diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 35c2662..251805a 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1593fb5..337540a 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -11023,7 +11023,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..f0133ab 100644
+index f962f76..917b5b2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11279,7 +11279,32 @@ index f962f76..f0133ab 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',`
+@@ -545,6 +711,24 @@ interface(`files_write_non_security_dirs',`
+
+
+ ########################################
+ ##
++## Allow attempts to setattr any directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir { read setattr };
++')
++
++########################################
++##
+ ## Allow attempts to manage non-security directories
+ ##
+ ##
+@@ -582,6 +766,42 @@ interface(`files_getattr_all_files',`
########################################
##
@@ -11322,7 +11347,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to get the attributes
## of all files.
##
-@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +840,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
##
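Review bot: The summary on the new files_setattr_non_security_dirs interface says `Allow attempts to setattr any directory`, but the rule it introduces, `allow $1 non_security_file_type:dir { read setattr };`, also grants `read` (directory listing) on every non_security_file_type directory, which is broader than the name and the doc text state. If listing is not actually needed by the caller, narrow it to `allow $1 non_security_file_type:dir setattr;`; otherwise document it, e.g. `## Allow attempts to read and setattr any non-security directory`. The `<summary>`/`<param>` XML tags appear to have been stripped by the page rendering, so their markup could not be checked here. The other hunks on this page only shift inner hunk offsets and relocate existing interfaces within the patch, so they carry no separate point.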
@@ -11386,7 +11411,7 @@ index f962f76..f0133ab 100644 ## Read all files. ## ## -@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',` +@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -11504,7 +11529,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',` +@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',` ## ## # @@ -11566,23 +11591,19 @@ index f962f76..f0133ab 100644 +## +## The types to be excluded. Each type or attribute +## must be negated by the caller. - ## - ## - # --interface(`files_dontaudit_read_all_symlinks',` ++## ++## ++# +interface(`files_read_all_dirs_except',` - gen_require(` - attribute file_type; - ') - -- dontaudit $1 file_type:lnk_file read; ++ gen_require(` ++ attribute file_type; ++ ') ++ + allow $1 { file_type $2 }:dir list_dir_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of non security symbolic links. ++') ++ ++######################################## ++## +## Read all files on the filesystem, except +## the listed exceptions. +## @@ -11675,25 +11696,10 @@ index f962f76..f0133ab 100644 +## +## +## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_read_all_symlinks',` -+ gen_require(` -+ attribute file_type; -+ ') -+ -+ dontaudit $1 file_type:lnk_file read; -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of non security symbolic links. - ## - ## - ## -@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` + ## + ## + # +@@ -953,6 +1343,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## 
@@ -11719,7 +11725,7 @@ index f962f76..f0133ab 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1400,44 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -11764,7 +11770,7 @@ index f962f76..f0133ab 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',` +@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -11781,7 +11787,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',` +@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',` # satisfy the assertions: seutil_create_bin_policy($1) files_manage_kernel_modules($1) @@ -11790,7 +11796,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -1182,24 +1612,6 @@ interface(`files_list_all',` +@@ -1182,24 +1630,6 @@ interface(`files_list_all',` ######################################## ## @@ -11815,7 +11821,7 @@ index f962f76..f0133ab 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',` +@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',` relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) 
@@ -11826,7 +11832,7 @@ index f962f76..f0133ab 100644 ') ############################################# -@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',` +@@ -1601,6 +2031,24 @@ interface(`files_setattr_all_mountpoints',` ######################################## ## @@ -11851,7 +11857,7 @@ index f962f76..f0133ab 100644 ## Do not audit attempts to set the attributes on all mount points. ## ## -@@ -1691,44 +2121,44 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1691,44 +2139,44 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -11910,7 +11916,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -1736,94 +2166,223 @@ interface(`files_list_root',` +@@ -1736,79 +2184,208 @@ interface(`files_list_root',` ## ## # @@ -12004,24 +12010,19 @@ index f962f76..f0133ab 100644 # -interface(`files_dontaudit_read_root_files',` +interface(`files_write_all_dirs',` - gen_require(` -- type root_t; ++ gen_require(` + attribute file_type; - ') - -- dontaudit $1 root_t:file { getattr read }; ++ ') ++ + allow $1 file_type:dir write; - ') - - ######################################## - ## --## Do not audit attempts to read or write --## files in the root directory. ++') ++ ++######################################## ++## +## List the contents of the root directory. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. +## +## 
@@ -12155,25 +12156,10 @@ index f962f76..f0133ab 100644 +## +# +interface(`files_dontaudit_read_root_files',` -+ gen_require(` -+ type root_t; -+ ') -+ -+ dontaudit $1 root_t:file { getattr read }; -+') -+ -+######################################## -+## -+## Do not audit attempts to read or write -+## files in the root directory. -+## -+## -+## -+## Domain to not audit. - ## - ## - # -@@ -1892,25 +2451,25 @@ interface(`files_delete_root_dir_entry',` + gen_require(` + type root_t; + ') +@@ -1892,25 +2469,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -12205,7 +12191,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -1923,7 +2482,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2500,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -12214,7 +12200,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -1946,6 +2505,42 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2523,42 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -12257,7 +12243,7 @@ index f962f76..f0133ab 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2776,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2794,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -12282,7 +12268,7 @@ index f962f76..f0133ab 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3258,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3276,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -12307,7 +12293,7 @@ index f962f76..f0133ab 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3347,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3365,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) 
@@ -12315,7 +12301,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -2724,7 +3356,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3374,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -12324,7 +12310,7 @@ index f962f76..f0133ab 100644 ## ## # -@@ -2780,6 +3412,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3430,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -12350,7 +12336,7 @@ index f962f76..f0133ab 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3449,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3467,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -12375,7 +12361,7 @@ index f962f76..f0133ab 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3632,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3650,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -12400,7 +12386,7 @@ index f962f76..f0133ab 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3672,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3690,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -12411,7 +12397,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -3031,18 +3680,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3698,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -12433,7 +12419,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -3060,6 +3708,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3726,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## 
@@ -12460,7 +12446,7 @@ index f962f76..f0133ab 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3745,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3763,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -12468,7 +12454,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3098,6 +3767,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3785,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -12476,7 +12462,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3142,10 +3812,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3830,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -12527,7 +12513,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3161,10 +3869,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3887,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` @@ -12540,7 +12526,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3180,10 +3888,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3906,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` @@ -12553,7 +12539,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3199,10 +3907,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3925,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` 
@@ -12566,7 +12552,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3218,10 +3926,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3944,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -12635,7 +12621,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3237,10 +4001,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +4019,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -12648,7 +12634,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3256,10 +4020,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +4038,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -12680,7 +12666,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3275,10 +4058,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +4076,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -12693,7 +12679,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3294,10 +4077,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +4095,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -12706,7 +12692,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3313,10 +4096,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4114,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` 
@@ -12719,7 +12705,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3332,10 +4115,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4133,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -12732,7 +12718,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3351,10 +4134,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4152,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -12745,7 +12731,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3370,10 +4153,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4171,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -12758,7 +12744,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3389,10 +4172,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4190,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -12771,7 +12757,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3408,10 +4191,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4209,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -12784,7 +12770,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3427,10 +4210,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4228,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` 
@@ -12797,7 +12783,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3446,10 +4229,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4247,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -12810,7 +12796,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3465,10 +4248,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4266,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -12842,7 +12828,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3484,10 +4286,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4304,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -12855,7 +12841,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3503,10 +4305,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4323,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -12868,7 +12854,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -3552,6 +4354,27 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3552,6 +4372,27 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## @@ -12896,7 +12882,7 @@ index f962f76..f0133ab 100644 ## Search home directories root (/home). ## ## -@@ -3814,20 +4637,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4655,38 @@ interface(`files_list_mnt',` ###################################### ## 
@@ -12940,7 +12926,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -4012,6 +4853,12 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4871,12 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) @@ -12953,7 +12939,7 @@ index f962f76..f0133ab 100644 ') ######################################## -@@ -4217,192 +5064,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,192 +5082,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13213,12 +13199,11 @@ index f962f76..f0133ab 100644 ######################################## ## -## Read files in the tmp directory (/tmp). --## --## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). -+## + ## +-## +## ## -## Domain allowed access. @@ -13269,7 +13254,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -4410,53 +5283,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4410,53 +5301,56 @@ interface(`files_manage_generic_tmp_dirs',` ## ## # @@ -13338,7 +13323,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -4464,77 +5340,93 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4464,77 +5358,93 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -13456,7 +13441,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -4542,110 +5434,116 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4542,110 +5452,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # 
@@ -13573,40 +13558,25 @@ index f962f76..f0133ab 100644 -## -## -## -+# -+interface(`files_manage_generic_tmp_files',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ manage_files_pattern($1, tmp_t, tmp_t) -+') -+ -+######################################## -+## -+## Read symbolic links in the tmp directory (/tmp). -+## -+## - ## +-## -## The name of the object being created. -+## Domain allowed access. - ## - ## +-## +-## # -interface(`files_tmp_filetrans',` -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_manage_generic_tmp_files',` gen_require(` type tmp_t; ') - filetrans_pattern($1, tmp_t, $2, $3, $4) -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ manage_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Delete the contents of /tmp. -+## Read and write generic named sockets in the tmp directory (/tmp). ++## Read symbolic links in the tmp directory (/tmp). ## ## ## @@ -13615,7 +13585,7 @@ index f962f76..f0133ab 100644 ## # -interface(`files_purge_tmp',` -+interface(`files_rw_generic_tmp_sockets',` ++interface(`files_read_generic_tmp_symlinks',` gen_require(` - attribute tmpfile; + type tmp_t; @@ -13627,13 +13597,13 @@ index f962f76..f0133ab 100644 - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ rw_sock_files_pattern($1, tmp_t, tmp_t) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Set the attributes of the /usr directory. -+## Relabel a dir from the type used in /tmp. ++## Read and write generic named sockets in the tmp directory (/tmp). ## ## ## 
@@ -13642,20 +13612,20 @@ index f962f76..f0133ab 100644 ## # -interface(`files_setattr_usr_dirs',` -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_rw_generic_tmp_sockets',` gen_require(` - type usr_t; + type tmp_t; ') - allow $1 usr_t:dir setattr; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ rw_sock_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Search the content of /usr. -+## Relabel a file from the type used in /tmp. ++## Relabel a dir from the type used in /tmp. ## ## ## @@ -13664,21 +13634,21 @@ index f962f76..f0133ab 100644 ## # -interface(`files_search_usr',` -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_relabelfrom_tmp_dirs',` gen_require(` - type usr_t; + type tmp_t; ') - allow $1 usr_t:dir search_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## List the contents of generic -## directories in /usr. -+## Set the attributes of all tmp directories. ++## Relabel a file from the type used in /tmp. ## ## ## @@ -13687,20 +13657,20 @@ index f962f76..f0133ab 100644 ## # -interface(`files_list_usr',` -+interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_files',` gen_require(` - type usr_t; -+ attribute tmpfile; ++ type tmp_t; ') - allow $1 usr_t:dir list_dir_perms; -+ allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## -## Do not audit write of /usr dirs -+## Allow caller to read inherited tmp files. ++## Set the attributes of all tmp directories. ## ## ## 
@@ -13710,20 +13680,20 @@ index f962f76..f0133ab 100644 ## # -interface(`files_dontaudit_write_usr_dirs',` -+interface(`files_read_inherited_tmp_files',` ++interface(`files_setattr_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir write; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 tmpfile:dir { search_dir_perms setattr }; ') ######################################## ## -## Add and remove entries from /usr directories. -+## Allow caller to append inherited tmp files. ++## Allow caller to read inherited tmp files. ## ## ## @@ -13732,21 +13702,21 @@ index f962f76..f0133ab 100644 ## # -interface(`files_rw_usr_dirs',` -+interface(`files_append_inherited_tmp_files',` ++interface(`files_read_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - allow $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file append_inherited_file_perms; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; ') ######################################## ## -## Do not audit attempts to add and remove -## entries from /usr directories. -+## Allow caller to read and write inherited tmp files. ++## Allow caller to append inherited tmp files. ## ## ## 
@@ -13756,92 +13726,90 @@ index f962f76..f0133ab 100644 ## # -interface(`files_dontaudit_rw_usr_dirs',` -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_append_inherited_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; ') - dontaudit $1 usr_t:dir rw_dir_perms; -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ allow $1 tmpfile:file append_inherited_file_perms; ') ######################################## ## -## Delete generic directories in /usr in the caller domain. -+## List all tmp directories. ++## Allow caller to read and write inherited tmp files. ## ## ## -@@ -4786,111 +5677,100 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4786,17 +5677,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # -interface(`files_delete_usr_dirs',` -+interface(`files_list_all_tmp',` ++interface(`files_rw_inherited_tmp_file',` gen_require(` - type usr_t; + attribute tmpfile; ') - delete_dirs_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:dir list_dir_perms; ++ allow $1 tmpfile:file rw_inherited_file_perms; ') ######################################## ## -## Delete generic files in /usr in the caller domain. -+## Relabel to and from all temporary -+## directory types. ++## List all tmp directories. ## ## ## - ## Domain allowed access. +@@ -4804,73 +5695,59 @@ interface(`files_delete_usr_dirs',` ## ## -+## # -interface(`files_delete_usr_files',` -+interface(`files_relabel_all_tmp_dirs',` ++interface(`files_list_all_tmp',` gen_require(` - type usr_t; + attribute tmpfile; -+ type var_t; ') - delete_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir list_dir_perms; ') ######################################## ## -## Get the attributes of files in /usr. -+## Do not audit attempts to get the attributes -+## of all tmp files. ++## Relabel to and from all temporary ++## directory types. ## ## ## --## Domain allowed access. -+## Domain to not audit. 
+ ## Domain allowed access. ## ## ++## # -interface(`files_getattr_usr_files',` -+interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` gen_require(` - type usr_t; + attribute tmpfile; ++ type var_t; ') - getattr_files_pattern($1, usr_t, usr_t) -+ dontaudit $1 tmpfile:file getattr; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## ## -## Read generic files in /usr. -+## Allow attempts to get the attributes ++## Do not audit attempts to get the attributes +## of all tmp files. ## -## @@ -13863,13 +13831,14 @@ index f962f76..f0133ab 100644 -## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`files_read_usr_files',` -+interface(`files_getattr_all_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; 
@@ -13878,67 +13847,74 @@ index f962f76..f0133ab 100644 - allow $1 usr_t:dir list_dir_perms; - read_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 tmpfile:file getattr; ++ dontaudit $1 tmpfile:file getattr; ') ######################################## ## -## Execute generic programs in /usr in the caller domain. -+## Relabel to and from all temporary -+## file types. ++## Allow attempts to get the attributes ++## of all tmp files. ## ## ## - ## Domain allowed access. +@@ -4878,55 +5755,58 @@ interface(`files_read_usr_files',` ## ## -+## # -interface(`files_exec_usr_files',` -+interface(`files_relabel_all_tmp_files',` ++interface(`files_getattr_all_tmp_files',` gen_require(` - type usr_t; + attribute tmpfile; -+ type var_t; ') - allow $1 usr_t:dir list_dir_perms; - exec_files_pattern($1, usr_t, usr_t) - read_lnk_files_pattern($1, usr_t, usr_t) -+ allow $1 var_t:dir search_dir_perms; -+ relabel_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:file getattr; ') ######################################## ## -## dontaudit write of /usr files -+## Do not audit attempts to get the attributes -+## of all tmp sock_file. ++## Relabel to and from all temporary ++## file types. ## ## ## -@@ -4898,35 +5778,17 @@ interface(`files_exec_usr_files',` +-## Domain to not audit. ++## Domain allowed access. ## ## ++## # -interface(`files_dontaudit_write_usr_files',` -- gen_require(` ++interface(`files_relabel_all_tmp_files',` + gen_require(` - type usr_t; -- ') -- ++ attribute tmpfile; ++ type var_t; + ') + - dontaudit $1 usr_t:file write; --') -- --######################################## --## ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## -## Create, read, write, and delete files in the /usr directory. --## --## --## ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. + ## + ## + ## -## Domain allowed access. 
--## --## --# ++## Domain to not audit. + ## + ## + # -interface(`files_manage_usr_files',` +interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` @@ -13957,7 +13933,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -4934,67 +5796,70 @@ interface(`files_manage_usr_files',` +@@ -4934,67 +5814,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -14046,7 +14022,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5003,35 +5868,50 @@ interface(`files_read_usr_symlinks',` +@@ -5003,35 +5886,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -14106,7 +14082,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5039,20 +5919,17 @@ interface(`files_dontaudit_search_src',` +@@ -5039,20 +5937,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -14131,7 +14107,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5060,20 +5937,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5060,20 +5955,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -14156,7 +14132,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5081,38 +5956,35 @@ interface(`files_read_usr_src_files',` +@@ -5081,38 +5974,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -14204,7 +14180,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5120,37 +5992,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5120,37 +6010,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -14252,7 +14228,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5158,35 +6029,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5158,35 +6047,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -14297,7 +14273,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5194,36 +6065,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5194,36 +6083,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # 
@@ -14363,7 +14339,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5231,36 +6121,37 @@ interface(`files_dontaudit_search_var',` +@@ -5231,36 +6139,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -14411,7 +14387,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5268,17 +6159,17 @@ interface(`files_manage_var_dirs',` +@@ -5268,17 +6177,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -14433,7 +14409,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5286,17 +6177,17 @@ interface(`files_read_var_files',` +@@ -5286,17 +6195,17 @@ interface(`files_read_var_files',` ## ## # @@ -14455,7 +14431,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5304,73 +6195,86 @@ interface(`files_append_var_files',` +@@ -5304,73 +6213,86 @@ interface(`files_append_var_files',` ## ## # @@ -14562,7 +14538,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5378,50 +6282,41 @@ interface(`files_read_var_symlinks',` +@@ -5378,50 +6300,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -14627,7 +14603,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5429,69 +6324,56 @@ interface(`files_var_filetrans',` +@@ -5429,69 +6342,56 @@ interface(`files_var_filetrans',` ## ## # @@ -14712,7 +14688,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5499,17 +6381,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,17 +6399,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -14736,7 +14712,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5517,70 +6400,54 @@ interface(`files_list_var_lib',` +@@ -5517,70 +6418,54 @@ interface(`files_list_var_lib',` ## ## # @@ -14820,7 +14796,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5588,41 +6455,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6473,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -14872,7 +14848,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5630,36 +6492,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,36 +6510,36 @@ interface(`files_manage_urandom_seed',` ## ## # 
@@ -14919,7 +14895,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5667,38 +6529,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,38 +6547,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -14967,7 +14943,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5706,19 +6565,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,19 +6583,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14991,7 +14967,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5726,60 +6583,54 @@ interface(`files_list_locks',` +@@ -5726,60 +6601,54 @@ interface(`files_list_locks',` ## ## # @@ -15067,7 +15043,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5787,20 +6638,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,20 +6656,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -15093,7 +15069,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5808,165 +6657,156 @@ interface(`files_getattr_generic_locks',` +@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -15321,7 +15297,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -5974,59 +6814,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # @@ -15412,7 +15388,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6034,18 +6886,18 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',` ## ## # 
@@ -15436,47 +15412,58 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6053,19 +6905,1228 @@ interface(`files_list_pids',` +@@ -6053,19 +6923,21 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` +interface(`files_manage_var_lib_symlinks',` gen_require(` +- type var_t, var_run_t; + type var_lib_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ + ') + +# cjp: the next two interfaces really need to be fixed +# in some way. They really neeed their own types. + -+######################################## -+## + ######################################## + ## +-## Write named generic process ID pipes +## Create, read, write, and delete the +## pseudorandom number generator seed. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_manage_urandom_seed',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_lib_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. -+## + ## +-## +## +## +## Domain allowed access. 
@@ -16489,12 +16476,9 @@ index f962f76..f0133ab 100644 +interface(`files_delete_all_pid_dirs',` + gen_require(` + attribute pidfile; - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) @@ -16506,21 +16490,29 @@ index f962f76..f0133ab 100644 +## used for spool files. +## +## -+##

+ ##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +## Make the specified type usable for spool files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a spool file may result in problems with +## purging spool files. -+##

-+##

-+## Related interfaces: -+##

-+## + ##

+ ## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +## write its spool file in the system spool file +## directories (/var/spool): +##

@@ -16529,7 +16521,7 @@ index f962f76..f0133ab 100644 +## files_spool_file(myfile_spool_t) +## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; +## files_spool_filetrans(mydomain_t, myfile_spool_t, file) -+##

+ ##

+##
+## +## @@ -16660,36 +16652,30 @@ index f962f76..f0133ab 100644 + ') + + list_dirs_pattern($1, var_t, var_spool_t) - ') - - ######################################## - ## --## Write named generic process ID pipes ++') ++ ++######################################## ++## +## Create, read, write, and delete generic +## spool directories (/var/spool). - ## - ## - ## -@@ -6073,43 +8134,170 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_generic_spool_dirs',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_spool_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) - ') - - ######################################## - ## --## Create an object in the process ID directory, with a private type. ++') ++ ++######################################## ++## +## Read generic spool files. +## +## @@ -16839,27 +16825,9 @@ index f962f76..f0133ab 100644 +######################################## +## +## Create a core files in / - ## - ## ++## ++## ##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating --## private PID files in /var/run with the private type instead --## of the general PID file type. To accomplish this goal, --## either the program must be SELinux-aware, or use this interface. --##

--##

--## Related interfaces: --##

--##
    --##
  • files_pid_file()
  • --##
--##

--## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: --##

--##

-## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; @@ -16868,7 +16836,7 @@ index f962f76..f0133ab 100644 ##

##
## -@@ -6117,80 +8305,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17055,7 +17023,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6198,19 +8463,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17079,7 +17047,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6218,18 +8481,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17102,7 +17070,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6237,129 +8499,119 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8517,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17272,7 +17240,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6367,18 +8619,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8637,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17297,7 +17265,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6386,132 +8639,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8657,227 @@ interface(`files_search_spool',` ## ## # @@ -17571,7 +17539,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6519,53 +8867,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8885,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17629,7 +17597,7 @@ index f962f76..f0133ab 100644 ## ## ## -@@ -6573,10 +8885,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8903,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -25224,7 +25192,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6..a73a163 100644 +index 2522ca6..f7ff2c7 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1) 
@@ -25388,14 +25356,14 @@ index 2522ca6..a73a163 100644 + +optional_policy(` + consoletype_exec(sysadm_t) ++') ++ ++optional_policy(` ++ daemonstools_run_start(sysadm_t, sysadm_r) ') optional_policy(` - cvs_exec(sysadm_t) -+ daemonstools_run_start(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + dbus_role_template(sysadm, sysadm_r, sysadm_t) + + dontaudit sysadm_dbusd_t self:capability net_admin; @@ -25430,7 +25398,19 @@ index 2522ca6..a73a163 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -172,13 +246,31 @@ optional_policy(` +@@ -164,6 +238,11 @@ optional_policy(` + ') + + optional_policy(` ++ hwloc_admin(sysadm_t) ++ hwloc_run_dhwd(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + hadoop_role(sysadm_r, sysadm_t) + ') + +@@ -172,13 +251,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -25462,7 +25442,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -190,11 +282,12 @@ optional_policy(` +@@ -190,11 +287,12 @@ optional_policy(` ') optional_policy(` @@ -25477,7 +25457,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -210,22 +303,20 @@ optional_policy(` +@@ -210,22 +308,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -25506,7 +25486,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -237,14 +328,28 @@ optional_policy(` +@@ -237,14 +333,28 @@ optional_policy(` ') optional_policy(` @@ -25535,7 +25515,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -252,10 +357,20 @@ optional_policy(` +@@ -252,10 +362,20 @@ optional_policy(` ') optional_policy(` @@ -25556,7 +25536,7 @@ index 2522ca6..a73a163 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +381,41 @@ optional_policy(` +@@ -266,35 +386,41 @@ optional_policy(` ') optional_policy(` 
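Review bot: The new hwloc optional_policy block in sysadm.te is inserted ahead of the existing `hadoop_role(sysadm_r, sysadm_t)` block, which breaks the alphabetical ordering by module that the surrounding optional_policy blocks in this file follow; placing it after the hadoop block keeps the role file navigable. In the same block `hwloc_admin(sysadm_t)` is passed only the domain while `hwloc_run_dhwd(sysadm_t, sysadm_r)` directly below it also receives the role; if hwloc_admin follows the usual refpolicy admin-interface signature of (domain, role) so that it can set up the init-script role transition, the call is missing its second argument and would fail to build. hwloc.if is not part of this patch, so the interface signature should be confirmed against the policy tree before merging, and a one-line comment such as `# hwloc: allow sysadm to administer and run hwloc-dump-hwdata` above the block would document why a hardware-topology tool needs an admin role binding here.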
@@ -25605,7 +25585,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -308,6 +429,7 @@ optional_policy(` +@@ -308,6 +434,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25613,7 +25593,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -315,12 +437,20 @@ optional_policy(` +@@ -315,12 +442,20 @@ optional_policy(` ') optional_policy(` @@ -25635,7 +25615,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -345,30 +475,37 @@ optional_policy(` +@@ -345,30 +480,37 @@ optional_policy(` ') optional_policy(` @@ -25682,7 +25662,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -380,10 +517,6 @@ optional_policy(` +@@ -380,10 +522,6 @@ optional_policy(` ') optional_policy(` @@ -25693,7 +25673,7 @@ index 2522ca6..a73a163 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +524,9 @@ optional_policy(` +@@ -391,6 +529,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25703,7 +25683,7 @@ index 2522ca6..a73a163 100644 ') optional_policy(` -@@ -398,31 +534,34 @@ optional_policy(` +@@ -398,31 +539,34 @@ optional_policy(` ') optional_policy(` @@ -25744,7 +25724,7 @@ index 2522ca6..a73a163 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +574,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +579,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25755,7 +25735,7 @@ index 2522ca6..a73a163 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +594,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +599,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -50509,7 +50489,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..e6556aa 100644 +index 9dc60c6..595ad40 100644 
--- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -51204,7 +51184,7 @@ index 9dc60c6..e6556aa 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +737,132 @@ template(`userdom_common_user_template',` +@@ -546,93 +737,137 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -51315,18 +51295,23 @@ index 9dc60c6..e6556aa 100644 optional_policy(` - consolekit_dbus_chat($1_t) + hal_dbus_chat($1_usertype) - ') - - optional_policy(` -- cups_dbus_chat_config($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) + ') + ++ optional_policy(` ++ hwloc_exec_dhwd($1_t) ++ hwloc_read_runtime_files($1_t) ++ ') ++ ++ optional_policy(` ++ kde_dbus_chat_backlighthelper($1_usertype) + ') + + optional_policy(` + memcached_stream_connect($1_usertype) + ') + -+ optional_policy(` + optional_policy(` +- cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) ') 
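Review bot: The new hwloc block in userdom_common_user_template grants `hwloc_exec_dhwd($1_t)` and `hwloc_read_runtime_files($1_t)` to the base user domain only, whereas every neighbouring call in this hunk (`hal_dbus_chat($1_usertype)`, `kde_dbus_chat_backlighthelper($1_usertype)`, `memcached_stream_connect($1_usertype)`, `modemmanager_dbus_chat($1_usertype)`) targets the `$1_usertype` attribute, so domains that carry the attribute but are not `$1_t` itself would not get the access. If the intent is parity with the surrounding rules the two lines should read `hwloc_exec_dhwd($1_usertype)` and `hwloc_read_runtime_files($1_usertype)`; if restricting to `$1_t` is deliberate, a short comment stating that would stop the next reviewer from "fixing" it. Exec access on the dhwd binary for every login user domain is also broader than the read access a topology consumer presumably needs, so if reading the dumped runtime data is the real requirement, `hwloc_read_runtime_files` alone is the least-privilege choice and the exec rule deserves a justification. userdom_common_user_template begins and ends outside this hunk.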
@@ -51351,31 +51336,31 @@ index 9dc60c6..e6556aa 100644 - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_role($1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - kerberos_manage_krb5_home_files($1_t) - kerberos_relabel_krb5_home_files($1_t) - kerberos_home_filetrans_krb5_home($1_t, file, ".k5login") -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` + lircd_stream_connect($1_usertype) ') optional_policy(` -@@ -642,23 +872,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +877,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -51404,7 +51389,7 @@ index 9dc60c6..e6556aa 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +899,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +904,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -51413,7 +51398,7 @@ index 9dc60c6..e6556aa 100644 ') optional_policy(` -@@ -680,9 +908,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +913,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -51426,7 +51411,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -693,32 +921,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +926,35 @@ template(`userdom_common_user_template',` ') optional_policy(` 
@@ -51473,7 +51458,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -743,17 +974,32 @@ template(`userdom_common_user_template',` +@@ -743,17 +979,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -51492,9 +51477,7 @@ index 9dc60c6..e6556aa 100644 + + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -51502,7 +51485,9 @@ index 9dc60c6..e6556aa 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -51510,7 +51495,7 @@ index 9dc60c6..e6556aa 100644 userdom_change_password_template($1) -@@ -761,82 +1007,112 @@ template(`userdom_login_user_template', ` +@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -51586,14 +51571,14 @@ index 9dc60c6..e6556aa 100644 - init_dontaudit_use_script_fds($1_t) + init_dontaudit_use_fds($1_usertype) + init_dontaudit_use_script_fds($1_usertype) - -- libs_exec_lib_files($1_t) ++ + # Needed by pam_selinux.so calling in systemd-users + init_entrypoint_exec(login_userdomain) -- logging_dontaudit_getattr_all_logs($1_t) +- libs_exec_lib_files($1_t) + libs_exec_lib_files($1_usertype) -+ + +- logging_dontaudit_getattr_all_logs($1_t) + logging_dontaudit_getattr_all_logs($1_usertype) - miscfiles_read_man_pages($1_t) 
@@ -51659,7 +51644,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -868,6 +1144,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -51672,7 +51657,7 @@ index 9dc60c6..e6556aa 100644 ############################## # # Local policy -@@ -907,53 +1189,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -51692,14 +51677,10 @@ index 9dc60c6..e6556aa 100644 + dev_read_rand($1_usertype) - logging_send_syslog_msg($1_t) -- logging_dontaudit_send_audit_msgs($1_t) + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) - -- # Need to to this just so screensaver will work. Should be moved to screensaver domain -- logging_send_audit_msgs($1_t) -- selinux_get_enforce_mode($1_t) ++ + libs_dontaudit_setattr_lib_files($1_usertype) + + init_read_state($1_usertype) @@ -51717,10 +51698,11 @@ index 9dc60c6..e6556aa 100644 + ') + + logging_send_syslog_msg($1_t) -+ logging_dontaudit_send_audit_msgs($1_t) -+ -+ # Need to to this just so screensaver will work. Should be moved to screensaver domain -+ selinux_get_enforce_mode($1_t) + logging_dontaudit_send_audit_msgs($1_t) + + # Need to to this just so screensaver will work. Should be moved to screensaver domain +- logging_send_audit_msgs($1_t) + selinux_get_enforce_mode($1_t) + seutil_exec_restorecond($1_t) + seutil_read_file_contexts($1_t) + seutil_read_default_contexts($1_t) @@ -51827,7 +51809,7 @@ index 9dc60c6..e6556aa 100644 ') ####################################### -@@ -987,27 +1353,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. 
@@ -51865,7 +51847,7 @@ index 9dc60c6..e6556aa 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1390,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -51925,21 +51907,21 @@ index 9dc60c6..e6556aa 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) ++ ') ++ ++ optional_policy(` ++ wine_role_template($1, $1_r, $1_t) ') optional_policy(` - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) -+ wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1455,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -51950,7 +51932,7 @@ index 9dc60c6..e6556aa 100644 ') ') -@@ -1079,7 +1493,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -51961,7 +51943,7 @@ index 9dc60c6..e6556aa 100644 ') ############################## -@@ -1095,6 +1511,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -51969,7 +51951,7 @@ index 9dc60c6..e6556aa 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1522,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # 
@@ -51986,7 +51968,7 @@ index 9dc60c6..e6556aa 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1539,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -51995,7 +51977,7 @@ index 9dc60c6..e6556aa 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1558,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -52011,7 +51993,7 @@ index 9dc60c6..e6556aa 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1577,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -52056,7 +52038,7 @@ index 9dc60c6..e6556aa 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1620,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -52065,7 +52047,7 @@ index 9dc60c6..e6556aa 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1629,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -52088,7 +52070,7 @@ index 9dc60c6..e6556aa 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1679,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -52097,7 +52079,7 @@ index 9dc60c6..e6556aa 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1689,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -52106,7 +52088,7 @@ index 9dc60c6..e6556aa 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1703,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -52118,7 +52100,7 @@ index 9dc60c6..e6556aa 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1717,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -52161,7 +52143,7 @@ index 9dc60c6..e6556aa 100644 ') optional_policy(` -@@ -1357,14 +1802,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -52180,7 +52162,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1397,12 +1845,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` 
@@ -52234,7 +52216,7 @@ index 9dc60c6..e6556aa 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -52266,7 +52248,7 @@ index 9dc60c6..e6556aa 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -52281,7 +52263,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -52293,7 +52275,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1613,6 +2131,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -52318,7 +52300,7 @@ index 9dc60c6..e6556aa 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2167,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -52378,7 +52360,7 @@ index 9dc60c6..e6556aa 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2293,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` 
@@ -52393,7 +52375,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1741,10 +2332,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -52408,7 +52390,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1769,7 +2362,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -52417,7 +52399,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1777,19 +2370,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -52441,7 +52423,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1797,55 +2388,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -52512,7 +52494,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1853,18 +2444,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -52540,7 +52522,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1872,17 +2464,167 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # 
@@ -52548,13 +52530,17 @@ index 9dc60c6..e6556aa 100644 - gen_require(` - type user_home_dir_t, user_home_t; - ') +- +- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read user home files. +## Dontaudit getattr on user tmp sockets. +## +## @@ -52613,22 +52599,24 @@ index 9dc60c6..e6556aa 100644 +## +## Do not audit attempts to set the +## attributes of user home files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',` + ## + ## + # +-interface(`userdom_dontaudit_read_user_home_content_files',` +interface(`userdom_dontaudit_setattr_user_home_content_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ + gen_require(` + type user_home_t; + ') + +- dontaudit $1 user_home_t:dir list_dir_perms; +- dontaudit $1 user_home_t:file read_file_perms; + dontaudit $1 user_home_t:file setattr_file_perms; +') - -- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ +######################################## +## +## Set the attributes of all user home directories. @@ -52664,11 +52652,11 @@ index 9dc60c6..e6556aa 100644 + ') + + mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - files_search_home($1) - ') - - ######################################## - ## ++ files_search_home($1) ++') ++ ++######################################## ++## +## Read user home files. +## +## 
@@ -52710,20 +52698,20 @@ index 9dc60c6..e6556aa 100644 + +######################################## +## - ## Do not audit attempts to read user home files. - ## - ## -@@ -1893,11 +2635,14 @@ interface(`userdom_read_user_home_content_files',` - # - interface(`userdom_dontaudit_read_user_home_content_files',` - gen_require(` -- type user_home_t; ++## Do not audit attempts to read user home files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_read_user_home_content_files',` ++ gen_require(` + attribute user_home_type; + type user_home_dir_t; - ') - -- dontaudit $1 user_home_t:dir list_dir_perms; -- dontaudit $1 user_home_t:file read_file_perms; ++ ') ++ + dontaudit $1 user_home_dir_t:dir list_dir_perms; + dontaudit $1 user_home_type:dir list_dir_perms; + dontaudit $1 user_home_type:file read_file_perms; @@ -52731,7 +52719,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -1938,7 +2683,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -52740,7 +52728,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1946,10 +2691,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -52753,7 +52741,7 @@ index 9dc60c6..e6556aa 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2702,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -52762,7 +52750,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -1966,12 +2710,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -52831,7 +52819,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2007,8 +2805,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -52841,7 +52829,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2024,21 +2821,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -52855,19 +52843,18 @@ index 9dc60c6..e6556aa 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -2120,7 +2911,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -52876,7 +52863,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2128,19 +2919,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -52900,7 +52887,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2148,12 +2937,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # 
@@ -52916,7 +52903,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2388,18 +3177,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -52974,7 +52961,7 @@ index 9dc60c6..e6556aa 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3239,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -52983,7 +52970,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2455,6 +3280,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -53009,34 +52996,12 @@ index 9dc60c6..e6556aa 100644 ######################################## ## -@@ -2538,7 +3382,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user -## temporary symbolic links. +## temporary files. - ## - ## - ## -@@ -2546,18 +3390,59 @@ interface(`userdom_manage_user_tmp_files',` - ## - ## - # --interface(`userdom_manage_user_tmp_symlinks',` -+interface(`userdom_filetrans_named_user_tmp_files',` - gen_require(` - type user_tmp_t; - ') - -- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) -+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") - files_search_tmp($1) - ') - - ######################################## - ## - ## Create, read, write, and delete user -+## temporary symbolic links. +## +## +## 
@@ -53044,26 +53009,26 @@ index 9dc60c6..e6556aa 100644 +## +## +# -+interface(`userdom_manage_user_tmp_symlinks',` ++interface(`userdom_filetrans_named_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user -+## temporary named pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# ++## temporary symbolic links. + ## + ## + ## +@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',` + ## + ## + # +interface(`userdom_rw_inherited_user_tmp_pipes',` + gen_require(` + type user_tmp_t; @@ -53077,10 +53042,18 @@ index 9dc60c6..e6556aa 100644 +######################################## +## +## Create, read, write, and delete user - ## temporary named pipes. - ## - ## -@@ -2661,6 +3546,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` ++## temporary named pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# + interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; +@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -53102,7 +53075,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3572,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -53124,7 +53097,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2692,19 +3587,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` 
@@ -53147,7 +53120,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2713,13 +3602,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -53208,7 +53181,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2814,6 +3746,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -53233,7 +53206,7 @@ index 9dc60c6..e6556aa 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3782,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -53276,7 +53249,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -2856,14 +3818,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -53314,7 +53287,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2882,8 +3863,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -53344,7 +53317,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -2955,6 +3955,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -53387,7 +53360,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4014,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -53412,7 +53385,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4032,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -53424,7 +53397,7 @@ index 9dc60c6..e6556aa 100644 ## memory segments. ## ## -@@ -3025,17 +4043,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -53445,7 +53418,7 @@ index 9dc60c6..e6556aa 100644 ## memory segments. ## ## -@@ -3044,12 +4062,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -53460,7 +53433,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -3094,7 +4112,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -53469,7 +53442,7 @@ index 9dc60c6..e6556aa 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4128,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -53503,7 +53476,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -3214,7 +4216,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -53530,7 +53503,7 @@ index 9dc60c6..e6556aa 100644 ') ######################################## -@@ -3269,12 +4289,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -53546,7 +53519,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -3282,54 +4303,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -53618,7 +53591,7 @@ index 9dc60c6..e6556aa 100644 ## ## ## -@@ -3337,12 +4360,86 @@ interface(`userdom_getattr_all_users',` +@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',` ## ## # @@ -53630,10 +53603,11 @@ index 9dc60c6..e6556aa 100644 - allow $1 userdomain:fd use; + allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to inherit the file +## Do not audit attempts to use user ttys. +## +## @@ -53704,10 +53678,15 @@ index 9dc60c6..e6556aa 100644 + ') + + allow $1 userdomain:fd use; - ') - - ######################################## -@@ -3382,6 +4479,42 @@ interface(`userdom_signal_all_users',` ++') ++ ++######################################## ++## ++## Do not audit attempts to inherit the file + ## descriptors from any user domains. + ## + ## +@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -53750,7 +53729,7 @@ index 9dc60c6..e6556aa 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4535,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -53811,7 +53790,7 @@ index 9dc60c6..e6556aa 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index fb9b995..0203074 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -32032,10 +32032,10 @@ index 0000000..764ae00 + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..33654d5 +index 0000000..c31e40e --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,297 @@ +@@ -0,0 +1,302 @@ +policy_module(glusterd, 1.1.3) + +## @@ -32100,7 +32100,7 @@ index 0000000..33654d5 +allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw }; + +allow glusterd_t self:capability2 block_suspend; -+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched }; ++allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate}; +allow glusterd_t self:sem create_sem_perms; +allow glusterd_t self:fifo_file rw_fifo_file_perms; +allow glusterd_t self:tcp_socket { accept listen }; @@ -32284,6 +32284,11 @@ index 0000000..33654d5 + hostname_exec(glusterd_t) +') + ++ ++optional_policy(` ++ kerberos_read_keytab(glusterd_t) ++') ++ +optional_policy(` + lvm_domtrans(glusterd_t) +') 
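Review bot: The glusterd.te hunk adds `setfscreate` to the glusterd_t self:process set (`allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};`) with no comment explaining why, and the changelog for this release only mentions the keytab read, not this new permission. setfscreate lets the domain pick the label of files it creates instead of relying on the type_transition rules, so a why-comment above that line naming the feature or path that needs it, `# TODO(review): which gluster operation needs to set its own file creation context?`, would keep the grant reviewable. The missing space before `}` on the same line and the doubled blank line in front of the new `kerberos_read_keytab` optional_policy block are minor style nits.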
@@ -37023,6 +37028,166 @@ index 0000000..28816b4 +auth_use_nsswitch(hsqldb_t) + +sysnet_read_config(hsqldb_t) +diff --git a/hwloc.fc b/hwloc.fc +new file mode 100644 +index 0000000..d0c5a15 +--- /dev/null ++++ b/hwloc.fc +@@ -0,0 +1,5 @@ ++/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0) ++ ++/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0) ++ ++/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0) +diff --git a/hwloc.if b/hwloc.if +new file mode 100644 +index 0000000..c2349ec +--- /dev/null ++++ b/hwloc.if +@@ -0,0 +1,106 @@ ++## Dump topology and locality information from hardware tables. ++ ++######################################## ++## ++## Execute hwloc dhwd in the hwloc dhwd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hwloc_domtrans_dhwd',` ++ gen_require(` ++ type hwloc_dhwd_t, hwloc_dhwd_exec_t; ++ ') ++ ++ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t) ++') ++ ++######################################## ++## ++## Execute hwloc dhwd in the hwloc dhwd domain, and ++## allow the specified role the hwloc dhwd domain, ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`hwloc_run_dhwd',` ++ gen_require(` ++ attribute_role hwloc_dhwd_roles; ++ ') ++ ++ hwloc_domtrans_dhwd($1) ++ roleattribute $2 hwloc_dhwd_roles; ++') ++ ++######################################## ++## ++## Execute hwloc dhwd in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hwloc_exec_dhwd',` ++ gen_require(` ++ type hwloc_dhwd_exec_t; ++ ') ++ ++ can_exec($1, hwloc_dhwd_exec_t) ++') ++ ++######################################## ++## ++## Read hwloc runtime files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`hwloc_read_runtime_files',` ++ gen_require(` ++ type hwloc_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t) ++') ++ ++######################################## ++## ++## All of the rules required to ++## administrate an hwloc environment. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`hwloc_admin',` ++ gen_require(` ++ type hwloc_dhwd_t, hwloc_var_run_t; ++ ') ++ ++ allow $1 hwloc_dhwd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, hwloc_dhwd_t) ++ ++ admin_pattern($1, hwloc_var_run_t) ++ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc") ++') +diff --git a/hwloc.te b/hwloc.te +new file mode 100644 +index 0000000..0f45fd5 +--- /dev/null ++++ b/hwloc.te +@@ -0,0 +1,31 @@ ++policy_module(hwloc, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role hwloc_dhwd_roles; ++roleattribute system_r hwloc_dhwd_roles; ++ ++type hwloc_dhwd_t; ++type hwloc_dhwd_exec_t; ++init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t) ++role hwloc_dhwd_roles types hwloc_dhwd_t; ++ ++type hwloc_var_run_t; ++files_pid_file(hwloc_var_run_t) ++ ++type hwloc_dhwd_unit_t; ++systemd_unit_file(hwloc_dhwd_unit_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms; ++allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms; ++files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir) ++ ++dev_read_sysfs(hwloc_dhwd_t) diff --git a/hypervkvp.fc b/hypervkvp.fc index b46130e..e2ae3b2 100644 --- a/hypervkvp.fc @@ -48068,7 +48233,7 @@ index 0000000..8bc27f4 +domain_use_interactive_fds(mcollective_t) + diff --git a/mediawiki.fc b/mediawiki.fc -index 99f7c41..93ec6db 100644 +index 99f7c41..1745603 100644 --- a/mediawiki.fc +++ b/mediawiki.fc @@ -1,8 +1,8 @@ 
@@ -48080,12 +48245,12 @@ index 99f7c41..93ec6db 100644 +/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0) -/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) -+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0) ++/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0) -/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0) -/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0) -+/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) -+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0) ++/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0) ++/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0) diff --git a/mediawiki.if b/mediawiki.if index 9771b4b..9b183e6 100644 --- a/mediawiki.if @@ -85688,10 +85853,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..dfb3396 100644 +index 47de2d6..bc62d96 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,95 @@ +@@ -1,31 +1,96 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -85782,6 +85947,7 @@ index 47de2d6..dfb3396 100644 +/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0) ++/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0) + +/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) + 
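Review bot: In the mediawiki.fc hunk the new pattern `/var/www/wiki[0-9]?\.php` no longer matches PHP files inside the wiki directory: the `/.*` from the replaced line `/var/www/wiki/.*\.php` was dropped, so it now only matches names such as `/var/www/wiki.php` or `/var/www/wiki1.php`. Scripts under `/var/www/wiki/` therefore fall to the preceding `/var/www/wiki[0-9]?(/.*)?` rule and are labelled `mediawiki_rw_content_t` instead of `mediawiki_content_t`, i.e. the PHP code becomes writable content. The line presumably meant `/var/www/wiki[0-9]?/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)`, in line with how the `/usr/share/mediawiki[0-9]?(/.*)?` entry was edited.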
@@ -86679,7 +86845,7 @@ index c8bdea2..1574225 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 6cf79c4..1a605f9 100644 +index 6cf79c4..943fd8b 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) @@ -87047,7 +87213,7 @@ index 6cf79c4..1a605f9 100644 -allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; +allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin }; -+allow fenced_t self:process { getsched setpgid signal_perms }; ++allow fenced_t self:process { getsched setcap setpgid signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; +allow fenced_t self:udp_socket create_socket_perms; @@ -107668,7 +107834,7 @@ index 97cd155..49321a5 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index 585a77f..948bc5b 100644 +index 585a77f..a7cb326 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1) @@ -107714,7 +107880,7 @@ index 585a77f..948bc5b 100644 dev_read_urand(tmpreaper_t) -@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t) +@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t) fs_getattr_xattr_fs(tmpreaper_t) fs_list_all(tmpreaper_t) @@ -107725,11 +107891,9 @@ index 585a77f..948bc5b 100644 -files_getattr_all_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) +-files_setattr_all_tmp_dirs(tmpreaper_t) +files_delete_all_non_security_files(tmpreaper_t) -+# why does it need setattr? - files_setattr_all_tmp_dirs(tmpreaper_t) -+files_setattr_isid_type_dirs(tmpreaper_t) -+files_setattr_usr_dirs(tmpreaper_t) ++files_setattr_non_security_dirs(tmpreaper_t) +files_getattr_all_dirs(tmpreaper_t) +files_getattr_all_files(tmpreaper_t) 
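Review bot: In the tmpreaper.te hunk `files_setattr_non_security_dirs(tmpreaper_t)` widens the grant from tmp directories (`files_setattr_all_tmp_dirs`, `files_setattr_isid_type_dirs` and `files_setattr_usr_dirs`, all removed here) to every non_security_file_type directory on the system, and the comment `# why does it need setattr?` that was asking for a justification is deleted at the same time rather than answered. The changelog entry confirms read/setattr on all non_security_file_type dirs is intended, but a why-comment naming the directories tmpreaper actually touches outside /tmp would let a later reviewer narrow the rule again, e.g. `# TODO(review): setattr on non-tmp dirs needed for <paths from the denial>; narrow once known`. The inner tmpreaper.te hunk continues past the end of this outer hunk.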
@@ -107738,7 +107902,7 @@ index 585a77f..948bc5b 100644 mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t) +@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t) logging_send_syslog_msg(tmpreaper_t) @@ -107746,7 +107910,7 @@ index 585a77f..948bc5b 100644 miscfiles_delete_man_pages(tmpreaper_t) ifdef(`distro_debian',` -@@ -53,10 +82,33 @@ ifdef(`distro_debian',` +@@ -53,10 +79,33 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -107781,7 +107945,7 @@ index 585a77f..948bc5b 100644 ') optional_policy(` -@@ -64,6 +116,7 @@ optional_policy(` +@@ -64,6 +113,7 @@ optional_policy(` ') optional_policy(` @@ -107789,7 +107953,7 @@ index 585a77f..948bc5b 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -79,7 +132,19 @@ optional_policy(` +@@ -79,7 +129,19 @@ optional_policy(` ') optional_policy(` @@ -107810,7 +107974,7 @@ index 585a77f..948bc5b 100644 ') optional_policy(` -@@ -89,3 +154,8 @@ optional_policy(` +@@ -89,3 +151,8 @@ optional_policy(` optional_policy(` rpm_manage_cache(tmpreaper_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 00c614a..12b5672 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 194%{?dist} +Release: 195%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -647,6 +647,17 @@ exit 0
 %endif
 %changelog
+* Thu Jun 08 2016 Lukas Vrabec 3.13.1-195
+- Add hwloc-dump-hwdata SELinux policy
+- Add labels for mediawiki123
+- Fix label for all fence_scsi_check scripts
+- Allow setcap for fenced
+- Allow glusterd domain read krb5_keytab_t files.
+- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
+- Update refpolicy to handle hwloc
+- Fix typo in files_setattr_non_security_dirs.
+- Add interface files_setattr_non_security_dirs()
+
 * Tue Jun 07 2016 Lukas Vrabec 3.13.1-194
 - Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
 - Add nrpe_dontaudit_write_pipes()