++ b/samba.if
@@ -1,8 +1,12 @@
@@ -92778,7 +92838,7 @@ index 50d07fb..e9569d2 100644
files_search_pids($1)
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+ manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t)
-+ manage_files_pattern($1, winbin_var_run_t, winbind_var_run_t)
++ manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
+ manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
+')
+
@@ -94491,10 +94551,10 @@ index 0000000..b21026b
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
-index 0000000..eb990f6
+index 0000000..6b3fab1
--- /dev/null
+++ b/sandbox.te
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,65 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
@@ -94547,7 +94607,8 @@ index 0000000..eb990f6
+dev_dontaudit_getattr_all(sandbox_domain)
+
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
-+files_entrypoint_all_files(sandbox_domain)
++corecmd_entrypoint_all_executables(sandbox_domain)
++files_entrypoint_all_mountpoint(sandbox_domain)
+
+files_read_config_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
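Review bot: `files_entrypoint_all_mountpoint(sandbox_domain)` is broader than "executables and mountpoints" suggests: the `mountpoint` attribute is carried by every type marked with `files_mountpoint()`, which in refpolicy includes world-writable locations such as tmp_t, not only the bind-mount targets a sandbox needs. Since `entrypoint` decides which files may be the first executable of the sandbox domain, please confirm that granting it on all mountpoint types is intended, or narrow it to the specific types the sandbox bind-mounts. A one-line comment above the call, `# entrypoint on mountpoint types so bind-mounted home/tmp contents can start the sandbox`, would record the reasoning for the next reader.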
@@ -94971,10 +95032,10 @@ index 0000000..3e89d71
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..3dc39bf
+index 0000000..24cb7ca
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,506 @@
+@@ -0,0 +1,508 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -95146,10 +95207,12 @@ index 0000000..3dc39bf
+
+files_search_home(sandbox_x_domain)
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
-+files_entrypoint_all_files(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+++corecmd_entrypoint_all_executables(sandbox_x_domain)
+++files_entrypoint_all_mountpoint(sandbox_x_domain)
++
+fs_getattr_tmpfs(sandbox_x_domain)
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
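Review bot: The three lines added after `files_read_usr_symlinks(sandbox_x_domain)` carry one `+` too many: sandboxX.te is a new-file diff where every line is `+` plus content, so as rendered here the file would receive `+corecmd_entrypoint_all_executables(sandbox_x_domain)`, `+files_entrypoint_all_mountpoint(sandbox_x_domain)` and a stray `+` on the blank line, which is not valid policy syntax and should fail when the module is compiled. The same change in the sandbox.te hunk has the right number of markers, so this looks like a copy error rather than intent. Unless this is an artifact of how the patch was rendered, drop one `+` from each of the three lines so the file content is `corecmd_entrypoint_all_executables(sandbox_x_domain)` and `files_entrypoint_all_mountpoint(sandbox_x_domain)`.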
@@ -96934,7 +96997,7 @@ index d14b6bf..da5d41d 100644
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 35ad2a7..6b75e85 100644
+index 35ad2a7..afdc7da 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
@@ -97111,7 +97174,15 @@ index 35ad2a7..6b75e85 100644
##
##
##
-@@ -265,8 +321,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
+@@ -231,7 +287,6 @@ interface(`sendmail_manage_log',`
+ #
+ interface(`sendmail_create_log',`
+ refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
+- sendmail_log_filetrans_sendmail_log($1, $2, $3)
+ ')
+
+ ########################################
+@@ -265,8 +320,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
########################################
##
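Review bot: Dropping the forwarding call leaves `sendmail_create_log` as a deprecated wrapper that only prints a warning, so a module that still calls it now builds but silently loses the sendmail_log_t file transition it asked for. If the call was removed because the replacement's parameter list no longer matches (its definition is outside this hunk), the fix is to forward with the right arguments rather than to drop the call. If a no-op is really intended, say so in the warning, e.g. `refpolicywarn(`$0($*) has been deprecated and is now a no-op, use sendmail_log_filetrans_sendmail_log() instead.')`, so callers know to migrate rather than assume the transition is still applied.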
@@ -97121,7 +97192,7 @@ index 35ad2a7..6b75e85 100644
##
##
##
-@@ -285,58 +340,27 @@ interface(`sendmail_manage_tmp_files',`
+@@ -285,58 +339,27 @@ interface(`sendmail_manage_tmp_files',`
########################################
##
@@ -97188,7 +97259,7 @@ index 35ad2a7..6b75e85 100644
##
##
##
-@@ -355,12 +379,17 @@ interface(`sendmail_admin',`
+@@ -355,12 +378,17 @@ interface(`sendmail_admin',`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
type sendmail_keytab_t;
@@ -97209,7 +97280,7 @@ index 35ad2a7..6b75e85 100644
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
-@@ -376,6 +405,6 @@ interface(`sendmail_admin',`
+@@ -376,6 +404,6 @@ interface(`sendmail_admin',`
files_list_pids($1)
admin_pattern($1, sendmail_var_run_t)
@@ -109332,10 +109403,10 @@ index 3d11c6a..b19a117 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index a4f20bc..c88e3e4 100644
+index a4f20bc..d8b1fd1 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,51 +1,103 @@
+@@ -1,51 +1,109 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -109358,11 +109429,13 @@ index a4f20bc..c88e3e4 100644
-/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
++/etc/libvirt/virtlogd.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0)
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
-/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/virtlogd -- gen_context(system_u:object_r:virtlogd_initrc_exec_t,s0)
+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
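Review bot: The new `/etc/libvirt/virtlogd.conf` entry leaves the dot unescaped, unlike the neighbouring `libvirtd\.pid` and `init\.d` entries, so it is a regex that also matches `/etc/libvirt/virtlogdXconf`. Harmless in practice, but for consistency with the rest of the file write it as `/etc/libvirt/virtlogd\.conf -- gen_context(system_u:object_r:virtlogd_etc_t,s0)`.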
@@ -109388,7 +109461,7 @@ index a4f20bc..c88e3e4 100644
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
-+/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0)
+/usr/bin/virt-who -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -109407,24 +109480,34 @@ index a4f20bc..c88e3e4 100644
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+
+
+-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_var_run_t,s0)
+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+# support for AEOLUS project
+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -109434,15 +109517,7 @@ index a4f20bc..c88e3e4 100644
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/rkt/cas(/.*)? gen_context(system_u:object_r:container_image_t,s0)
-
--/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
--/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
--/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
+# add support vios-proxy-*
+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -109466,6 +109541,8 @@ index a4f20bc..c88e3e4 100644
+
+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
+
++/usr/lib/systemd/system/*virtlogd.* gen_context(system_u:object_r:virtlogd_unit_file_t,s0)
++
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
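Review bot: As far as I can tell the new `/usr/lib/systemd/system/*virtlogd.*` entry never takes effect for `virtlogd.service`: the existing `/usr/lib/systemd/system/virt.*\.service -- virtd_unit_file_t` line two lines below also matches it, has the longer literal prefix (`.../system/virt` versus `.../system/`) and comes later in the file, and file_contexts precedence prefers the longer stem and then the later entry, so the unit keeps `virtd_unit_file_t`. The pattern is also looser than its neighbours (`*` directly after the slash, unescaped `.`, no `--` class field). Suggest `/usr/lib/systemd/system/virtlogd.*\.service -- gen_context(system_u:object_r:virtlogd_unit_file_t,s0)` placed after the `virt.*\.service` line, plus a `\.socket` variant if virtlogd ships a socket unit.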
@@ -109478,10 +109555,10 @@ index a4f20bc..c88e3e4 100644
+/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index facdee8..280e040 100644
+index facdee8..816d860 100644
--- a/virt.if
+++ b/virt.if
-@@ -1,318 +1,226 @@
+@@ -1,318 +1,231 @@
-## Libvirt virtualization API.
+## Libvirt virtualization API
@@ -109652,6 +109729,7 @@ index facdee8..280e040 100644
+ attribute virt_tmpfs_type;
+ attribute virt_ptynode;
+ type qemu_exec_t;
++ type virtlogd_t;
')
- corecmd_search_bin($1)
@@ -109674,6 +109752,10 @@ index facdee8..280e040 100644
+
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty($1_t, $1_devpts_t)
++
++ # Allow domain to write to pipes connected to virtlogd
++ allow $1_t virtlogd_t:fd use;
++ allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
@@ -109897,7 +109979,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -320,18 +228,17 @@ interface(`virt_run_svirt_lxc_domain',`
+@@ -320,18 +233,17 @@ interface(`virt_run_svirt_lxc_domain',`
##
##
#
@@ -109921,7 +110003,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -339,18 +246,18 @@ interface(`virt_getattr_virtd_exec_files',`
+@@ -339,18 +251,18 @@ interface(`virt_getattr_virtd_exec_files',`
##
##
#
@@ -109945,7 +110027,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -358,18 +265,18 @@ interface(`virt_stream_connect',`
+@@ -358,18 +270,18 @@ interface(`virt_stream_connect',`
##
##
#
@@ -109968,7 +110050,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -383,7 +290,6 @@ interface(`virt_read_config',`
+@@ -383,7 +295,6 @@ interface(`virt_read_config',`
')
files_search_etc($1)
@@ -109976,7 +110058,7 @@ index facdee8..280e040 100644
read_files_pattern($1, virt_etc_t, virt_etc_t)
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -391,8 +297,7 @@ interface(`virt_read_config',`
+@@ -391,8 +302,7 @@ interface(`virt_read_config',`
########################################
##
@@ -109986,7 +110068,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -406,7 +311,6 @@ interface(`virt_manage_config',`
+@@ -406,7 +316,6 @@ interface(`virt_manage_config',`
')
files_search_etc($1)
@@ -109994,7 +110076,7 @@ index facdee8..280e040 100644
manage_files_pattern($1, virt_etc_t, virt_etc_t)
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
-@@ -414,8 +318,25 @@ interface(`virt_manage_config',`
+@@ -414,8 +323,25 @@ interface(`virt_manage_config',`
########################################
##
@@ -110022,7 +110104,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -434,6 +355,7 @@ interface(`virt_read_content',`
+@@ -434,6 +360,7 @@ interface(`virt_read_content',`
read_files_pattern($1, virt_content_t, virt_content_t)
read_lnk_files_pattern($1, virt_content_t, virt_content_t)
read_blk_files_pattern($1, virt_content_t, virt_content_t)
@@ -110030,7 +110112,7 @@ index facdee8..280e040 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -450,8 +372,7 @@ interface(`virt_read_content',`
+@@ -450,8 +377,7 @@ interface(`virt_read_content',`
########################################
##
@@ -110040,7 +110122,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -459,35 +380,17 @@ interface(`virt_read_content',`
+@@ -459,35 +385,17 @@ interface(`virt_read_content',`
##
##
#
@@ -110079,7 +110161,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -495,53 +398,38 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +403,38 @@ interface(`virt_manage_virt_content',`
##
##
#
@@ -110144,7 +110226,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -549,34 +437,21 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +442,21 @@ interface(`virt_home_filetrans_virt_content',`
##
##
#
@@ -110187,7 +110269,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -584,32 +459,36 @@ interface(`virt_manage_svirt_home_content',`
+@@ -584,32 +464,36 @@ interface(`virt_manage_svirt_home_content',`
##
##
#
@@ -110224,19 +110306,19 @@ index facdee8..280e040 100644
##
-##
+##
- ##
--## Class of the object being created.
++##
+## Type to which the created node will be transitioned.
+##
+##
+##
-+##
+ ##
+-## Class of the object being created.
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
##
##
##
-@@ -618,54 +497,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +502,36 @@ interface(`virt_relabel_svirt_home_content',`
##
##
#
@@ -110300,7 +110382,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -673,54 +534,472 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +539,472 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -110539,14 +110621,13 @@ index facdee8..280e040 100644
+interface(`virt_rw_chr_files',`
+ gen_require(`
+ attribute virt_image_type;
- ')
++ ')
+
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
- ')
-
- ########################################
- ##
--## Relabel virt home content.
++')
++
++########################################
++##
+## Create, read, write, and delete
+## svirt cache files.
+##
@@ -110669,13 +110750,14 @@ index facdee8..280e040 100644
+interface(`virt_exec_sandbox_files',`
+ gen_require(`
+ type svirt_sandbox_file_t;
-+ ')
+ ')
+
+ can_exec($1, svirt_sandbox_file_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Relabel virt home content.
+## Allow any svirt_sandbox_file_t to be an entrypoint of this domain
+##
+##
@@ -110795,7 +110877,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -728,52 +1007,80 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +1012,80 @@ interface(`virt_manage_generic_virt_home_content',`
##
##
#
@@ -110896,7 +110978,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -781,19 +1088,17 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +1093,17 @@ interface(`virt_home_filetrans_virt_home',`
##
##
#
@@ -110920,7 +111002,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -801,18 +1106,17 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +1111,17 @@ interface(`virt_read_pid_files',`
##
##
#
@@ -110943,7 +111025,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -820,18 +1124,17 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +1129,17 @@ interface(`virt_manage_pid_files',`
##
##
#
@@ -110966,7 +111048,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -839,20 +1142,17 @@ interface(`virt_search_lib',`
+@@ -839,20 +1147,17 @@ interface(`virt_search_lib',`
##
##
#
@@ -110991,7 +111073,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -860,74 +1160,123 @@ interface(`virt_read_lib_files',`
+@@ -860,74 +1165,123 @@ interface(`virt_read_lib_files',`
##
##
#
@@ -111139,7 +111221,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -935,117 +1284,153 @@ interface(`virt_read_log',`
+@@ -935,117 +1289,153 @@ interface(`virt_read_log',`
##
##
#
@@ -111344,7 +111426,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -1053,15 +1438,17 @@ interface(`virt_rw_all_image_chr_files',`
+@@ -1053,15 +1443,17 @@ interface(`virt_rw_all_image_chr_files',`
##
##
#
@@ -111367,7 +111449,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -1069,21 +1456,17 @@ interface(`virt_manage_svirt_cache',`
+@@ -1069,21 +1461,17 @@ interface(`virt_manage_svirt_cache',`
##
##
#
@@ -111393,7 +111475,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -1091,36 +1474,36 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,36 +1479,36 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -111450,7 +111532,7 @@ index facdee8..280e040 100644
##
##
##
-@@ -1136,50 +1519,76 @@ interface(`virt_manage_images',`
+@@ -1136,50 +1524,76 @@ interface(`virt_manage_images',`
#
interface(`virt_admin',`
gen_require(`
@@ -111560,10 +111642,10 @@ index facdee8..280e040 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..ae377ac 100644
+index f03dcf5..2a1d3e5 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,234 @@
+@@ -1,451 +1,395 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -111860,6 +111942,23 @@ index f03dcf5..ae377ac 100644
type virtd_keytab_t;
files_type(virtd_keytab_t)
++type virtlogd_t, virt_system_domain;
++type virtlogd_exec_t, virt_file_type;
++init_daemon_domain(virtlogd_t, virtlogd_exec_t)
++
++type virtlogd_etc_t, virt_file_type;
++files_config_file(virtlogd_etc_t)
++
++type virtlogd_var_run_t, virt_file_type;
++files_pid_file(virtlogd_var_run_t)
++
++type virtlogd_unit_file_t, virt_file_type;
++systemd_unit_file(virtlogd_unit_file_t)
++
++type virtlogd_initrc_exec_t, virt_file_type;
++init_script_file(virtlogd_initrc_exec_t)
++
++
+type qemu_var_run_t, virt_file_type;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
@@ -111867,9 +111966,12 @@ index f03dcf5..ae377ac 100644
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
++ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +237,140 @@ ifdef(`enable_mls',`
+
+ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
++ init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh)
')
-type virt_qmf_t;
@@ -112126,34 +112228,34 @@ index f03dcf5..ae377ac 100644
-
-dontaudit svirt_t virt_content_t:file write_file_perms;
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
--
++allow svirt_t self:process ptrace;
+
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-+allow svirt_t self:process ptrace;
-
+-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
+-
+-corenet_udp_sendrecv_generic_if(svirt_t)
+-corenet_udp_sendrecv_generic_node(svirt_t)
+-corenet_udp_sendrecv_all_ports(svirt_t)
+-corenet_udp_bind_generic_node(svirt_t)
+# it was a part of auth_use_nsswitch
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
- corenet_udp_sendrecv_generic_if(svirt_t)
- corenet_udp_sendrecv_generic_node(svirt_t)
- corenet_udp_sendrecv_all_ports(svirt_t)
- corenet_udp_bind_generic_node(svirt_t)
--
-corenet_all_recvfrom_unlabeled(svirt_t)
-corenet_all_recvfrom_netlabel(svirt_t)
-corenet_tcp_sendrecv_generic_if(svirt_t)
--corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_if(svirt_t)
-corenet_tcp_sendrecv_generic_node(svirt_t)
--corenet_udp_sendrecv_generic_node(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
-corenet_tcp_sendrecv_all_ports(svirt_t)
--corenet_udp_sendrecv_all_ports(svirt_t)
+ corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
--corenet_udp_bind_generic_node(svirt_t)
+ corenet_udp_bind_generic_node(svirt_t)
-
-corenet_sendrecv_all_server_packets(svirt_t)
corenet_udp_bind_all_ports(svirt_t)
@@ -112249,7 +112351,7 @@ index f03dcf5..ae377ac 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +380,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +399,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -112296,24 +112398,26 @@ index f03dcf5..ae377ac 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,23 +415,20 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,23 +434,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
++# libvirtd is permitted to talk to virtlogd
++stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)
+
+-can_exec(virtd_t, virt_tmp_t)
+
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
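Review bot: `stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_var_run_t, virtlogd_t)` only matches if the socket under `/var/run/libvirt` actually carries `virtlogd_var_run_t` at runtime, yet it is created inside a `virt_var_run_t` directory by virtlogd_t; unless the virtlogd local policy (which starts outside this hunk) has a named transition such as `filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, sock_file, "virtlogd-sock")`, the socket will inherit `virt_var_run_t` and libvirtd's connect will be denied until a relabel. Please confirm that transition exists alongside the `virtlogd-sock -s` file context added in virt.fc, and consider a comment on this line noting the dependency.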
@@ -112327,7 +112431,7 @@ index f03dcf5..ae377ac 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +436,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +459,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -112355,7 +112459,7 @@ index f03dcf5..ae377ac 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,20 +456,26 @@ dev_rw_vhost(virtd_t)
+@@ -555,20 +479,26 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -112386,7 +112490,7 @@ index f03dcf5..ae377ac 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_all_fs(virtd_t)
fs_rw_anon_inodefs_files(virtd_t)
-@@ -601,15 +508,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +531,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -112406,7 +112510,7 @@ index f03dcf5..ae377ac 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +530,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +553,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -112443,7 +112547,7 @@ index f03dcf5..ae377ac 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +558,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +581,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -112452,7 +112556,7 @@ index f03dcf5..ae377ac 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +583,12 @@ optional_policy(`
+@@ -665,20 +606,12 @@ optional_policy(`
')
optional_policy(`
@@ -112473,7 +112577,7 @@ index f03dcf5..ae377ac 100644
')
optional_policy(`
-@@ -691,20 +601,26 @@ optional_policy(`
+@@ -691,20 +624,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -112504,7 +112608,7 @@ index f03dcf5..ae377ac 100644
')
optional_policy(`
-@@ -712,11 +628,18 @@ optional_policy(`
+@@ -712,11 +651,18 @@ optional_policy(`
')
optional_policy(`
@@ -112523,24 +112627,26 @@ index f03dcf5..ae377ac 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,7 +650,15 @@ optional_policy(`
+@@ -727,10 +673,18 @@ optional_policy(`
')
optional_policy(`
-- sasl_connect(virtd_t)
+ sanlock_stream_connect(virtd_t)
+')
+
+optional_policy(`
-+ sasl_connect(virtd_t)
+ sasl_connect(virtd_t)
+ ')
+
+ optional_policy(`
++ setrans_manage_pid_files(virtd_t)
+')
+
+optional_policy(`
-+ setrans_manage_pid_files(virtd_t)
- ')
+ kernel_read_xen_state(virtd_t)
+ kernel_write_xen_state(virtd_t)
- optional_policy(`
-@@ -746,44 +677,278 @@ optional_policy(`
+@@ -746,44 +700,321 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -112551,33 +112657,24 @@ index f03dcf5..ae377ac 100644
########################################
#
-# Virsh local policy
-+# virtual domains common policy
++# virtlogd local policy
#
-+allow virt_domain self:capability2 compromise_kernel;
-+allow virt_domain self:process { setrlimit signal_perms getsched setsched };
-+allow virt_domain self:fifo_file rw_fifo_file_perms;
-+allow virt_domain self:shm create_shm_perms;
-+allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };
-+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
-+allow virt_domain self:tcp_socket create_stream_socket_perms;
-+allow virt_domain self:udp_socket create_socket_perms;
-+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
-allow virsh_t self:tcp_socket { accept listen };
-+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
-+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
-+dontaudit virt_domain virt_content_t:file write_file_perms;
-+dontaudit virt_domain virt_content_t:dir write;
++# virtlogd is allowed to manage files it creates in /var/run/libvirt
++manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-+kernel_read_net_sysctls(virt_domain)
-+kernel_read_network_state(virt_domain)
++# virtlogd needs to read /etc/libvirt/virtlogd.conf only
++allow virtlogd_t virtlogd_etc_t:file read_file_perms;
++files_search_etc(virtlogd_t)
++allow virtlogd_t virt_etc_t:dir search;
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -112585,6 +112682,64 @@ index f03dcf5..ae377ac 100644
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++# virtlogd creates /var/run/libvirt/virtlogd-sock with isolated
++# context from other stuff in /var/run/libvirt
++filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t, { sock_file })
++# This lets systemd create the socket itself too
+
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++# virtlogd creates a /var/run/virtlogd.pid file
++allow virtlogd_t virtlogd_var_run_t:file manage_file_perms;
++manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)
++files_pid_filetrans(virtlogd_t, virtlogd_var_run_t, file)
+
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++kernel_read_network_state(virtlogd_t)
+
+-allow virsh_t svirt_lxc_domain:process transition;
++allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;
+
+-can_exec(virsh_t, virsh_exec_t)
++dev_read_sysfs(virtlogd_t)
++
++logging_send_syslog_msg(virtlogd_t)
++
++auth_use_nsswitch(virtlogd_t)
++
++manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t)
++
++
++# Allow virtlogd to look at /proc/$PID/status
++# to authenticate the connecting libvirtd
++allow virtlogd_t virtd_t:dir list_dir_perms;
++allow virtlogd_t virtd_t:file read_file_perms;
++allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
++
++
++########################################
++#
++# virtual domains common policy
++#
++allow virt_domain self:capability2 compromise_kernel;
++allow virt_domain self:process { setrlimit signal_perms getsched setsched };
++allow virt_domain self:fifo_file rw_fifo_file_perms;
++allow virt_domain self:shm create_shm_perms;
++allow virt_domain self:unix_stream_socket { connectto create_stream_socket_perms };
++allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
++allow virt_domain self:tcp_socket create_stream_socket_perms;
++allow virt_domain self:udp_socket create_socket_perms;
++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
++
++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
++read_files_pattern(virt_domain, virt_content_t, virt_content_t)
++dontaudit virt_domain virt_content_t:file write_file_perms;
++dontaudit virt_domain virt_content_t:dir write;
+
++kernel_read_net_sysctls(virt_domain)
++kernel_read_network_state(virt_domain)
++
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
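Review bot: The comment `# This lets systemd create the socket itself too` on the new side is followed only by a blank line, so it documents a rule that is not in the patch; either the socket-activation rule it refers to should follow it (presumably the init socket-activation interface for virtlogd_var_run_t under virt_var_run_t — confirm against init.if) or the comment should be dropped so the next reader does not assume that grant exists. Relatedly, `manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_var_run_t)` sits under `# virtlogd creates a /var/run/virtlogd.pid file` although it is the socket rule, not the pid-file rule; moving it up under the virtlogd-sock comment keeps each comment next to the rule it explains. The three `allow virtlogd_t virtd_t:...` rules under `# Allow virtlogd to look at /proc/$PID/status` grant read on every virtd_t-labelled /proc entry (cmdline, environ, maps, ...), not only status, so the comment understates the grant; `# read access covers all of /proc/$PID for libvirtd, not only status` would make that explicit.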
@@ -112594,15 +112749,11 @@ index f03dcf5..ae377ac 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
-
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
++
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -112634,11 +112785,9 @@ index f03dcf5..ae377ac 100644
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
-
--allow virsh_t svirt_lxc_domain:process transition;
++
+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
--can_exec(virsh_t, virsh_exec_t)
++
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
@@ -112696,7 +112845,7 @@ index f03dcf5..ae377ac 100644
+term_getattr_pty_fs(virt_domain)
+term_use_generic_ptys(virt_domain)
+term_use_ptmx(virt_domain)
-
++
+tunable_policy(`virt_use_execmem',`
+ allow virt_domain self:process { execmem execstack };
+')
@@ -112841,7 +112990,7 @@ index f03dcf5..ae377ac 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +959,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +1025,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -112868,7 +113017,7 @@ index f03dcf5..ae377ac 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +979,25 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +1045,25 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -112885,10 +113034,10 @@ index f03dcf5..ae377ac 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
-+
-+auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
++auth_read_passwd(virsh_t)
++
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -112902,7 +113051,7 @@ index f03dcf5..ae377ac 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +1016,20 @@ optional_policy(`
+@@ -856,14 +1082,20 @@ optional_policy(`
')
optional_policy(`
@@ -112924,7 +113073,7 @@ index f03dcf5..ae377ac 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +1054,65 @@ optional_policy(`
+@@ -888,49 +1120,66 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -112958,7 +113107,8 @@ index f03dcf5..ae377ac 100644
+allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
-+files_entrypoint_all_files(virtd_lxc_t)
++corecmd_entrypoint_all_executables(virtd_lxc_t)
++files_entrypoint_all_mountpoint(virtd_lxc_t)
allow virtd_lxc_t virt_image_type:dir mounton;
manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
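Review bot: Replacing `files_entrypoint_all_files(virtd_lxc_t)` with `corecmd_entrypoint_all_executables(virtd_lxc_t)` plus `files_entrypoint_all_mountpoint(virtd_lxc_t)` is a least-privilege tightening that carries no comment saying why mount points still need entrypoint, so a later denial is likely to be fixed by widening it back to all files; a one-line comment such as `# container roots are mount points, so entrypoint is needed there as well as on executables` (confirm that this is the actual reason) would preserve the intent. The same replacement appears in the svirt_sandbox_domain hunk (@@ -113175,7 +113325,10) and should carry the same comment. Both hunks depend on `files_entrypoint_all_mountpoint()` and `corecmd_entrypoint_all_executables()`, which the changelog in this same commit lists as newly added interfaces, so the contrib patch only builds against a base policy that already carries those additions.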
@@ -113008,7 +113158,7 @@ index f03dcf5..ae377ac 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1124,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1191,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -113028,7 +113178,7 @@ index f03dcf5..ae377ac 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1145,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1212,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -113052,7 +113202,7 @@ index f03dcf5..ae377ac 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1170,352 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1237,355 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -113175,7 +113325,10 @@ index f03dcf5..ae377ac 100644
+files_search_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
-+files_entrypoint_all_files(svirt_sandbox_domain)
++
++files_entrypoint_all_mountpoint(svirt_sandbox_domain)
++corecmd_entrypoint_all_executables(svirt_sandbox_domain)
++
+files_list_var(svirt_sandbox_domain)
+files_list_var_lib(svirt_sandbox_domain)
+files_search_all(svirt_sandbox_domain)
@@ -113216,6 +113369,23 @@ index f03dcf5..ae377ac 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
++
++optional_policy(`
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ gear_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++')
++
++optional_policy(`
++ ssh_use_ptys(svirt_sandbox_domain)
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -113300,30 +113470,11 @@ index f03dcf5..ae377ac 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ gear_read_pid_files(svirt_sandbox_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
- ')
-
- optional_policy(`
-- apache_exec_modules(svirt_lxc_domain)
-- apache_read_sys_content(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@@ -113345,9 +113496,11 @@ index f03dcf5..ae377ac 100644
+ fs_manage_fusefs_dirs(svirt_sandbox_domain)
+ fs_manage_fusefs_files(svirt_sandbox_domain)
+ fs_manage_fusefs_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- apache_exec_modules(svirt_lxc_domain)
+- apache_read_sys_content(svirt_lxc_domain)
+ docker_read_share_files(svirt_sandbox_domain)
+ docker_exec_share_files(svirt_sandbox_domain)
+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
@@ -113500,7 +113653,8 @@ index f03dcf5..ae377ac 100644
+
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
@@ -113518,8 +113672,7 @@ index f03dcf5..ae377ac 100644
+fs_manage_cgroup_files(svirt_qemu_net_t)
+
+term_pty(svirt_sandbox_file_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+auth_use_nsswitch(svirt_qemu_net_t)
+
+rpm_read_db(svirt_qemu_net_t)
@@ -113546,7 +113699,7 @@ index f03dcf5..ae377ac 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1528,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1598,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -113561,7 +113714,7 @@ index f03dcf5..ae377ac 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,7 +1546,7 @@ optional_policy(`
+@@ -1192,7 +1616,7 @@ optional_policy(`
########################################
#
@@ -113570,7 +113723,7 @@ index f03dcf5..ae377ac 100644
#
allow virt_bridgehelper_t self:process { setcap getcap };
-@@ -1201,11 +1555,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
+@@ -1201,11 +1625,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4bd4dee..e698fb2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 179%{?dist}
+Release: 180%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -653,6 +653,44 @@ exit 0
%endif
%changelog
+* Wed Mar 30 2016 Lukas Vrabec 3.13.1-180
+- Allow dovecot_auth_t domain to manage also dovecot_var_run_t fifo files. BZ(1320415)
+- Allow colord to read /etc/udev/hwdb.bin. rhzb#1316514
+- sandboxX.te: Allow sandbox domain to have entrypoint access only for executables and mountpoints.
+- Allow sandbox domain to have entrypoint access only for executables and mountpoints.
+- Allow bitlee to create bitlee_var_t dirs.
+- Allow CIM provider to read sssd public files.
+- Fix some broken interfaces in distro policy.
+- Allow power button to shutdown the laptop.
+- Allow lsm plugins to create named fixed disks. rhbz#1238066
+- Allow hyperv domains to rw hyperv devices. rhbz#1241636
+- Label /var/www/html(/.*)?/wp_backups(/.*)? as httpd_sys_rw_content_t.
+- Create conman_unconfined_script_t type for conman script stored in /use/share/conman/exec/
+- Allow rsync_export_all_ro boolean to read also non_auth_dirs/files/symlinks.
+- Allow pmdaapache labeled as pcp_pmcd_t access to port 80 for apache diagnostics
+- Label nagios scripts as httpd_sys_script_exec_t.
+- Allow nsd_t to bind on nsf_control tcp port. Allow nsd_crond_t to read nsd pid.
+- Fix couple of cosmetic thing in new virtlogd_t policy. rhbz #1311576
+- Merge pull request #104 from berrange/rawhide-contrib-virtlogd
+- Label /var/run/ecblp0 as cupsd_var_run_t due to this fifo_file is used by epson drivers. rhbz#1310336
+- Dontaudit logrotate to setrlimit itself. rhbz#1309604
+- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
+- Allow pcp_pmie and pcp_pmlogger to read all domains state.
+- Allow systemd-gpt-generator to create and manage systemd gpt generator unit files. BZ(1319446)
+- Merge pull request #115 from rhatdan/nvidea
+- Label all nvidia binaries as xserver_exec_t
+- Add new systemd_hwdb_read_config() interface. rhbz#1316514
+- Add back corecmd_read_all_executables() interface.
+- Call files_type() instead of file_type() for unlabeled_t.
+- Add files_entrypoint_all_mountpoint() interface.
+- Make unlabeled only as a file_type type. It is a type for fallback if there is an issue with labeling.
+- Add corecmd_entrypoint_all_executables() interface.
+- Create hyperv* devices and create rw interfaces for this devices. rhbz#1309361
+- Add neverallow assertion for unlabaled_t to increase policy security.
+- Allow systemd-rfkill to create /var/lib/systemd/rfkill dir. rhbz#1319499
+- Label 8952 tcp port as nsd_control.
+- Allow to log out to gdm after screen was resized in session via vdagent. Resolves: rhbz#1249020
+
* Wed Mar 16 2016 Lukas Vrabec 3.13.1-179
- Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content() interface.
- Revert "Add filename transition that /etc/princap will be created with cupsd_rw_etc_t label in cups_filetrans_named_content."