diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4987b60..b4f3b28 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5410,7 +5410,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..b60c687 100644
+index b191055..b64c141 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5484,7 +5484,7 @@ index b191055..b60c687 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5497,7 +5497,9 @@ index b191055..b60c687 100644
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
-@@ -96,43 +119,53 @@ network_port(boinc, tcp,31416,s0)
++network_port(bacula, tcp,9103,s0, udp,9103,s0)
+ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
+ network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
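Review bot: The new `network_port(bacula, tcp,9103,s0, udp,9103,s0)` labels only port 9103 and labels it for UDP as well as TCP; if the intent is to cover the whole Bacula suite, any sibling daemon ports would remain generic `port_t`, and if the daemon on 9103 speaks TCP only, the `udp,9103,s0` portcon creates a label nothing binds to — confirm both against the daemon's actual listeners before landing. The alphabetical placement between `auth` and `bgp` matches the file's ordering. The inner hunk header was widened from `-84,10 +107,10` to `-84,55 +107,66` and absorbs the former `-96,43 +119,53` hunk, so its line counts need rechecking after any further edit to this region.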
@@ -5556,7 +5558,7 @@ index b191055..b60c687 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5623,7 +5625,7 @@ index b191055..b60c687 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +227,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5663,7 +5665,7 @@ index b191055..b60c687 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -215,39 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +265,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5716,7 +5718,7 @@ index b191055..b60c687 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -259,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +315,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5727,7 +5729,7 @@ index b191055..b60c687 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +327,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5740,7 +5742,7 @@ index b191055..b60c687 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +344,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5767,7 +5769,7 @@ index b191055..b60c687 100644
########################################
#
-@@ -333,6 +393,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5776,7 +5778,7 @@ index b191055..b60c687 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +407,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -24233,7 +24235,7 @@ index 6bf0ecc..115c533 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..39c8bbb 100644
+index 8b40377..787bc72 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -24572,13 +24574,13 @@ index 8b40377..39c8bbb 100644
+ifdef(`hide_broken_symptoms',`
+ term_dontaudit_use_unallocated_ttys(xauth_t)
+ dev_dontaudit_rw_dri(xauth_t)
-+')
-+
-+optional_policy(`
-+ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
')
optional_policy(`
++ nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
++')
++
++optional_policy(`
+ ssh_use_ptys(xauth_t)
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
@@ -24613,8 +24615,7 @@ index 8b40377..39c8bbb 100644
+allow xdm_t self:dbus { send_msg acquire_svc };
+
+allow xdm_t xauth_home_t:file manage_file_perms;
-
--allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
++
+allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -24623,7 +24624,8 @@ index 8b40377..39c8bbb 100644
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+xserver_filetrans_home_content(xdm_t)
+xserver_filetrans_admin_home_content(xdm_t)
-+
+
+-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+#Handle mislabeled files in homedir
+userdom_delete_user_home_content_files(xdm_t)
+userdom_signull_unpriv_users(xdm_t)
@@ -24880,7 +24882,7 @@ index 8b40377..39c8bbb 100644
+
+#userdom_home_manager(xdm_t)
+tunable_policy(`xdm_write_home',`
-+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
+',`
+ userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file })
+')
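Review bot: Widening the `xdm_write_home` transition to `{ file lnk_file }` only decides the label of symlinks xdm_t creates in user home directories; it does not grant the right to create them, so unless xdm_t already has `lnk_file` create access on xdm_home_t (something like `manage_lnk_files_pattern(xdm_t, xdm_home_t, xdm_home_t)`, not visible in this hunk) the new part of the transition is dead. A short comment naming what xdm actually links there, e.g. `# xdm creates symlinks in ~ (TODO: name them) -> xdm_home_t`, would keep the grant reviewable. The `tunable_policy` block is fully inside the hunk, but the surrounding xdm_t rules are not.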
@@ -25071,13 +25073,13 @@ index 8b40377..39c8bbb 100644
+ optional_policy(`
+ hal_dbus_chat(xdm_t)
+ ')
-+
-+ optional_policy(`
-+ gnomeclock_dbus_chat(xdm_t)
-+ ')
optional_policy(`
- accountsd_dbus_chat(xdm_t)
++ gnomeclock_dbus_chat(xdm_t)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(xdm_t)
')
')
@@ -25324,13 +25326,10 @@ index 8b40377..39c8bbb 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -704,7 +1179,16 @@ fs_getattr_xattr_fs(xserver_t)
- fs_search_nfs(xserver_t)
+@@ -705,6 +1180,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
--
-+fs_rw_tmpfs_files(xserver_t)
-+
+
+mls_file_read_to_clearance(xserver_t)
+mls_file_write_all_levels(xserver_t)
+mls_file_upgrade(xserver_t)
@@ -25342,7 +25341,7 @@ index 8b40377..39c8bbb 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1202,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -25366,7 +25365,7 @@ index 8b40377..39c8bbb 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1221,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -25375,7 +25374,7 @@ index 8b40377..39c8bbb 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1265,44 @@ optional_policy(`
+@@ -785,17 +1264,44 @@ optional_policy(`
')
optional_policy(`
@@ -25422,7 +25421,7 @@ index 8b40377..39c8bbb 100644
')
optional_policy(`
-@@ -803,6 +1310,10 @@ optional_policy(`
+@@ -803,6 +1309,10 @@ optional_policy(`
')
optional_policy(`
@@ -25433,7 +25432,7 @@ index 8b40377..39c8bbb 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -25447,7 +25446,7 @@ index 8b40377..39c8bbb 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -25456,7 +25455,7 @@ index 8b40377..39c8bbb 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1352,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -25491,7 +25490,7 @@ index 8b40377..39c8bbb 100644
')
optional_policy(`
-@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25500,7 +25499,7 @@ index 8b40377..39c8bbb 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -25532,7 +25531,7 @@ index 8b40377..39c8bbb 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -27421,10 +27420,10 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d30..3701405 100644
+index 3f48d30..90a20cf 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
-@@ -13,6 +13,9 @@ role system_r types fsadm_t;
+@@ -13,9 +13,15 @@ role system_r types fsadm_t;
type fsadm_log_t;
logging_log_file(fsadm_log_t)
@@ -27434,23 +27433,37 @@ index 3f48d30..3701405 100644
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
-@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive };
++type fsadm_tmpfs_t;
++files_tmpfs_file(fsadm_tmpfs_t)
++
+ type swapfile_t; # customizable
+ files_type(swapfile_t)
+
+@@ -41,10 +47,21 @@ allow fsadm_t self:msg { send receive };
can_exec(fsadm_t, fsadm_exec_t)
+-allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+-allow fsadm_t fsadm_tmp_t:file manage_file_perms;
+manage_dirs_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
+manage_files_pattern(fsadm_t, fsadm_var_run_t, fsadm_var_run_t)
+files_pid_filetrans(fsadm_t, fsadm_var_run_t, {dir file })
+
- allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
- allow fsadm_t fsadm_tmp_t:file manage_file_perms;
++manage_dirs_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
++manage_files_pattern(fsadm_t, fsadm_tmp_t, fsadm_tmp_t)
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+
++manage_dirs_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
++manage_files_pattern(fsadm_t, fsadm_tmpfs_t, fsadm_tmpfs_t)
++fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir })
++
+files_create_boot_flag(fsadm_t)
+files_setattr_root_dirs(fsadm_t)
-
++
# log files
allow fsadm_t fsadm_log_t:dir setattr;
-@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+ manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
+@@ -53,6 +70,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
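Review bot: The private `fsadm_tmpfs_t` only applies to objects fsadm_t creates itself through `fs_tmpfs_filetrans(fsadm_t, fsadm_tmpfs_t, { file dir })`, while the broad `fs_rw_tmpfs_files(fsadm_t)` is dropped by the later hunk at the `-fs_rw_tmpfs_files(fsadm_t)` line (the `@@ -27467,7 +27480,15 @@` hunk); any pre-existing generic tmpfs_t file the tools open for writing would then be denied, and the surviving `# for /dev/shm` rules show fsadm does touch generic tmpfs, so confirm with an audit run that the two hunks can land together. The transition covers only `file` and `dir`; if the tools create fifos or sockets on tmpfs those would stay tmpfs_t, so check whether `{ dir file fifo_file sock_file }` is needed. Replacing the two `allow fsadm_t fsadm_tmp_t:...` rules with `manage_dirs_pattern`/`manage_files_pattern` is equivalent here because the search and target types coincide.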
@@ -27458,7 +27471,7 @@ index 3f48d30..3701405 100644
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
kernel_request_load_module(fsadm_t)
-@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
+@@ -101,6 +119,8 @@ files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
@@ -27467,7 +27480,15 @@ index 3f48d30..3701405 100644
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -112,7 +132,6 @@ files_read_isid_type_files(fsadm_t)
+ fs_search_auto_mountpoints(fsadm_t)
+ fs_getattr_xattr_fs(fsadm_t)
+ fs_rw_ramfs_pipes(fsadm_t)
+-fs_rw_tmpfs_files(fsadm_t)
+ # remount file system to apply changes
+ fs_remount_xattr_fs(fsadm_t)
+ # for /dev/shm
+@@ -120,6 +139,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -27477,7 +27498,7 @@ index 3f48d30..3701405 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +155,27 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -27507,7 +27528,7 @@ index 3f48d30..3701405 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +187,11 @@ optional_policy(`
+@@ -166,6 +194,11 @@ optional_policy(`
')
optional_policy(`
@@ -27519,7 +27540,7 @@ index 3f48d30..3701405 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -179,6 +205,10 @@ optional_policy(`
+@@ -179,6 +212,10 @@ optional_policy(`
')
optional_policy(`
@@ -27530,7 +27551,7 @@ index 3f48d30..3701405 100644
nis_use_ypbind(fsadm_t)
')
-@@ -192,6 +222,10 @@ optional_policy(`
+@@ -192,6 +229,10 @@ optional_policy(`
')
optional_policy(`
@@ -29307,7 +29328,7 @@ index 79a45f6..9a14d49 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..17932ac 100644
+index 17eda24..afe80c5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -29555,7 +29576,7 @@ index 17eda24..17932ac 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +286,213 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +286,214 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -29736,6 +29757,7 @@ index 17eda24..17932ac 100644
+
+optional_policy(`
+ ipsec_read_config(init_t)
++ ipsec_manage_pid(init_t)
+')
+
+optional_policy(`
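Review bot: `ipsec_manage_pid(init_t)` gives init_t full manage rights over ipsec's runtime content with no comment saying why init itself, rather than the ipsec domain, needs more than the `ipsec_read_config(init_t)` it already had; presumably this is for systemd creating or cleaning the ipsec runtime directory, but that is an inference from the domain, not from the hunk. A one-line comment above it, e.g. `# systemd manages ipsec's runtime dir (TODO: cite the unit or bug)`, would keep the grant reviewable. The enclosing `optional_policy` block is inside the hunk, but init_t's other rules are not.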
@@ -29777,7 +29799,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -216,7 +500,30 @@ optional_policy(`
+@@ -216,7 +501,30 @@ optional_policy(`
')
optional_policy(`
@@ -29808,7 +29830,7 @@ index 17eda24..17932ac 100644
')
########################################
-@@ -225,9 +532,9 @@ optional_policy(`
+@@ -225,9 +533,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29820,7 +29842,7 @@ index 17eda24..17932ac 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +565,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +566,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -29837,7 +29859,7 @@ index 17eda24..17932ac 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +590,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +591,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -29880,7 +29902,7 @@ index 17eda24..17932ac 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +627,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +628,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -29892,7 +29914,7 @@ index 17eda24..17932ac 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +639,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +640,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -29903,7 +29925,7 @@ index 17eda24..17932ac 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +650,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +651,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29913,7 +29935,7 @@ index 17eda24..17932ac 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +659,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +660,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -29921,7 +29943,7 @@ index 17eda24..17932ac 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +666,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +667,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29929,7 +29951,7 @@ index 17eda24..17932ac 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +674,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +675,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29947,7 +29969,7 @@ index 17eda24..17932ac 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +692,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +693,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29961,7 +29983,7 @@ index 17eda24..17932ac 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +707,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +708,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29975,7 +29997,7 @@ index 17eda24..17932ac 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +720,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +721,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29986,7 +30008,7 @@ index 17eda24..17932ac 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +733,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +734,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -29994,7 +30016,7 @@ index 17eda24..17932ac 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +752,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +753,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -30018,7 +30040,7 @@ index 17eda24..17932ac 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +785,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +786,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -30026,7 +30048,7 @@ index 17eda24..17932ac 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +819,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +820,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -30037,7 +30059,7 @@ index 17eda24..17932ac 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +843,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +844,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30046,7 +30068,7 @@ index 17eda24..17932ac 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +858,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +859,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -30054,7 +30076,7 @@ index 17eda24..17932ac 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +879,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +880,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -30062,7 +30084,7 @@ index 17eda24..17932ac 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +889,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +890,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -30107,7 +30129,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -559,14 +934,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +935,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30139,7 +30161,7 @@ index 17eda24..17932ac 100644
')
')
-@@ -577,6 +969,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +970,39 @@ ifdef(`distro_suse',`
')
')
@@ -30179,7 +30201,7 @@ index 17eda24..17932ac 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1014,8 @@ optional_policy(`
+@@ -589,6 +1015,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30188,7 +30210,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -610,6 +1037,7 @@ optional_policy(`
+@@ -610,6 +1038,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -30196,7 +30218,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -626,6 +1054,17 @@ optional_policy(`
+@@ -626,6 +1055,17 @@ optional_policy(`
')
optional_policy(`
@@ -30214,7 +30236,7 @@ index 17eda24..17932ac 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1081,13 @@ optional_policy(`
+@@ -642,9 +1082,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30228,7 +30250,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -657,15 +1100,11 @@ optional_policy(`
+@@ -657,15 +1101,11 @@ optional_policy(`
')
optional_policy(`
@@ -30246,7 +30268,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -686,6 +1125,15 @@ optional_policy(`
+@@ -686,6 +1126,15 @@ optional_policy(`
')
optional_policy(`
@@ -30262,7 +30284,7 @@ index 17eda24..17932ac 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1174,7 @@ optional_policy(`
+@@ -726,6 +1175,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -30270,7 +30292,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -743,7 +1192,13 @@ optional_policy(`
+@@ -743,7 +1193,13 @@ optional_policy(`
')
optional_policy(`
@@ -30285,7 +30307,7 @@ index 17eda24..17932ac 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1221,10 @@ optional_policy(`
+@@ -766,6 +1222,10 @@ optional_policy(`
')
optional_policy(`
@@ -30296,7 +30318,7 @@ index 17eda24..17932ac 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1234,20 @@ optional_policy(`
+@@ -775,10 +1235,20 @@ optional_policy(`
')
optional_policy(`
@@ -30317,7 +30339,7 @@ index 17eda24..17932ac 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1256,10 @@ optional_policy(`
+@@ -787,6 +1257,10 @@ optional_policy(`
')
optional_policy(`
@@ -30328,7 +30350,7 @@ index 17eda24..17932ac 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1281,6 @@ optional_policy(`
+@@ -808,8 +1282,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30337,7 +30359,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -818,6 +1289,10 @@ optional_policy(`
+@@ -818,6 +1290,10 @@ optional_policy(`
')
optional_policy(`
@@ -30348,7 +30370,7 @@ index 17eda24..17932ac 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1302,12 @@ optional_policy(`
+@@ -827,10 +1303,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -30361,7 +30383,7 @@ index 17eda24..17932ac 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1334,60 @@ optional_policy(`
+@@ -857,21 +1335,60 @@ optional_policy(`
')
optional_policy(`
@@ -30423,7 +30445,7 @@ index 17eda24..17932ac 100644
')
optional_policy(`
-@@ -887,6 +1403,10 @@ optional_policy(`
+@@ -887,6 +1404,10 @@ optional_policy(`
')
optional_policy(`
@@ -30434,7 +30456,7 @@ index 17eda24..17932ac 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1417,218 @@ optional_policy(`
+@@ -897,3 +1418,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -32894,7 +32916,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..7b0ef85 100644
+index 59b04c1..19dc9ce 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -32945,7 +32967,15 @@ index 59b04c1..7b0ef85 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -76,6 +96,7 @@ files_type(syslogd_var_lib_t)
+@@ -71,11 +91,15 @@ init_script_file(syslogd_initrc_exec_t)
+ type syslogd_tmp_t;
+ files_tmp_file(syslogd_tmp_t)
+
++type syslogd_tmpfs_t;
++files_tmpfs_file(syslogd_tmpfs_t)
++
+ type syslogd_var_lib_t;
+ files_type(syslogd_var_lib_t)
type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
@@ -32953,7 +32983,7 @@ index 59b04c1..7b0ef85 100644
type var_log_t;
logging_log_file(var_log_t)
-@@ -94,6 +115,8 @@ ifdef(`enable_mls',`
+@@ -94,6 +118,8 @@ ifdef(`enable_mls',`
allow auditctl_t self:capability { fsetid dac_read_search dac_override };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
@@ -32962,7 +32992,7 @@ index 59b04c1..7b0ef85 100644
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
-@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +137,7 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -32971,7 +33001,7 @@ index 59b04c1..7b0ef85 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t)
+@@ -148,6 +174,7 @@ kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
kernel_read_system_state(auditd_t)
@@ -32979,7 +33009,7 @@ index 59b04c1..7b0ef85 100644
dev_read_sysfs(auditd_t)
-@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t)
+@@ -155,9 +182,6 @@ fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
fs_rw_anon_inodefs_files(auditd_t)
@@ -32989,7 +33019,7 @@ index 59b04c1..7b0ef85 100644
corenet_all_recvfrom_netlabel(auditd_t)
corenet_tcp_sendrecv_generic_if(auditd_t)
corenet_tcp_sendrecv_generic_node(auditd_t)
-@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +207,17 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -33011,7 +33041,7 @@ index 59b04c1..7b0ef85 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t)
+@@ -237,19 +262,29 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -33042,7 +33072,7 @@ index 59b04c1..7b0ef85 100644
')
########################################
-@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
+@@ -268,7 +303,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
corecmd_exec_bin(audisp_remote_t)
@@ -33050,7 +33080,7 @@ index 59b04c1..7b0ef85 100644
corenet_all_recvfrom_netlabel(audisp_remote_t)
corenet_tcp_sendrecv_generic_if(audisp_remote_t)
corenet_tcp_sendrecv_generic_node(audisp_remote_t)
-@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,10 +314,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -33070,7 +33100,7 @@ index 59b04c1..7b0ef85 100644
sysnet_dns_name_resolve(audisp_remote_t)
-@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t)
+@@ -326,7 +368,6 @@ files_read_etc_files(klogd_t)
logging_send_syslog_msg(klogd_t)
@@ -33078,7 +33108,7 @@ index 59b04c1..7b0ef85 100644
mls_file_read_all_levels(klogd_t)
-@@ -355,13 +393,12 @@ optional_policy(`
+@@ -355,13 +396,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
@@ -33095,7 +33125,7 @@ index 59b04c1..7b0ef85 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -371,6 +408,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -371,6 +411,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -33103,10 +33133,14 @@ index 59b04c1..7b0ef85 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +427,42 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +430,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
++manage_dirs_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
++manage_files_pattern(syslogd_t, syslogd_tmpfs_t, syslogd_tmpfs_t)
++fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })
++
+manage_sock_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
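Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` lines and `fs_tmpfs_filetrans(syslogd_t, syslogd_tmpfs_t, { dir file })` reference `syslogd_tmpfs_t`, whose declaration is not in this hunk; the module needs a `type syslogd_tmpfs_t;` plus `files_tmpfs_file(syslogd_tmpfs_t)` elsewhere in the patch or it will not build. Giving syslogd a private tmpfs type in place of the `fs_rw_tmpfs_files(syslogd_t)` grant that a later hunk in this file drops is the right direction for least privilege, since it scopes the daemon to its own tmpfs objects rather than every tmpfs file. A one-line comment above the block, e.g. `# syslogd gets a private tmpfs type rather than access to all tmpfs files`, would record that intent for the next reviewer.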
@@ -33149,7 +33183,7 @@ index 59b04c1..7b0ef85 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +472,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +479,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -33158,7 +33192,7 @@ index 59b04c1..7b0ef85 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +484,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +491,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -33186,11 +33220,9 @@ index 59b04c1..7b0ef85 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -447,14 +516,19 @@ files_read_kernel_symbol_table(syslogd_t)
- files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +524,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
-+fs_rw_tmpfs_files(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
+fs_search_cgroup_dirs(syslogd_t)
@@ -33206,7 +33238,7 @@ index 59b04c1..7b0ef85 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +540,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +546,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -33221,7 +33253,7 @@ index 59b04c1..7b0ef85 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -507,15 +581,40 @@ optional_policy(`
+@@ -507,15 +587,40 @@ optional_policy(`
')
optional_policy(`
@@ -33262,7 +33294,7 @@ index 59b04c1..7b0ef85 100644
')
optional_policy(`
-@@ -526,3 +625,26 @@ optional_policy(`
+@@ -526,3 +631,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -39202,10 +39234,10 @@ index 0000000..1d9bdfd
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..1605309
+index 0000000..9785384
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,659 @@
+@@ -0,0 +1,635 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -39491,32 +39523,8 @@ index 0000000..1605309
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
+fs_list_all(systemd_tmpfiles_t)
+
-+files_getattr_all_dirs(systemd_tmpfiles_t)
-+files_getattr_all_files(systemd_tmpfiles_t)
-+files_getattr_all_sockets(systemd_tmpfiles_t)
-+files_getattr_all_symlinks(systemd_tmpfiles_t)
-+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
-+files_relabel_all_lock_files(systemd_tmpfiles_t)
-+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
-+files_relabel_all_pid_files(systemd_tmpfiles_t)
-+files_relabel_all_spool_dirs(systemd_tmpfiles_t)
-+files_manage_all_pids(systemd_tmpfiles_t)
-+files_manage_all_pid_dirs(systemd_tmpfiles_t)
-+files_manage_all_locks(systemd_tmpfiles_t)
-+files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
-+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_all_non_security_dirs(systemd_tmpfiles_t)
-+files_delete_all_non_security_files(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_purge_tmp(systemd_tmpfiles_t)
-+files_manage_generic_tmp_files(systemd_tmpfiles_t)
-+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t)
-+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
-+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
-+files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_manage_non_auth_files(systemd_tmpfiles_t)
++files_relabel_non_auth_files(systemd_tmpfiles_t)
+files_list_lost_found(systemd_tmpfiles_t)
+
+mls_file_read_all_levels(systemd_tmpfiles_t)
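Review bot: Replacing the 26 targeted `files_*` grants with `files_manage_non_auth_files(systemd_tmpfiles_t)` and `files_relabel_non_auth_files(systemd_tmpfiles_t)` widens systemd_tmpfiles_t from tmp, pid, lock and spool objects to every non-authentication file type on the system, which is a large privilege expansion for a service whose actions are driven by tmpfiles.d entries. If that breadth is deliberate, a comment recording why keeps it from being silently trimmed or widened further, e.g. `# tmpfiles.d entries may create, remove and relabel paths anywhere outside auth data, hence the broad non_auth grants`. It is also worth confirming that the two new interfaces cover the socket, pipe and symlink classes the dropped `files_delete_all_pid_sockets`, `files_delete_all_pid_pipes` and `files_read_generic_tmp_symlinks` lines granted; I cannot verify that from the hunk alone.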
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index bb62aba..a40e705 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -531,7 +531,7 @@ index 058d908..70eb89d 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..189ab37 100644
+index eb50f07..5508cee 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -808,15 +808,19 @@ index eb50f07..189ab37 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -233,6 +267,7 @@ optional_policy(`
- corecmd_exec_all_executables(abrt_t)
+@@ -234,6 +268,11 @@ optional_policy(`
')
-+# to install debuginfo packages
optional_policy(`
++ puppet_read_lib(abrt_t)
++')
++
++# to install debuginfo packages
++optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -243,6 +278,7 @@ optional_policy(`
+ rpm_manage_cache(abrt_t)
+@@ -243,6 +282,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -824,7 +828,7 @@ index eb50f07..189ab37 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +289,17 @@ optional_policy(`
+@@ -253,9 +293,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -843,7 +847,7 @@ index eb50f07..189ab37 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +310,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +314,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -858,7 +862,7 @@ index eb50f07..189ab37 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +329,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +333,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -866,7 +870,7 @@ index eb50f07..189ab37 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +338,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +342,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -887,7 +891,7 @@ index eb50f07..189ab37 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +359,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +363,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -914,7 +918,7 @@ index eb50f07..189ab37 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +395,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +399,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -928,7 +932,7 @@ index eb50f07..189ab37 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +413,11 @@ optional_policy(`
+@@ -343,10 +417,11 @@ optional_policy(`
#######################################
#
@@ -942,7 +946,7 @@ index eb50f07..189ab37 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +436,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +440,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -994,7 +998,7 @@ index eb50f07..189ab37 100644
#######################################
#
-@@ -404,7 +485,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,7 +489,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1003,7 +1007,7 @@ index eb50f07..189ab37 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -413,16 +494,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +498,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1047,7 +1051,7 @@ index eb50f07..189ab37 100644
')
#######################################
-@@ -430,10 +537,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +541,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -8335,10 +8339,30 @@ index dcd774e..c240ffa 100644
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
-index f16b000..ed47057 100644
+index f16b000..6cf82b3 100644
--- a/bacula.te
+++ b/bacula.te
-@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t;
+ # Local policy
+ #
+
+-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
++allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
+ allow bacula_t self:process signal;
+ allow bacula_t self:fifo_file rw_fifo_file_perms;
+ allow bacula_t self:tcp_socket { accept listen };
+@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t)
+ corenet_sendrecv_generic_server_packets(bacula_t)
+ corenet_udp_bind_generic_port(bacula_t)
+
++
++#TODO: check port labels for hplip a bacula
++corenet_tcp_bind_bacula_port(bacula_t)
++
+ corenet_sendrecv_hplip_server_packets(bacula_t)
+ corenet_tcp_bind_hplip_port(bacula_t)
+ corenet_udp_bind_hplip_port(bacula_t)
+@@ -148,9 +152,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
domain_use_interactive_fds(bacula_admin_t)
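Review bot: The added `setgid setuid` capabilities for bacula_t and the new `corenet_tcp_bind_bacula_port(bacula_t)` come without a justification, and the `#TODO: check port labels for hplip a bacula` comment is committed as-is. Capability additions are exactly the lines a later audit questions, so a short why-comment is worth adding, e.g. `# setuid/setgid: bacula switches to its service user after start` if that is the reason (I cannot confirm it from the hunk). The TODO also has a typo and reads oddly now that bacula has its own port type; either resolve it or reword it to `# TODO: bacula_t still binds hplip_port_t, presumably for ports that fall in hplip's 9100-9102 range`. bacula_t's surrounding policy continues outside this hunk.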
@@ -33517,7 +33541,7 @@ index 1a35420..2ea1241 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index ca020fa..775dd9f 100644
+index ca020fa..a25fc7f 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
@@ -33541,7 +33565,20 @@ index ca020fa..775dd9f 100644
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
-@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -55,20 +54,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
+ fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file })
+
+-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
+-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
+-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
++files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)
+
+ manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
+ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
can_exec(iscsid_t, iscsid_exec_t)
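Review bot: iscsid_t goes from list/read on iscsi_var_lib_t to full `manage_files_pattern`, `manage_lnk_files_pattern` and `manage_dirs_pattern` plus `files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir)`, i.e. create, write and delete of files, symlinks and directories under its state directory. That is plausible for a daemon that persists its records there, but the symlink manage is wider than most daemons need; if no lnk_file create/unlink denial was observed, the original `read_lnk_files_pattern` line could stay. A why-comment such as `# iscsid rewrites its node and discovery records under /var/lib/iscsi` (confirm against the denials that motivated this) would document the widening.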
@@ -33555,7 +33592,7 @@ index ca020fa..775dd9f 100644
corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_generic_if(iscsid_t)
corenet_tcp_sendrecv_generic_node(iscsid_t)
-@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
+@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
corenet_tcp_sendrecv_isns_port(iscsid_t)
@@ -40470,7 +40507,7 @@ index e6136fd..14e2c47 100644
ifdef(`distro_debian',`
optional_policy(`
diff --git a/mcelog.if b/mcelog.if
-index f89651e..ea89ab1 100644
+index f89651e..c73214d 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -19,6 +19,25 @@ interface(`mcelog_domtrans',`
@@ -40489,11 +40526,11 @@ index f89651e..ea89ab1 100644
+#
+interface(`mcelog_read_log',`
+ gen_require(`
-+ type mcelog_var_log_t;
++ type mcelog_log_t;
+ ')
+
+ logging_search_logs($1)
-+ read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t)
++ read_files_pattern($1, mcelog_log_t, mcelog_log_t)
+')
+
########################################
@@ -57777,10 +57814,10 @@ index 0000000..05648bd
+')
diff --git a/osad.te b/osad.te
new file mode 100644
-index 0000000..ac767bc
+index 0000000..a40fcc3
--- /dev/null
+++ b/osad.te
-@@ -0,0 +1,38 @@
+@@ -0,0 +1,45 @@
+policy_module(osad, 1.0.0)
+
+########################################
@@ -57819,6 +57856,13 @@ index 0000000..ac767bc
+
+dev_read_urand(osad_t)
+
++optional_policy(`
++ gnome_dontaudit_search_config(osad_t)
++')
++
++optional_policy(`
++ rhnsd_manage_config(osad_t)
++')
diff --git a/pacemaker.fc b/pacemaker.fc
index 2f0ad56..d4da0b8 100644
--- a/pacemaker.fc
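Review bot: `rhnsd_manage_config(osad_t)` grants osad_t create, write and delete on rhnsd_conf_t, which this same commit attaches to `/etc/sysconfig/rhn(/.*)?`; the rhsmcertd.te hunk further down gives rhsmcertd_t the identical grant. If either daemon only reads that configuration, a read-only interface is the least-privilege choice, and rhnsd.if as added in this commit offers no `rhnsd_read_config` to pick instead. Worth checking against the denials that prompted the change; if writes are genuinely needed, a comment on the optional_policy block such as `# osad updates the rhn client configuration` records why the wider grant is deliberate.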
@@ -58516,10 +58560,10 @@ index 8176e4a..2df1789 100644
diff --git a/pcp.fc b/pcp.fc
new file mode 100644
-index 0000000..ceecf91
+index 0000000..9b8cb6b
--- /dev/null
+++ b/pcp.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,28 @@
+/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0)
@@ -58527,7 +58571,13 @@ index 0000000..ceecf91
+/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0)
+
-+/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0)
++/usr/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
++/usr/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
++/usr/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0)
++/usr/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0)
++/usr/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0)
++
+
+/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0)
+/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0)
@@ -58544,10 +58594,10 @@ index 0000000..ceecf91
+/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0)
diff --git a/pcp.if b/pcp.if
new file mode 100644
-index 0000000..9ca6d26
+index 0000000..4f074cb
--- /dev/null
+++ b/pcp.if
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,100 @@
+## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation
+
+######################################
@@ -58628,12 +58678,32 @@ index 0000000..9ca6d26
+ files_search_pids($1)
+ admin_pattern($1, pcp_var_run_t)
+')
++
++########################################
++##
++## Allow the specified domain to execute pcp_pmie
++## in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`pcp_pmie_exec',`
++ gen_require(`
++ type pcp_pmie_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, pcp_pmie_exec_t)
++')
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..6493b00
+index 0000000..8ec3a48
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,150 @@
+@@ -0,0 +1,164 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -58743,7 +58813,7 @@ index 0000000..6493b00
+
+optional_policy(`
+ dbus_system_bus_client(pcp_pmcd_t)
-+
++
+ optional_policy(`
+ avahi_dbus_chat(pcp_pmcd_t)
+ ')
@@ -58784,6 +58854,20 @@ index 0000000..6493b00
+corecmd_exec_bin(pcp_pmmgr_t)
+
+auth_use_nsswitch(pcp_pmmgr_t)
++
++optional_policy(`
++ pcp_pmie_exec(pcp_pmmgr_t)
++')
++
++########################################
++#
++# pcp_pmie local policy
++#
++
++allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++
++allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
++
diff --git a/pcscd.if b/pcscd.if
index 43d50f9..7f77d32 100644
--- a/pcscd.if
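Review bot: `allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;` on its own is usually not enough to reach a daemon over a filesystem socket: if pmie connects through the `/var/run/pmcd.socket` path that pcp.fc labels pcp_var_run_t, it also needs write on that sock_file, which the idiom `stream_connect_pattern(pcp_pmie_t, pcp_var_run_t, pcp_var_run_t, pcp_pmcd_t)` grants in one line. If pmie instead connects over TCP or an abstract socket, the raw allow is fine and a comment saying so would help; note too that the pcp.fc entry for that socket uses the `--` file-type field, which matches regular files only, so the socket's actual label should be checked before relying on pcp_var_run_t. Separately, wrapping `pcp_pmie_exec(pcp_pmmgr_t)` in `optional_policy(...)` is unnecessary, since the interface is defined in this module's own pcp.if. The `pcp_pmie_t` type is not declared in this hunk; I assume it exists elsewhere in the module.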
@@ -63639,7 +63723,7 @@ index ded95ec..3cf7146 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 5cfb83e..ab42dca 100644
+index 5cfb83e..7a242df 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -63735,8 +63819,9 @@ index 5cfb83e..ab42dca 100644
########################################
#
-# Common postfix domain local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_domain self:capability { sys_nice sys_chroot };
-dontaudit postfix_domain self:capability sys_tty_config;
-allow postfix_domain self:process { signal_perms setpgid setsched };
@@ -63824,9 +63909,8 @@ index 5cfb83e..ab42dca 100644
-########################################
-#
-# Master local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -64121,7 +64205,7 @@ index 5cfb83e..ab42dca 100644
')
optional_policy(`
-@@ -442,6 +345,7 @@ optional_policy(`
+@@ -442,16 +345,25 @@ optional_policy(`
')
optional_policy(`
@@ -64129,7 +64213,14 @@ index 5cfb83e..ab42dca 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -452,6 +356,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ munin_search_lib(postfix_local_t)
++')
++
++optional_policy(`
+ nagios_search_spool(postfix_local_t)
')
optional_policy(`
@@ -64140,7 +64231,7 @@ index 5cfb83e..ab42dca 100644
procmail_domtrans(postfix_local_t)
')
-@@ -466,15 +374,17 @@ optional_policy(`
+@@ -466,15 +378,17 @@ optional_policy(`
########################################
#
@@ -64164,7 +64255,7 @@ index 5cfb83e..ab42dca 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -484,14 +394,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -484,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -64184,7 +64275,7 @@ index 5cfb83e..ab42dca 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -500,7 +411,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -500,7 +415,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -64192,7 +64283,7 @@ index 5cfb83e..ab42dca 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -508,21 +418,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -508,21 +422,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -64218,7 +64309,7 @@ index 5cfb83e..ab42dca 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -532,21 +443,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,21 +447,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -64244,7 +64335,7 @@ index 5cfb83e..ab42dca 100644
write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t)
-@@ -557,6 +468,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
+@@ -557,6 +472,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
corecmd_exec_bin(postfix_pipe_t)
optional_policy(`
@@ -64255,7 +64346,7 @@ index 5cfb83e..ab42dca 100644
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -584,19 +499,26 @@ optional_policy(`
+@@ -584,19 +503,26 @@ optional_policy(`
########################################
#
@@ -64287,7 +64378,7 @@ index 5cfb83e..ab42dca 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -611,10 +533,7 @@ optional_policy(`
+@@ -611,10 +537,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -64299,7 +64390,7 @@ index 5cfb83e..ab42dca 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -629,17 +548,24 @@ optional_policy(`
+@@ -629,17 +552,24 @@ optional_policy(`
#######################################
#
@@ -64327,7 +64418,7 @@ index 5cfb83e..ab42dca 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -655,69 +581,78 @@ optional_policy(`
+@@ -655,69 +585,78 @@ optional_policy(`
########################################
#
@@ -64424,7 +64515,7 @@ index 5cfb83e..ab42dca 100644
')
optional_policy(`
-@@ -730,29 +665,30 @@ optional_policy(`
+@@ -730,29 +669,30 @@ optional_policy(`
########################################
#
@@ -64463,7 +64554,7 @@ index 5cfb83e..ab42dca 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -764,6 +700,7 @@ optional_policy(`
+@@ -764,6 +704,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -64471,7 +64562,7 @@ index 5cfb83e..ab42dca 100644
')
optional_policy(`
-@@ -774,31 +711,100 @@ optional_policy(`
+@@ -774,31 +715,100 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -69526,7 +69617,7 @@ index 86ea53c..a2dcf7b 100644
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
-index eaf56b8..580f9ee 100644
+index eaf56b8..c32349e 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
@@ -69557,8 +69648,13 @@ index eaf56b8..580f9ee 100644
#
type $1_t;
-@@ -24,7 +26,7 @@ template(`qemu_domain_template',`
+@@ -22,9 +24,12 @@ template(`qemu_domain_template',`
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
++ type $1_tmpfs_t;
++ files_tmpfs_file($1_tmpfs_t)
++
##############################
#
- # Policy
@@ -69566,15 +69662,29 @@ index eaf56b8..580f9ee 100644
#
allow $1_t self:capability { dac_read_search dac_override };
-@@ -41,7 +43,6 @@ template(`qemu_domain_template',`
+@@ -39,9 +44,12 @@ template(`qemu_domain_template',`
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
++ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++ files_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })
++
kernel_read_system_state($1_t)
- corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
-@@ -70,11 +71,10 @@ template(`qemu_domain_template',`
+@@ -61,7 +69,6 @@ template(`qemu_domain_template',`
+
+ fs_list_inotifyfs($1_t)
+ fs_rw_anon_inodefs_files($1_t)
+- fs_rw_tmpfs_files($1_t)
+
+ storage_raw_write_removable_device($1_t)
+ storage_raw_read_removable_device($1_t)
+@@ -70,11 +77,10 @@ template(`qemu_domain_template',`
term_getattr_pty_fs($1_t)
term_use_generic_ptys($1_t)
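Review bot: The added `files_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })` uses a different interface name from the equivalent new rules elsewhere in this patch, which call `fs_tmpfs_filetrans` for syslogd_t and iscsid_t; tmpfs file transitions conventionally live in the filesystem module, so if `files_tmpfs_filetrans` is not defined the policy build stops on an undefined macro. Align it to `fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })`. Dropping `fs_rw_tmpfs_files($1_t)` in favour of the private `$1_tmpfs_t` type is a good least-privilege change and matches what the syslogd hunk does. The template continues outside this hunk.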
@@ -69587,7 +69697,7 @@ index eaf56b8..580f9ee 100644
userdom_attach_admin_tun_iface($1_t)
optional_policy(`
-@@ -98,38 +98,12 @@ template(`qemu_domain_template',`
+@@ -98,38 +104,12 @@ template(`qemu_domain_template',`
########################################
##
@@ -69628,7 +69738,7 @@ index eaf56b8..580f9ee 100644
##
#
interface(`qemu_domtrans',`
-@@ -137,18 +111,17 @@ interface(`qemu_domtrans',`
+@@ -137,18 +117,17 @@ interface(`qemu_domtrans',`
type qemu_t, qemu_exec_t;
')
@@ -69650,7 +69760,7 @@ index eaf56b8..580f9ee 100644
##
#
interface(`qemu_exec',`
-@@ -156,15 +129,12 @@ interface(`qemu_exec',`
+@@ -156,15 +135,12 @@ interface(`qemu_exec',`
type qemu_exec_t;
')
@@ -69667,7 +69777,7 @@ index eaf56b8..580f9ee 100644
##
##
##
-@@ -173,23 +143,25 @@ interface(`qemu_exec',`
+@@ -173,23 +149,25 @@ interface(`qemu_exec',`
##
##
##
@@ -69697,7 +69807,7 @@ index eaf56b8..580f9ee 100644
##
##
##
-@@ -202,15 +174,12 @@ interface(`qemu_read_state',`
+@@ -202,15 +180,12 @@ interface(`qemu_read_state',`
type qemu_t;
')
@@ -69715,7 +69825,7 @@ index eaf56b8..580f9ee 100644
##
##
##
-@@ -228,7 +197,7 @@ interface(`qemu_setsched',`
+@@ -228,7 +203,7 @@ interface(`qemu_setsched',`
########################################
##
@@ -69724,7 +69834,7 @@ index eaf56b8..580f9ee 100644
##
##
##
-@@ -246,7 +215,7 @@ interface(`qemu_signal',`
+@@ -246,7 +221,7 @@ interface(`qemu_signal',`
########################################
##
@@ -69733,7 +69843,7 @@ index eaf56b8..580f9ee 100644
##
##
##
-@@ -264,48 +233,68 @@ interface(`qemu_kill',`
+@@ -264,48 +239,68 @@ interface(`qemu_kill',`
########################################
##
@@ -69821,7 +69931,7 @@ index eaf56b8..580f9ee 100644
##
##
##
-@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',`
+@@ -313,58 +308,41 @@ interface(`qemu_manage_tmp_dirs',`
##
##
#
@@ -72488,7 +72598,7 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index c99753f..2eb5455 100644
+index c99753f..c5d944b 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -72603,7 +72713,15 @@ index c99753f..2eb5455 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -94,13 +128,30 @@ optional_policy(`
+@@ -90,17 +124,38 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(mdadm_t)
++')
++
++optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mdadm_t)
')
optional_policy(`
@@ -76661,10 +76779,10 @@ index 3f32e4b..f97ea42 100644
diff --git a/rhnsd.fc b/rhnsd.fc
new file mode 100644
-index 0000000..88fe240
+index 0000000..860a91d
--- /dev/null
+++ b/rhnsd.fc
-@@ -0,0 +1,7 @@
+@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/rhnsd.* -- gen_context(system_u:object_r:rhnsd_unit_file_t,s0)
@@ -76672,12 +76790,14 @@ index 0000000..88fe240
+/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0)
+
+/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
++
++/etc/sysconfig/rhn(/.*)? gen_context(system_u:object_r:rhnsd_conf_t,s0)
diff --git a/rhnsd.if b/rhnsd.if
new file mode 100644
-index 0000000..335573a
+index 0000000..8a5aaf0
--- /dev/null
+++ b/rhnsd.if
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,118 @@
+## policy for rhnsd
+
+########################################
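Review bot: The new `/etc/sysconfig/rhn(/.*)?` entry is appended after the `/var/run` line with an extra blank line, while the rest of the file groups entries by path prefix; move it up beside the `/etc/rc\.d/init\.d/rhnsd` entry. The entry has no file-type field, so it labels the directory and everything beneath it rhnsd_conf_t, which is what the manage interface added in rhnsd.if relies on; a trailing comment `# whole directory, all object classes` would make that deliberate choice visible.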
@@ -76741,6 +76861,26 @@ index 0000000..335573a
+ ps_process_pattern($1, rhnsd_t)
+')
+
++######################################
++##
++## Allow the specified domain to manage
++## rhnsd configuration files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rhnsd_manage_config',`
++ gen_require(`
++ type rhnsd_conf_t;
++ ')
++
++ files_search_etc($1)
++ manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)
++')
++
+########################################
+##
+## All of the rules required to administrate
@@ -76778,10 +76918,10 @@ index 0000000..335573a
+')
diff --git a/rhnsd.te b/rhnsd.te
new file mode 100644
-index 0000000..be2e57e
+index 0000000..898d82c
--- /dev/null
+++ b/rhnsd.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,47 @@
+policy_module(rhnsd, 1.0.0)
+
+########################################
@@ -76802,6 +76942,9 @@ index 0000000..be2e57e
+type rhnsd_unit_file_t;
+systemd_unit_file(rhnsd_unit_file_t)
+
++type rhnsd_conf_t;
++files_config_file(rhnsd_conf_t)
++
+########################################
+#
+# rhnsd local policy
@@ -76816,14 +76959,15 @@ index 0000000..be2e57e
+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
+
-+corecmd_exec_bin(rhnsd_t)
++manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)
+
++corecmd_exec_bin(rhnsd_t)
+
+logging_send_syslog_msg(rhnsd_t)
+
+optional_policy(`
-+ # execute rhn_check
-+ rpm_domtrans(rhnsd_t)
++ # execute rhn_check
++ rpm_domtrans(rhnsd_t)
+')
diff --git a/rhsmcertd.if b/rhsmcertd.if
index 6dbc905..4b17c93 100644
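Review bot: `manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)` gives the daemon create, write and delete on its own configuration; for a daemon that only consumes its config, `read_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t)` is the least-privilege form. If rhnsd does rewrite files under /etc/sysconfig/rhn, a one-line comment such as `# rhnsd updates the rhn client configuration` documents why the wider grant is intentional. The re-indented `# execute rhn_check` and `rpm_domtrans(rhnsd_t)` lines are a welcome whitespace fix.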
@@ -77085,7 +77229,7 @@ index 6dbc905..4b17c93 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..64b5dee 100644
+index d32e1a2..413f4b8 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -77106,7 +77250,7 @@ index d32e1a2..64b5dee 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,23 +51,40 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,23 +51,44 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
@@ -77148,6 +77292,10 @@ index d32e1a2..64b5dee 100644
+')
+
+optional_policy(`
++ rhnsd_manage_config(rhsmcertd_t)
++')
++
++optional_policy(`
rpm_read_db(rhsmcertd_t)
+ rpm_signull(rhsmcertd_t)
')
@@ -79546,7 +79694,7 @@ index ef3b225..d248cd3 100644
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rpm.te b/rpm.te
-index 6fc360e..13ae4ca 100644
+index 6fc360e..4e28c91 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -79836,7 +79984,7 @@ index 6fc360e..13ae4ca 100644
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +293,29 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
@@ -79851,6 +79999,8 @@ index 6fc360e..13ae4ca 100644
-corenet_tcp_sendrecv_http_port(rpm_script_t)
-
-corecmd_exec_all_executables(rpm_script_t)
++# needed by unbound-anchor
++corenet_udp_bind_all_unreserved_ports(rpm_script_t)
dev_list_sysfs(rpm_script_t)
+
@@ -79886,7 +80036,7 @@ index 6fc360e..13ae4ca 100644
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
-@@ -331,30 +329,51 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -79927,6 +80077,7 @@ index 6fc360e..13ae4ca 100644
+libs_ldconfig_exec_entry_type(rpm_script_t)
logging_send_syslog_msg(rpm_script_t)
++logging_send_audit_msgs(rpm_script_t)
-miscfiles_read_localization(rpm_script_t)
+miscfiles_filetrans_named_content(rpm_script_t)
@@ -79947,7 +80098,7 @@ index 6fc360e..13ae4ca 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,41 +382,67 @@ ifdef(`distro_redhat',`
+@@ -363,41 +385,67 @@ ifdef(`distro_redhat',`
')
')
@@ -80026,7 +80177,7 @@ index 6fc360e..13ae4ca 100644
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
-@@ -409,6 +454,6 @@ optional_policy(`
+@@ -409,6 +457,6 @@ optional_policy(`
')
optional_policy(`
@@ -81993,7 +82144,7 @@ index 50d07fb..bada62f 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441..71cbfc7 100644
+index 2b7c441..9cda11e 100644
--- a/samba.te
+++ b/samba.te
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
@@ -82423,7 +82574,7 @@ index 2b7c441..71cbfc7 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
-@@ -366,44 +368,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +368,53 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@@ -82471,8 +82622,7 @@ index 2b7c441..71cbfc7 100644
+ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
- fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
-+ fs_rw_inherited_tmpfs_files(smbd_t)
+- fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
')
-tunable_policy(`allow_smbd_anon_write',`
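Review bot: Dropping `fs_dontaudit_getattr_tmpfs_dirs(smbd_t)` from the `hide_broken_symptoms` block (the new `+-` line) means smbd_t's getattr attempts on tmpfs directories will be audited instead of silenced unless another rule covers them, and the `fs_rw_inherited_tmpfs_files(smbd_t)` grant the patch previously added is no longer applied either. Neither change is mentioned in the spec changelog at the end of this diff, which has no samba entry, so a reader cannot tell whether the denial is now handled elsewhere or is expected to surface. A changelog line such as `- Remove tmpfs dontaudit/rw rules for smbd_t` or a one-line comment at the removal site would make the intent explicit. The sandboxX.te hunk that deletes `fs_rw_tmpfs_files(sandbox_x_domain)` looks like the same tmpfs tightening and has the same gap.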
@@ -82490,7 +82640,7 @@ index 2b7c441..71cbfc7 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +430,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -82513,7 +82663,7 @@ index 2b7c441..71cbfc7 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +442,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -82521,7 +82671,7 @@ index 2b7c441..71cbfc7 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +450,6 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -82539,7 +82689,7 @@ index 2b7c441..71cbfc7 100644
optional_policy(`
ccs_read_config(smbd_t)
')
-@@ -466,6 +459,7 @@ optional_policy(`
+@@ -466,6 +457,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@@ -82547,7 +82697,7 @@ index 2b7c441..71cbfc7 100644
')
optional_policy(`
-@@ -479,6 +473,11 @@ optional_policy(`
+@@ -479,6 +471,11 @@ optional_policy(`
')
optional_policy(`
@@ -82559,7 +82709,7 @@ index 2b7c441..71cbfc7 100644
lpd_exec_lpr(smbd_t)
')
-@@ -488,6 +487,10 @@ optional_policy(`
+@@ -488,6 +485,10 @@ optional_policy(`
')
optional_policy(`
@@ -82570,7 +82720,7 @@ index 2b7c441..71cbfc7 100644
rpc_search_nfs_state_data(smbd_t)
')
-@@ -499,9 +502,33 @@ optional_policy(`
+@@ -499,9 +500,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -82605,7 +82755,7 @@ index 2b7c441..71cbfc7 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +537,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -82620,7 +82770,7 @@ index 2b7c441..71cbfc7 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +553,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -82644,7 +82794,7 @@ index 2b7c441..71cbfc7 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +570,42 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -82711,7 +82861,7 @@ index 2b7c441..71cbfc7 100644
')
optional_policy(`
-@@ -606,16 +620,22 @@ optional_policy(`
+@@ -606,16 +618,22 @@ optional_policy(`
########################################
#
@@ -82738,7 +82888,7 @@ index 2b7c441..71cbfc7 100644
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +645,11 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -82756,7 +82906,7 @@ index 2b7c441..71cbfc7 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -644,22 +659,23 @@ optional_policy(`
+@@ -644,22 +657,23 @@ optional_policy(`
########################################
#
@@ -82788,7 +82938,7 @@ index 2b7c441..71cbfc7 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +682,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -82824,7 +82974,7 @@ index 2b7c441..71cbfc7 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +709,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -82916,7 +83066,7 @@ index 2b7c441..71cbfc7 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +788,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -82940,7 +83090,7 @@ index 2b7c441..71cbfc7 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +802,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -82983,7 +83133,7 @@ index 2b7c441..71cbfc7 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +832,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -82997,7 +83147,7 @@ index 2b7c441..71cbfc7 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -840,17 +857,20 @@ optional_policy(`
+@@ -840,17 +855,20 @@ optional_policy(`
# Winbind local policy
#
@@ -83023,7 +83173,7 @@ index 2b7c441..71cbfc7 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +878,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -83034,7 +83184,7 @@ index 2b7c441..71cbfc7 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +889,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -83064,7 +83214,7 @@ index 2b7c441..71cbfc7 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +912,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -83085,7 +83235,7 @@ index 2b7c441..71cbfc7 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +930,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -83096,7 +83246,7 @@ index 2b7c441..71cbfc7 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +938,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -83138,7 +83288,7 @@ index 2b7c441..71cbfc7 100644
')
optional_policy(`
-@@ -959,31 +988,29 @@ optional_policy(`
+@@ -959,31 +986,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -83176,7 +83326,7 @@ index 2b7c441..71cbfc7 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -997,25 +1024,38 @@ optional_policy(`
+@@ -997,25 +1022,38 @@ optional_policy(`
########################################
#
@@ -83839,10 +83989,10 @@ index 0000000..e30b346
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..0161658
+index 0000000..01ff0ea
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,498 @@
+@@ -0,0 +1,496 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -84021,8 +84171,6 @@ index 0000000..0161658
+fs_getattr_xattr_fs(sandbox_x_domain)
+fs_list_inotifyfs(sandbox_x_domain)
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
-+# Random tmpfs_t that gets created when you run X.
-+fs_rw_tmpfs_files(sandbox_x_domain)
+fs_get_xattr_fs_quotas(sandbox_x_domain)
+
+auth_dontaudit_read_login_records(sandbox_x_domain)
@@ -87968,12 +88116,14 @@ index cbfe369..6594af3 100644
files_search_var_lib($1)
diff --git a/snapper.fc b/snapper.fc
new file mode 100644
-index 0000000..48c0623
+index 0000000..1cb1360
--- /dev/null
+++ b/snapper.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0)
+
++/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0)
++
+/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
@@ -88025,10 +88175,10 @@ index 0000000..94105ee
+')
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 0000000..3df20a6
+index 0000000..838f907
--- /dev/null
+++ b/snapper.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,66 @@
+policy_module(snapper, 1.0.0)
+
+########################################
@@ -88043,6 +88193,9 @@ index 0000000..3df20a6
+type snapperd_log_t;
+logging_log_file(snapperd_log_t)
+
++type snappperd_conf_t;
++files_config_file(snappperd_conf_t)
++
+type snapperd_data_t;
+files_type(snapperd_data_t)
+
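Review bot: The type declared on the two `++type`/`++files_config_file` lines is spelled `snappperd_conf_t` (three p's), while the manage rules added in the next hunk (`manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)` and its dir/lnk siblings) and the new snapper.fc entry for `/etc/snapper(/.*)?` all reference `snapperd_conf_t`. As written the module declares a type nothing uses and uses a type nothing declares, so the policy will not build and the file context would point at an unknown type. Change the two lines to `type snapperd_conf_t;` and `files_config_file(snapperd_conf_t)`.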
@@ -88057,6 +88210,10 @@ index 0000000..3df20a6
+manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t)
+logging_log_filetrans(snapperd_t, snapperd_log_t, file)
+
++manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_dirs_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t)
++
+manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
+manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t)
@@ -88085,6 +88242,9 @@ index 0000000..3df20a6
+ mount_domtrans(snapperd_t)
+')
+
++optional_policy(`
++ lvm_domtrans(snapperd_t)
++')
diff --git a/snmp.fc b/snmp.fc
index 2f0a2f2..1569e33 100644
--- a/snmp.fc
@@ -89172,7 +89332,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..6e9cde8 100644
+index cc58e35..b9e1c32 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -89700,7 +89860,7 @@ index cc58e35..6e9cde8 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +435,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +435,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -89710,6 +89870,7 @@ index cc58e35..6e9cde8 100644
corenet_tcp_bind_spamd_port(spamd_t)
-
-corenet_sendrecv_razor_client_packets(spamd_t)
++corenet_tcp_connect_spamd_port(spamd_t)
corenet_tcp_connect_razor_port(spamd_t)
-
-corenet_sendrecv_smtp_client_packets(spamd_t)
@@ -89803,7 +89964,7 @@ index cc58e35..6e9cde8 100644
')
optional_policy(`
-@@ -421,21 +505,13 @@ optional_policy(`
+@@ -421,21 +506,13 @@ optional_policy(`
')
optional_policy(`
@@ -89827,7 +89988,7 @@ index cc58e35..6e9cde8 100644
')
optional_policy(`
-@@ -443,8 +519,8 @@ optional_policy(`
+@@ -443,8 +520,8 @@ optional_policy(`
')
optional_policy(`
@@ -89837,7 +89998,7 @@ index cc58e35..6e9cde8 100644
')
optional_policy(`
-@@ -455,7 +531,12 @@ optional_policy(`
+@@ -455,7 +532,12 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -89851,7 +90012,7 @@ index cc58e35..6e9cde8 100644
')
optional_policy(`
-@@ -463,9 +544,9 @@ optional_policy(`
+@@ -463,9 +545,9 @@ optional_policy(`
')
optional_policy(`
@@ -89862,7 +90023,7 @@ index cc58e35..6e9cde8 100644
')
optional_policy(`
-@@ -474,32 +555,32 @@ optional_policy(`
+@@ -474,32 +556,32 @@ optional_policy(`
########################################
#
@@ -89905,7 +90066,7 @@ index cc58e35..6e9cde8 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +589,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +590,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -98690,7 +98851,7 @@ index facdee8..fddb027 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..215ace6 100644
+index f03dcf5..81e9d56 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,197 @@
@@ -99663,7 +99824,13 @@ index f03dcf5..215ace6 100644
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+kernel_read_net_sysctls(virt_domain)
-+
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
@@ -99674,19 +99841,14 @@ index f03dcf5..215ace6 100644
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -99718,13 +99880,12 @@ index f03dcf5..215ace6 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
-+dontaudit virt_domain virt_tmpfs_type:file { read write };
-
-allow virsh_t svirt_lxc_domain:process transition;
-+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++dontaudit virt_domain virt_tmpfs_type:file { read write };
-can_exec(virsh_t, virsh_exec_t)
++append_files_pattern(virt_domain, virt_log_t, virt_log_t)
++
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -99806,7 +99967,7 @@ index f03dcf5..215ace6 100644
+ sssd_dontaudit_read_lib(virt_domain)
+ sssd_dontaudit_read_public_files(virt_domain)
+')
-
++
+optional_policy(`
+ virt_read_config(virt_domain)
+ virt_read_lib_files(virt_domain)
@@ -99824,7 +99985,7 @@ index f03dcf5..215ace6 100644
+ term_use_unallocated_ttys(virt_domain)
+ dev_rw_printer(virt_domain)
+')
-+
+
+tunable_policy(`virt_use_fusefs',`
+ fs_manage_fusefs_dirs(virt_domain)
+ fs_manage_fusefs_files(virt_domain)
@@ -99969,10 +100130,10 @@ index f03dcf5..215ace6 100644
-logging_send_syslog_msg(virsh_t)
+systemd_exec_systemctl(virsh_t)
++
++auth_read_passwd(virsh_t)
-miscfiles_read_localization(virsh_t)
-+auth_read_passwd(virsh_t)
-+
+logging_send_syslog_msg(virsh_t)
sysnet_dns_name_resolve(virsh_t)
@@ -100165,7 +100326,8 @@ index f03dcf5..215ace6 100644
+optional_policy(`
+ docker_exec_lib(virtd_lxc_t)
+')
-+
+
+-sysnet_domtrans_ifconfig(virtd_lxc_t)
+optional_policy(`
+ gnome_read_generic_cache_files(virtd_lxc_t)
+')
@@ -100173,8 +100335,7 @@ index f03dcf5..215ace6 100644
+optional_policy(`
+ setrans_manage_pid_files(virtd_lxc_t)
+')
-
--sysnet_domtrans_ifconfig(virtd_lxc_t)
++
+optional_policy(`
+ unconfined_domain(virtd_lxc_t)
+')
@@ -100272,6 +100433,12 @@ index f03dcf5..215ace6 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
++
++optional_policy(`
++ docker_read_share_files(svirt_sandbox_domain)
++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
++ docker_use_ptys(svirt_sandbox_domain)
++')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -100356,27 +100523,21 @@ index f03dcf5..215ace6 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ docker_read_share_files(svirt_sandbox_domain)
-+ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
-+ docker_use_ptys(svirt_sandbox_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
')
@@ -100404,10 +100565,6 @@ index f03dcf5..215ace6 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
+allow svirt_lxc_net_t self:process { execstack execmem };
-+
-+tunable_policy(`virt_sandbox_use_sys_admin',`
-+ allow svirt_lxc_net_t self:capability sys_admin;
-+')
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
@@ -100419,6 +100576,13 @@ index f03dcf5..215ace6 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
++tunable_policy(`virt_sandbox_use_sys_admin',`
++ allow svirt_lxc_net_t self:capability sys_admin;
++')
+
+-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
+-corenet_udp_bind_all_ports(svirt_lxc_net_t)
+-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
@@ -100427,14 +100591,11 @@ index f03dcf5..215ace6 100644
+ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t)
+')
--corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
--corenet_udp_bind_all_ports(svirt_lxc_net_t)
--corenet_tcp_bind_all_ports(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++
+kernel_read_irq_sysctls(svirt_lxc_net_t)
+dev_read_sysfs(svirt_lxc_net_t)
@@ -100503,15 +100664,15 @@ index f03dcf5..215ace6 100644
+dev_rw_kvm(svirt_qemu_net_t)
+
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
+
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
@@ -100576,7 +100737,7 @@ index f03dcf5..215ace6 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1430,198 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1430,206 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -100589,7 +100750,7 @@ index f03dcf5..215ace6 100644
+# virt_qemu_ga local policy
+#
+
-+allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
++allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config };
+
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
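Review bot: The capability set for virt_qemu_ga_t now includes `sys_time` with no comment, and the later hunks in this file add `clock_read_adjtime`, `dev_rw_realtime_clock` and a `clock_domtrans` optional block for the same domain, so the guest agent is given three separate routes to change the guest clock. The changelog ties these to virt-ga setting time and to a transition to hwclock_t; a single comment above the allow line, e.g. `# sys_time, RTC access and hwclock transition: guest clock is set from the host via qemu-ga`, would document the whole set once and make the capability grant reviewable on its own. The virt_qemu_ga_t block runs past the end of this hunk.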
@@ -100617,7 +100778,10 @@ index f03dcf5..215ace6 100644
+corecmd_exec_shell(virt_qemu_ga_t)
+corecmd_exec_bin(virt_qemu_ga_t)
+
++clock_read_adjtime(virt_qemu_ga_t)
++
+dev_rw_sysfs(virt_qemu_ga_t)
++dev_rw_realtime_clock(virt_qemu_ga_t)
+
+files_list_all_mountpoints(virt_qemu_ga_t)
+files_write_all_mountpoints(virt_qemu_ga_t)
@@ -100630,6 +100794,7 @@ index f03dcf5..215ace6 100644
+term_use_unallocated_ttys(virt_qemu_ga_t)
+
+logging_send_syslog_msg(virt_qemu_ga_t)
++logging_send_audit_msgs(virt_qemu_ga_t)
+
+sysnet_dns_name_resolve(virt_qemu_ga_t)
+
@@ -100643,6 +100808,10 @@ index f03dcf5..215ace6 100644
+')
+
+optional_policy(`
++ clock_domtrans(virt_qemu_ga_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(virt_qemu_ga_t)
+')
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 612727d..a1af035 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 22%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -578,6 +578,40 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Feb 11 2014 Miroslav Grepl 3.13.1-23
+- Addopt corenet rules for unbound-anchor to rpm_script_t
+- Allow runuser to send send audit messages.
+- Allow postfix-local to search .forward in munin lib dirs
+- Allow udisks to connect to D-Bus
+- Allow spamd to connect to spamd port
+- Fix syntax error in snapper.te
+- Dontaudit osad to search gconf home files
+- Allow rhsmcertd to manage /etc/sysconf/rhn director
+- Fix pcp labeling to accept /usr/bin for all daemon binaries
+- Fix mcelog_read_log() interface
+- Allow iscsid to manage iscsi lib files
+- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it.
+- Make tuned_t as unconfined domain for RHEL7.0
+- Allow ABRT to read puppet certs
+- Add sys_time capability for virt-ga
+- Allow gemu-ga to domtrans to hwclock_t
+- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages
+- Fix some AVCs in pcp policy
+- Add to bacula capability setgid and setuid and allow to bind to bacula ports
+- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t
+- Add access rhnsd and osad to /etc/sysconfig/rhn
+- drbdadm executes drbdmeta
+- Fixes needed for docker
+- Allow epmd to manage /var/log/rabbitmq/startup_err file
+- Allow beam.smp connect to amqp port
+- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true
+- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t
+- Allow systemd_tmpfiles_t to manage all non security files on the system
+- Added labels for bacula ports
+- Fix label on /dev/vfio/vfio
+- Add kernel_mounton_messages() interface
+- init wants to manage lock files for iscsi
+
* Wed Feb 5 2014 Miroslav Grepl 3.13.1-22
- Fix /dev/vfio/vfio labeling