diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index ad31282..deac5d9 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -12666,7 +12666,7 @@ index cda5588..924f856 100644 +/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) +/var/run/[^/]*/gvfs/.* <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..2216778 100644 +index 8416beb..f71d93e 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -13494,10 +13494,19 @@ index 8416beb..2216778 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,6 +3821,24 @@ interface(`fs_getattr_nfsd_files',` - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) - ') - +@@ -3255,17 +3813,53 @@ interface(`fs_list_nfsd_fs',` + ## + ## + # +-interface(`fs_getattr_nfsd_files',` ++interface(`fs_getattr_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') ++ ++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++') ++ +####################################### +## +## read files on an nfsd filesystem @@ -13516,14 +13525,9 @@ index 8416beb..2216778 100644 + read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + - ######################################## - ## - ## Read and write NFS server files. -@@ -3283,6 +3859,24 @@ interface(`fs_rw_nfsd_fs',` - - ######################################## - ## -+## Manage NFS server files. ++######################################## ++## ++## Read and write NFS server files. +## +## +## 
@@ -13531,19 +13535,37 @@ index 8416beb..2216778 100644 +## +## +# ++interface(`fs_rw_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + +- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + + ######################################## + ## +-## Read and write NFS server files. ++## Manage NFS server files. + ## + ## + ## +@@ -3273,12 +3867,12 @@ interface(`fs_getattr_nfsd_files',` + ## + ## + # +-interface(`fs_rw_nfsd_fs',` +interface(`fs_manage_nfsd_fs',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') -+ + gen_require(` + type nfsd_fs_t; + ') + +- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) -+') -+ -+######################################## -+## - ## Allow the type to associate to ramfs filesystems. - ## - ## + ') + + ######################################## @@ -3392,7 +3986,7 @@ interface(`fs_search_ramfs',` ######################################## @@ -13963,7 +13985,33 @@ index 8416beb..2216778 100644 ## Get the quotas of all filesystems. ## ## -@@ -4912,3 +5711,43 @@ interface(`fs_unconfined',` +@@ -4671,6 +5470,25 @@ interface(`fs_getattr_all_dirs',` + + ######################################## + ## ++## Dontaudit Get the attributes of all directories ++## with a filesystem type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_dontaudit_getattr_all_dirs',` ++ gen_require(` ++ attribute filesystem_type; ++ ') ++ ++ dontaudit $1 filesystem_type:dir getattr; ++') ++ ++######################################## ++## + ## Search all directories with a filesystem type. + ## + ## +@@ -4912,3 +5730,43 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -16952,13 +17000,22 @@ index 0000000..0ce0470 +## Policy for allowing confined domains to use unlabeled_t packets diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te new file mode 100644 -index 0000000..64b5db7 +index 0000000..48caabc 
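Review bot: The header added for `fs_dontaudit_getattr_all_dirs` documents its parameter as "Domain allowed access.", but the body is a `dontaudit` rule, which grants nothing and only suppresses the audit record for a denied `getattr`. I would reword the summary to `Do not audit attempts to get the attributes of all directories with a filesystem type.` and the parameter text to `Domain to not audit.`, in line with the "Do not audit attempts to write the X server log files." wording that `xserver_dontaudit_write_log` carries elsewhere in this patch. Because the rule covers every type in the `filesystem_type` attribute, callers lose audit visibility for those denials, and the documentation should say so plainly.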
--- /dev/null +++ b/policy/modules/kernel/unlabelednet.te -@@ -0,0 +1,3 @@ +@@ -0,0 +1,12 @@ +policy_module(unlabelednet, 1.0.0) + +corenet_enable_unlabeled_packets() ++ ++gen_require(` ++ type unlabeled_t; ++ attribute domain; ++') ++ ++# temporary hack until labeling on packets is supported ++allow domain unlabeled_t:packet { send recv }; ++ diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te index 834a065..1105353 100644 --- a/policy/modules/roles/auditadm.te @@ -19750,10 +19807,10 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..7d17a7e 100644 +index 76d9f66..f2672ea 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,16 +1,38 @@ +@@ -1,16 +1,39 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) @@ -19781,12 +19838,13 @@ index 76d9f66..7d17a7e 100644 /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) +/usr/lib/systemd/system/sshd.* -- gen_context(system_u:object_r:sshd_unit_file_t,s0) ++/usr/lib/systemd/system/sshd-keygen.* -- gen_context(system_u:object_r:sshd_keygen_unit_file_t,s0) +/usr/libexec/nm-ssh-service -- gen_context(system_u:object_r:ssh_exec_t,s0) /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) -+/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) ++/usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) +/usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) @@ -20494,10 +20552,10 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') 
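Review bot: The new `allow domain unlabeled_t:packet { send recv };` in unlabelednet.te applies to every type carrying the `domain` attribute, so while this module is loaded no confined domain can be excluded from sending or receiving unlabeled packets. The comment calls it a temporary hack but names no condition for removing it; I would extend it to `# temporary hack until labeling on packets is supported; remove once <tracking-bug placeholder> is resolved`. It is also worth confirming whether `corenet_enable_unlabeled_packets()` on the line above already grants this (its definition is not in the hunk), in which case the raw rule and its `gen_require` block are redundant.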
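Review bot: The added `/usr/lib/systemd/system/sshd-keygen.*` entry in ssh.fc overlaps the existing `/usr/lib/systemd/system/sshd.*` entry directly above it, since the older pattern also matches the sshd-keygen unit files. Which label wins depends on how the file-context entries are ordered when the policy is built, which is not visible here, so it is worth checking with `matchpathcon` on an installed system that the unit resolves to `sshd_keygen_unit_file_t`. The same hunk moves `/usr/sbin/sshd-keygen` from `ssh_keygen_exec_t` to `sshd_keygen_exec_t`, so already-installed systems presumably need that file relabelled before the new `sshd_keygen_t` transition takes effect.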
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..f4d7e57 100644 +index 5fc0391..f06e006 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) +@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3) # ## @@ -20540,6 +20598,13 @@ index 5fc0391..f4d7e57 100644 type ssh_keygen_exec_t; init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) -role system_r types ssh_keygen_t; ++ ++type sshd_keygen_t; ++type sshd_keygen_exec_t; ++init_daemon_domain(sshd_keygen_t, sshd_keygen_exec_t) ++ ++type sshd_keygen_unit_file_t; ++systemd_unit_file(sshd_keygen_unit_file_t) type sshd_exec_t; corecmd_executable_file(sshd_exec_t) @@ -20567,7 +20632,7 @@ index 5fc0391..f4d7e57 100644 type ssh_t; type ssh_exec_t; -@@ -73,6 +84,11 @@ type ssh_home_t; +@@ -73,6 +91,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -20579,7 +20644,7 @@ index 5fc0391..f4d7e57 100644 ############################## # -@@ -83,6 +99,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +106,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; 
@@ -20587,7 +20652,7 @@ index 5fc0391..f4d7e57 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -90,15 +107,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +114,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -20604,7 +20669,7 @@ index 5fc0391..f4d7e57 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +120,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +127,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -20652,7 +20717,7 @@ index 5fc0391..f4d7e57 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -154,40 +176,46 @@ files_read_var_files(ssh_t) +@@ -154,40 +183,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -20718,7 +20783,7 @@ index 5fc0391..f4d7e57 100644 ') optional_policy(` -@@ -195,6 +223,7 @@ optional_policy(` +@@ -195,6 +230,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20726,7 +20791,7 @@ index 5fc0391..f4d7e57 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +235,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +242,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) 
@@ -20734,7 +20799,7 @@ index 5fc0391..f4d7e57 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +253,54 @@ optional_policy(` +@@ -223,33 +260,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -20798,7 +20863,7 @@ index 5fc0391..f4d7e57 100644 ') optional_policy(` -@@ -257,11 +308,28 @@ optional_policy(` +@@ -257,11 +315,28 @@ optional_policy(` ') optional_policy(` @@ -20828,7 +20893,7 @@ index 5fc0391..f4d7e57 100644 ') optional_policy(` -@@ -269,6 +337,10 @@ optional_policy(` +@@ -269,6 +344,10 @@ optional_policy(` ') optional_policy(` @@ -20839,7 +20904,7 @@ index 5fc0391..f4d7e57 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +351,69 @@ optional_policy(` +@@ -279,13 +358,93 @@ optional_policy(` ') optional_policy(` @@ -20906,10 +20971,34 @@ index 5fc0391..f4d7e57 100644 + ') +') dnl endif TODO + ++######################################## ++# ++# sshd-keygen local policy ++# ++ ++allow sshd_keygen_t self:capability { chown fsetid }; ++allow sshd_keygen_t self:fifo_file rw_fifo_file_perms; ++allow sshd_keygen_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow sshd_keygen_t sshd_key_t:file manage_file_perms; ++ ++kernel_read_system_state(sshd_keygen_t) ++ ++corecmd_exec_bin(sshd_keygen_t) ++ ++auth_read_passwd(sshd_keygen_t) ++ ++files_rw_etc_dirs(sshd_keygen_t) ++ ++#run restorecon ++seutil_domtrans_setfiles(sshd_keygen_t) ++ ++ssh_domtrans_keygen(sshd_keygen_t) ++ ######################################## # # ssh_keygen local policy -@@ -294,19 +422,29 @@ optional_policy(` +@@ -294,19 +453,29 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t 
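Review bot: In the new sshd-keygen local policy, `files_rw_etc_dirs(sshd_keygen_t)` and `allow sshd_keygen_t sshd_key_t:file manage_file_perms;` appear without any type transition, so a key file that this domain itself creates under /etc would presumably inherit the directory's label rather than `sshd_key_t`. The `#run restorecon` comment suggests labels are repaired afterwards through `seutil_domtrans_setfiles`, which would leave a window in which host private keys carry a generic label. If the transition is already provided by `ssh_keygen_t` (reached via `ssh_domtrans_keygen`), say so in a comment, for example `# key files are created by ssh_keygen_t, which owns the sshd_key_t transition`; otherwise consider a `files_etc_filetrans`-style rule for this domain. `corecmd_exec_bin(sshd_keygen_t)` and `self:capability { chown fsetid }` would each benefit from a one-line why-comment as well.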
@@ -20940,7 +21029,7 @@ index 5fc0391..f4d7e57 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +461,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +492,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20953,7 +21042,7 @@ index 5fc0391..f4d7e57 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +475,138 @@ optional_policy(` +@@ -331,3 +506,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -21253,7 +21342,7 @@ index d1f64a0..9a5dab5 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..9b46e11 100644 +index 6bf0ecc..7c72b3f 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21919,10 +22008,17 @@ index 6bf0ecc..9b46e11 100644 ') ######################################## -@@ -869,6 +1057,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -864,7 +1052,26 @@ interface(`xserver_read_xdm_lib_files',` + type xdm_var_lib_t; + ') - ######################################## - ## +- allow $1 xdm_var_lib_t:file read_file_perms; ++ read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) ++ read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) ++') ++ ++######################################## ++## +## Read inherited XDM var lib files. +## +## @@ -21937,14 +22033,10 @@ index 6bf0ecc..9b46e11 100644 + ') + + allow $1 xdm_var_lib_t:file read_inherited_file_perms; -+') -+ -+######################################## -+## - ## Make an X session script an entrypoint for the specified domain. - ## - ## -@@ -938,10 +1144,29 @@ interface(`xserver_getattr_log',` + ') + + ######################################## +@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) 
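Review bot: Replacing `allow $1 xdm_var_lib_t:file read_file_perms;` with `read_files_pattern` plus `read_lnk_files_pattern` in `xserver_read_xdm_lib_files` widens the interface for every existing caller, not only for the `init_t` call this update adds in init.te. Callers now also receive directory search on `xdm_var_lib_t` and read access to symlinks of that type. The interface's summary lies outside the hunk; it should be updated to mention symlinks, and the existing callers are worth a quick audit to confirm none relied on the narrower file-only grant.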
@@ -21976,7 +22068,7 @@ index 6bf0ecc..9b46e11 100644 ## ## Do not audit attempts to write the X server ## log files. -@@ -957,7 +1182,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -21985,7 +22077,7 @@ index 6bf0ecc..9b46e11 100644 ') ######################################## -@@ -1004,6 +1229,64 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -22050,7 +22142,7 @@ index 6bf0ecc..9b46e11 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1300,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22059,7 +22151,7 @@ index 6bf0ecc..9b46e11 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1362,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -22102,7 +22194,7 @@ index 6bf0ecc..9b46e11 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1412,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22111,7 +22203,7 @@ index 6bf0ecc..9b46e11 100644 ') ######################################## -@@ -1111,8 +1430,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -22123,7 +22215,7 @@ index 6bf0ecc..9b46e11 100644 ') ######################################## -@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## 
@@ -22149,7 +22241,7 @@ index 6bf0ecc..9b46e11 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -22176,7 +22268,7 @@ index 6bf0ecc..9b46e11 100644 ') ######################################## -@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -22185,7 +22277,7 @@ index 6bf0ecc..9b46e11 100644 ## ## ## -@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -22214,7 +22306,7 @@ index 6bf0ecc..9b46e11 100644 ') ######################################## -@@ -1284,10 +1658,623 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1659,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -26153,7 +26245,7 @@ index e4376aa..2c98c56 100644 + allow $1 getty_unit_file_t:service start; +') diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te -index fc38c9c..61a1d24 100644 +index fc38c9c..1c9f909 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te @@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t) @@ -26195,11 +26287,15 @@ index fc38c9c..61a1d24 100644 # Support logging in from /dev/console term_use_console(getty_t) ',` -@@ -121,11 +126,11 @@ tunable_policy(`console_login',` +@@ -121,11 +126,15 @@ tunable_policy(`console_login',` ') optional_policy(` - mta_send_mail(getty_t) ++ hostname_exec(getty_t) ++') ++ ++optional_policy(` + lockdev_manage_files(getty_t) ') 
@@ -27719,7 +27815,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..97d6597 100644 +index dd3be8d..c4fe08b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27954,7 +28050,7 @@ index dd3be8d..97d6597 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +275,198 @@ ifdef(`distro_gentoo',` +@@ -186,29 +275,203 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27983,6 +28079,10 @@ index dd3be8d..97d6597 100644 +sysnet_read_dhcpc_state(init_t) + +optional_policy(` ++ chronyd_read_keys(init_t) ++') ++ ++optional_policy(` + kdump_read_crash(init_t) +') + @@ -28003,7 +28103,7 @@ index dd3be8d..97d6597 100644 + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) -+ mta_read_aliases(init_t) ++ mta_manage_aliases(init_t) +') + +allow init_t self:system all_system_perms; @@ -28103,6 +28203,7 @@ index dd3be8d..97d6597 100644 +seutil_read_file_contexts(init_t) + +systemd_exec_systemctl(init_t) ++systemd_manage_home_content(init_t) +systemd_manage_unit_dirs(init_t) +systemd_manage_random_seed(init_t) +systemd_manage_all_unit_files(init_t) @@ -28161,7 +28262,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -216,7 +474,29 @@ optional_policy(` +@@ -216,7 +479,30 @@ optional_policy(` ') optional_policy(` @@ -28183,6 +28284,7 @@ index dd3be8d..97d6597 100644 +optional_policy(` + xserver_relabel_xdm_tmp_dirs(init_t) + xserver_manage_xdm_tmp_dirs(init_t) ++ xserver_read_xdm_lib_files(init_t) +') + +optional_policy(` @@ -28191,7 +28293,7 @@ index dd3be8d..97d6597 100644 ') ######################################## -@@ -225,8 +505,9 @@ optional_policy(` +@@ -225,8 +511,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
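Review bot: The switch from `mta_read_aliases(init_t)` to `mta_manage_aliases(init_t)` moves the PID 1 domain from read-only access to what the interface name indicates is create, write and delete on the mail alias files, with no comment saying which unit needs it. The alias database influences where and how mail is delivered, so write access deserves a stated reason; I would add a line such as `# <unit placeholder> regenerates the aliases database at start-up` above the call, or keep the read-only interface if only the mail service's own domain writes it. The same update also adds `chronyd_read_keys(init_t)` and `systemd_manage_home_content(init_t)` without explanation, and both touch sensitive content (key material and per-user systemd directories). The enclosing block, presumably an `optional_policy`, begins outside this hunk.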
@@ -28203,7 +28305,7 @@ index dd3be8d..97d6597 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +538,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +544,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28220,7 +28322,7 @@ index dd3be8d..97d6597 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +563,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +569,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -28263,7 +28365,7 @@ index dd3be8d..97d6597 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +600,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +606,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28275,7 +28377,7 @@ index dd3be8d..97d6597 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +612,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +618,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28286,7 +28388,7 @@ index dd3be8d..97d6597 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +623,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +629,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -28296,7 +28398,7 @@ index dd3be8d..97d6597 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +632,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +638,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28304,7 +28406,7 @@ index dd3be8d..97d6597 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +639,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +645,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -28312,7 +28414,7 @@ index dd3be8d..97d6597 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +647,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +653,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28330,7 +28432,7 @@ index dd3be8d..97d6597 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +665,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +671,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28344,7 +28446,7 @@ index dd3be8d..97d6597 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +680,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +686,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -28358,7 +28460,7 @@ index dd3be8d..97d6597 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +693,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +699,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28366,7 +28468,7 @@ index dd3be8d..97d6597 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +705,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +711,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28374,7 +28476,7 @@ index dd3be8d..97d6597 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +724,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +730,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -28398,7 +28500,7 @@ index dd3be8d..97d6597 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +757,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +763,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28406,7 +28508,7 @@ index dd3be8d..97d6597 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +791,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +797,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28417,7 +28519,7 @@ index dd3be8d..97d6597 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +815,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +821,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -28426,7 +28528,7 @@ index dd3be8d..97d6597 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +830,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +836,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28434,7 +28536,7 @@ index dd3be8d..97d6597 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +851,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +857,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28442,7 +28544,7 @@ index dd3be8d..97d6597 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +861,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +867,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28487,7 +28589,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -558,14 +906,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +912,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -28519,7 +28621,7 @@ index dd3be8d..97d6597 100644 ') ') -@@ -576,6 +941,39 @@ ifdef(`distro_suse',` +@@ -576,6 +947,39 @@ ifdef(`distro_suse',` ') ') @@ -28559,7 +28661,7 @@ index dd3be8d..97d6597 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +986,8 @@ optional_policy(` +@@ -588,6 +992,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28568,7 +28670,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -609,6 +1009,7 @@ optional_policy(` +@@ -609,6 +1015,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28576,7 +28678,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -625,6 +1026,17 @@ optional_policy(` +@@ -625,6 +1032,17 @@ optional_policy(` ') optional_policy(` 
@@ -28594,7 +28696,7 @@ index dd3be8d..97d6597 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1053,13 @@ optional_policy(` +@@ -641,9 +1059,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28608,7 +28710,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -656,15 +1072,11 @@ optional_policy(` +@@ -656,15 +1078,11 @@ optional_policy(` ') optional_policy(` @@ -28626,7 +28728,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -685,6 +1097,15 @@ optional_policy(` +@@ -685,6 +1103,15 @@ optional_policy(` ') optional_policy(` @@ -28642,7 +28744,7 @@ index dd3be8d..97d6597 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1146,7 @@ optional_policy(` +@@ -725,6 +1152,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28650,7 +28752,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -742,7 +1164,13 @@ optional_policy(` +@@ -742,7 +1170,13 @@ optional_policy(` ') optional_policy(` @@ -28665,7 +28767,7 @@ index dd3be8d..97d6597 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1193,10 @@ optional_policy(` +@@ -765,6 +1199,10 @@ optional_policy(` ') optional_policy(` @@ -28676,7 +28778,7 @@ index dd3be8d..97d6597 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1206,20 @@ optional_policy(` +@@ -774,10 +1212,20 @@ optional_policy(` ') optional_policy(` @@ -28697,7 +28799,7 @@ index dd3be8d..97d6597 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1228,10 @@ optional_policy(` +@@ -786,6 +1234,10 @@ optional_policy(` ') optional_policy(` @@ -28708,7 +28810,7 @@ index dd3be8d..97d6597 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1253,6 @@ optional_policy(` +@@ -807,8 +1259,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -28717,7 +28819,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -817,6 +1261,10 @@ optional_policy(` +@@ -817,6 +1267,10 @@ optional_policy(` ') optional_policy(` @@ -28728,7 +28830,7 @@ index dd3be8d..97d6597 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1274,12 @@ optional_policy(` +@@ -826,10 +1280,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28741,7 +28843,7 @@ index dd3be8d..97d6597 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1306,28 @@ optional_policy(` +@@ -856,12 +1312,28 @@ optional_policy(` ') optional_policy(` @@ -28771,7 +28873,7 @@ index dd3be8d..97d6597 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1337,18 @@ optional_policy(` +@@ -871,6 +1343,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -28790,7 +28892,7 @@ index dd3be8d..97d6597 100644 ') optional_policy(` -@@ -886,6 +1364,10 @@ optional_policy(` +@@ -886,6 +1370,10 @@ optional_policy(` ') optional_policy(` @@ -28801,7 +28903,7 @@ index dd3be8d..97d6597 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1378,196 @@ optional_policy(` +@@ -896,3 +1384,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -35791,10 +35893,13 @@ index b7686d5..087fe08 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..431619e +index 0000000..e9f1096 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,44 @@ +@@ -0,0 +1,47 @@ ++HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) ++/root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) ++ +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) + 
@@ -35841,10 +35946,10 @@ index 0000000..431619e +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..8f58a33 +index 0000000..5e5f8f9 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1309 @@ +@@ -0,0 +1,1375 @@ +## SELinux policy for systemd components + +###################################### @@ -36855,6 +36960,7 @@ index 0000000..8f58a33 + type systemd_passwd_var_run_t; + type systemd_logind_var_run_t; + type hostname_etc_t; ++ type systemd_home_t; + ') + + files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin") 
@@ -36862,6 +36968,71 @@ index 0000000..8f58a33 + init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password") + files_etc_filetrans($1, hostname_etc_t, file, "hostname" ) + files_etc_filetrans($1, hostname_etc_t, file, "machine-info" ) ++ ++ #optional_policy (` ++ #gnome_data_filetrans($1, systemd_home_t, dir, "systemd") ++ #') ++') ++ ++######################################## ++## ++## read systemd homedir content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_read_home_content',` ++ gen_require(` ++ type systemd_home_t; ++ ') ++ ++ gnome_search_gconf_data_dir($1) ++ read_files_pattern($1, systemd_home_t, systemd_home_t) ++ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t) ++') ++ ++######################################## ++## ++## Manage systemd homedir content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_home_content',` ++ gen_require(` ++ type systemd_home_t; ++ ') ++ ++ gnome_search_gconf_data_dir($1) ++ manage_dirs_pattern($1, systemd_home_t, systemd_home_t) ++ manage_files_pattern($1, systemd_home_t, systemd_home_t) ++ manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t) ++ ++ systemd_filetrans_home_content($1) ++') ++ ++######################################## ++## ++## Transition to systemd named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_filetrans_home_content',` ++ gen_require(` ++ type systemd_home_t; ++ ') ++ ++ gnome_data_filetrans($1, systemd_home_t, dir, "systemd") +') + +######################################## @@ -37156,10 +37327,10 @@ index 0000000..8f58a33 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..4cc8263 +index 0000000..1d407bf --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,636 @@ +@@ -0,0 +1,642 @@ +policy_module(systemd, 1.0.0) + +####################################### 
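Review bot: The new interfaces `systemd_read_home_content`, `systemd_manage_home_content` and `systemd_filetrans_home_content` call `gnome_search_gconf_data_dir` and `gnome_data_filetrans` unconditionally, and init.te now calls `systemd_manage_home_content(init_t)` outside any `optional_policy`, so the init module appears to gain a hard dependency on the gnome module. The commented-out `#optional_policy (` block around `#gnome_data_filetrans($1, systemd_home_t, dir, "systemd")` left in the preceding interface suggests this was noticed; either guard the gnome calls with `optional_policy` at the call sites or delete the dead comment. Going by its name, `gnome_search_gconf_data_dir` searches a gconf directory, whereas systemd.fc labels `HOME_DIR/\.local/share/systemd`, so it is worth confirming that the interface really covers the parent of that path. The "Transition to systemd named content" summary should also state which directory name and parent type the transition applies to.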
@@ -37188,6 +37359,9 @@ index 0000000..4cc8263 +type systemd_logind_inhibit_var_run_t; +files_pid_file(systemd_logind_inhibit_var_run_t) + ++type systemd_home_t; ++userdom_user_home_content(systemd_home_t) ++ +type random_seed_t; +files_security_file(random_seed_t) +files_mountpoint(random_seed_t) @@ -37796,6 +37970,9 @@ index 0000000..4cc8263 +optional_policy(` + policykit_dbus_chat(systemd_domain) +') ++ ++read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) ++read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc @@ -39176,7 +39353,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..e5bae1c 100644 +index 3c5dba7..f15c4f0 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40409,7 +40586,7 @@ index 3c5dba7..e5bae1c 100644 ') optional_policy(` -@@ -951,18 +1255,35 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,15 +1255,36 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -40424,6 +40601,10 @@ index 3c5dba7..e5bae1c 100644 + + optional_policy(` + rtkit_scheduled($1_usertype) ++ ') ++ ++ optional_policy(` ++ systemd_filetrans_home_content($1_usertype) ') optional_policy(` @@ -40432,9 +40613,6 @@ index 3c5dba7..e5bae1c 100644 -') -####################################### --## --## The template for creating a unprivileged user roughly --## equivalent to a regular linux user. + optional_policy(` + udev_read_db($1_usertype) + ') 
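Review bot: The rules appended at the end of systemd.te, `read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)` and the matching read_lnk_files_pattern, give every domain in the systemd_domain attribute read access to a type the earlier hunk registers with userdom_user_home_content(systemd_home_t), which is presumably content a user can write. They carry no comment, and unlike systemd_read_home_content in systemd.if they do not include the directory traversal that interface grants through gnome_search_gconf_data_dir. If only some systemd domains read these files, I would scope the rule to those domains. Either way, a comment such as `# systemd domains read per-user content labeled systemd_home_t; treat it as user-controlled input` would make the trust boundary explicit. The rest of systemd.te lies outside the hunk.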
@@ -40445,13 +40623,10 @@ index 3c5dba7..e5bae1c 100644 +') + +####################################### -+## -+## The template for creating a unprivileged user roughly -+## equivalent to a regular linux user. - ## - ## - ##

-@@ -990,27 +1311,33 @@ template(`userdom_unpriv_user_template', ` + ##

+ ## The template for creating a unprivileged user roughly + ## equivalent to a regular linux user. +@@ -990,27 +1315,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -40489,7 +40664,7 @@ index 3c5dba7..e5bae1c 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1348,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1352,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -40560,7 +40735,7 @@ index 3c5dba7..e5bae1c 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1410,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1414,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -40571,7 +40746,7 @@ index 3c5dba7..e5bae1c 100644 ') ') -@@ -1082,7 +1448,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1452,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40580,7 +40755,7 @@ index 3c5dba7..e5bae1c 100644 ') ############################## -@@ -1109,6 +1475,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1479,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40588,7 +40763,7 @@ index 3c5dba7..e5bae1c 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1484,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1488,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -40598,7 +40773,7 @@ index 3c5dba7..e5bae1c 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1501,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40606,7 +40781,7 @@ index 3c5dba7..e5bae1c 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1519,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40621,7 +40796,7 @@ index 3c5dba7..e5bae1c 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1537,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -40664,7 +40839,7 @@ index 3c5dba7..e5bae1c 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1578,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40673,7 +40848,7 @@ index 3c5dba7..e5bae1c 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1587,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -40692,7 +40867,7 @@ index 3c5dba7..e5bae1c 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1643,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1647,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40701,7 +40876,7 @@ index 3c5dba7..e5bae1c 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1657,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1661,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40713,7 +40888,7 @@ index 3c5dba7..e5bae1c 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1671,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1675,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40756,7 +40931,7 @@ index 3c5dba7..e5bae1c 100644 ') optional_policy(` -@@ -1360,14 +1756,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1760,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40775,7 +40950,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -1408,6 +1807,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1811,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40827,7 +41002,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1956,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1960,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -40859,7 +41034,7 @@ index 3c5dba7..e5bae1c 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +2022,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2026,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40874,7 +41049,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -1573,9 +2045,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2049,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40886,7 +41061,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -1632,6 +2106,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2110,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40929,7 +41104,7 @@ index 3c5dba7..e5bae1c 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2221,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2225,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40938,7 +41113,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -1744,10 +2256,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2260,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40953,7 +41128,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -1772,7 +2286,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2290,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -40980,7 +41155,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -1782,53 +2314,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2318,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41063,7 +41238,7 @@ index 3c5dba7..e5bae1c 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2397,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2401,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -41089,7 +41264,7 @@ index 3c5dba7..e5bae1c 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2446,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2450,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -41127,7 +41302,7 @@ index 3c5dba7..e5bae1c 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2486,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2490,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -41145,7 +41320,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -1941,7 +2534,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2538,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -41154,7 +41329,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -1949,19 +2542,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1949,19 +2546,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # 
@@ -41178,7 +41353,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -1969,35 +2560,35 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,35 +2564,35 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -41222,7 +41397,7 @@ index 3c5dba7..e5bae1c 100644 ##
## ## -@@ -2005,45 +2596,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` +@@ -2005,45 +2600,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` ## ## # @@ -41329,7 +41504,7 @@ index 3c5dba7..e5bae1c 100644 ## Do not audit attempts to execute user home files. ##
## -@@ -2123,7 +2761,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2765,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -41338,7 +41513,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -2131,19 +2769,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2773,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41362,7 +41537,7 @@ index 3c5dba7..e5bae1c 100644 ##
## ## -@@ -2151,12 +2787,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2791,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41378,7 +41553,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -2393,11 +3029,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3033,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -41393,7 +41568,7 @@ index 3c5dba7..e5bae1c 100644 files_search_tmp($1) ') -@@ -2417,7 +3053,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3057,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41402,7 +41577,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -2664,6 +3300,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3304,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -41428,7 +41603,7 @@ index 3c5dba7..e5bae1c 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3335,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3339,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -41444,7 +41619,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -2707,7 +3363,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3367,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -41453,7 +41628,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -2715,14 +3371,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3375,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -41488,7 +41663,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -2817,6 +3489,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3493,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -41513,7 +41688,7 @@ index 3c5dba7..e5bae1c 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3525,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3529,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -41556,7 +41731,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -2859,14 +3561,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3565,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41594,7 +41769,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -2885,8 +3606,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3610,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41624,7 +41799,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -2958,69 +3698,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3702,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41725,7 +41900,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -3028,12 +3767,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3771,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41740,7 +41915,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -3097,7 +3836,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3840,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -41749,7 +41924,7 @@ index 3c5dba7..e5bae1c 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3852,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3856,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41783,7 +41958,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -3217,7 +3940,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3944,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41810,7 +41985,7 @@ index 3c5dba7..e5bae1c 100644 ') ######################################## -@@ -3272,12 +4013,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,12 +4017,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41826,7 +42001,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -3285,36 +4027,37 @@ interface(`userdom_write_user_tmp_files',` +@@ -3285,36 +4031,37 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -41874,7 +42049,7 @@ index 3c5dba7..e5bae1c 100644 ## ## ## -@@ -3322,17 +4065,73 @@ interface(`userdom_read_all_users_state',` +@@ -3322,25 +4069,81 @@ interface(`userdom_read_all_users_state',` ## ## # @@ -41892,13 +42067,15 @@ index 3c5dba7..e5bae1c 100644 ## -## Inherit the file descriptors from all user domains +## Do not audit attempts to use user ttys. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ##
+ ## + # +-interface(`userdom_use_all_users_fds',` +interface(`userdom_dontaudit_use_user_ttys',` + gen_require(` + type user_tty_device_t; @@ -41948,10 +42125,18 @@ index 3c5dba7..e5bae1c 100644 +######################################## +## +## Inherit the file descriptors from all user domains - ## - ## - ## -@@ -3385,6 +4184,42 @@ interface(`userdom_signal_all_users',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_all_users_fds',` + gen_require(` + attribute userdomain; + ') +@@ -3385,6 +4188,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41994,7 +42179,7 @@ index 3c5dba7..e5bae1c 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4240,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4244,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -42019,7 +42204,7 @@ index 3c5dba7..e5bae1c 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4291,1493 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4295,1493 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -43514,7 +43699,7 @@ index 3c5dba7..e5bae1c 100644 + dontaudit $1 user_home_type:dir_file_class_set audit_access; ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..bbf002c 100644 +index e2b538b..fe99b11 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -43762,9 +43947,9 @@ index e2b538b..bbf002c 100644 + #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin") +') + -+#optional_policy(` -+# alsa_home_filetrans_alsa_home(userdom_filetrans_type) -+#') ++optional_policy(` ++ alsa_filetrans_home_content(userdom_filetrans_type) ++') + +optional_policy(` + apache_filetrans_home_content(userdom_filetrans_type) 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f0d0997..76f9c57 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1868,7 +1868,7 @@ index 5de1e01..e5ab7ff 100644 + +/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0) diff --git a/alsa.if b/alsa.if -index 708b743..c2edd9a 100644 +index 708b743..cc78465 100644 --- a/alsa.if +++ b/alsa.if @@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',` @@ -1879,29 +1879,42 @@ index 708b743..c2edd9a 100644 ') ######################################## -@@ -235,7 +236,7 @@ interface(`alsa_home_filetrans_alsa_home',` - type alsa_home_t; - ') - -- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) -+ userdom_user_home_dir_filetrans($1, alsa_home_t, dir, $3) - ') +@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',` ######################################## -@@ -256,3 +257,69 @@ interface(`alsa_read_lib',` - files_search_var_lib($1) - read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) - ') + ## +-## Create objects in user home +-## directories with the generic alsa +-## home type. ++## Read Alsa lib files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`alsa_read_lib',` ++ gen_require(` ++ type alsa_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) ++') + +######################################## +## +## Transition to alsa named content +## +## -+## + ## +-## Class of the object being created. +## Domain allowed access. -+## -+## + ## + ## +-## +# +interface(`alsa_filetrans_home_content',` + gen_require(` 
@@ -1916,48 +1929,57 @@ index 708b743..c2edd9a 100644 +## Transition to alsa named content +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`alsa_home_filetrans_alsa_home',` +interface(`alsa_filetrans_named_content',` -+ gen_require(` -+ type alsa_home_t; + gen_require(` + type alsa_home_t; + type alsa_etc_rw_t; + type alsa_var_lib_t; -+ ') -+ + ') + +- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3) + files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state") + files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm") + files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound") + files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf") + files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm") + files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read Alsa lib files. +## Execute alsa server in the alsa domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## -+# + ## + ## + # +-interface(`alsa_read_lib',` +interface(`alsa_systemctl',` -+ gen_require(` + gen_require(` +- type alsa_var_lib_t; + type alsa_t; + type alsa_unit_file_t; -+ ') -+ + ') + +- files_search_var_lib($1) +- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) + systemd_exec_systemctl($1) + allow $1 alsa_unit_file_t:file read_file_perms; + allow $1 alsa_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, alsa_t) -+') + ') diff --git a/alsa.te b/alsa.te index cda6d20..443ce3c 100644 --- a/alsa.te @@ -12310,7 +12332,7 @@ index c223f81..3bcdf6a 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..486cdb9 100644 +index 2a71346..8c4ac39 100644 --- a/cobbler.te +++ b/cobbler.te 
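Review bot: The documentation of alsa_systemctl does not match its body: the summary reads `Execute alsa server in the alsa domain` and the parameter `Domain allowed to transition`, but the interface calls systemd_exec_systemctl($1), allows reading alsa_unit_file_t files, grants `manage_service_perms` on alsa_unit_file_t:service and adds ps_process_pattern($1, alsa_t). Because the caller ends up able to control the unit, the summary should say so, for example `Execute systemctl and manage the alsa service unit.` with the parameter described as `Domain allowed access.` Separately, alsa_filetrans_home_content (previous hunk) and alsa_filetrans_named_content share the summary `Transition to alsa named content`, so each should name the locations it covers. This change also drops the name alsa_home_filetrans_alsa_home, so any remaining callers outside this diff need checking.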
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) @@ -12363,7 +12385,7 @@ index 2a71346..486cdb9 100644 apache_search_sys_content(cobblerd_t) ') -@@ -188,17 +191,21 @@ optional_policy(` +@@ -188,17 +191,25 @@ optional_policy(` ') optional_policy(` @@ -12371,6 +12393,10 @@ index 2a71346..486cdb9 100644 +') + +optional_policy(` ++ mysql_stream_connect(cobblerd_t) ++') ++ ++optional_policy(` rpm_exec(cobblerd_t) ') @@ -17021,22 +17047,10 @@ index 949011e..afe482b 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 06da9a0..6d69a2f 100644 +index 06da9a0..c7834c8 100644 --- a/cups.if +++ b/cups.if -@@ -15,6 +15,11 @@ - ## Type of the program to be used as an entry point to this domain. - ##
- ## -+## -+## -+## Domain allowed access. -+## -+## - # - interface(`cups_backend',` - gen_require(` -@@ -200,10 +205,13 @@ interface(`cups_dbus_chat_config',` +@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` interface(`cups_read_config',` gen_require(` type cupsd_etc_t, cupsd_rw_etc_t; @@ -17051,7 +17065,7 @@ index 06da9a0..6d69a2f 100644 ') ######################################## -@@ -306,6 +314,29 @@ interface(`cups_stream_connect_ptal',` +@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',` ######################################## ## @@ -17081,7 +17095,7 @@ index 06da9a0..6d69a2f 100644 ## All of the rules required to ## administrate an cups environment. ## -@@ -324,18 +355,23 @@ interface(`cups_stream_connect_ptal',` +@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',` interface(`cups_admin',` gen_require(` type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; @@ -17110,7 +17124,7 @@ index 06da9a0..6d69a2f 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -348,13 +384,63 @@ interface(`cups_admin',` +@@ -348,13 +379,63 @@ interface(`cups_admin',` logging_list_logs($1) admin_pattern($1, cupsd_log_t) @@ -22060,7 +22074,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..9a6a36e 100644 +index a7bfaf0..934045c 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -22419,7 +22433,7 @@ index a7bfaf0..9a6a36e 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +314,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +314,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; 
@@ -22454,6 +22468,7 @@ index a7bfaf0..9a6a36e 100644 -') +fs_getattr_all_fs(dovecot_deliver_t) +fs_dontaudit_getattr_all_fs(dovecot_deliver_t) ++fs_dontaudit_getattr_all_dirs(dovecot_deliver_t) +fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t) + +userdom_manage_user_home_content_dirs(dovecot_deliver_t) @@ -22479,7 +22494,7 @@ index a7bfaf0..9a6a36e 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +358,6 @@ optional_policy(` +@@ -326,5 +359,6 @@ optional_policy(` ') optional_policy(` @@ -25951,7 +25966,7 @@ index e39de43..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..e814f72 100644 +index d03fd43..e137b73 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,157 @@ @@ -27035,7 +27050,7 @@ index d03fd43..e814f72 100644 ##
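Review bot: The added `fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)` suppresses audit records for getattr denials on directories of every filesystem_type, and nothing beside it says which access prompted the rule. Silenced denials are no longer available to an operator investigating what the delivery agent touched, so the reason should sit next to the rule, for example `# <which path dovecot-deliver stats, and the bug reference>`. The two context lines above it pair fs_getattr_all_fs with fs_dontaudit_getattr_all_fs on the same domain, which looks redundant and could be cleaned up at the same time. The surrounding dovecot_deliver_t policy extends outside the hunk.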
## ## -@@ -704,12 +798,851 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +798,872 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -27069,6 +27084,27 @@ index d03fd43..e814f72 100644 + +######################################## +## ++## Search gconf home data dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_search_gconf_data_dir',` ++ gen_require(` ++ type gconf_home_t; ++ type data_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ allow $1 gconf_home_t:dir list_dir_perms; ++ allow $1 data_home_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Read gconf home files +## +## @@ -29338,10 +29374,10 @@ index 0000000..f4659d1 +/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 -index 0000000..4bd5abf +index 0000000..3ce0ac0 --- /dev/null +++ b/gssproxy.if -@@ -0,0 +1,203 @@ +@@ -0,0 +1,198 @@ + +## policy for gssproxy + @@ -29513,11 +29549,6 @@ index 0000000..4bd5abf +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`gssproxy_admin',` @@ -29525,7 +29556,7 @@ index 0000000..4bd5abf + type gssproxy_t; + type gssproxy_var_lib_t; + type gssproxy_var_run_t; -+ type gssproxy_unit_file_t; ++ type gssproxy_unit_file_t; + ') + + allow $1 gssproxy_t:process { ptrace signal_perms }; @@ -29752,15 +29783,19 @@ index e207823..4e0f8ba 100644 diff --git a/hypervkvp.fc b/hypervkvp.fc new file mode 100644 -index 0000000..3f82945 +index 0000000..e2ae3b2 --- /dev/null 
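Review bot: gnome_search_gconf_data_dir is documented as `Search gconf home data dirs`, but it grants `allow $1 gconf_home_t:dir list_dir_perms;`, which lets the caller enumerate that directory rather than only traverse it. If traversal is all that callers such as systemd_read_home_content need, use `allow $1 gconf_home_t:dir search_dir_perms;` so it matches the data_home_t line below it. If listing is really required, the summary should say so. The two types in the gen_require could also share one `type gconf_home_t, data_home_t;` line, as other interfaces in this patch do.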
+++ b/hypervkvp.fc -@@ -0,0 +1,6 @@ +@@ -0,0 +1,10 @@ +/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) + ++/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0) ++ +/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) +/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) + ++/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) ++ +/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) diff --git a/hypervkvp.if b/hypervkvp.if new file mode 100644 @@ -29881,10 +29916,10 @@ index 0000000..17c3627 +') diff --git a/hypervkvp.te b/hypervkvp.te new file mode 100644 -index 0000000..63591db +index 0000000..d6703c3 --- /dev/null +++ b/hypervkvp.te -@@ -0,0 +1,36 @@ +@@ -0,0 +1,60 @@ +policy_module(hypervkvp, 1.0.0) + +######################################## 
@@ -29892,25 +29927,44 @@ index 0000000..63591db +# Declarations +# + -+type hypervkvp_t; ++attribute hyperv_domain; ++ ++type hypervkvp_t, hyperv_domain; +type hypervkvp_exec_t; +init_daemon_domain(hypervkvp_t, hypervkvp_exec_t) + +type hypervkvp_initrc_exec_t; +init_script_file(hypervkvp_initrc_exec_t) + ++type hypervkvp_unit_file_t; ++systemd_unit_file(hypervkvp_unit_file_t) ++ +type hypervkvp_var_lib_t; +files_type(hypervkvp_var_lib_t) + ++type hypervvssd_t, hyperv_domain; ++type hypervvssd_exec_t; ++init_daemon_domain(hypervvssd_t, hypervvssd_exec_t) ++ ++type hypervvssd_unit_file_t; ++systemd_unit_file(hypervvssd_unit_file_t) ++ +######################################## +# -+# hypervkvp local policy ++# hyperv domain local policy ++# ++ ++allow hyperv_domain self:fifo_file rw_fifo_file_perms; ++allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; ++ ++ ++######################################## +# ++# hypervkvp local policy +# ++ +allow hypervkvp_t self:capability net_admin; +allow hypervkvp_t self:netlink_socket create_socket_perms; -+allow hypervkvp_t self:fifo_file rw_fifo_file_perms; -+allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) @@ -29918,9 +29972,14 @@ index 0000000..63591db + +logging_send_syslog_msg(hypervkvp_t) + -+miscfiles_read_localization(hypervkvp_t) -+ +sysnet_dns_name_resolve(hypervkvp_t) ++ ++######################################## ++# ++# hypervvssd local policy ++# ++ ++logging_send_syslog_msg(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te index 3bed8fa..a738d7f 100644 --- a/i18n_input.te @@ -31922,10 +31981,10 @@ index 0000000..dbe3f03 +') + diff --git a/kdump.fc b/kdump.fc -index a49ae4e..913a0e3 100644 +index a49ae4e..0c0e987 100644 --- a/kdump.fc 
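Review bot: The new declaration `type hypervkvp_unit_file_t;` with `systemd_unit_file(hypervkvp_unit_file_t)` has no matching file-context entry in the hypervkvp.fc shown earlier in this commit. That file only labels `/usr/lib/systemd/system/hypervvssd.*`, as hypervvssd_unit_file_t, so as far as this diff shows nothing is ever given the kvp unit type. Either add an entry of the form `<kvp unit file path> -- gen_context(system_u:object_r:hypervkvp_unit_file_t,s0)` or drop the type until it is needed. The `# hypervkvp local policy` header in the following hunk is now followed by a stray `# ` and `+#` pair that could be tidied.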
+++ b/kdump.fc -@@ -1,13 +1,14 @@ +@@ -1,13 +1,16 @@ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0) +/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0) @@ -31947,8 +32006,10 @@ index a49ae4e..913a0e3 100644 -/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0) -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) ++ ++/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..dd70d05 100644 +index 3a00b3a..a60cc05 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -32090,10 +32151,29 @@ index 3a00b3a..dd70d05 100644 ## ## ## -@@ -76,10 +178,32 @@ interface(`kdump_manage_config',` +@@ -76,10 +178,51 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') ++##################################### ++## ++## Read and write kdump lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kdump_rw_lock',` ++ gen_require(` ++ type kdump_lock_t; ++ ') ++ ++ files_search_locks($1) ++ rw_files_pattern($1, kdump_lock_t, kdump_lock_t) ++') ++ +################################### +## +## Manage kdump /var/tmp files. @@ -32125,7 +32205,7 @@ index 3a00b3a..dd70d05 100644 ## ## ## -@@ -88,19 +212,24 @@ interface(`kdump_manage_config',` +@@ -88,19 +231,24 @@ interface(`kdump_manage_config',` ## ## ## @@ -32155,7 +32235,7 @@ index 3a00b3a..dd70d05 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +239,10 @@ interface(`kdump_admin',` +@@ -110,6 +258,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) @@ -32169,7 +32249,7 @@ index 3a00b3a..dd70d05 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index 70f3007..074a2ee 100644 +index 70f3007..f8b68bf 100644 --- a/kdump.te +++ b/kdump.te 
@@ -1,4 +1,4 @@ @@ -32178,7 +32258,7 @@ index 70f3007..074a2ee 100644 ####################################### # -@@ -12,35 +12,48 @@ init_system_domain(kdump_t, kdump_exec_t) +@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t) type kdump_etc_t; files_config_file(kdump_etc_t) @@ -32191,6 +32271,9 @@ index 70f3007..074a2ee 100644 +type kdump_unit_file_t alias kdumpctl_unit_file_t; +systemd_unit_file(kdump_unit_file_t) + ++type kdump_lock_t; ++files_lock_file(kdump_lock_t) ++ type kdumpctl_t; type kdumpctl_exec_t; init_daemon_domain(kdumpctl_t, kdumpctl_exec_t) @@ -32208,8 +32291,7 @@ index 70f3007..074a2ee 100644 allow kdump_t self:capability { sys_boot dac_override }; +allow kdump_t self:capability2 compromise_kernel; - --allow kdump_t kdump_etc_t:file read_file_perms; ++ +manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) @@ -32217,6 +32299,11 @@ index 70f3007..074a2ee 100644 + +read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) +-allow kdump_t kdump_etc_t:file read_file_perms; ++manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t) ++manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) ++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file }) + -files_read_etc_files(kdump_t) files_read_etc_runtime_files(kdump_t) files_read_kernel_img(kdump_t) @@ -32232,7 +32319,7 @@ index 70f3007..074a2ee 100644 dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) -@@ -48,22 +61,32 @@ term_use_console(kdump_t) +@@ -48,22 +68,32 @@ term_use_console(kdump_t) ####################################### # 
@@ -32259,18 +32346,18 @@ index 70f3007..074a2ee 100644 manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file }) +can_exec(kdumpctl_t, kdumpctl_tmp_t) - --domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) ++ +manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) +manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) +manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t) +files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash") -+ + +-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t) +read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t) kernel_read_system_state(kdumpctl_t) -@@ -71,46 +94,56 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) @@ -34030,7 +34117,7 @@ index e736c45..4b1e1e4 100644 /var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0) diff --git a/ksmtuned.if b/ksmtuned.if -index c530214..641f494 100644 +index c530214..3ac0b8b 100644 --- a/ksmtuned.if +++ b/ksmtuned.if @@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',` @@ -34063,7 +34150,16 @@ index c530214..641f494 100644 ######################################## ## ## All of the rules required to -@@ -57,21 +80,24 @@ interface(`ksmtuned_initrc_domtrans',` +@@ -48,30 +71,28 @@ interface(`ksmtuned_initrc_domtrans',` + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## + ## # interface(`ksmtuned_admin',` gen_require(` @@ -34160,10 +34256,10 @@ index 38ecb07..451067e 100644 /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) diff --git a/ktalk.if b/ktalk.if -index 19777b8..63d46d3 100644 +index 19777b8..55d1556 100644 --- a/ktalk.if +++ b/ktalk.if -@@ -1 +1,81 @@ +@@ -1 +1,76 @@ -## KDE Talk daemon. + +## talk-server - daemon programs for the Internet talk 
@@ -34221,11 +34317,6 @@ index 19777b8..63d46d3 100644 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`ktalk_admin',` @@ -36285,10 +36376,10 @@ index 0000000..81cd4e0 +/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) diff --git a/lsm.if b/lsm.if new file mode 100644 -index 0000000..e8d4ce2 +index 0000000..da30c5d --- /dev/null +++ b/lsm.if -@@ -0,0 +1,104 @@ +@@ -0,0 +1,99 @@ + +## libStorageMgmt plug-in daemon + @@ -36364,18 +36455,13 @@ index 0000000..e8d4ce2 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`lsmd_admin',` + gen_require(` + type lsmd_t; + type lsmd_var_run_t; -+ type lsmd_unit_file_t; ++ type lsmd_unit_file_t; + ') + + allow $1 lsmd_t:process { ptrace signal_perms }; @@ -38903,7 +38989,7 @@ index a83894c..481dca3 100644 + +/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0) diff --git a/modemmanager.if b/modemmanager.if -index b1ac8b5..d65017f 100644 +index b1ac8b5..9b22bea 100644 --- a/modemmanager.if +++ b/modemmanager.if @@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',` @@ -38937,7 +39023,7 @@ index b1ac8b5..d65017f 100644 ## Send and receive messages from ## modemmanager over dbus. ## -@@ -39,3 +63,38 @@ interface(`modemmanager_dbus_chat',` +@@ -39,3 +63,33 @@ interface(`modemmanager_dbus_chat',` allow $1 modemmanager_t:dbus send_msg; allow modemmanager_t $1:dbus send_msg; ') @@ -38952,11 +39038,6 @@ index b1ac8b5..d65017f 100644 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`modemmanager_admin',` @@ -41108,7 +41189,7 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..41f4352 100644 +index 7c8afcc..33b18c8 100644 --- a/mpd.te +++ b/mpd.te @@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) 
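Review bot: `lsmd_admin` still grants `ptrace` on `lsmd_t` unconditionally through the context line `allow $1 lsmd_t:process { ptrace signal_perms };`, and `pesign_admin` further down the page has the same rule shape against the UEFI signing daemon. With the role parameter removed from the documentation, any domain passed as `$1` gets debugger-level access to the daemon's memory. Consider reducing the rule to `allow $1 lsmd_t:process signal_perms;` and moving `ptrace` into a separate rule gated by a tunable (Fedora policy has carried a `deny_ptrace` boolean for this; confirm it is available in this tree). The interface body continues past the end of the hunk, so it is also worth checking that no `$2` reference survives there.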
@@ -41173,18 +41254,36 @@ index 7c8afcc..41f4352 100644 fs_list_inotifyfs(mpd_t) fs_rw_anon_inodefs_files(mpd_t) fs_search_auto_mountpoints(mpd_t) -@@ -150,7 +166,9 @@ auth_use_nsswitch(mpd_t) +@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) -miscfiles_read_localization(mpd_t) -+userdom_read_home_audio_files(mpd_t) -+userdom_read_user_tmpfs_files(mpd_t) +userdom_home_reader(mpd_t) tunable_policy(`mpd_enable_homedirs',` - userdom_search_user_home_dirs(mpd_t) -@@ -191,7 +209,7 @@ optional_policy(` +- userdom_search_user_home_dirs(mpd_t) ++ userdom_stream_connect(mpd_t) ++ userdom_read_home_audio_files(mpd_t) ++ userdom_list_user_tmp(mpd_t) ++ userdom_read_user_tmpfs_files(mpd_t) ++ userdom_dontaudit_setattr_user_tmp(mpd_t) ++') ++ ++optional_policy(` ++ tunable_policy(`mpd_enable_homedirs',` ++ pulseaudio_read_home_files(mpd_t) ++ ') + ') + + tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',` + fs_read_nfs_files(mpd_t) + fs_read_nfs_symlinks(mpd_t) ++ + ') + + tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',` +@@ -191,7 +218,7 @@ optional_policy(` ') optional_policy(` @@ -41193,7 +41292,7 @@ index 7c8afcc..41f4352 100644 ') optional_policy(` -@@ -199,6 +217,16 @@ optional_policy(` +@@ -199,6 +226,16 @@ optional_policy(` ') optional_policy(` @@ -41211,10 +41310,10 @@ index 7c8afcc..41f4352 100644 ') diff --git a/mplayer.if b/mplayer.if -index 861d5e9..87fd115 100644 +index 861d5e9..1c3d5a5 100644 --- a/mplayer.if +++ b/mplayer.if -@@ -161,3 +161,33 @@ interface(`mplayer_home_filetrans_mplayer_home',` +@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',` userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) ') @@ -41230,16 +41329,6 @@ index 861d5e9..87fd115 100644 +## Domain allowed access. +## +## -+## -+## -+## Class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## +# +interface(`mplayer_filetrans_home_content',` + gen_require(` 
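Review bot: `userdom_home_reader(mpd_t)` stays outside the `mpd_enable_homedirs` tunable block, while this hunk moves `userdom_read_home_audio_files(mpd_t)` and `userdom_read_user_tmpfs_files(mpd_t)` inside it. The definition of `userdom_home_reader` is not on this page; if it grants read access to user home content, the boolean no longer decides whether mpd can read home directories, and the call should move into the tunable block next to the other two. Either way, a one-line comment above it should state what it provides when the boolean is off. The hunk also adds an empty line before the closing of the `mpd_enable_homedirs && use_nfs_home_dirs` block, which can be dropped.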
@@ -44614,10 +44703,10 @@ index 0000000..3a1c423 +/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0) diff --git a/mythtv.if b/mythtv.if new file mode 100644 -index 0000000..6ad142d +index 0000000..171f666 --- /dev/null +++ b/mythtv.if -@@ -0,0 +1,157 @@ +@@ -0,0 +1,152 @@ + +## policy for httpd_mythtv_script + @@ -44749,11 +44838,6 @@ index 0000000..6ad142d +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`mythtv_admin',` @@ -47629,7 +47713,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 8f2ab09..7b8f5ad 100644 +index 8f2ab09..6ab4ea1 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -47754,13 +47838,13 @@ index 8f2ab09..7b8f5ad 100644 - - allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; - allow $1 nscd_t:fd use; -+ dontaudit $1 nscd_t:sock_file write; -+ dontaudit $1 nscd_var_run_t:sock_file write; - +- - files_search_pids($1) - stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) - dontaudit $1 nscd_var_run_t:file read_file_perms; -- ++ dontaudit $1 nscd_t:sock_file write; ++ dontaudit $1 nscd_var_run_t:sock_file write; + - allow $1 nscd_var_run_t:dir list_dir_perms; - allow $1 nscd_var_run_t:sock_file read_sock_file_perms; ') @@ -47773,7 +47857,7 @@ index 8f2ab09..7b8f5ad 100644 ## ## ## -@@ -164,18 +169,35 @@ interface(`nscd_shm_use',` +@@ -164,18 +169,34 @@ interface(`nscd_shm_use',` ## ## # @@ -47789,8 +47873,7 @@ index 8f2ab09..7b8f5ad 100644 ') + + allow $1 nscd_var_run_t:dir list_dir_perms; -+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; -+ ++ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv }; + # Receive fd from nscd and map the backing file with read access. + allow $1 nscd_t:fd use; + 
@@ -47804,7 +47887,7 @@ index 8f2ab09..7b8f5ad 100644 + + stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) + files_search_pids($1) -+ allow $1 nscd_t:nscd { getpwd getgrp gethost }; ++ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv }; + dontaudit $1 nscd_var_run_t:file read_file_perms; ') @@ -47816,7 +47899,7 @@ index 8f2ab09..7b8f5ad 100644 ## ## ## -@@ -193,7 +215,7 @@ interface(`nscd_dontaudit_search_pid',` +@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',` ######################################## ## @@ -47825,7 +47908,7 @@ index 8f2ab09..7b8f5ad 100644 ## ## ## -@@ -212,7 +234,7 @@ interface(`nscd_read_pid',` +@@ -212,7 +233,7 @@ interface(`nscd_read_pid',` ######################################## ## @@ -47834,7 +47917,7 @@ index 8f2ab09..7b8f5ad 100644 ## ## ## -@@ -244,20 +266,20 @@ interface(`nscd_unconfined',` +@@ -244,20 +265,20 @@ interface(`nscd_unconfined',` ## Role allowed access. ## ## @@ -47859,7 +47942,7 @@ index 8f2ab09..7b8f5ad 100644 ## ## ## -@@ -275,8 +297,31 @@ interface(`nscd_initrc_domtrans',` +@@ -275,8 +296,31 @@ interface(`nscd_initrc_domtrans',` ######################################## ## @@ -47893,7 +47976,7 @@ index 8f2ab09..7b8f5ad 100644 ## ## ## -@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',` +@@ -285,7 +329,7 @@ interface(`nscd_initrc_domtrans',` ## ## ## @@ -47902,7 +47985,7 @@ index 8f2ab09..7b8f5ad 100644 ## ## ## -@@ -294,10 +339,14 @@ interface(`nscd_admin',` +@@ -294,10 +338,14 @@ interface(`nscd_admin',` gen_require(` type nscd_t, nscd_log_t, nscd_var_run_t; type nscd_initrc_exec_t; @@ -47918,7 +48001,7 @@ index 8f2ab09..7b8f5ad 100644 init_labeled_script_domtrans($1, nscd_initrc_exec_t) domain_system_change_exemption($1) -@@ -310,5 +359,7 @@ interface(`nscd_admin',` +@@ -310,5 +358,7 @@ interface(`nscd_admin',` files_list_pids($1) admin_pattern($1, nscd_var_run_t) @@ -51908,10 +51991,10 @@ index 0000000..fdc4a03 +') 
diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..55c843c +index 0000000..1911441 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,549 @@ +@@ -0,0 +1,551 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -52355,6 +52438,8 @@ index 0000000..55c843c + +term_dontaudit_use_generic_ptys(openshift_cgroup_read_t) + ++auth_read_passwd(openshift_cgroup_read_t) ++ +miscfiles_read_localization(openshift_cgroup_read_t) + +optional_policy(` @@ -54164,7 +54249,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..c850b64 100644 +index 7bcf327..073dbf3 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -54188,7 +54273,7 @@ index 7bcf327..c850b64 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,238 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,256 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -54197,6 +54282,9 @@ index 7bcf327..c850b64 100644 +typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; + +pegasus_openlmi_domain_template(account) ++domain_obj_id_change_exemption(pegasus_openlmi_account_t) ++domain_system_change_exemption(pegasus_openlmi_account_t) ++ +pegasus_openlmi_domain_template(logicalfile) +pegasus_openlmi_domain_template(services) + @@ -54242,7 +54330,7 @@ index 7bcf327..c850b64 100644 +# pegasus openlmi account local policy +# + -+allow pegasus_openlmi_account_t self:capability { chown dac_override }; ++allow pegasus_openlmi_account_t self:capability { chown dac_override fowner fsetid }; +allow pegasus_openlmi_account_t self:process setfscreate; + +auth_manage_passwd(pegasus_openlmi_account_t) 
@@ -54250,8 +54338,13 @@ index 7bcf327..c850b64 100644 +auth_relabel_shadow(pegasus_openlmi_account_t) +auth_etc_filetrans_shadow(pegasus_openlmi_account_t) + ++logging_send_audit_msgs(pegasus_openlmi_account_t) ++logging_send_syslog_msg(pegasus_openlmi_account_t) ++ +init_rw_utmp(pegasus_openlmi_account_t) + ++seutil_semanage_policy(pegasus_openlmi_account_t) ++ +logging_send_syslog_msg(pegasus_openlmi_account_t) + +seutil_read_config(pegasus_openlmi_account_t) @@ -54357,7 +54450,7 @@ index 7bcf327..c850b64 100644 +# pegasus openlmi storage local policy +# + -+allow pegasus_openlmi_storage_t self:capability sys_admin; ++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio }; + +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) @@ -54373,6 +54466,7 @@ index 7bcf327..c850b64 100644 +dev_read_urand(pegasus_openlmi_storage_t) + +dev_rw_lvm_control(pegasus_openlmi_storage_t) ++dev_rw_sysfs(pegasus_openlmi_storage_t) + +selinux_validate_context(pegasus_openlmi_storage_t) + @@ -54380,15 +54474,22 @@ index 7bcf327..c850b64 100644 + +storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t) + ++fs_getattr_all_fs(pegasus_openlmi_storage_t) ++ +modutils_domtrans_insmod(pegasus_openlmi_storage_t) + +udev_domtrans(pegasus_openlmi_storage_t) ++udev_read_pid_files(pegasus_openlmi_storage_t) + +optional_policy(` + dmidecode_domtrans(pegasus_openlmi_storage_t) +') + +optional_policy(` ++ fstools_domtrans(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) +') + @@ -54398,6 +54499,8 @@ index 7bcf327..c850b64 100644 + +optional_policy(` + raid_domtrans_mdadm(pegasus_openlmi_storage_t) ++ raid_filetrans_named_content(pegasus_openlmi_storage_t) ++ raid_manage_conf_files(pegasus_openlmi_storage_t) +') + +###################################### 
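Review bot: `logging_send_syslog_msg(pegasus_openlmi_account_t)` is now called twice, once in the pair added after `auth_etc_filetrans_shadow` and once in the existing line after `init_rw_utmp`; the added copy can be dropped. More important for review, this hunk adds `seutil_semanage_policy(pegasus_openlmi_account_t)` to a domain that already manages passwd and relabels shadow. The two preceding hunks also give that domain `fowner`/`fsetid` and the `domain_obj_id_change_exemption`/`domain_system_change_exemption` exemptions. None of these grants has a comment naming the provider operation that needs it; a why-comment per grant, such as `# needed for <operation>; see <bug reference>`, would let a later reviewer check whether a narrower interface is enough.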
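Review bot: The storage provider domain gains `sys_rawio` in `allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio };`, and the following hunks add `dev_rw_sysfs`, `fstools_domtrans` and `raid_manage_conf_files`, with no comment on which storage operation needs raw I/O. `sys_rawio` is one of the broadest capabilities, and the domain already has `storage_rw_inherited_fixed_disk_dev`. If the denial came from a helper that now runs in its own domain through the added `*_domtrans` calls, the capability may not be needed here at all. I would add `# sys_rawio: required by <operation>; see <bug reference>` next to the capability line, or drop the capability if the denial no longer reproduces with the transitions in place.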
@@ -54432,7 +54535,7 @@ index 7bcf327..c850b64 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +271,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +289,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -54463,7 +54566,7 @@ index 7bcf327..c850b64 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +297,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +315,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -54496,7 +54599,7 @@ index 7bcf327..c850b64 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +325,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +343,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -54504,7 +54607,7 @@ index 7bcf327..c850b64 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +340,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +358,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -54536,7 +54639,7 @@ index 7bcf327..c850b64 100644 ') optional_policy(` -@@ -151,16 +370,24 @@ optional_policy(` +@@ -151,16 +388,24 @@ optional_policy(` ') optional_policy(` @@ -54565,7 +54668,7 @@ index 7bcf327..c850b64 100644 ') optional_policy(` -@@ -168,7 +395,7 @@ optional_policy(` +@@ -168,7 +413,7 @@ optional_policy(` ') optional_policy(` @@ -54588,10 +54691,10 @@ index 0000000..7b54c39 +/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0) 
diff --git a/pesign.if b/pesign.if new file mode 100644 -index 0000000..26b1f0c +index 0000000..abd5dd8 --- /dev/null +++ b/pesign.if -@@ -0,0 +1,103 @@ +@@ -0,0 +1,98 @@ + +## pesign utility for signing UEFI binaries as well as other associated tools + @@ -54667,18 +54770,13 @@ index 0000000..26b1f0c +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`pesign_admin',` + gen_require(` + type pesign_t; + type pesign_var_run_t; -+ type pesign_unit_file_t; ++ type pesign_unit_file_t; + ') + + allow $1 pesign_t:process { ptrace signal_perms }; @@ -62075,10 +62173,10 @@ index 0000000..96a0d9f +/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) diff --git a/prosody.if b/prosody.if new file mode 100644 -index 0000000..f1e1209 +index 0000000..19c35c1 --- /dev/null +++ b/prosody.if -@@ -0,0 +1,239 @@ +@@ -0,0 +1,234 @@ + +## policy for prosody + @@ -62286,11 +62384,6 @@ index 0000000..f1e1209 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`prosody_admin',` @@ -67629,7 +67722,7 @@ index 5806046..5578653 100644 /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..7736755 100644 +index 951db7f..98a0758 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -67644,7 +67737,7 @@ index 951db7f..7736755 100644 ## ## ## -@@ -22,82 +21,115 @@ interface(`raid_domtrans_mdadm',` +@@ -22,34 +21,56 @@ interface(`raid_domtrans_mdadm',` ###################################### ## 
@@ -67677,45 +67770,68 @@ index 951db7f..7736755 100644 + role $1 types mdadm_t; raid_domtrans_mdadm($2) - roleattribute $1 mdadm_roles; ++') ++ ++###################################### ++## ++## Execute mdadm server in the mdadm domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mdadm_systemctl',` ++ gen_require(` ++ type mdadm_t; ++ type mdadm_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 mdadm_unit_file_t:file read_file_perms; ++ allow $1 mdadm_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, mdadm_t) ') --######################################## -+###################################### + ######################################## ## -## Create, read, write, and delete -## mdadm pid files. -+## Execute mdadm server in the mdadm domain. ++## read the mdadm pid files. ## ## ## --## Domain allowed access. -+## Domain allowed to transition. +@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',` ## ## # -interface(`raid_manage_mdadm_pid',` -+interface(`mdadm_systemctl',` ++interface(`raid_read_mdadm_pid',` gen_require(` -- type mdadm_var_run_t; -+ type mdadm_t; -+ type mdadm_unit_file_t; + type mdadm_var_run_t; ') - files_search_pids($1) - allow $1 mdadm_var_run_t:file manage_file_perms; -+ systemd_exec_systemctl($1) -+ allow $1 mdadm_unit_file_t:file read_file_perms; -+ allow $1 mdadm_unit_file_t:service manage_service_perms; -+ -+ ps_process_pattern($1, mdadm_t) ++ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) ') ######################################## ## -## All of the rules required to -## administrate an mdadm environment. -+## read the mdadm pid files. ++## Create, read, write, and delete the mdadm pid files. ## ++## ++##

++## Create, read, write, and delete the mdadm pid files. ++##

++##

++## Added for use in the init module. ++##

++##
## ## ## Domain allowed access. @@ -67723,39 +67839,53 @@ index 951db7f..7736755 100644 ## -## +# -+interface(`raid_read_mdadm_pid',` ++interface(`raid_manage_mdadm_pid',` + gen_require(` + type mdadm_var_run_t; + ') + -+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t) ++ # FIXME: maybe should have a type_transition. not ++ # clear what this is doing, from the original ++ # mdadm policy ++ allow $1 mdadm_var_run_t:file manage_file_perms; ++') ++ ++####################################### ++## ++## Check access to the mdadm executable. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`raid_access_check_mdadm',` ++ gen_require(` ++ type mdadm_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ allow $1 mdadm_exec_t:file { getattr_file_perms execute }; +') + +######################################## +## -+## Create, read, write, and delete the mdadm pid files. ++## Manage mdadm config files. +## -+## -+##
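Review bot: The summary of `mdadm_systemctl` reads "Execute mdadm server in the mdadm domain", but the body in this hunk calls `systemd_exec_systemctl($1)` and allows `manage_service_perms` on `mdadm_unit_file_t`; it performs no domain transition. A summary such as `## Execute systemctl and manage the mdadm service unit.`, with the parameter described as `## Domain allowed access.`, would match what callers actually receive. It is also the only interface in raid.if visible here that uses the `mdadm_` prefix instead of `raid_`. The hunk only moves the interface, so a rename would have to keep the old name for existing callers.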

-+## Create, read, write, and delete the mdadm pid files. -+##

-+##

-+## Added for use in the init module. -+##

-+##
+## ## -## Role allowed access. -+## Domain allowed access. ++## Domain allowed access. ## ## -## # -interface(`raid_admin_mdadm',` -+interface(`raid_manage_mdadm_pid',` ++interface(`raid_manage_conf_files',` gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; -+ type mdadm_var_run_t; ++ type mdadm_conf_t; ') - allow $1 mdadm_t:process { ptrace signal_perms }; @@ -67765,41 +67895,40 @@ index 951db7f..7736755 100644 - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; - allow $2 system_r; -+ # FIXME: maybe should have a type_transition. not -+ # clear what this is doing, from the original -+ # mdadm policy -+ allow $1 mdadm_var_run_t:file manage_file_perms; ++ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t) +') - files_search_pids($1) - admin_pattern($1, mdadm_var_run_t) -+####################################### ++######################################## +## -+## Check access to the mdadm executable. ++## Transition to mdadm named content +## +## -+## ++## +## Domain allowed access. -+## ++## +## +# -+interface(`raid_access_check_mdadm',` ++interface(`raid_filetrans_named_content',` + gen_require(` -+ type mdadm_exec_t; ++ type mdadm_conf_t; + ') - raid_run_mdadm($2, $1) -+ corecmd_search_bin($1) -+ allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ++ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ') diff --git a/raid.te b/raid.te -index 2c1730b..3c6d751 100644 +index 2c1730b..4699a1e 100644 --- a/raid.te +++ b/raid.te -@@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; +@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) ++type mdadm_conf_t; ++files_config_file(mdadm_conf_t) ++ +type mdadm_unit_file_t; +systemd_unit_file(mdadm_unit_file_t) + 
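Review bot: `raid_manage_conf_files` grants `manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)` without `files_search_etc($1)`, although `raid_filetrans_named_content` just below it places the file in /etc via `files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")`. A caller that uses only the manage interface has no search access to the parent directory from this interface; adding `files_search_etc($1)` before the pattern line would match how `kdump_rw_lock` on this page pairs `files_search_locks($1)` with its pattern. The named transition only labels files created after the policy is loaded, so raid.fc (not visible in this chunk) should also carry an entry for /etc/mdadm.conf with `mdadm_conf_t`. Without that entry, a relabel would presumably reset the type.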
@@ -67809,7 +67938,7 @@ index 2c1730b..3c6d751 100644 type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,23 +31,31 @@ dev_associate(mdadm_var_run_t) +@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; @@ -67821,6 +67950,9 @@ index 2c1730b..3c6d751 100644 allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms; +allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto }; + ++manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t) ++files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf") ++ +manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) @@ -67845,7 +67977,7 @@ index 2c1730b..3c6d751 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +63,28 @@ corecmd_exec_shell(mdadm_t) +@@ -49,19 +69,29 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -67853,12 +67985,14 @@ index 2c1730b..3c6d751 100644 +dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) dev_read_raw_memory(mdadm_t) +- +dev_read_kvm(mdadm_t) +dev_read_mei(mdadm_t) +dev_read_nvram(mdadm_t) +dev_read_generic_files(mdadm_t) +dev_read_generic_usb_dev(mdadm_t) - ++dev_read_urand(mdadm_t) ++ +domain_read_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) @@ -67876,7 +68010,7 @@ index 2c1730b..3c6d751 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +93,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) 
@@ -67898,11 +68032,12 @@ index 2c1730b..3c6d751 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -93,13 +121,29 @@ optional_policy(` +@@ -93,13 +128,30 @@ optional_policy(` ') optional_policy(` + kdump_manage_kdumpctl_tmp_files(mdadm_t) ++ kdump_rw_lock(mdadm_t) +') + +optional_policy(` @@ -75104,7 +75239,7 @@ index d25301b..d92f567 100644 /var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --git a/rsync.if b/rsync.if -index f1140ef..ebc2190 100644 +index f1140ef..02de8a5 100644 --- a/rsync.if +++ b/rsync.if @@ -1,16 +1,32 @@ @@ -75162,7 +75297,7 @@ index f1140ef..ebc2190 100644 ') ######################################## -@@ -77,76 +92,31 @@ interface(`rsync_entry_spec_domtrans',` +@@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',` ## Domain to transition to. ##
## @@ -75180,28 +75315,35 @@ index f1140ef..ebc2190 100644 ######################################## ## -## Execute the rsync program in the rsync domain. --## --## --## ++## Execute rsync in the caller domain domain. + ## + ## + ## -## Domain allowed to transition. --## --## --# ++## Domain allowed access. + ##
+ ## ++## + # -interface(`rsync_domtrans',` -- gen_require(` ++interface(`rsync_exec',` + gen_require(` - type rsync_t, rsync_exec_t; -- ') -- ++ type rsync_exec_t; + ') + - corecmd_search_bin($1) - domtrans_pattern($1, rsync_exec_t, rsync_t) --') -- --######################################## --## ++ can_exec($1, rsync_exec_t) + ') + + ######################################## + ## -## Execute rsync in the rsync domain, and -## allow the specified role the rsync domain. --## --## ++## Read rsync config files. + ## + ## -## -## Domain allowed to transition. -## @@ -75222,47 +75364,41 @@ index f1140ef..ebc2190 100644 -') - -######################################## --## + ## -## Execute rsync in the caller domain. -+## Execute rsync in the caller domain domain. - ## - ## - ## +-## +-## +-## ## Domain allowed access. - ## +-## ++##
## -+## # - interface(`rsync_exec',` +-interface(`rsync_exec',` ++interface(`rsync_read_config',` gen_require(` - type rsync_exec_t; +- type rsync_exec_t; ++ type rsync_etc_t; ') - corecmd_search_bin($1) - can_exec($1, rsync_exec_t) - ') - -@@ -165,13 +135,13 @@ interface(`rsync_read_config',` - type rsync_etc_t; - ') - +- can_exec($1, rsync_exec_t) + read_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) -- allow $1 rsync_etc_t:file read_file_perms; ++ files_search_etc($1) ') ######################################## ## --## Write rsync config files. +-## Read rsync config files. +## Read rsync data files. ## ## ## -@@ -179,19 +149,18 @@ interface(`rsync_read_config',` +@@ -160,23 +149,23 @@ interface(`rsync_exec',` ## ## # --interface(`rsync_write_config',` +-interface(`rsync_read_config',` +interface(`rsync_read_data',` gen_require(` - type rsync_etc_t; 
@@ -75270,98 +75406,92 @@ index f1140ef..ebc2190 100644 ') - files_search_etc($1) -- allow $1 rsync_etc_t:file write_file_perms; +- allow $1 rsync_etc_t:file read_file_perms; + read_files_pattern($1, rsync_data_t, rsync_data_t) ') + ######################################## ## --## Create, read, write, and delete --## rsync config files. +-## Write rsync config files. +## Write to rsync config files. ## ## - ## -@@ -199,83 +168,54 @@ interface(`rsync_write_config',` - ## +-## ++## + ## Domain allowed access. +-## ++## ## # --interface(`rsync_manage_config_files',` -+interface(`rsync_write_config',` - gen_require(` + interface(`rsync_write_config',` +@@ -184,14 +173,13 @@ interface(`rsync_write_config',` type rsync_etc_t; ') + write_files_pattern($1, rsync_etc_t, rsync_etc_t) files_search_etc($1) -- manage_files_pattern($1, rsync_etc_t, rsync_etc_t) +- allow $1 rsync_etc_t:file write_file_perms; ') ######################################## ## --## Create specified objects in etc directories --## with rsync etc type. +-## Create, read, write, and delete +-## rsync config files. +## Manage rsync config files. ## ## ## --## Domain allowed to transition. --## --## --## --## --## Class of the object being created. --## --## --## --## --## The name of the object being created. -+## Domain allowed access. +@@ -199,18 +187,18 @@ interface(`rsync_write_config',` ## ## # --interface(`rsync_etc_filetrans_config',` +-interface(`rsync_manage_config_files',` +interface(`rsync_manage_config',` gen_require(` type rsync_etc_t; ') -- files_etc_filetrans($1, rsync_etc_t, $2, $3) -+ manage_files_pattern($1, rsync_etc_t, rsync_etc_t) +- files_search_etc($1) + manage_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) ') ######################################## ## --## All of the rules required to --## administrate an rsync environment. +-## Create specified objects in etc directories +## Create objects in etc directories -+## with rsync etc type. + ## with rsync etc type. 
## ## - ## +@@ -236,46 +224,3 @@ interface(`rsync_etc_filetrans_config',` + + files_etc_filetrans($1, rsync_etc_t, $2, $3) + ') +- +-######################################## +-## +-## All of the rules required to +-## administrate an rsync environment. +-## +-## +-## -## Domain allowed access. -+## Domain allowed to transition. - ## - ## +-## +-## -## -+## - ## +-## -## Role allowed access. -+## Class of the object being created. - ## - ## +-## +-## -## - # +-# -interface(`rsync_admin',` -+interface(`rsync_etc_filetrans_config',` - gen_require(` +- gen_require(` - type rsync_t, rsync_etc_t, rsync_data_t; - type rsync_log_t, rsync_tmp_t. rsync_var_run_t; -+ type rsync_etc_t; - ') - +- ') +- - allow $1 rsync_t:process { ptrace signal_perms }; - ps_process_pattern($1, rsync_t) - @@ -75380,8 +75510,7 @@ index f1140ef..ebc2190 100644 - admin_pattern($1, rsync_var_run_t) - - rsync_run($1, $2) -+ files_etc_filetrans($1, rsync_etc_t, $2, $3) - ') +-') diff --git a/rsync.te b/rsync.te index e3e7c96..ec50426 100644 --- a/rsync.te @@ -85618,10 +85747,10 @@ index 0000000..744f0ce +') diff --git a/swift.if b/swift.if new file mode 100644 -index 0000000..015c2c9 +index 0000000..df82c36 --- /dev/null +++ b/swift.if -@@ -0,0 +1,123 @@ +@@ -0,0 +1,118 @@ + +## policy for swift + @@ -85717,11 +85846,6 @@ index 0000000..015c2c9 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## +## +# +interface(`swift_admin',` @@ -90387,10 +90511,22 @@ index dd3f01e..465c661 100644 ppp_run(usernetctl_t, usernetctl_roles) ') diff --git a/uucp.if b/uucp.if -index af9acc0..0119768 100644 +index af9acc0..cdaf82e 100644 --- a/uucp.if +++ b/uucp.if -@@ -104,14 +104,13 @@ interface(`uucp_admin',` +@@ -90,11 +90,6 @@ interface(`uucp_domtrans_uux',` + ## Domain allowed access. + ## + ## +-## +-## +-## Role allowed access. +-## +-## + ## + # + interface(`uucp_admin',` +@@ -104,14 +99,13 @@ interface(`uucp_admin',` type uucpd_var_run_t, uucpd_initrc_exec_t; ') 
@@ -92643,10 +92779,10 @@ index 9dec06c..73549fd 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..a35bf47 100644 +index 1f22fba..0a4c5f6 100644 --- a/virt.te +++ b/virt.te -@@ -1,147 +1,166 @@ +@@ -1,147 +1,167 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) @@ -92662,6 +92798,7 @@ index 1f22fba..a35bf47 100644 +attribute virt_tmpfs_type; +attribute svirt_file_type; +attribute virt_file_type; ++attribute sandbox_net_domain; + +type svirt_tmp_t, svirt_file_type; +files_tmp_file(svirt_tmp_t) @@ -92886,7 +93023,7 @@ index 1f22fba..a35bf47 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +169,140 @@ ifdef(`enable_mls',` +@@ -150,295 +170,140 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') @@ -93266,7 +93403,7 @@ index 1f22fba..a35bf47 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +312,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +313,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -93313,7 +93450,7 @@ index 1f22fba..a35bf47 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +347,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +348,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
@@ -93335,7 +93472,7 @@ index 1f22fba..a35bf47 100644 kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +360,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +361,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -93343,7 +93480,7 @@ index 1f22fba..a35bf47 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +368,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +369,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -93371,7 +93508,7 @@ index 1f22fba..a35bf47 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +388,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +389,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -93404,7 +93541,7 @@ index 1f22fba..a35bf47 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +439,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +440,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -93424,7 +93561,7 @@ index 1f22fba..a35bf47 100644 selinux_validate_context(virtd_t) -@@ -613,18 +461,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +462,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -93461,7 +93598,7 @@ index 1f22fba..a35bf47 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +489,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +490,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` 
@@ -93470,7 +93607,7 @@ index 1f22fba..a35bf47 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +514,12 @@ optional_policy(` +@@ -658,20 +515,12 @@ optional_policy(` ') optional_policy(` @@ -93491,7 +93628,7 @@ index 1f22fba..a35bf47 100644 ') optional_policy(` -@@ -684,14 +532,20 @@ optional_policy(` +@@ -684,14 +533,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -93514,7 +93651,7 @@ index 1f22fba..a35bf47 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +558,13 @@ optional_policy(` +@@ -704,11 +559,13 @@ optional_policy(` ') optional_policy(` @@ -93528,7 +93665,7 @@ index 1f22fba..a35bf47 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +575,18 @@ optional_policy(` +@@ -719,10 +576,18 @@ optional_policy(` ') optional_policy(` @@ -93547,7 +93684,7 @@ index 1f22fba..a35bf47 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +601,262 @@ optional_policy(` +@@ -737,44 +602,262 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -93709,7 +93846,7 @@ index 1f22fba..a35bf47 100644 +optional_policy(` + ptchown_domtrans(virt_domain) +') - ++ +optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) +') @@ -93738,7 +93875,7 @@ index 1f22fba..a35bf47 100644 + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) +') -+ + +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) @@ -93832,7 +93969,7 @@ index 1f22fba..a35bf47 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +867,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +868,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) 
@@ -93859,7 +93996,7 @@ index 1f22fba..a35bf47 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +887,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +888,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -93891,7 +94028,7 @@ index 1f22fba..a35bf47 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +920,20 @@ optional_policy(` +@@ -847,14 +921,20 @@ optional_policy(` ') optional_policy(` @@ -93913,7 +94050,7 @@ index 1f22fba..a35bf47 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +958,65 @@ optional_policy(` +@@ -879,49 +959,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -93997,7 +94134,7 @@ index 1f22fba..a35bf47 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1028,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1029,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -94017,7 +94154,7 @@ index 1f22fba..a35bf47 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1049,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1050,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -94041,7 +94178,7 @@ index 1f22fba..a35bf47 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1074,264 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1075,235 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) 
@@ -94277,31 +94414,27 @@ index 1f22fba..a35bf47 100644 +# svirt_lxc_net_t local policy # +virt_sandbox_domain_template(svirt_lxc_net) ++typeattribute svirt_lxc_net_t sandbox_net_domain; -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write; +-allow svirt_lxc_net_t self:packet_socket create_socket_perms; +-allow svirt_lxc_net_t self:socket create_socket_perms; +-allow svirt_lxc_net_t self:rawip_socket create_socket_perms; +allow svirt_lxc_net_t self:process { execstack execmem }; -+allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -+allow svirt_lxc_net_t self:udp_socket create_socket_perms; -+allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms; -+allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms; - allow svirt_lxc_net_t self:packet_socket create_socket_perms; - allow svirt_lxc_net_t self:socket create_socket_perms; - allow svirt_lxc_net_t self:rawip_socket create_socket_perms; --allow svirt_lxc_net_t self:netlink_socket create_socket_perms; + allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; +allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; allow svirt_lxc_net_t 
self:netlink_kobject_uevent_socket create_socket_perms; +-kernel_read_network_state(svirt_lxc_net_t) +-kernel_read_irq_sysctls(svirt_lxc_net_t) +allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; +allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; -+ - kernel_read_network_state(svirt_lxc_net_t) - kernel_read_irq_sysctls(svirt_lxc_net_t) -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) @@ -94311,28 +94444,23 @@ index 1f22fba..a35bf47 100644 -corenet_udp_sendrecv_generic_node(svirt_lxc_net_t) -corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -+dev_read_sysfs(svirt_lxc_net_t) -+dev_getattr_mtrr_dev(svirt_lxc_net_t) -+dev_read_rand(svirt_lxc_net_t) -+dev_read_urand(svirt_lxc_net_t) -+ - corenet_tcp_bind_generic_node(svirt_lxc_net_t) - corenet_udp_bind_generic_node(svirt_lxc_net_t) +-corenet_tcp_bind_generic_node(svirt_lxc_net_t) +-corenet_udp_bind_generic_node(svirt_lxc_net_t) - -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -+corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t) -+corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) - corenet_udp_bind_all_ports(svirt_lxc_net_t) - corenet_tcp_bind_all_ports(svirt_lxc_net_t) +-corenet_udp_bind_all_ports(svirt_lxc_net_t) +-corenet_tcp_bind_all_ports(svirt_lxc_net_t) - -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) - corenet_tcp_connect_all_ports(svirt_lxc_net_t) +-corenet_tcp_connect_all_ports(svirt_lxc_net_t) ++kernel_read_irq_sysctls(svirt_lxc_net_t) --dev_getattr_mtrr_dev(svirt_lxc_net_t) --dev_read_rand(svirt_lxc_net_t) ++dev_read_sysfs(svirt_lxc_net_t) + dev_getattr_mtrr_dev(svirt_lxc_net_t) + dev_read_rand(svirt_lxc_net_t) -dev_read_sysfs(svirt_lxc_net_t) --dev_read_urand(svirt_lxc_net_t) -- + dev_read_urand(svirt_lxc_net_t) + files_read_kernel_modules(svirt_lxc_net_t) +fs_noxattr_type(svirt_sandbox_file_t) 
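Review bot: The added `typeattribute svirt_lxc_net_t sandbox_net_domain;` line is now the only thing that gives this domain its network access, and nothing next to it says so. The socket classes, the `net_raw net_admin net_bind_service` capabilities and the `corenet_*` calls removed here and in the following hunk are re-granted to the attribute later in the file, so a reader auditing svirt_lxc_net_t on its own would conclude it has no network permissions. I would add a comment above the line, for example `# All network access (caps, sockets, port bind/connect) comes from the sandbox_net_domain rules later in this file`. The same applies to the `typeattribute svirt_qemu_net_t sandbox_net_domain;` line in the svirt_qemu_net hunk. The svirt_lxc_net_t block starts before this hunk and continues past it.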
@@ -94354,7 +94482,7 @@ index 1f22fba..a35bf47 100644 -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -') - +- -####################################### +######################################## # @@ -94362,17 +94490,12 @@ index 1f22fba..a35bf47 100644 +# svirt_lxc_net_t local policy # +virt_sandbox_domain_template(svirt_qemu_net) ++typeattribute svirt_qemu_net_t sandbox_net_domain; + -+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execstack execmem }; +allow svirt_qemu_net_t self:netlink_socket create_socket_perms; -+allow svirt_qemu_net_t self:udp_socket create_socket_perms; -+allow svirt_qemu_net_t self:tcp_socket create_stream_socket_perms; -+allow svirt_qemu_net_t self:netlink_route_socket create_netlink_socket_perms; -+allow svirt_qemu_net_t self:packet_socket create_socket_perms; -+allow svirt_qemu_net_t self:socket create_socket_perms; -+allow svirt_qemu_net_t self:rawip_socket create_socket_perms; +allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; + 
@@ -94388,22 +94511,12 @@ index 1f22fba..a35bf47 100644 + +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + -+kernel_read_network_state(svirt_qemu_net_t) +kernel_read_irq_sysctls(svirt_qemu_net_t) + +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; -+corenet_tcp_bind_generic_node(svirt_qemu_net_t) -+corenet_udp_bind_generic_node(svirt_qemu_net_t) -+corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t) -+corenet_udp_sendrecv_all_ports(svirt_qemu_net_t) -+corenet_udp_bind_all_ports(svirt_qemu_net_t) -+corenet_tcp_bind_all_ports(svirt_qemu_net_t) -+corenet_tcp_connect_all_ports(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) + @@ -94411,7 +94524,8 @@ index 1f22fba..a35bf47 100644 +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) +fs_manage_cgroup_files(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +term_pty(svirt_sandbox_file_t) + +auth_use_nsswitch(svirt_qemu_net_t) @@ -94436,7 +94550,7 @@ index 1f22fba..a35bf47 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1344,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1316,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -94451,7 +94565,7 @@ index 1f22fba..a35bf47 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1362,8 @@ optional_policy(` +@@ -1183,9 +1334,8 @@ optional_policy(` ######################################## # 
@@ -94462,7 +94576,7 @@ index 1f22fba..a35bf47 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1376,124 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1348,194 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
@@ -94589,6 +94703,76 @@ index 1f22fba..a35bf47 100644 + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') ++ ++######################################## ++# ++# svirt_lxc_net_t local policy ++# ++virt_sandbox_domain_template(svirt_kvm_net) ++typeattribute svirt_kvm_net_t sandbox_net_domain; ++ ++allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++dontaudit svirt_kvm_net_t self:capability2 block_suspend; ++allow svirt_kvm_net_t self:netlink_socket create_socket_perms; ++allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++term_use_generic_ptys(svirt_kvm_net_t) ++term_use_ptmx(svirt_kvm_net_t) ++ ++dev_rw_kvm(svirt_kvm_net_t) ++ ++manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t) ++ ++list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) ++read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t) ++ ++append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t) ++ ++kernel_read_network_state(svirt_kvm_net_t) ++kernel_read_irq_sysctls(svirt_kvm_net_t) ++ ++dev_read_sysfs(svirt_kvm_net_t) ++dev_getattr_mtrr_dev(svirt_kvm_net_t) ++dev_read_rand(svirt_kvm_net_t) ++dev_read_urand(svirt_kvm_net_t) ++ ++files_read_kernel_modules(svirt_kvm_net_t) ++ ++fs_noxattr_type(svirt_sandbox_file_t) ++fs_mount_cgroup(svirt_kvm_net_t) ++fs_manage_cgroup_dirs(svirt_kvm_net_t) ++fs_manage_cgroup_files(svirt_kvm_net_t) ++ ++term_pty(svirt_sandbox_file_t) ++ ++auth_use_nsswitch(svirt_kvm_net_t) ++ ++rpm_read_db(svirt_kvm_net_t) ++ ++logging_send_audit_msgs(svirt_kvm_net_t) ++ ++userdom_use_user_ptys(svirt_kvm_net_t) ++ ++kernel_read_network_state(sandbox_net_domain) ++ ++allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service }; ++ ++allow sandbox_net_domain 
self:udp_socket create_socket_perms; ++allow sandbox_net_domain self:tcp_socket create_stream_socket_perms; ++allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms; ++allow sandbox_net_domain self:packet_socket create_socket_perms; ++allow sandbox_net_domain self:socket create_socket_perms; ++allow sandbox_net_domain self:rawip_socket create_socket_perms; ++ ++corenet_tcp_bind_generic_node(sandbox_net_domain) ++corenet_udp_bind_generic_node(sandbox_net_domain) ++corenet_tcp_sendrecv_all_ports(sandbox_net_domain) ++corenet_udp_sendrecv_all_ports(sandbox_net_domain) ++corenet_udp_bind_all_ports(sandbox_net_domain) ++corenet_tcp_bind_all_ports(sandbox_net_domain) ++corenet_tcp_connect_all_ports(sandbox_net_domain) ++ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -97515,10 +97699,10 @@ index 46e4cd3..dea93eb 100644 +') + diff --git a/zarafa.fc b/zarafa.fc -index faf99ed..a451e97 100644 +index faf99ed..fb336ae 100644 --- a/zarafa.fc +++ b/zarafa.fc -@@ -1,20 +1,18 @@ +@@ -1,20 +1,19 @@ -/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) @@ -97528,6 +97712,7 @@ index faf99ed..a451e97 100644 +/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) +/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) ++/usr/bin/zarafa-search -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) +/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) +/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) 
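Review bot: The section header added above `virt_sandbox_domain_template(svirt_kvm_net)` reads `# svirt_lxc_net_t local policy`, which names the wrong domain; it should be `# svirt_kvm_net_t local policy` (the svirt_qemu_net block earlier in the file carries the same copied header), and the shared rules at the end of the hunk deserve their own `# sandbox_net_domain local policy` header. Those attribute rules grant `net_raw`, `net_admin`, packet and raw-IP sockets and bind/connect on all ports to every type that carries the attribute, so a comment stating that assigning `sandbox_net_domain` amounts to granting full network access would help anyone adding a new sandbox type. `kernel_read_network_state(svirt_kvm_net_t)` is redundant now that `kernel_read_network_state(sandbox_net_domain)` covers it and can be dropped. The capability set for svirt_kvm_net_t (including `sys_admin`, `sys_ptrace`, `dac_override` and `sys_boot`) looks copied from the container domains; it is worth confirming that a KVM-backed sandbox needs each of them.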
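Review bot: `/usr/bin/zarafa-search` is given `zarafa_indexer_exec_t` with no comment explaining why a differently named binary reuses the indexer type; a line such as `# zarafa-search is labelled as the indexer` above the entry would record the intent. Only the executable path is labelled in this hunk, so if zarafa-search creates log or runtime files under names that the existing `indexer` entries do not match (not visible here), those files will not pick up the indexer types and the daemon will hit denials. It is worth checking the existing `/var/log/zarafa/indexer\.log.*` style entries against the file names the search daemon actually uses.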
@@ -97550,7 +97735,7 @@ index faf99ed..a451e97 100644 /var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) /var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) /var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) -@@ -22,11 +20,11 @@ +@@ -22,11 +21,11 @@ /var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0) /var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 798dba6..de18270 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 85%{?dist} +Release: 86%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -571,6 +571,38 @@ SELinux Reference policy mls base module. %endif %changelog +- * Fri Oct 4 2013 Miroslav Grepl 3.12.1-86 +- Fix nscd_shm_use() +- Add initial policy for /usr/sbin/hypervvssd in hypervkvp policy which should be renamed to hyperv. Also add hyperv_domain attribute to treat these HyperV services. +- Add hypervkvp_unit_file_t type +- Add additional fixes forpegasus_openlmi_account_t +- Allow mdadm to read /dev/urand +- Allow pegasus_openlmi_storage_t to create mdadm.conf and write it +- Add label/rules for /etc/mdadm.conf +- Allow pegasus_openlmi_storage_t to transition to fsadm_t +- Fixes for interface definition problems +- Dontaudit dovecot-deliver to gettatr on all fs dirs +- Allow domains to search data_home_t directories +- Allow cobblerd to connect to mysql +- Allow mdadm to r/w kdump lock files +- Add support for kdump lock files +- Label zarafa-search as zarafa-indexer +- Openshift cgroup wants to read /etc/passwd +- Add new sandbox domains for kvm +- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on +- Fix labeling for /usr/lib/systemd/system/lvm2.* +- Add labeling for /usr/lib/systemd/system/lvm2.* +- Fix typos to get a new build. We should not cover filename trans rules to prevent duplicate rules +- Add sshd_keygen_t policy for sshd-keygen +- Fix alsa_home_filetrans interface name and definition +- Allow chown for ssh_keygen_t +- Add fs_dontaudit_getattr_all_dirs() +- Allow init_t to manage etc_aliases_t and read xserver_var_lib_t and chrony keys +- Fix up patch to allow systemd to manage home content +- Allow domains to send/recv unlabeled traffic if unlabelednet.pp is enabled +- Allow getty to exec hostname to get info +- Add systemd_home_t for ~/.local/share/systemd directory + * Wed Oct 2 2013 Miroslav Grepl 3.12.1-85 - Fix lxc labeling in config.tgz