diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 6debbcb..4f1a81f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -668,7 +668,7 @@ index 3a45f23..f4754f0 100644 # fork # setexec diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index 28802c5..943c42e 100644 +index 28802c5..ee01d6e 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -679,7 +679,7 @@ index 28802c5..943c42e 100644 } -@@ -393,6 +394,10 @@ class system +@@ -393,6 +394,13 @@ class system syslog_mod syslog_console module_request @@ -687,10 +687,13 @@ index 28802c5..943c42e 100644 + reboot + status + undefined ++ enable ++ disable ++ reload } # -@@ -443,10 +448,12 @@ class capability +@@ -443,10 +451,12 @@ class capability class capability2 { mac_override # unused by SELinux @@ -704,7 +707,7 @@ index 28802c5..943c42e 100644 } # -@@ -827,6 +834,9 @@ class kernel_service +@@ -827,6 +837,9 @@ class kernel_service class tun_socket inherits socket @@ -714,7 +717,7 @@ index 28802c5..943c42e 100644 class x_pointer inherits x_device -@@ -862,3 +872,20 @@ inherits database +@@ -862,3 +875,20 @@ inherits database implement execute } @@ -2376,7 +2379,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..9365051 100644 +index d555767..68f6887 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2724,7 +2727,7 @@ index d555767..9365051 100644 # -allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource }; -+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource }; ++allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot }; + dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; @@ -5171,7 +5174,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..8fd1cbb 100644 +index 4edc40d..6f8cc7f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5257,7 +5260,7 @@ index 4edc40d..8fd1cbb 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -96,6 +118,7 @@ network_port(boinc, tcp,31416,s0) +@@ -96,18 +118,18 @@ network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) @@ -5265,7 +5268,12 @@ index 4edc40d..8fd1cbb 100644 network_port(chronyd, udp,323,s0) network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) -@@ -107,7 +130,6 @@ network_port(commplex_main, tcp,5000,s0, udp,5000,s0) + network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) + network_port(cma, tcp,1050,s0, udp,1050,s0) + network_port(cobbler, tcp,25151,s0) +-network_port(commplex_link, tcp,5001,s0, udp,5001,s0) ++network_port(commplex_link, tcp,4331,s0, tcp,5001,s0, udp,5001,s0) + network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) @@ -5273,7 +5281,7 @@ index 4edc40d..8fd1cbb 100644 network_port(ctdb, tcp,4379,s0, udp,4397,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) -@@ -119,19 +141,25 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,19 +141,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5288,6 +5296,7 @@ index 4edc40d..8fd1cbb 100644 network_port(epmd, tcp,4369,s0, udp,4369,s0) network_port(fingerd, tcp,79,s0) -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) ++network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) @@ -5301,7 +5310,7 @@ index 4edc40d..8fd1cbb 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +167,51 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +168,51 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5367,7 +5376,7 @@ index 4edc40d..8fd1cbb 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,24 +219,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,24 +220,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5403,7 +5412,7 @@ index 4edc40d..8fd1cbb 100644 network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) -@@ -214,38 +256,43 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5429,8 +5438,10 @@ index 4edc40d..8fd1cbb 100644 network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) -network_port(rtsp, tcp,554,s0, udp,554,s0) ++network_port(rtp_media, tcp,5004-5005,s0, udp,5004-5005,s0) +network_port(rtsp, tcp,554,s0, udp,554,s0, tcp,8554,s0, udp,8554,s0) network_port(rwho, udp,513,s0) ++network_port(salt, tcp,4505,s0, tcp,4506,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) +network_port(saphostctrl, tcp,1128,s0, tcp,1129,s0) network_port(servistaitsm, tcp,3636,s0, udp,3636,s0) @@ -5454,7 +5465,7 @@ index 4edc40d..8fd1cbb 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +304,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -257,8 +307,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5465,7 +5476,7 @@ index 4edc40d..8fd1cbb 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +316,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +319,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5478,7 +5489,7 @@ index 4edc40d..8fd1cbb 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -292,12 +340,16 @@ network_port(zope, tcp,8021,s0) +@@ -292,12 +343,16 @@ network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; # these entries just cover any remaining reserved ports not otherwise declared. @@ -5497,7 +5508,7 @@ index 4edc40d..8fd1cbb 100644 ######################################## # -@@ -330,6 +382,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +385,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5506,7 +5517,7 @@ index 4edc40d..8fd1cbb 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +396,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +399,24 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -8261,7 +8272,7 @@ index 6529bd9..831344c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..c691385 100644 +index 6a1e4d1..1e738dd 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -8379,7 +8390,32 @@ index 6a1e4d1..c691385 100644 ## Relabel to and from all entry point ## file types. ## -@@ -1530,4 +1543,27 @@ interface(`domain_unconfined',` +@@ -1508,6 +1521,24 @@ interface(`domain_unconfined_signal',` + + ######################################## + ## ++## Named Filetrans Domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`domain_named_filetrans',` ++ gen_require(` ++ attribute named_filetrans_domain; ++ ') ++ ++ typeattribute $1 named_filetrans_domain; ++') ++ ++######################################## ++## + ## Unconfined access to domains. + ## + ## +@@ -1530,4 +1561,27 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -8408,7 +8444,7 @@ index 6a1e4d1..c691385 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..d02fa9e 100644 +index cf04cb5..5367299 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8441,7 +8477,15 @@ index cf04cb5..d02fa9e 100644 ## ##

-@@ -86,23 +109,45 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -15,6 +38,7 @@ gen_tunable(mmap_low_allowed, false) + + # Mark process types as domains + attribute domain; ++attribute named_filetrans_domain; + + # Transitions only allowed from domains to other domains + neverallow domain ~domain:process { transition dyntransition }; +@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; @@ -8488,7 +8532,7 @@ index cf04cb5..d02fa9e 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +166,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -8507,7 +8551,7 @@ index cf04cb5..d02fa9e 100644 ') optional_policy(` -@@ -133,6 +188,8 @@ optional_policy(` +@@ -133,6 +189,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -8516,7 +8560,7 @@ index cf04cb5..d02fa9e 100644 ') ######################################## -@@ -147,12 +204,18 @@ optional_policy(` +@@ -147,12 +205,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; @@ -8536,165 +8580,168 @@ index cf04cb5..d02fa9e 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,292 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +230,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; -+corenet_filetrans_all_named_dev(unconfined_domain_type) ++corenet_filetrans_all_named_dev(named_filetrans_domain) + -+dev_filetrans_all_named_dev(unconfined_domain_type) ++dev_filetrans_all_named_dev(named_filetrans_domain)) + # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + -+files_filetrans_named_content(unconfined_domain_type) -+files_filetrans_system_conf_named_files(unconfined_domain_type) ++files_filetrans_named_content(named_filetrans_domain) ++files_filetrans_system_conf_named_files(named_filetrans_domain) +files_config_all_files(unconfined_domain_type) +dev_config_null_dev_service(unconfined_domain_type) + +optional_policy(` -+ locallogin_filetrans_home_content(unconfined_domain_type) ++ locallogin_filetrans_home_content(named_filetrans_domain) +') + +optional_policy(` -+ mandb_filetrans_named_home_content(unconfined_domain_type) ++ mandb_filetrans_named_home_content(named_filetrans_domain) +') + +optional_policy(` -+ seutil_filetrans_named_content(unconfined_domain_type) ++ seutil_filetrans_named_content(named_filetrans_domain) +') + -+storage_filetrans_all_named_dev(unconfined_domain_type) ++storage_filetrans_all_named_dev(named_filetrans_domain) + -+term_filetrans_all_named_dev(unconfined_domain_type) ++term_filetrans_all_named_dev(named_filetrans_domain) + +optional_policy(` ++ init_disable_services(unconfined_domain_type) ++ init_enable_services(unconfined_domain_type) ++ init_reload_services(unconfined_domain_type) + init_status(unconfined_domain_type) + init_reboot(unconfined_domain_type) + init_halt(unconfined_domain_type) + init_undefined(unconfined_domain_type) -+ init_filetrans_named_content(unconfined_domain_type) ++ init_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ auth_filetrans_named_content(unconfined_domain_type) -+ auth_filetrans_admin_home_content(unconfined_domain_type) ++ auth_filetrans_named_content(named_filetrans_domain) ++ auth_filetrans_admin_home_content(named_filetrans_domain) +') + +optional_policy(` -+ libs_filetrans_named_content(unconfined_domain_type) ++ libs_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ logging_filetrans_named_content(unconfined_domain_type) ++ logging_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ miscfiles_filetrans_named_content(unconfined_domain_type) ++ miscfiles_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ abrt_filetrans_named_content(unconfined_domain_type) ++ abrt_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ alsa_filetrans_named_content(unconfined_domain_type) ++ alsa_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ apache_filetrans_named_content(unconfined_domain_type) ++ apache_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ apcupsd_filetrans_named_content(unconfined_domain_type) ++ apcupsd_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ bootloader_filetrans_config(unconfined_domain_type) ++ bootloader_filetrans_config(named_filetrans_domain) +') + +optional_policy(` -+ clock_filetrans_named_content(unconfined_domain_type) ++ clock_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ cups_filetrans_named_content(unconfined_domain_type) ++ cups_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ devicekit_filetrans_named_content(unconfined_domain_type) ++ devicekit_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ dnsmasq_filetrans_named_content(unconfined_domain_type) ++ dnsmasq_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ gnome_filetrans_admin_home_content(unconfined_domain_type) ++ gnome_filetrans_admin_home_content(named_filetrans_domain) +') + +optional_policy(` -+ iscsi_filetrans_named_content(unconfined_domain_type) ++ iscsi_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ kerberos_filetrans_named_content(unconfined_domain_type) ++ kerberos_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ mta_filetrans_named_content(unconfined_domain_type) ++ mta_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ mplayer_filetrans_home_content(unconfined_domain_type) ++ mplayer_filetrans_home_content(named_filetrans_domain) +') + +optional_policy(` -+ modules_filetrans_named_content(unconfined_domain_type) ++ modules_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ mysql_filetrans_named_content(unconfined_domain_type) ++ mysql_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ networkmanager_filetrans_named_content(unconfined_domain_type) ++ networkmanager_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ ntp_filetrans_named_content(unconfined_domain_type) ++ ntp_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ nx_filetrans_named_content(unconfined_domain_type) ++ nx_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ postgresql_filetrans_named_content(unconfined_domain_type) ++ postgresql_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ postfix_filetrans_named_content(unconfined_domain_type) ++ postfix_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ prelink_filetrans_named_content(unconfined_domain_type) ++ prelink_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ pulseaudio_filetrans_admin_home_content(unconfined_domain_type) ++ pulseaudio_filetrans_admin_home_content(named_filetrans_domain) +') + +optional_policy(` -+ quota_filetrans_named_content(unconfined_domain_type) ++ quota_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ rpcbind_filetrans_named_content(unconfined_domain_type) ++ rpcbind_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ sysnet_filetrans_named_content(unconfined_domain_type) ++ sysnet_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` @@ -8702,24 +8749,24 @@ index cf04cb5..d02fa9e 100644 + systemd_login_reboot(unconfined_domain_type) + systemd_login_halt(unconfined_domain_type) + systemd_login_undefined(unconfined_domain_type) -+ systemd_filetrans_named_hostname(unconfined_domain_type) ++ systemd_filetrans_named_hostname(named_filetrans_domain) +') + +optional_policy(` -+ tftp_filetrans_named_content(unconfined_domain_type) ++ tftp_filetrans_named_content(named_filetrans_domain) +') + +optional_policy(` -+ userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file }) ++ userdom_user_home_dir_filetrans_user_home_content(named_filetrans_domain, { dir file lnk_file fifo_file sock_file }) +') + +optional_policy(` -+ ssh_filetrans_admin_home_content(unconfined_domain_type) -+ ssh_filetrans_keys(unconfined_domain_type) ++ ssh_filetrans_admin_home_content(named_filetrans_domain) ++ ssh_filetrans_keys(unconfined_domain_type) +') + +optional_policy(` -+ virt_filetrans_named_content(unconfined_domain_type) ++ virt_filetrans_named_content(named_filetrans_domain) +') + +selinux_getattr_fs(domain) @@ -16685,7 +16732,7 @@ index 234a940..d340f20 100644 ######################################## ##

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..1a2de40 100644 +index 5da7870..28cfc6a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,68 @@ policy_module(staff, 2.3.1) @@ -16757,7 +16804,7 @@ index 5da7870..1a2de40 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +79,102 @@ optional_policy(` +@@ -23,11 +79,106 @@ optional_policy(` ') optional_policy(` @@ -16858,10 +16905,14 @@ index 5da7870..1a2de40 100644 + polipo_role(staff_r, staff_t) + polipo_named_filetrans_cache_home_dirs(staff_t) + polipo_named_filetrans_config_home_files(staff_t) ++') ++ ++optional_policy(` ++ openvpn_exec(staff_t) ') optional_policy(` -@@ -35,15 +182,31 @@ optional_policy(` +@@ -35,15 +186,31 @@ optional_policy(` ') optional_policy(` @@ -16895,7 +16946,7 @@ index 5da7870..1a2de40 100644 ') optional_policy(` -@@ -52,10 +215,55 @@ optional_policy(` +@@ -52,10 +219,55 @@ optional_policy(` ') optional_policy(` @@ -16951,7 +17002,7 @@ index 5da7870..1a2de40 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +273,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +277,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16962,7 +17013,7 @@ index 5da7870..1a2de40 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +282,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +286,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -16973,7 +17024,7 @@ index 5da7870..1a2de40 100644 ') optional_policy(` -@@ -101,10 +301,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +305,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16984,7 +17035,7 @@ index 5da7870..1a2de40 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +321,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +325,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16995,7 +17046,7 @@ index 5da7870..1a2de40 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +333,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +337,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17006,7 +17057,7 @@ index 5da7870..1a2de40 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +364,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +368,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -17058,10 +17109,10 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..e7c0869 100644 +index 88d0028..0459d20 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,82 @@ policy_module(sysadm, 2.5.1) +@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) # Declarations # @@ -17117,6 +17168,9 @@ index 88d0028..e7c0869 100644 +application_exec(sysadm_t) + +init_filetrans_named_content(sysadm_t) ++init_disable_services(sysadm_t) ++init_enable_services(sysadm_t) ++init_reload_services(sysadm_t) init_exec(sysadm_t) +init_exec_script_files(sysadm_t) +init_dbus_chat(sysadm_t) @@ -17155,7 +17209,7 @@ index 88d0028..e7c0869 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +98,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +101,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') @@ -17170,7 +17224,7 @@ index 88d0028..e7c0869 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +108,9 @@ optional_policy(` +@@ -71,9 +111,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -17181,7 +17235,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -87,6 +124,7 @@ optional_policy(` +@@ -87,6 +127,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -17189,7 +17243,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -110,11 +148,17 @@ optional_policy(` +@@ -110,11 +151,17 @@ optional_policy(` ') optional_policy(` @@ -17207,7 +17261,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -122,11 +166,19 @@ optional_policy(` +@@ -122,11 +169,19 @@ optional_policy(` ') optional_policy(` @@ -17229,7 +17283,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -140,6 +192,10 @@ optional_policy(` +@@ -140,6 +195,10 @@ optional_policy(` ') optional_policy(` @@ -17240,7 +17294,7 @@ index 88d0028..e7c0869 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +212,11 @@ optional_policy(` +@@ -156,11 +215,11 @@ optional_policy(` ') optional_policy(` @@ -17254,7 +17308,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -179,6 +235,13 @@ optional_policy(` +@@ -179,6 +238,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -17268,7 +17322,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -186,15 +249,20 @@ optional_policy(` +@@ -186,15 +252,20 @@ optional_policy(` ') optional_policy(` @@ -17292,7 +17346,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -214,22 +282,20 @@ optional_policy(` +@@ -214,22 +285,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -17321,7 +17375,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -241,14 +307,27 @@ optional_policy(` +@@ -241,14 +310,27 @@ optional_policy(` ') optional_policy(` @@ -17349,7 +17403,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -256,10 +335,20 @@ optional_policy(` +@@ -256,10 +338,20 @@ optional_policy(` ') optional_policy(` @@ -17370,7 +17424,7 @@ index 88d0028..e7c0869 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +359,36 @@ optional_policy(` +@@ -270,31 +362,36 @@ optional_policy(` ') optional_policy(` @@ -17414,7 +17468,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -319,12 +413,18 @@ optional_policy(` +@@ -319,12 +416,18 @@ optional_policy(` ') optional_policy(` @@ -17434,7 +17488,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -349,7 +449,18 @@ optional_policy(` +@@ -349,7 +452,18 @@ optional_policy(` ') optional_policy(` @@ -17454,7 +17508,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -360,19 +471,15 @@ optional_policy(` +@@ -360,19 +474,15 @@ optional_policy(` ') optional_policy(` @@ -17476,7 +17530,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -384,10 +491,6 @@ optional_policy(` +@@ -384,10 +494,6 @@ optional_policy(` ') optional_policy(` @@ -17487,7 +17541,7 @@ index 88d0028..e7c0869 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +498,9 @@ optional_policy(` +@@ -395,6 +501,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -17497,7 +17551,7 @@ index 88d0028..e7c0869 100644 ') optional_policy(` -@@ -402,31 +508,34 @@ optional_policy(` +@@ -402,31 +511,34 @@ optional_policy(` ') optional_policy(` @@ -17538,7 +17592,7 @@ index 88d0028..e7c0869 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +548,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +551,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17549,7 +17603,7 @@ index 88d0028..e7c0869 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +568,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +571,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18308,10 +18362,10 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..c8f13da +index 0000000..9de7a1f --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,329 @@ +@@ -0,0 +1,330 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -18390,6 +18444,7 @@ index 0000000..c8f13da +systemd_config_all_services(unconfined_t) + +unconfined_domain_noaudit(unconfined_t) ++domain_named_filetrans(unconfined_t) + +usermanage_run_passwd(unconfined_t, unconfined_r) + @@ -22453,7 +22508,7 @@ index 6bf0ecc..266289c 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..fcf58c6 100644 +index 2696452..7e081fb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -22798,7 +22853,7 @@ index 2696452..fcf58c6 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +408,106 @@ optional_policy(` +@@ -299,64 +408,107 @@ optional_policy(` # XDM Local policy # @@ -22890,6 +22945,7 @@ index 2696452..fcf58c6 100644 manage_dirs_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) ++manage_lnk_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) manage_fifo_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) -files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file }) +manage_sock_files_pattern(xdm_t, xdm_var_run_t, xdm_var_run_t) @@ -22915,7 +22971,7 @@ index 2696452..fcf58c6 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -22945,7 +23001,7 @@ index 2696452..fcf58c6 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -22998,7 +23054,7 @@ index 2696452..fcf58c6 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +598,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +599,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23027,7 +23083,7 @@ index 2696452..fcf58c6 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +629,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23074,7 +23130,7 @@ index 2696452..fcf58c6 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +673,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +674,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23225,7 +23281,7 @@ index 2696452..fcf58c6 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +824,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +825,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23252,7 +23308,7 @@ index 2696452..fcf58c6 100644 ') optional_policy(` -@@ -514,12 +851,72 @@ optional_policy(` +@@ -514,12 +852,72 @@ optional_policy(` ') optional_policy(` @@ -23325,7 +23381,7 @@ index 2696452..fcf58c6 100644 hostname_exec(xdm_t) ') -@@ -537,28 +934,78 @@ optional_policy(` +@@ -537,28 +935,78 @@ optional_policy(` ') optional_policy(` @@ -23413,7 +23469,7 @@ index 2696452..fcf58c6 100644 ') optional_policy(` -@@ -570,6 +1017,14 @@ optional_policy(` +@@ -570,6 +1018,14 @@ optional_policy(` ') optional_policy(` @@ -23428,7 +23484,7 @@ index 2696452..fcf58c6 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23441,7 +23497,7 @@ index 2696452..fcf58c6 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23457,7 +23513,7 @@ index 2696452..fcf58c6 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23468,7 +23524,7 @@ index 2696452..fcf58c6 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23490,7 +23546,7 @@ index 2696452..fcf58c6 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23504,7 +23560,7 @@ index 2696452..fcf58c6 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23536,7 +23592,7 @@ index 2696452..fcf58c6 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23554,7 +23610,7 @@ index 2696452..fcf58c6 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1198,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1199,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23578,7 +23634,7 @@ index 2696452..fcf58c6 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23587,7 +23643,7 @@ index 2696452..fcf58c6 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1261,44 @@ optional_policy(` +@@ -775,16 +1262,44 @@ optional_policy(` ') optional_policy(` @@ -23633,7 +23689,7 @@ index 2696452..fcf58c6 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1307,10 @@ optional_policy(` +@@ -793,6 +1308,10 @@ optional_policy(` ') optional_policy(` @@ -23644,7 +23700,7 @@ index 2696452..fcf58c6 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23658,7 +23714,7 @@ index 2696452..fcf58c6 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23667,7 +23723,7 @@ index 2696452..fcf58c6 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1350,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1351,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23702,7 +23758,7 @@ index 2696452..fcf58c6 100644 ') optional_policy(` -@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23711,7 +23767,7 @@ index 2696452..fcf58c6 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23743,7 +23799,7 @@ index 2696452..fcf58c6 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -25995,7 +26051,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..d0780a9 100644 +index 24e7804..c4155c7 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -26880,7 +26936,7 @@ index 24e7804..d0780a9 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2284,306 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2284,360 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -27131,6 +27187,60 @@ index 24e7804..d0780a9 100644 + +######################################## +## ++## Tell init to enable the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_enable_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system enable; ++') ++ ++######################################## ++## ++## Tell init to disable the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_disable_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system disable; ++') ++ ++######################################## ++## ++## Tell init to reload the services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_reload_services',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:system reload; ++') ++ ++######################################## ++## +## Tell init to halt the system. +## +## @@ -27188,7 +27298,7 @@ index 24e7804..d0780a9 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..8cda2bb 100644 +index dd3be8d..6ad72c0 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27619,7 +27729,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -216,6 +456,27 @@ optional_policy(` +@@ -216,7 +456,29 @@ optional_policy(` ') optional_policy(` @@ -27645,9 +27755,11 @@ index dd3be8d..8cda2bb 100644 + +optional_policy(` unconfined_domain(init_t) ++ domain_named_filetrans(init_t) ') -@@ -225,8 +486,9 @@ optional_policy(` + ######################################## +@@ -225,8 +487,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -27659,7 +27771,7 @@ index dd3be8d..8cda2bb 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +520,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -27676,7 +27788,7 @@ index dd3be8d..8cda2bb 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +545,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -27719,7 +27831,7 @@ index dd3be8d..8cda2bb 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +582,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -27731,7 +27843,7 @@ index dd3be8d..8cda2bb 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +594,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -27742,7 +27854,7 @@ index dd3be8d..8cda2bb 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +605,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -27752,7 +27864,7 @@ index dd3be8d..8cda2bb 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +614,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -27760,7 +27872,7 @@ index dd3be8d..8cda2bb 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +621,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -27768,7 +27880,7 @@ index dd3be8d..8cda2bb 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +629,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -27786,7 +27898,7 @@ index dd3be8d..8cda2bb 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +647,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -27800,7 +27912,7 @@ index dd3be8d..8cda2bb 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +662,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -27814,7 +27926,7 @@ index dd3be8d..8cda2bb 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +675,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -27822,7 +27934,7 @@ index dd3be8d..8cda2bb 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +687,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -27830,7 +27942,7 @@ index dd3be8d..8cda2bb 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +706,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -27854,7 +27966,7 @@ index dd3be8d..8cda2bb 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +739,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -27862,7 +27974,7 @@ index dd3be8d..8cda2bb 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +773,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -27873,7 +27985,7 @@ index dd3be8d..8cda2bb 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +796,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +797,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -27882,7 +27994,7 @@ index dd3be8d..8cda2bb 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +811,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +812,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -27890,7 +28002,7 @@ index dd3be8d..8cda2bb 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +832,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +833,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -27898,7 +28010,7 @@ index dd3be8d..8cda2bb 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +842,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +843,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -27943,7 +28055,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -558,14 +887,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +888,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -27975,7 +28087,7 @@ index dd3be8d..8cda2bb 100644 ') ') -@@ -576,6 +922,39 @@ ifdef(`distro_suse',` +@@ -576,6 +923,39 @@ ifdef(`distro_suse',` ') ') @@ -28015,7 +28127,7 @@ index dd3be8d..8cda2bb 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +967,8 @@ optional_policy(` +@@ -588,6 +968,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28024,7 +28136,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -609,6 +990,7 @@ optional_policy(` +@@ -609,6 +991,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -28032,7 +28144,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -625,6 +1007,17 @@ optional_policy(` +@@ -625,6 +1008,17 @@ optional_policy(` ') optional_policy(` @@ -28050,7 +28162,7 @@ index dd3be8d..8cda2bb 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1034,13 @@ optional_policy(` +@@ -641,9 +1035,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -28064,7 +28176,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -656,15 +1053,11 @@ optional_policy(` +@@ -656,15 +1054,11 @@ optional_policy(` ') optional_policy(` @@ -28082,7 +28194,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -685,6 +1078,15 @@ optional_policy(` +@@ -685,6 +1079,15 @@ optional_policy(` ') optional_policy(` @@ -28098,7 +28210,7 @@ index dd3be8d..8cda2bb 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1127,7 @@ optional_policy(` +@@ -725,6 +1128,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -28106,7 +28218,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -742,7 +1145,14 @@ optional_policy(` +@@ -742,7 +1146,14 @@ optional_policy(` ') optional_policy(` @@ -28121,7 +28233,7 @@ index dd3be8d..8cda2bb 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1175,10 @@ optional_policy(` +@@ -765,6 +1176,10 @@ optional_policy(` ') optional_policy(` @@ -28132,7 +28244,7 @@ index dd3be8d..8cda2bb 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1188,20 @@ optional_policy(` +@@ -774,10 +1189,20 @@ optional_policy(` ') optional_policy(` @@ -28153,7 +28265,7 @@ index dd3be8d..8cda2bb 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1210,10 @@ optional_policy(` +@@ -786,6 +1211,10 @@ optional_policy(` ') optional_policy(` @@ -28164,7 +28276,7 @@ index dd3be8d..8cda2bb 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1235,6 @@ optional_policy(` +@@ -807,8 +1236,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -28173,7 +28285,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -817,6 +1243,10 @@ optional_policy(` +@@ -817,6 +1244,10 @@ optional_policy(` ') optional_policy(` @@ -28184,7 +28296,7 @@ index dd3be8d..8cda2bb 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1256,12 @@ optional_policy(` +@@ -826,10 +1257,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -28197,7 +28309,7 @@ index dd3be8d..8cda2bb 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1288,27 @@ optional_policy(` +@@ -856,12 +1289,28 @@ optional_policy(` ') optional_policy(` @@ -28220,13 +28332,14 @@ index dd3be8d..8cda2bb 100644 optional_policy(` unconfined_domain(initrc_t) ++ domain_named_filetrans(initrc_t) + domain_role_change_exemption(initrc_t) + + files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set }) ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1318,18 @@ optional_policy(` +@@ -871,6 +1320,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -28245,7 +28358,7 @@ index dd3be8d..8cda2bb 100644 ') optional_policy(` -@@ -886,6 +1345,10 @@ optional_policy(` +@@ -886,6 +1347,10 @@ optional_policy(` ') optional_policy(` @@ -28256,7 +28369,7 @@ index dd3be8d..8cda2bb 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1359,196 @@ optional_policy(` +@@ -896,3 +1361,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28690,7 +28803,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..9a068f6 100644 +index 9e54bf9..a0ba260 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28703,24 +28816,37 @@ index 9e54bf9..9a068f6 100644 type ipsec_mgmt_lock_t; files_lock_file(ipsec_mgmt_lock_t) -@@ -73,13 +76,15 @@ role system_r types setkey_t; +@@ -72,14 +75,18 @@ role system_r types setkey_t; + # ipsec Local policy # - allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; +-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice }; -dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config }; ++allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid }; +dontaudit ipsec_t self:capability sys_tty_config; allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; ++allow ipsec_t self:packet_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; +allow ipsec_t self:netlink_selinux_socket create_socket_perms; +allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow ipsec_t self:netlink_route_socket { create_netlink_socket_perms write }; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; -@@ -128,20 +133,21 @@ corecmd_exec_shell(ipsec_t) +@@ -113,7 +120,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write }; + allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld }; + + kernel_read_kernel_sysctls(ipsec_t) +-kernel_read_net_sysctls(ipsec_t) ++kernel_rw_net_sysctls(ipsec_t) + kernel_list_proc(ipsec_t) + kernel_read_proc_symlinks(ipsec_t) + # allow pluto to access /proc/net/ipsec_eroute; +@@ -128,20 +135,22 @@ corecmd_exec_shell(ipsec_t) corecmd_exec_bin(ipsec_t) # Pluto needs network access @@ -28742,6 +28868,7 @@ index 9e54bf9..9a068f6 100644 corenet_tcp_bind_isakmp_port(ipsec_t) corenet_udp_bind_isakmp_port(ipsec_t) corenet_udp_bind_ipsecnat_port(ipsec_t) ++corenet_udp_bind_dhcpc_port(ipsec_t) corenet_sendrecv_generic_server_packets(ipsec_t) corenet_sendrecv_isakmp_server_packets(ipsec_t) +corenet_tcp_connect_http_port(ipsec_t) @@ -28749,7 +28876,7 @@ index 9e54bf9..9a068f6 100644 dev_read_sysfs(ipsec_t) dev_read_rand(ipsec_t) -@@ -157,6 +163,8 @@ files_dontaudit_search_home(ipsec_t) +@@ -157,6 +166,8 @@ files_dontaudit_search_home(ipsec_t) fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) @@ -28758,7 +28885,7 @@ index 9e54bf9..9a068f6 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -165,11 +173,13 @@ auth_use_nsswitch(ipsec_t) +@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -28773,7 +28900,7 @@ index 9e54bf9..9a068f6 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -187,10 +197,10 @@ optional_policy(` +@@ -187,10 +200,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -28788,7 +28915,7 @@ index 9e54bf9..9a068f6 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,6 +220,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) @@ -28796,7 +28923,7 @@ index 9e54bf9..9a068f6 100644 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -@@ -246,6 +257,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -28813,7 +28940,7 @@ index 9e54bf9..9a068f6 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +276,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -28822,7 +28949,7 @@ index 9e54bf9..9a068f6 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +301,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -28834,7 +28961,7 @@ index 9e54bf9..9a068f6 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +314,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -28858,7 +28985,7 @@ index 9e54bf9..9a068f6 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +349,10 @@ optional_policy(` +@@ -322,6 +352,10 @@ optional_policy(` ') optional_policy(` @@ -28869,7 +28996,16 @@ index 9e54bf9..9a068f6 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -370,13 +401,12 @@ kernel_request_load_module(racoon_t) +@@ -335,7 +369,7 @@ optional_policy(` + # + + allow racoon_t self:capability { net_admin net_bind_service }; +-allow racoon_t self:netlink_route_socket create_netlink_socket_perms; ++allow racoon_t self:netlink_route_socket { create_netlink_socket_perms }; + allow racoon_t self:unix_dgram_socket { connect create ioctl write }; + allow racoon_t self:netlink_selinux_socket { bind create read }; + allow racoon_t self:udp_socket create_socket_perms; +@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -28889,7 +29025,7 @@ index 9e54bf9..9a068f6 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +431,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -28902,7 +29038,7 @@ index 9e54bf9..9a068f6 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +469,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -29619,7 +29755,7 @@ index 808ba93..9d8f729 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 23a645e..1982e9c 100644 +index 23a645e..f0cbd38 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) @@ -29694,17 +29830,19 @@ index 23a645e..1982e9c 100644 ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage -@@ -114,6 +126,9 @@ ifdef(`hide_broken_symptoms',` +@@ -114,6 +126,11 @@ ifdef(`hide_broken_symptoms',` ') ') + dev_dontaudit_rw_lvm_control(ldconfig_t) ++ dev_dontaudit_read_all_chr_files(ldconfig_t) ++ dev_dontaudit_read_all_blk_files(ldconfig_t) + term_dontaudit_use_unallocated_ttys(ldconfig_t) + optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) ') -@@ -131,6 +146,14 @@ optional_policy(` +@@ -131,6 +148,14 @@ optional_policy(` ') optional_policy(` @@ -29719,7 +29857,7 @@ index 23a645e..1982e9c 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +164,3 @@ optional_policy(` +@@ -141,6 +166,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') @@ -30496,7 +30634,7 @@ index 4e94884..55d2481 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..7094526 100644 +index 39ea221..692b00d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30591,13 +30729,12 @@ index 39ea221..7094526 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +204,16 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) -miscfiles_read_localization(auditd_t) +auth_use_nsswitch(auditd_t) -+ mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory @@ -30608,11 +30745,13 @@ index 39ea221..7094526 100644 sysnet_dns_name_resolve(auditd_t) -userdom_use_user_terminals(auditd_t) ++systemd_start_systemd_services(auditd_t) ++ +userdom_use_inherited_user_terminals(auditd_t) userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +258,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -30643,7 +30782,7 @@ index 39ea221..7094526 100644 ') ######################################## -@@ -268,7 +299,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) @@ -30651,7 +30790,7 @@ index 39ea221..7094526 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +310,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -30671,7 +30810,7 @@ index 39ea221..7094526 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +364,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -30679,7 +30818,7 @@ index 39ea221..7094526 100644 mls_file_read_all_levels(klogd_t) -@@ -354,12 +391,12 @@ optional_policy(` +@@ -354,12 +392,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -30695,7 +30834,7 @@ index 39ea221..7094526 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,6 +406,7 @@ allow syslogd_t self:udp_socket create_socket_perms; +@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; @@ -30703,7 +30842,7 @@ index 39ea221..7094526 100644 # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -377,6 +415,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -30711,7 +30850,7 @@ index 39ea221..7094526 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,22 +425,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -30746,7 +30885,7 @@ index 39ea221..7094526 100644 corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,9 +475,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -30774,7 +30913,7 @@ index 39ea221..7094526 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +507,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -30794,7 +30933,7 @@ index 39ea221..7094526 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +531,10 @@ init_use_fds(syslogd_t) +@@ -461,11 +532,10 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -30808,7 +30947,7 @@ index 39ea221..7094526 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +571,36 @@ optional_policy(` +@@ -502,15 +572,36 @@ optional_policy(` ') optional_policy(` @@ -30845,7 +30984,7 @@ index 39ea221..7094526 100644 ') optional_policy(` -@@ -521,3 +611,26 @@ optional_policy(` +@@ -521,3 +612,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -35097,10 +35236,10 @@ index 0000000..2cd29ba +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..6862d53 +index 0000000..8a61b65 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1231 @@ +@@ -0,0 +1,1286 @@ +## SELinux policy for systemd components + +###################################### @@ -35906,6 +36045,61 @@ index 0000000..6862d53 + init_config_all_script_files($1) +') + ++######################################## ++## ++## Allow the specified domain to start systemd services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_start_systemd_services',` ++ gen_require(` ++ attribute systemd_unit_file_t; ++ ') ++ ++ allow $1 systemd_unit_file_t:service start; ++') ++ ++####################################### ++## ++## Allow the specified domain to reload all systemd services. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_reload_systemd_services',` ++ gen_require(` ++ attribute systemd_unit_file_t; ++ ') ++ ++ allow $1 systemd_unit_file_t:service reload; ++') ++ ++######################################## ++## ++## Allow the specified domain to modify the systemd configuration of ++## all systemd services ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_config_systemd_services',` ++ gen_require(` ++ attribute systemd_unit_file_t; ++ ') ++ ++ allow $1 systemd_unit_file_t:service all_service_perms; ++ init_config_all_script_files($1) ++') + +######################################## +## @@ -36334,10 +36528,10 @@ index 0000000..6862d53 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..b43a6c1 +index 0000000..13712f9 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,654 @@ +@@ -0,0 +1,661 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -36720,6 +36914,7 @@ index 0000000..b43a6c1 +') + +optional_policy(` ++ lpd_manage_spool(systemd_tmpfiles_t) + lpd_relabel_spool(systemd_tmpfiles_t) +') + @@ -36747,6 +36942,7 @@ index 0000000..b43a6c1 + +allow systemd_notify_t self:fifo_file rw_fifo_file_perms; +allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms; ++allow systemd_notify_t self:unix_dgram_socket create_socket_perms; + +domain_use_interactive_fds(systemd_notify_t) + @@ -36757,6 +36953,10 @@ index 0000000..b43a6c1 +init_rw_stream_sockets(systemd_notify_t) + +optional_policy(` ++ rhcs_read_log_cluster(systemd_notify_t) ++') ++ ++optional_policy(` + readahead_manage_pid_files(systemd_notify_t) +') + @@ -36972,6 +37172,8 @@ index 0000000..b43a6c1 + +init_stream_connect(systemd_sysctl_t) + ++logging_send_syslog_msg(systemd_sysctl_t) ++ +######################################## +# +# Common rules for systemd domains @@ -36991,7 +37193,6 @@ index 0000000..b43a6c1 +optional_policy(` + policykit_dbus_chat(systemd_domain) +') -+ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 5d30ac9..9800f7e 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1468,7 +1468,7 @@ index 01cbb67..94a4a24 100644 files_list_etc($1) diff --git a/aide.te b/aide.te -index 4b28ab3..6e8746f 100644 +index 4b28ab3..f781a7a 100644 --- a/aide.te +++ b/aide.te @@ -10,6 +10,7 @@ attribute_role aide_roles; @@ -1479,16 +1479,21 @@ index 4b28ab3..6e8746f 100644 role aide_roles types aide_t; type aide_log_t; -@@ -23,7 +24,7 @@ files_type(aide_db_t) +@@ -23,22 +24,30 @@ files_type(aide_db_t) # Local policy # -allow aide_t self:capability { dac_override fowner }; -+allow aide_t self:capability { dac_override fowner ipc_lock }; ++allow aide_t self:capability { dac_override fowner ipc_lock sys_admin }; manage_files_pattern(aide_t, aide_db_t, aide_db_t) ++files_var_lib_filetrans(aide_t, aide_db_t, { dir file }) -@@ -34,11 +35,20 @@ logging_log_filetrans(aide_t, aide_log_t, file) +-create_files_pattern(aide_t, aide_log_t, aide_log_t) +-append_files_pattern(aide_t, aide_log_t, aide_log_t) +-setattr_files_pattern(aide_t, aide_log_t, aide_log_t) ++manage_files_pattern(aide_t, aide_log_t, aide_log_t) + logging_log_filetrans(aide_t, aide_log_t, file) files_read_all_files(aide_t) files_read_all_symlinks(aide_t) @@ -4528,7 +4533,7 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..ffff859 100644 +index 1a82e29..a68bd53 100644 --- a/apache.te +++ b/apache.te @@ -1,297 +1,367 @@ @@ -5216,7 +5221,7 @@ index 1a82e29..ffff859 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5298,6 +5303,7 @@ index 1a82e29..ffff859 100644 -files_read_usr_files(httpd_t) +files_exec_usr_files(httpd_t) files_list_mnt(httpd_t) ++files_read_mnt_symlinks(httpd_t) files_search_spool(httpd_t) files_read_var_symlinks(httpd_t) files_read_var_lib_files(httpd_t) @@ -5445,7 +5451,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +718,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5505,7 +5511,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +770,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5590,7 +5596,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +811,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5671,7 +5677,7 @@ index 1a82e29..ffff859 100644 ') optional_policy(` -@@ -743,14 +863,6 @@ optional_policy(` +@@ -743,14 +864,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5686,7 +5692,7 @@ index 1a82e29..ffff859 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +877,23 @@ optional_policy(` +@@ -765,6 +878,23 @@ optional_policy(` ') optional_policy(` @@ -5710,7 +5716,7 @@ index 1a82e29..ffff859 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +910,42 @@ optional_policy(` +@@ -781,34 +911,42 @@ optional_policy(` ') optional_policy(` @@ -5764,7 +5770,7 @@ index 1a82e29..ffff859 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +953,18 @@ optional_policy(` +@@ -816,8 +954,18 @@ optional_policy(` ') optional_policy(` @@ -5783,7 +5789,7 @@ index 1a82e29..ffff859 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +973,7 @@ optional_policy(` +@@ -826,6 +974,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5791,7 +5797,7 @@ index 1a82e29..ffff859 100644 ') optional_policy(` -@@ -836,20 +984,39 @@ optional_policy(` +@@ -836,20 +985,39 @@ optional_policy(` ') optional_policy(` @@ -5837,7 +5843,7 @@ index 1a82e29..ffff859 100644 ') optional_policy(` -@@ -857,19 +1024,35 @@ optional_policy(` +@@ -857,19 +1025,35 @@ optional_policy(` ') optional_policy(` @@ -5873,7 +5879,7 @@ index 1a82e29..ffff859 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1060,170 @@ optional_policy(` +@@ -877,65 +1061,170 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6066,7 +6072,7 @@ index 1a82e29..ffff859 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1232,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6221,7 +6227,7 @@ index 1a82e29..ffff859 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1316,104 @@ optional_policy(` +@@ -1077,172 +1317,104 @@ optional_policy(` ') ') @@ -6457,7 +6463,7 @@ index 1a82e29..ffff859 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1421,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6554,7 +6560,7 @@ index 1a82e29..ffff859 100644 ######################################## # -@@ -1315,8 +1496,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6571,7 +6577,7 @@ index 1a82e29..ffff859 100644 ') ######################################## -@@ -1324,49 +1512,36 @@ optional_policy(` +@@ -1324,49 +1513,36 @@ optional_policy(` # User content local policy # @@ -6635,7 +6641,7 @@ index 1a82e29..ffff859 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1551,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -8988,7 +8994,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..f177ca5 100644 +index 7c92aa1..6b6cd51 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,13 @@ @@ -9180,13 +9186,14 @@ index 7c92aa1..f177ca5 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +141,65 @@ init_read_utmp(boinc_t) +@@ -130,55 +141,67 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) -miscfiles_read_fonts(boinc_t) -miscfiles_read_localization(boinc_t) -- ++xserver_stream_connect(boinc_t) + optional_policy(` mta_send_mail(boinc_t) ') @@ -12297,7 +12304,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..ace40ae 100644 +index 6471fa8..b2709d1 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) @@ -12357,7 +12364,16 @@ index 6471fa8..ace40ae 100644 logging_send_syslog_msg(collectd_t) -@@ -80,11 +90,17 @@ optional_policy(` +@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',` + ') + + optional_policy(` ++ netutils_domtrans_ping(collectd_t) ++') ++ ++optional_policy(` + virt_read_config(collectd_t) + ') ######################################## # @@ -24110,7 +24126,7 @@ index d062080..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..d9dca45 100644 +index e50f33c..6edd471 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -24140,7 +24156,7 @@ index e50f33c..d9dca45 100644 + +## +##

-+## Allow samba to export ntfs/fusefs volumes. ++## Allow ftpd to use ntfs/fusefs volumes. +##

+##
+gen_tunable(ftpd_use_fusefs, false) @@ -25003,10 +25019,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..6ceb963 +index 0000000..cbe51a9 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,160 @@ +@@ -0,0 +1,164 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25065,7 +25081,8 @@ index 0000000..6ceb963 +# + +allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner setuid }; -+allow glusterd_t self:process { getcap setcap setrlimit signal }; ++allow glusterd_t self:capability2 block_suspend; ++allow glusterd_t self:process { getcap setcap setrlimit signal_perms }; +allow glusterd_t self:fifo_file rw_fifo_file_perms; +allow glusterd_t self:tcp_socket { accept listen }; +allow glusterd_t self:unix_stream_socket { accept listen connectto }; @@ -25096,6 +25113,9 @@ index 0000000..6ceb963 +can_exec(glusterd_t, glusterd_exec_t) + +kernel_read_system_state(glusterd_t) ++kernel_read_network_state(glusterd_t) ++kernel_read_net_sysctls(glusterd_t) ++kernel_request_load_module(glusterd_t) + +corecmd_exec_bin(glusterd_t) +corecmd_exec_shell(glusterd_t) @@ -31543,7 +31563,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..8ff6f51 100644 +index e7f5c81..1a8d69e 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,4 +1,4 @@ @@ -31601,7 +31621,7 @@ index e7f5c81..8ff6f51 100644 files_etc_filetrans_etc_runtime(kdumpgui_t, file) -files_read_usr_files(kdumpgui_t) -+fs_read_dos_files(kdumpgui_t) ++fs_manage_dos_files(kdumpgui_t) fs_getattr_all_fs(kdumpgui_t) fs_list_hugetlbfs(kdumpgui_t) -fs_read_dos_files(kdumpgui_t) @@ -33762,7 +33782,7 @@ index bc25c95..6692d91 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index ee0c7cc..446c507 100644 +index ee0c7cc..c54e3d2 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ @@ -33804,10 +33824,9 @@ index ee0c7cc..446c507 100644 + + init_labeled_script_domtrans($1, slapd_initrc_exec_t) +') - - ######################################## - ## --## List ldap database directories. ++ ++######################################## ++## +## Execute slapd server in the slapd domain. +## +## @@ -33828,9 +33847,10 @@ index ee0c7cc..446c507 100644 + + ps_process_pattern($1, slapd_t) +') -+ -+######################################## -+## + + ######################################## + ## +-## List ldap database directories. +## Read the contents of the OpenLDAP +## database directories. ## @@ -33870,41 +33890,82 @@ index ee0c7cc..446c507 100644 ## ## ## -@@ -55,8 +133,7 @@ interface(`ldap_use',` +@@ -41,22 +119,27 @@ interface(`ldap_read_config',` + + ######################################## + ## +-## Use LDAP over TCP connection. (Deprecated) ++## Read the OpenLDAP cert files. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`ldap_use',` +- refpolicywarn(`$0($*) has been deprecated.') ++interface(`ldap_read_certs',` ++ gen_require(` ++ type slapd_cert_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, slapd_cert_t, slapd_cert_t) + ') ######################################## ## -## Connect to slapd over an unix -## stream socket. -+## Connect to slapd over an unix stream socket. ++## Use LDAP over TCP connection. (Deprecated) ## ## ## -@@ -75,29 +152,8 @@ interface(`ldap_stream_connect',` +@@ -64,18 +147,13 @@ interface(`ldap_use',` + ## + ## + # +-interface(`ldap_stream_connect',` +- gen_require(` +- type slapd_t, slapd_var_run_t; +- ') +- +- files_search_pids($1) +- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) ++interface(`ldap_use',` ++ refpolicywarn(`$0($*) has been deprecated.') + ') ######################################## ## -## Connect to ldap over the network. --## --## --## --## Domain allowed access. --## --## --# ++## Connect to slapd over an unix stream socket. + ## + ## + ## +@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',` + ## + ## + # -interface(`ldap_tcp_connect',` -- gen_require(` ++interface(`ldap_stream_connect',` + gen_require(` - type slapd_t; -- ') -- ++ type slapd_t, slapd_var_run_t; + ') + - corenet_sendrecv_ldap_client_packets($1) - corenet_tcp_connect_ldap_port($1) - corenet_tcp_recvfrom_labeled($1, slapd_t) - corenet_tcp_sendrecv_ldap_port($1) --') -- --######################################## --## ++ files_search_pids($1) ++ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) + ') + + ######################################## + ## -## All of the rules required to -## administrate an ldap environment. +## All of the rules required to administrate @@ -33912,7 +33973,7 @@ index ee0c7cc..446c507 100644 ## ## ## -@@ -106,7 +162,7 @@ interface(`ldap_tcp_connect',` +@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',` ## ## ## @@ -33921,7 +33982,7 @@ index ee0c7cc..446c507 100644 ## ## ## -@@ -115,28 +171,28 @@ interface(`ldap_admin',` +@@ -115,28 +191,28 @@ interface(`ldap_admin',` gen_require(` type slapd_t, slapd_tmp_t, slapd_replog_t; type slapd_lock_t, slapd_etc_t, slapd_var_run_t; @@ -33959,7 +34020,7 @@ index ee0c7cc..446c507 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -144,4 +200,8 @@ interface(`ldap_admin',` +@@ -144,4 +220,8 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -38048,7 +38109,7 @@ index 6ffaba2..154cade 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..f54f1e8 100644 +index 6194b80..97e35b2 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -38364,7 +38425,7 @@ index 6194b80..f54f1e8 100644 ') ######################################## -@@ -303,102 +195,98 @@ interface(`mozilla_domtrans',` +@@ -303,102 +195,99 @@ interface(`mozilla_domtrans',` type mozilla_t, mozilla_exec_t; ') @@ -38398,6 +38459,7 @@ index 6194b80..f54f1e8 100644 + domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) + allow mozilla_plugin_t $1:process signull; + dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms; ++ dontaudit mozilla_plugin_t $1:process signal; + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:fd use; + @@ -38514,7 +38576,7 @@ index 6194b80..f54f1e8 100644 ') ######################################## -@@ -424,8 +312,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +313,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -38524,7 +38586,7 @@ index 6194b80..f54f1e8 100644 ## ## ## -@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +321,108 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -38662,7 +38724,7 @@ index 6194b80..f54f1e8 100644 ## ## ## -@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +430,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -38687,7 +38749,7 @@ index 6194b80..f54f1e8 100644 ## ## ## -@@ -530,45 +448,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +449,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -39842,7 +39904,7 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..97f2b6f 100644 +index 7c8afcc..2f41af9 100644 --- a/mpd.te +++ b/mpd.te @@ -62,6 +62,9 @@ files_type(mpd_var_lib_t) @@ -39905,6 +39967,15 @@ index 7c8afcc..97f2b6f 100644 tunable_policy(`mpd_enable_homedirs',` userdom_search_user_home_dirs(mpd_t) +@@ -191,7 +202,7 @@ optional_policy(` + ') + + optional_policy(` +- pulseaudio_domtrans(mpd_t) ++ pulseaudio_exec(mpd_t) + ') + + optional_policy(` @@ -199,6 +210,16 @@ optional_policy(` ') @@ -51088,20 +51159,54 @@ index 0000000..c1eed44 + ssh_dontaudit_read_server_keys(openshift_cron_t) +') diff --git a/openvpn.fc b/openvpn.fc -index 300213f..6f0d2e4 100644 +index 300213f..4cdfe09 100644 --- a/openvpn.fc +++ b/openvpn.fc -@@ -1,4 +1,5 @@ +@@ -1,10 +1,13 @@ /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) +/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0) /etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) + + /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) + ++/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0) ++ + /var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0) + /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + diff --git a/openvpn.if b/openvpn.if -index 6837e9a..af8f9d0 100644 +index 6837e9a..21e6dae 100644 --- a/openvpn.if +++ b/openvpn.if -@@ -147,9 +147,13 @@ interface(`openvpn_admin',` +@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',` + ######################################## + ## + ## Execute openvpn clients in the ++## caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`openvpn_exec',` ++ gen_require(` ++ type openvpn_exec_t; ++ ') ++ ++ can_exec($1, openvpn_exec_t) ++') ++ ++######################################## ++## ++## Execute openvpn clients in the + ## openvpn domain, and allow the + ## specified role the openvpn domain. + ## +@@ -147,9 +166,13 @@ interface(`openvpn_admin',` type openvpn_status_t; ') @@ -51117,7 +51222,7 @@ index 6837e9a..af8f9d0 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..8e252e4 100644 +index 3270ff9..8a6fbc2 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -51134,7 +51239,7 @@ index 3270ff9..8e252e4 100644 ##

## Determine whether openvpn can ## read generic user home content files. -@@ -26,6 +33,9 @@ files_config_file(openvpn_etc_t) +@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -51144,7 +51249,16 @@ index 3270ff9..8e252e4 100644 type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -@@ -43,7 +53,7 @@ files_pid_file(openvpn_var_run_t) + type openvpn_status_t; + logging_log_file(openvpn_status_t) + ++type openvpn_var_lib_t; ++files_type(openvpn_var_lib_t) ++ + type openvpn_var_log_t; + logging_log_file(openvpn_var_log_t) + +@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -51153,17 +51267,20 @@ index 3270ff9..8e252e4 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -62,6 +72,9 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") +manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t) +files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file) + ++manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t) ++files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file }) ++ manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -@@ -83,7 +96,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -51171,7 +51288,7 @@ index 3270ff9..8e252e4 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -105,11 +117,12 @@ corenet_tcp_bind_http_port(openvpn_t) +@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_sendrecv_http_port(openvpn_t) @@ -51185,7 +51302,7 @@ index 3270ff9..8e252e4 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +134,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51213,7 +51330,7 @@ index 3270ff9..8e252e4 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +174,27 @@ optional_policy(` +@@ -155,3 +180,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -65786,7 +65903,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..f60c494 100644 +index 2c1730b..1e9ad6b 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -65838,7 +65955,7 @@ index 2c1730b..f60c494 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +63,25 @@ corecmd_exec_shell(mdadm_t) +@@ -49,19 +63,26 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -65849,6 +65966,7 @@ index 2c1730b..f60c494 100644 +dev_read_kvm(mdadm_t) +dev_read_nvram(mdadm_t) +dev_read_generic_files(mdadm_t) ++dev_read_generic_usb_dev(mdadm_t) +domain_read_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) @@ -65866,7 +65984,7 @@ index 2c1730b..f60c494 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +90,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -65887,7 +66005,7 @@ index 2c1730b..f60c494 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +121,17 @@ optional_policy(` +@@ -97,9 +122,17 @@ optional_policy(` ') optional_policy(` @@ -67559,10 +67677,10 @@ index b418d1c..1ad9c12 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..347ddf7 100644 +index 47de2d6..98a4280 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,80 @@ +@@ -1,31 +1,85 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -67633,6 +67751,7 @@ index 47de2d6..347ddf7 100644 + +/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) +/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) + +/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) @@ -67644,12 +67763,15 @@ index 47de2d6..347ddf7 100644 +/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0) + ++/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++ +/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0) +/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) ++/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) +/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0) + +/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0) @@ -67666,6 +67788,7 @@ index 47de2d6..347ddf7 100644 +/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) ++/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if index 56bc01f..4699b1b 100644 --- a/rhcs.if @@ -68373,7 +68496,7 @@ index 56bc01f..4699b1b 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..1e8d8dc 100644 +index 2c2de9a..a4a6d82 100644 --- a/rhcs.te +++ b/rhcs.te @@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -68796,12 +68919,15 @@ index 2c2de9a..1e8d8dc 100644 ####################################### # # foghorn local policy -@@ -223,14 +505,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) +@@ -221,16 +503,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) + corenet_tcp_connect_agentx_port(foghorn_t) + corenet_tcp_sendrecv_agentx_port(foghorn_t) ++corenet_tcp_connect_snmp_port(foghorn_t) ++ dev_read_urand(foghorn_t) -files_read_usr_files(foghorn_t) -+ +logging_send_syslog_msg(foghorn_t) optional_policy(` @@ -68810,7 +68936,6 @@ index 2c2de9a..1e8d8dc 100644 optional_policy(` - snmp_read_snmp_var_lib_files(foghorn_t) -+ #snmp_manage_var_lib_dirs(foghorn_t) + snmp_manage_var_lib_files(foghorn_t) snmp_stream_connect(foghorn_t) ') @@ -68824,7 +68949,7 @@ index 2c2de9a..1e8d8dc 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +561,36 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +561,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -68858,12 +68983,15 @@ index 2c2de9a..1e8d8dc 100644 +corenet_tcp_connect_commplex_main_port(haproxy_t) +corenet_tcp_bind_commplex_main_port(haproxy_t) + ++corenet_tcp_connect_fmpro_internal_port(haproxy_t) ++corenet_tcp_connect_rtp_media_port(haproxy_t) ++ +sysnet_dns_name_resolve(haproxy_t) + ###################################### # # qdiskd local policy -@@ -321,6 +633,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +636,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -72020,7 +72148,7 @@ index 0628d50..84f2fd7 100644 + allow rpm_script_t $1:process sigchld; ') diff --git a/rpm.te b/rpm.te -index 5cbe81c..90177fd 100644 +index 5cbe81c..5b28e97 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -72401,11 +72529,11 @@ index 5cbe81c..90177fd 100644 logging_send_syslog_msg(rpm_script_t) -miscfiles_read_localization(rpm_script_t) -+miscfiles_filetrans_named_content(rpm_script_t) - +- -modutils_run_depmod(rpm_script_t, rpm_roles) -modutils_run_insmod(rpm_script_t, rpm_roles) -- ++miscfiles_filetrans_named_content(rpm_script_t) + -seutil_run_loadpolicy(rpm_script_t, rpm_roles) -seutil_run_setfiles(rpm_script_t, rpm_roles) -seutil_run_semanage(rpm_script_t, rpm_roles) @@ -72419,7 +72547,7 @@ index 5cbe81c..90177fd 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,40 +379,58 @@ ifdef(`distro_redhat',` +@@ -363,41 +379,61 @@ ifdef(`distro_redhat',` ') ') @@ -72486,9 +72614,12 @@ index 5cbe81c..90177fd 100644 optional_policy(` + unconfined_domain_noaudit(rpm_script_t) unconfined_domtrans(rpm_script_t) ++ domain_named_filetrans(rpm_script_t) ++ optional_policy(` -@@ -409,6 +443,6 @@ optional_policy(` + java_domtrans_unconfined(rpm_script_t) +@@ -409,6 +445,6 @@ optional_policy(` ') optional_policy(` @@ -77085,7 +77216,7 @@ index 98c9e0a..df51942 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..49c7362 100644 +index 4a23d84..d90604c 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3) @@ -77115,7 +77246,7 @@ index 4a23d84..49c7362 100644 corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain) -@@ -44,19 +37,13 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) +@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) dev_read_sysfs(sblim_domain) @@ -77124,7 +77255,8 @@ index 4a23d84..49c7362 100644 -files_read_etc_files(sblim_domain) - -miscfiles_read_localization(sblim_domain) -- ++auth_read_passwd(sblim_domain) + ######################################## # # Gatherd local policy @@ -77137,7 +77269,7 @@ index 4a23d84..49c7362 100644 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; -@@ -84,6 +71,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) +@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t) @@ -77146,7 +77278,7 @@ index 4a23d84..49c7362 100644 sysnet_dns_name_resolve(sblim_gatherd_t) term_getattr_pty_fs(sblim_gatherd_t) -@@ -103,8 +92,9 @@ optional_policy(` +@@ -103,8 +94,9 @@ optional_policy(` ') optional_policy(` @@ -77157,8 +77289,12 @@ index 4a23d84..49c7362 100644 ') optional_policy(` -@@ -119,4 +109,6 @@ optional_policy(` +@@ -117,6 +109,10 @@ optional_policy(` + # Reposd local policy + # ++corenet_tcp_bind_generic_node(sblim_reposd_t) ++ corenet_sendrecv_repository_server_packets(sblim_reposd_t) corenet_tcp_bind_repository_port(sblim_reposd_t) -corenet_tcp_bind_generic_node(sblim_domain) @@ -82364,7 +82500,7 @@ index a240455..54c5c1f 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..eaa7a83 100644 +index 8b537aa..e9632c3 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -82453,7 +82589,7 @@ index 8b537aa..eaa7a83 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +105,30 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -82483,6 +82619,7 @@ index 8b537aa..eaa7a83 100644 + +optional_policy(` + ldap_stream_connect(sssd_t) ++ ldap_read_certs(sssd_t) +') + +userdom_home_reader(sssd_t) @@ -85747,7 +85884,7 @@ index 67ca5c5..a1ef2d2 100644 fs_search_auto_mountpoints(timidity_t) diff --git a/tmpreaper.te b/tmpreaper.te -index a4a949c..e56b59e 100644 +index a4a949c..9ae28c6 100644 --- a/tmpreaper.te +++ b/tmpreaper.te @@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3) @@ -85815,13 +85952,12 @@ index a4a949c..e56b59e 100644 apache_list_cache(tmpreaper_t) apache_delete_cache_dirs(tmpreaper_t) apache_delete_cache_files(tmpreaper_t) -@@ -69,7 +78,20 @@ optional_policy(` +@@ -69,7 +78,19 @@ optional_policy(` ') optional_policy(` - lpd_manage_spool(tmpreaper_t) -+ lpd_list_spool(tmpreaper_t) -+ lpd_read_spool(tmpreaper_t) ++ lpd_manage_spool(tmpreaper_t) +') + +optional_policy(` @@ -89995,7 +90131,7 @@ index 9dec06c..378880d 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..a8d17af 100644 +index 1f22fba..6b715d6 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,97 @@ @@ -91362,7 +91498,7 @@ index 1f22fba..a8d17af 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1041,40 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -91405,13 +91541,12 @@ index 1f22fba..a8d17af 100644 - -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock }; +allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit }; ++allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1082,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -91438,7 +91573,7 @@ index 1f22fba..a8d17af 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1100,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -91458,7 +91593,7 @@ index 1f22fba..a8d17af 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1119,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -91485,7 +91620,7 @@ index 1f22fba..a8d17af 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1144,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -91531,11 +91666,12 @@ index 1f22fba..a8d17af 100644 +virt_lxc_domain_template(svirt_lxc_net) -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; -allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write; ++allow svirt_lxc_net_t self:process { execstack execmem }; +allow svirt_lxc_net_t self:netlink_socket create_socket_perms; +allow svirt_lxc_net_t self:udp_socket create_socket_perms; +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms; diff --git a/policy-rawhide-roleattribute.patch b/policy-rawhide-roleattribute.patch deleted file mode 100644 index ee99cdb..0000000 --- a/policy-rawhide-roleattribute.patch +++ /dev/null @@ -1,1128 +0,0 @@ -commit cfa63bfedb3b94a2b78bc3ee394cf7132167e45b -Author: Miroslav Grepl -Date: Thu Jun 7 02:18:29 2012 +0200 - - roleattribute patch - -diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if -index 4a50807..5e914db 100644 ---- a/policy/modules/admin/bootloader.if -+++ b/policy/modules/admin/bootloader.if -@@ -56,11 +56,21 @@ interface(`bootloader_exec',` - # - interface(`bootloader_run',` - gen_require(` -- attribute_role bootloader_roles; -+ type bootloader_t; -+ #attribute_role bootloader_roles; - ') - -+ #bootloader_domtrans($1) -+ #roleattribute $2 bootloader_roles; -+ - bootloader_domtrans($1) -- roleattribute $2 bootloader_roles; -+ -+ role $2 types bootloader_t; -+ -+ ifdef(`distro_redhat',` -+ # for mke2fs -+ mount_run(bootloader_t, $2) -+ ') - ') - - ######################################## -diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index 81a08e4..e717a21 100644 ---- a/policy/modules/admin/bootloader.te -+++ b/policy/modules/admin/bootloader.te -@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0) - # Declarations - # - --attribute_role bootloader_roles; --roleattribute system_r bootloader_roles; -+#attribute_role bootloader_roles; -+#roleattribute system_r bootloader_roles; - - # - # boot_runtime_t is the type for /boot/kernel.h, -@@ -19,7 +19,8 @@ files_type(boot_runtime_t) - type bootloader_t; - type bootloader_exec_t; - application_domain(bootloader_t, bootloader_exec_t) --role bootloader_roles types bootloader_t; -+#role bootloader_roles types bootloader_t; -+role system_r types bootloader_t; - - # - # bootloader_etc_t is the configuration file, -@@ -174,7 +175,8 @@ ifdef(`distro_redhat',` - files_manage_isid_type_chr_files(bootloader_t) - - # for mke2fs -- mount_run(bootloader_t, bootloader_roles) -+ #mount_run(bootloader_t, bootloader_roles) -+ mount_domtrans(bootloader_t) - - optional_policy(` - unconfined_domain(bootloader_t) -diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 4d387af..764260e 100644 ---- a/policy/modules/admin/usermanage.if -+++ b/policy/modules/admin/usermanage.if -@@ -37,11 +37,16 @@ interface(`usermanage_domtrans_chfn',` - # - interface(`usermanage_run_chfn',` - gen_require(` -- attribute_role chfn_roles; -+ #attribute_role chfn_roles; -+ type chfn_t; - ') - -+ #usermanage_domtrans_chfn($1) -+ #roleattribute $2 chfn_roles; -+ - usermanage_domtrans_chfn($1) -- roleattribute $2 chfn_roles; -+ role $2 types chfn_t; -+ - ') - - ######################################## -@@ -101,11 +106,19 @@ interface(`usermanage_access_check_groupadd',` - # - interface(`usermanage_run_groupadd',` - gen_require(` -- attribute_role groupadd_roles; -+ type groupadd_t; -+ #attribute_role groupadd_roles; - ') - -+ #usermanage_domtrans_groupadd($1) -+ #roleattribute $2 groupadd_roles; - usermanage_domtrans_groupadd($1) -- roleattribute $2 groupadd_roles; -+ role $2 types groupadd_t; -+ -+ optional_policy(` -+ nscd_run(groupadd_t, $2) -+ ') -+ - ') - - ######################################## -@@ -163,11 +176,17 @@ interface(`usermanage_kill_passwd',` - # - interface(`usermanage_run_passwd',` - gen_require(` -- attribute_role passwd_roles; -+ type type passwd_t; -+ #attribute_role passwd_roles; - ') - -+ #usermanage_domtrans_passwd($1) -+ #roleattribute $2 passwd_roles; -+ - usermanage_domtrans_passwd($1) -- roleattribute $2 passwd_roles; -+ role $2 types passwd_t; -+ auth_run_chk_passwd(passwd_t, $2) -+ - ') - - ######################################## -@@ -229,11 +248,20 @@ interface(`usermanage_domtrans_admin_passwd',` - # - interface(`usermanage_run_admin_passwd',` - gen_require(` -- attribute_role sysadm_passwd_roles; -+ type sysadm_passwd_t; -+ #attribute_role sysadm_passwd_roles; - ') - -+ #usermanage_domtrans_admin_passwd($1) -+ #roleattribute $2 sysadm_passwd_roles; -+ - usermanage_domtrans_admin_passwd($1) -- roleattribute $2 sysadm_passwd_roles; -+ role $2 types sysadm_passwd_t; -+ -+ optional_policy(` -+ nscd_run(sysadm_passwd_t, $2) -+ ') -+ - ') - - ######################################## -@@ -292,11 +320,20 @@ interface(`usermanage_domtrans_useradd',` - # - interface(`usermanage_run_useradd',` - gen_require(` -- attribute_role useradd_roles; -+ #attribute_role useradd_roles; -+ type sysadm_passwd_t; - ') - -- usermanage_domtrans_useradd($1) -- roleattribute $2 useradd_roles; -+ #usermanage_domtrans_useradd($1) -+ #roleattribute $2 useradd_roles; -+ -+ usermanage_domtrans_admin_passwd($1) -+ role $2 types sysadm_passwd_t; -+ -+ optional_policy(` -+ nscd_run(sysadm_passwd_t, $2) -+ ') -+ - ') - - ######################################## -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 446b743..a077b28 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3) - # Declarations - # - --attribute_role chfn_roles; --role system_r types chfn_t; -+#attribute_role chfn_roles; -+#role system_r types chfn_t; - --attribute_role groupadd_roles; -+#attribute_role groupadd_roles; - --attribute_role passwd_roles; --roleattribute system_r passwd_roles; -+#attribute_role passwd_roles; -+#roleattribute system_r passwd_roles; - --attribute_role sysadm_passwd_roles; --roleattribute system_r sysadm_passwd_roles; -+#attribute_role sysadm_passwd_roles; -+#roleattribute system_r sysadm_passwd_roles; - --attribute_role useradd_roles; -+#attribute_role useradd_roles; - - type admin_passwd_exec_t; - files_type(admin_passwd_exec_t) -@@ -25,7 +25,8 @@ type chfn_t; - type chfn_exec_t; - domain_obj_id_change_exemption(chfn_t) - application_domain(chfn_t, chfn_exec_t) --role chfn_roles types chfn_t; -+#role chfn_roles types chfn_t; -+role system_r types chfn_t; - - type crack_t; - type crack_exec_t; -@@ -42,18 +43,21 @@ type groupadd_t; - type groupadd_exec_t; - domain_obj_id_change_exemption(groupadd_t) - init_system_domain(groupadd_t, groupadd_exec_t) --role groupadd_roles types groupadd_t; -+#role groupadd_roles types groupadd_t; -+ - - type passwd_t; - type passwd_exec_t; - domain_obj_id_change_exemption(passwd_t) - application_domain(passwd_t, passwd_exec_t) --role passwd_roles types passwd_t; -+#role passwd_roles types passwd_t; -+role system_r types passwd_t; - - type sysadm_passwd_t; - domain_obj_id_change_exemption(sysadm_passwd_t) - application_domain(sysadm_passwd_t, admin_passwd_exec_t) --role sysadm_passwd_roles types sysadm_passwd_t; -+#role sysadm_passwd_roles types sysadm_passwd_t; -+role system_r types sysadm_passwd_t; - - type sysadm_passwd_tmp_t; - files_tmp_file(sysadm_passwd_tmp_t) -@@ -62,7 +66,8 @@ type useradd_t; - type useradd_exec_t; - domain_obj_id_change_exemption(useradd_t) - init_system_domain(useradd_t, useradd_exec_t) --role useradd_roles types useradd_t; -+#role useradd_roles types useradd_t; -+role system_r types useradd_t; - - ######################################## - # -@@ -106,11 +111,11 @@ fs_search_auto_mountpoints(chfn_t) - dev_read_urand(chfn_t) - dev_dontaudit_getattr_all(chfn_t) - --#auth_manage_passwd(chfn_t) --#auth_use_pam(chfn_t) --auth_run_chk_passwd(chfn_t, chfn_roles) --auth_dontaudit_read_shadow(chfn_t) --auth_use_nsswitch(chfn_t) -+auth_manage_passwd(chfn_t) -+auth_use_pam(chfn_t) -+#auth_run_chk_passwd(chfn_t, chfn_roles) -+#auth_dontaudit_read_shadow(chfn_t) -+#auth_use_nsswitch(chfn_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(chfn_t) -@@ -250,7 +255,8 @@ logging_send_syslog_msg(groupadd_t) - - miscfiles_read_localization(groupadd_t) - --auth_run_chk_passwd(groupadd_t, groupadd_roles) -+#auth_run_chk_passwd(groupadd_t, groupadd_roles) -+auth_domtrans_chk_passwd(groupadd_t) - auth_rw_lastlog(groupadd_t) - auth_use_nsswitch(groupadd_t) - auth_manage_passwd(groupadd_t) -@@ -273,7 +279,8 @@ optional_policy(` - ') - - optional_policy(` -- nscd_run(groupadd_t, groupadd_roles) -+# nscd_run(groupadd_t, groupadd_roles) -+ nscd_domtrans(groupadd_t) - ') - - optional_policy(` -@@ -332,18 +339,18 @@ selinux_compute_user_contexts(passwd_t) - term_use_all_inherited_terms(passwd_t) - term_getattr_all_ptys(passwd_t) - --#auth_manage_passwd(passwd_t) --#auth_manage_shadow(passwd_t) --#auth_relabel_shadow(passwd_t) --#auth_etc_filetrans_shadow(passwd_t) --#auth_use_pam(passwd_t) -- --auth_run_chk_passwd(passwd_t, passwd_roles) - auth_manage_passwd(passwd_t) - auth_manage_shadow(passwd_t) - auth_relabel_shadow(passwd_t) - auth_etc_filetrans_shadow(passwd_t) --auth_use_nsswitch(passwd_t) -+auth_use_pam(passwd_t) -+ -+#auth_run_chk_passwd(passwd_t, passwd_roles) -+#auth_manage_passwd(passwd_t) -+#auth_manage_shadow(passwd_t) -+#auth_relabel_shadow(passwd_t) -+#auth_etc_filetrans_shadow(passwd_t) -+#auth_use_nsswitch(passwd_t) - - # allow checking if a shell is executable - corecmd_check_exec_shell(passwd_t) -@@ -385,7 +392,8 @@ userdom_dontaudit_search_user_home_content(passwd_t) - userdom_stream_connect(passwd_t) - - optional_policy(` -- nscd_run(passwd_t, passwd_roles) -+ #nscd_run(passwd_t, passwd_roles) -+ nscd_domtrans(passwd_t) - ') - - ######################################## -@@ -469,7 +477,8 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t) - userdom_dontaudit_search_user_home_content(sysadm_passwd_t) - - optional_policy(` -- nscd_run(sysadm_passwd_t, sysadm_passwd_roles) -+ nscd_domtrans(sysadm_passwd_t) -+ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles) - ') - - ######################################## -@@ -525,7 +534,8 @@ seutil_manage_default_contexts(useradd_t) - term_use_all_inherited_terms(useradd_t) - term_getattr_all_ptys(useradd_t) - --auth_run_chk_passwd(useradd_t, useradd_roles) -+#auth_run_chk_passwd(useradd_t, useradd_roles) -+auth_domtrans_chk_passwd(useradd_t) - auth_rw_lastlog(useradd_t) - auth_rw_faillog(useradd_t) - auth_use_nsswitch(useradd_t) -@@ -547,15 +557,15 @@ miscfiles_read_localization(useradd_t) - seutil_read_config(useradd_t) - seutil_read_file_contexts(useradd_t) - seutil_read_default_contexts(useradd_t) --#seutil_domtrans_semanage(useradd_t) --#seutil_domtrans_setfiles(useradd_t) --#seutil_domtrans_loadpolicy(useradd_t) --#seutil_manage_bin_policy(useradd_t) --#seutil_manage_module_store(useradd_t) --#seutil_get_semanage_trans_lock(useradd_t) --#seutil_get_semanage_read_lock(useradd_t) --seutil_run_semanage(useradd_t, useradd_roles) --seutil_run_setfiles(useradd_t, useradd_roles) -+seutil_domtrans_semanage(useradd_t) -+seutil_domtrans_setfiles(useradd_t) -+seutil_domtrans_loadpolicy(useradd_t) -+seutil_manage_bin_policy(useradd_t) -+seutil_manage_module_store(useradd_t) -+seutil_get_semanage_trans_lock(useradd_t) -+seutil_get_semanage_read_lock(useradd_t) -+#seutil_run_semanage(useradd_t, useradd_roles) -+#seutil_run_setfiles(useradd_t, useradd_roles) - - userdom_use_unpriv_users_fds(useradd_t) - # Add/remove user home directories -@@ -576,7 +586,8 @@ optional_policy(` - ') - - optional_policy(` -- nscd_run(useradd_t, useradd_roles) -+ nscd_domtrans(useradd_t) -+# nscd_run(useradd_t, useradd_roles) - ') - - optional_policy(` -diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index 174cfdb..7071460 100644 ---- a/policy/modules/system/iptables.if -+++ b/policy/modules/system/iptables.if -@@ -38,11 +38,22 @@ interface(`iptables_domtrans',` - # - interface(`iptables_run',` - gen_require(` -- attribute_role iptables_roles; -+ #attribute_role iptables_roles; -+ type iptables_t; - ') - -+ #iptables_domtrans($1) -+ #roleattribute $2 iptables_roles; -+ - iptables_domtrans($1) -- roleattribute $2 iptables_roles; -+ role $2 types iptables_t; -+ -+ sysnet_run_ifconfig(iptables_t, $2) -+ -+ optional_policy(` -+ modutils_run_insmod(iptables_t, $2) -+ ') -+ - ') - - ######################################## -diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index cc8d773..36e02fa 100644 ---- a/policy/modules/system/iptables.te -+++ b/policy/modules/system/iptables.te -@@ -5,13 +5,14 @@ policy_module(iptables, 1.13.0) - # Declarations - # - --attribute_role iptables_roles; --roleattribute system_r iptables_roles; -+#attribute_role iptables_roles; -+#roleattribute system_r iptables_roles; - - type iptables_t; - type iptables_exec_t; - init_system_domain(iptables_t, iptables_exec_t) --role iptables_roles types iptables_t; -+#role iptables_roles types iptables_t; -+role system_r types iptables_t; - - type iptables_initrc_exec_t; - init_script_file(iptables_initrc_exec_t) -@@ -97,7 +98,8 @@ logging_send_syslog_msg(iptables_t) - - miscfiles_read_localization(iptables_t) - --sysnet_run_ifconfig(iptables_t, iptables_roles) -+#sysnet_run_ifconfig(iptables_t, iptables_roles) -+sysnet_domtrans_ifconfig(iptables_t) - sysnet_dns_name_resolve(iptables_t) - - userdom_use_inherited_user_terminals(iptables_t) -@@ -119,7 +121,8 @@ optional_policy(` - ') - - optional_policy(` -- modutils_run_insmod(iptables_t, iptables_roles) -+ modutils_domtrans_insmod(iptables_t) -+ #modutils_run_insmod(iptables_t, iptables_roles) - ') - - optional_policy(` -diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 786f87a..2debedc 100644 ---- a/policy/modules/system/modutils.if -+++ b/policy/modules/system/modutils.if -@@ -345,11 +345,18 @@ interface(`modutils_domtrans_update_mods',` - # - interface(`modutils_run_update_mods',` - gen_require(` -- attribute_role update_modules_roles; -+ #attribute_role update_modules_roles; -+ type update_modules_t; - ') - -+ #modutils_domtrans_update_mods($1) -+ #roleattribute $2 update_modules_roles; -+ - modutils_domtrans_update_mods($1) -- roleattribute $2 update_modules_roles; -+ role $2 types update_modules_t; -+ -+ modutils_run_insmod(update_modules_t, $2) -+ - ') - - ######################################## -diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index b83608d..86a7107 100644 ---- a/policy/modules/system/modutils.te -+++ b/policy/modules/system/modutils.te -@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1) - # Declarations - # - --attribute_role update_modules_roles; -+#attribute_role update_modules_roles; - - type depmod_t; - type depmod_exec_t; -@@ -30,8 +30,9 @@ files_type(modules_dep_t) - type update_modules_t; - type update_modules_exec_t; - init_system_domain(update_modules_t, update_modules_exec_t) --roleattribute system_r update_modules_roles; --role update_modules_roles types update_modules_t; -+#roleattribute system_r update_modules_roles; -+#role update_modules_roles types update_modules_t; -+role system_r types update_modules_t; - - type update_modules_tmp_t; - files_tmp_file(update_modules_tmp_t) -@@ -318,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) - - miscfiles_read_localization(update_modules_t) - --modutils_run_insmod(update_modules_t, update_modules_roles) -+#modutils_run_insmod(update_modules_t, update_modules_roles) - - userdom_use_inherited_user_terminals(update_modules_t) - userdom_dontaudit_search_user_home_dirs(update_modules_t) -diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 52e78b8..4881d86 100644 ---- a/policy/modules/system/mount.if -+++ b/policy/modules/system/mount.if -@@ -44,11 +44,36 @@ interface(`mount_domtrans',` - # - interface(`mount_run',` - gen_require(` -- attribute_role mount_roles; -+ #attribute_role mount_roles; -+ type mount_t; - ') - -+ #mount_domtrans($1) -+ #roleattribute $2 mount_roles; -+ - mount_domtrans($1) -- roleattribute $2 mount_roles; -+ role $2 types mount_t; -+ -+ optional_policy(` -+ fstools_run(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ lvm_run(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ modutils_run_insmod(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ rpc_run_rpcd(mount_t, $2) -+ ') -+ -+ optional_policy(` -+ samba_run_smbmount(mount_t, $2) -+ ') -+ - ') - - ######################################## -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index cc76452..14320fe 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -12,13 +12,14 @@ policy_module(mount, 1.14.2) - ## - gen_tunable(allow_mount_anyfile, false) - --attribute_role mount_roles; --roleattribute system_r mount_roles; -+#attribute_role mount_roles; -+#roleattribute system_r mount_roles; - - type mount_t; - type mount_exec_t; - init_system_domain(mount_t, mount_exec_t) --role mount_roles types mount_t; -+#role mount_roles types mount_t; -+role system_r types mount_t; - - type fusermount_exec_t; - domain_entry_file(mount_t, fusermount_exec_t) -@@ -286,25 +287,28 @@ optional_policy(` - - # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 - optional_policy(` -- lvm_run(mount_t, mount_roles) -+# lvm_run(mount_t, mount_roles) -+ lvm_domtrans(mount_t) - ') - - optional_policy(` -- modutils_run_insmod(mount_t, mount_roles) -+ #modutils_run_insmod(mount_t, mount_roles) -+ modutils_domtrans_insmod(mount_t) - modutils_read_module_deps(mount_t) - ') - - optional_policy(` -- fstools_run(mount_t, mount_roles) -+ fstools_domtrans(mount_t) -+ #fstools_run(mount_t, mount_roles) - ') - - optional_policy(` - rhcs_stream_connect_gfs_controld(mount_t) - ') - --optional_policy(` -- rpc_run_rpcd(mount_t, mount_roles) --') -+#optional_policy(` -+# rpc_run_rpcd(mount_t, mount_roles) -+#') - - # for kernel package installation - optional_policy(` -@@ -314,7 +318,8 @@ optional_policy(` - - optional_policy(` - samba_read_config(mount_t) -- samba_run_smbmount(mount_t, mount_roles) -+ samba_domtrans_smbmount(mount_t) -+ #samba_run_smbmount(mount_t, mount_roles) - ') - - optional_policy(` -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index a853819..cebf588 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',` - # - interface(`seutil_run_newrole',` - gen_require(` -- attribute_role newrole_roles; -+ type newrole_t; -+ #attribute_role newrole_roles; - ') - -+ #seutil_domtrans_newrole($1) -+ #roleattribute $2 newrole_roles; -+ - seutil_domtrans_newrole($1) -- roleattribute $2 newrole_roles; -+ role $2 types newrole_t; -+ -+ auth_run_upd_passwd(newrole_t, $2) -+ -+ optional_policy(` -+ namespace_init_run(newrole_t, $2) -+ ') -+ - ') - - ######################################## -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 2aee0c0..4c24e3e 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -14,7 +14,7 @@ attribute can_relabelto_binary_policy; - attribute setfiles_domain; - attribute seutil_semanage_domain; - --attribute_role newrole_roles; -+#attribute_role newrole_roles; - - attribute_role run_init_roles; - role system_r types run_init_t; -@@ -65,7 +65,8 @@ application_domain(newrole_t, newrole_exec_t) - domain_role_change_exemption(newrole_t) - domain_obj_id_change_exemption(newrole_t) - domain_interactive_fd(newrole_t) --role newrole_roles types newrole_t; -+#role newrole_roles types newrole_t; -+role system_r types newrole_t; - - # - # policy_config_t is the type of /etc/security/selinux/* -@@ -299,10 +300,11 @@ term_relabel_all_ptys(newrole_t) - term_getattr_unallocated_ttys(newrole_t) - term_dontaudit_use_unallocated_ttys(newrole_t) - --auth_use_nsswitch(newrole_t) --auth_run_chk_passwd(newrole_t, newrole_roles) --auth_run_upd_passwd(newrole_t, newrole_roles) --auth_rw_faillog(newrole_t) -+#auth_use_nsswitch(newrole_t) -+#auth_run_chk_passwd(newrole_t, newrole_roles) -+#auth_run_upd_passwd(newrole_t, newrole_roles) -+#auth_rw_faillog(newrole_t) -+auth_use_pam(newrole_t) - - # Write to utmp. - init_rw_utmp(newrole_t) -@@ -322,9 +324,9 @@ optional_policy(` - dbus_system_bus_client(newrole_t) - ') - --optional_policy(` -- namespace_init_run(newrole_t, newrole_roles) --') -+#optional_policy(` -+# namespace_init_run(newrole_t, newrole_roles) -+#') - - - optional_policy(` -diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 7b08f77..949fdcc 100644 ---- a/policy/modules/system/sysnetwork.if -+++ b/policy/modules/system/sysnetwork.if -@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',` - # - interface(`sysnet_run_dhcpc',` - gen_require(` -- attribute_role dhcpc_roles; -+ type dhcpc_t; -+ #attribute_role dhcpc_roles; - ') - -+ #sysnet_domtrans_dhcpc($1) -+ #roleattribute $2 dhcpc_roles; -+ - sysnet_domtrans_dhcpc($1) -- roleattribute $2 dhcpc_roles; -+ role $2 types dhcpc_t; -+ -+ modutils_run_insmod(dhcpc_t, $2) -+ -+ sysnet_run_ifconfig(dhcpc_t, $2) -+ -+ optional_policy(` -+ hostname_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ netutils_run(dhcpc_t, $2) -+ netutils_run_ping(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ networkmanager_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nis_run_ypbind(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ nscd_run(dhcpc_t, $2) -+ ') -+ -+ optional_policy(` -+ ntp_run(dhcpc_t, $2) -+ ') -+ -+ seutil_run_setfiles(dhcpc_t, $2) -+ - ') - - ######################################## -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 2d2b6ef..1bfcd4f 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -12,8 +12,8 @@ policy_module(sysnetwork, 1.13.2) - ## - gen_tunable(dhcpc_exec_iptables, false) - --attribute_role dhcpc_roles; --roleattribute system_r dhcpc_roles; -+#attribute_role dhcpc_roles; -+#roleattribute system_r dhcpc_roles; - - # this is shared between dhcpc and dhcpd: - type dhcp_etc_t; -@@ -27,7 +27,8 @@ files_type(dhcp_state_t) - type dhcpc_t; - type dhcpc_exec_t; - init_daemon_domain(dhcpc_t, dhcpc_exec_t) --role dhcpc_roles types dhcpc_t; -+#role dhcpc_roles types dhcpc_t; -+role system_r types dhcpc_t; - - type dhcpc_helper_exec_t; - init_script_file(dhcpc_helper_exec_t) -@@ -159,9 +160,10 @@ logging_send_syslog_msg(dhcpc_t) - miscfiles_read_generic_certs(dhcpc_t) - miscfiles_read_localization(dhcpc_t) - --modutils_run_insmod(dhcpc_t, dhcpc_roles) -+#modutils_run_insmod(dhcpc_t, dhcpc_roles) -+modutils_domtrans_insmod(dhcpc_t) -+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) - --sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) - - userdom_use_user_terminals(dhcpc_t) - userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -176,9 +178,9 @@ ifdef(`distro_ubuntu',` - ') - ') - --optional_policy(` -- consoletype_run(dhcpc_t, dhcpc_roles) --') -+#optional_policy(` -+# consoletype_run(dhcpc_t, dhcpc_roles) -+#') - - optional_policy(` - chronyd_initrc_domtrans(dhcpc_t) -@@ -203,7 +205,8 @@ optional_policy(` - ') - - optional_policy(` -- hostname_run(dhcpc_t, dhcpc_roles) -+ hostname_domtrans(dhcpc_t) -+# hostname_run(dhcpc_t, dhcpc_roles) - ') - - optional_policy(` -commit 0a0c8b9d35398f3662db1b0bdb2f4c7761121ba1 -Author: Miroslav Grepl -Date: Thu Jun 7 02:26:53 2012 +0200 - - roleattribute patch for passwd_t - -diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if -index 764260e..da75471 100644 ---- a/policy/modules/admin/usermanage.if -+++ b/policy/modules/admin/usermanage.if -@@ -176,7 +176,7 @@ interface(`usermanage_kill_passwd',` - # - interface(`usermanage_run_passwd',` - gen_require(` -- type type passwd_t; -+ type passwd_t; - #attribute_role passwd_roles; - ') - -commit 0b71245f63ddbb6ca00790fa5318db798286d8d8 -Author: Miroslav Grepl -Date: Thu Jun 7 02:38:28 2012 +0200 - - Fix also for sysnetwork.te - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 1bfcd4f..3a94d52 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -226,8 +226,10 @@ optional_policy(` - - # for the dhcp client to run ping to check IP addresses - optional_policy(` -- netutils_run_ping(dhcpc_t, dhcpc_roles) -- netutils_run(dhcpc_t, dhcpc_roles) -+ #netutils_run_ping(dhcpc_t, dhcpc_roles) -+ #netutils_run(dhcpc_t, dhcpc_roles) -+ netutils_domtrans_ping(dhcpc_t) -+ netutils_domtrans(dhcpc_t - ',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; -commit fdfc3cf8dbc69bda177afe16e78a52891cb6da4a -Author: Miroslav Grepl -Date: Thu Jun 7 02:41:48 2012 +0200 - - Other - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 3a94d52..6a6f03f 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -229,7 +229,7 @@ optional_policy(` - #netutils_run_ping(dhcpc_t, dhcpc_roles) - #netutils_run(dhcpc_t, dhcpc_roles) - netutils_domtrans_ping(dhcpc_t) -- netutils_domtrans(dhcpc_t -+ netutils_domtrans(dhcpc_t) - ',` - allow dhcpc_t self:capability setuid; - allow dhcpc_t self:rawip_socket create_socket_perms; -commit 2ea19d46d563741f998001a38f9d4dbb4d1fdd06 -Author: Miroslav Grepl -Date: Thu Jun 7 08:10:01 2012 +0200 - - Fix passwd - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index a077b28..396909c 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -526,11 +526,6 @@ fs_getattr_xattr_fs(useradd_t) - mls_file_upgrade(useradd_t) - mls_process_read_to_clearance(useradd_t) - --seutil_semanage_policy(useradd_t) --seutil_manage_file_contexts(useradd_t) --seutil_manage_config(useradd_t) --seutil_manage_default_contexts(useradd_t) -- - term_use_all_inherited_terms(useradd_t) - term_getattr_all_ptys(useradd_t) - -@@ -554,14 +549,19 @@ logging_send_syslog_msg(useradd_t) - - miscfiles_read_localization(useradd_t) - -+seutil_semanage_policy(useradd_t) -+seutil_manage_file_contexts(useradd_t) -+seutil_manage_config(useradd_t) -+seutil_manage_default_contexts(useradd_t) -+ - seutil_read_config(useradd_t) - seutil_read_file_contexts(useradd_t) - seutil_read_default_contexts(useradd_t) - seutil_domtrans_semanage(useradd_t) - seutil_domtrans_setfiles(useradd_t) - seutil_domtrans_loadpolicy(useradd_t) --seutil_manage_bin_policy(useradd_t) --seutil_manage_module_store(useradd_t) -+#seutil_manage_bin_policy(useradd_t) -+#seutil_manage_module_store(useradd_t) - seutil_get_semanage_trans_lock(useradd_t) - seutil_get_semanage_read_lock(useradd_t) - #seutil_run_semanage(useradd_t, useradd_roles) -commit db92f5bcb6fe7f86aae12dffe64ec3d920815343 -Author: Miroslav Grepl -Date: Thu Jun 7 08:30:34 2012 +0200 - - Also for semanage_roles - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index cebf588..7e38077 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -1140,11 +1140,18 @@ interface(`seutil_domtrans_setsebool',` - # - interface(`seutil_run_semanage',` - gen_require(` -- attribute_role semanage_roles; -+ #attribute_role semanage_roles; -+ type semanage_t; - ') - -+ #seutil_domtrans_semanage($1) -+ #roleattribute $2 semanage_roles; -+ - seutil_domtrans_semanage($1) -- roleattribute $2 semanage_roles; -+ seutil_run_setfiles(semanage_t, $2) -+ seutil_run_loadpolicy(semanage_t, $2) -+ role $2 types semanage_t; -+ - ') - - ######################################## -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 4c24e3e..90498cd 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -19,8 +19,8 @@ attribute seutil_semanage_domain; - attribute_role run_init_roles; - role system_r types run_init_t; - --attribute_role semanage_roles; --roleattribute system_r semanage_roles; -+#attribute_role semanage_roles; -+#roleattribute system_r semanage_roles; - - # - # selinux_config_t is the type applied to -@@ -110,7 +110,8 @@ application_domain(semanage_t, semanage_exec_t) - dbus_system_domain(semanage_t, semanage_exec_t) - init_daemon_domain(semanage_t, semanage_exec_t) - domain_interactive_fd(semanage_t) --role semanage_roles types semanage_t; -+#role semanage_roles types semanage_t; -+role system_r types semanage_t; - - type setsebool_t; - type setsebool_exec_t; -@@ -530,14 +531,15 @@ files_read_non_security_files(semanage_t) - - seutil_manage_file_contexts(semanage_t) - seutil_manage_config(semanage_t) -- --seutil_run_setfiles(semanage_t, semanage_roles) --seutil_run_loadpolicy(semanage_t, semanage_roles) --seutil_manage_bin_policy(semanage_t) --seutil_use_newrole_fds(semanage_t) --seutil_manage_module_store(semanage_t) --seutil_get_semanage_trans_lock(semanage_t) --seutil_get_semanage_read_lock(semanage_t) -+seutil_domtrans_setfiles(semanage_t) -+ -+#seutil_run_setfiles(semanage_t, semanage_roles) -+#seutil_run_loadpolicy(semanage_t, semanage_roles) -+#seutil_manage_bin_policy(semanage_t) -+#seutil_use_newrole_fds(semanage_t) -+#seutil_manage_module_store(semanage_t) -+#seutil_get_semanage_trans_lock(semanage_t) -+#seutil_get_semanage_read_lock(semanage_t) - # netfilter_contexts: - seutil_manage_default_contexts(semanage_t) - -commit aebf9204ec2a7cfb943327eb3aace2a9b4130769 -Author: Miroslav Grepl -Date: Thu Jun 7 08:38:22 2012 +0200 - - run_init roles - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 7e38077..6903c5e 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -457,11 +457,20 @@ interface(`seutil_init_script_domtrans_runinit',` - # - interface(`seutil_run_runinit',` - gen_require(` -- attribute_role run_init_roles; -+ #attribute_role run_init_roles; -+ type run_init_t; -+ role system_r; - ') - -- seutil_domtrans_runinit($1) -- roleattribute $2 run_init_roles; -+ #seutil_domtrans_runinit($1) -+ #roleattribute $2 run_init_roles; -+ -+ auth_run_chk_passwd(run_init_t, $2) -+ seutil_domtrans_runinit($1) -+ role $2 types run_init_t; -+ -+ allow $2 system_r; -+ - ') - - ######################################## -diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 90498cd..06b4e9a 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -16,8 +16,8 @@ attribute seutil_semanage_domain; - - #attribute_role newrole_roles; - --attribute_role run_init_roles; --role system_r types run_init_t; -+#attribute_role run_init_roles; -+#role system_r types run_init_t; - - #attribute_role semanage_roles; - #roleattribute system_r semanage_roles; -@@ -102,7 +102,8 @@ type run_init_t; - type run_init_exec_t; - application_domain(run_init_t, run_init_exec_t) - domain_system_change_exemption(run_init_t) --role run_init_roles types run_init_t; -+#role run_init_roles types run_init_t; -+role system_r types run_init_t; - - type semanage_t; - type semanage_exec_t; -@@ -412,7 +413,7 @@ optional_policy(` - # Run_init local policy - # - --allow run_init_roles system_r; -+#allow run_init_roles system_r; - - allow run_init_t self:process setexec; - allow run_init_t self:capability setuid; -@@ -449,11 +450,17 @@ selinux_compute_user_contexts(run_init_t) - - term_use_console(run_init_t) - -+#auth_use_nsswitch(run_init_t) -+#auth_run_chk_passwd(run_init_t, run_init_roles) -+#auth_run_upd_passwd(run_init_t, run_init_roles) -+#auth_dontaudit_read_shadow(run_init_t) -+ - auth_use_nsswitch(run_init_t) --auth_run_chk_passwd(run_init_t, run_init_roles) --auth_run_upd_passwd(run_init_t, run_init_roles) -+auth_domtrans_chk_passwd(run_init_t) -+auth_domtrans_upd_passwd(run_init_t) - auth_dontaudit_read_shadow(run_init_t) - -+ - init_spec_domtrans_script(run_init_t) - # for utmp - init_rw_utmp(run_init_t) -commit 4803dd3583e4c84e24a7f6974e195bb8145f1bb5 -Author: Miroslav Grepl -Date: Thu Jun 7 10:01:51 2012 +0200 - - One more for run_init - -diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 6903c5e..b64a37a 100644 ---- a/policy/modules/system/selinuxutil.if -+++ b/policy/modules/system/selinuxutil.if -@@ -502,11 +502,19 @@ interface(`seutil_run_runinit',` - # - interface(`seutil_init_script_run_runinit',` - gen_require(` -- attribute_role run_init_roles; -+ #attribute_role run_init_roles; -+ type run_init_t; -+ role system_r; - ') - -- seutil_init_script_domtrans_runinit($1) -- roleattribute $2 run_init_roles; -+ #seutil_init_script_domtrans_runinit($1) -+ #roleattribute $2 run_init_roles; -+ auth_run_chk_passwd(run_init_t, $2) -+ seutil_init_script_domtrans_runinit($1) -+ role $2 types run_init_t; -+ -+ allow $2 system_r; -+ - ') - - ######################################## diff --git a/policy_contrib-rawhide-roleattribute.patch b/policy_contrib-rawhide-roleattribute.patch deleted file mode 100644 index cbdb104..0000000 --- a/policy_contrib-rawhide-roleattribute.patch +++ /dev/null @@ -1,854 +0,0 @@ -commit f53f820fe366940d4fdecaef80de4e5b1178fac6 -Author: Miroslav Grepl -Date: Thu Jun 7 01:38:59 2012 +0200 - - roleattribute patch - -diff --git a/livecd.if b/livecd.if -index bfbf676..fb7869e 100644 ---- a/livecd.if -+++ b/livecd.if -@@ -38,12 +38,19 @@ interface(`livecd_run',` - gen_require(` - type livecd_t; - type livecd_exec_t; -- attribute_role livecd_roles; -+ #attribute_role livecd_roles; - ') - - livecd_domtrans($1) -- roleattribute $2 livecd_roles; -+ #roleattribute $2 livecd_roles; -+ role $2 types livecd_t; - role_transition $2 livecd_exec_t system_r; -+ -+ seutil_run_setfiles_mac(livecd_t, system_r) -+ -+ optional_policy(` -+ mount_run(livecd_t, $2) -+ ') - ') - - ######################################## -diff --git a/livecd.te b/livecd.te -index 65efdae..7a944b5 100644 ---- a/livecd.te -+++ b/livecd.te -@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.0) - # Declarations - # - --attribute_role livecd_roles; --roleattribute system_r livecd_roles; -+#attribute_role livecd_roles; -+#roleattribute system_r livecd_roles; - - type livecd_t; - type livecd_exec_t; - application_domain(livecd_t, livecd_exec_t) --role livecd_roles types livecd_t; -+role system_r types livecd_t; -+#role livecd_roles types livecd_t; - - type livecd_tmp_t; - files_tmp_file(livecd_tmp_t) -@@ -35,10 +36,10 @@ term_filetrans_all_named_dev(livecd_t) - - sysnet_filetrans_named_content(livecd_t) - --optional_policy(` -- mount_run(livecd_t, livecd_roles) -- seutil_run_setfiles_mac(livecd_t, livecd_roles) --') -+#optional_policy(` -+# mount_run(livecd_t, livecd_roles) -+# seutil_run_setfiles_mac(livecd_t, livecd_roles) -+#') - - optional_policy(` - ssh_filetrans_admin_home_content(livecd_t) -diff --git a/mozilla.if b/mozilla.if -index 30b0241..30bfefb 100644 ---- a/mozilla.if -+++ b/mozilla.if -@@ -18,10 +18,11 @@ - interface(`mozilla_role',` - gen_require(` - type mozilla_t, mozilla_exec_t, mozilla_home_t; -- attribute_role mozilla_roles; -+ #attribute_role mozilla_roles; - ') - -- roleattribute $1 mozilla_roles; -+ #roleattribute $1 mozilla_roles; -+ role $1 types mozilla_t; - - domain_auto_trans($2, mozilla_exec_t, mozilla_t) - # Unrestricted inheritance from the caller. -@@ -47,6 +48,8 @@ interface(`mozilla_role',` - relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) - relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t) - -+ #should be remove then with adding of roleattribute -+ mozilla_run_plugin(mozilla_t, $1) - mozilla_dbus_chat($2) - - userdom_manage_tmp_role($1, mozilla_t) -@@ -63,7 +66,6 @@ interface(`mozilla_role',` - - mozilla_filetrans_home_content($2) - -- mozilla_dbus_chat($2) - ') - - ######################################## -diff --git a/mozilla.te b/mozilla.te -index 7bf56bf..56700a4 100644 ---- a/mozilla.te -+++ b/mozilla.te -@@ -19,14 +19,15 @@ gen_tunable(mozilla_read_content, false) - ## - gen_tunable(mozilla_plugin_enable_homedirs, false) - --attribute_role mozilla_roles; -+#attribute_role mozilla_roles; - - type mozilla_t; - type mozilla_exec_t; - typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; - typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; - userdom_user_application_domain(mozilla_t, mozilla_exec_t) --role mozilla_roles types mozilla_t; -+#role mozilla_roles types mozilla_t; -+role system_r types mozilla_t; - - type mozilla_conf_t; - files_config_file(mozilla_conf_t) -@@ -39,7 +40,8 @@ userdom_user_home_content(mozilla_home_t) - type mozilla_plugin_t; - type mozilla_plugin_exec_t; - application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) --role mozilla_roles types mozilla_plugin_t; -+#role mozilla_roles types mozilla_plugin_t; -+role system_r types mozilla_plugin_t; - - type mozilla_plugin_tmp_t; - userdom_user_tmp_content(mozilla_plugin_tmp_t) -@@ -55,7 +57,8 @@ files_type(mozilla_plugin_rw_t) - type mozilla_plugin_config_t; - type mozilla_plugin_config_exec_t; - application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) --role mozilla_roles types mozilla_plugin_config_t; -+#role mozilla_roles types mozilla_plugin_config_t; -+role system_r types mozilla_plugin_config_t; - - type mozilla_tmp_t; - userdom_user_tmp_file(mozilla_tmp_t) -@@ -186,7 +189,7 @@ sysnet_dns_name_resolve(mozilla_t) - - userdom_use_inherited_user_ptys(mozilla_t) - --mozilla_run_plugin(mozilla_t, mozilla_roles) -+#mozilla_run_plugin(mozilla_t, mozilla_roles) - - xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t) - xserver_dontaudit_read_xdm_tmp_files(mozilla_t) -@@ -298,7 +301,8 @@ optional_policy(` - ') - - optional_policy(` -- pulseaudio_role(mozilla_roles, mozilla_t) -+ #pulseaudio_role(mozilla_roles, mozilla_t) -+ pulseaudio_exec(mozilla_t) - pulseaudio_stream_connect(mozilla_t) - pulseaudio_manage_home_files(mozilla_t) - ') -@@ -476,9 +480,9 @@ optional_policy(` - java_exec(mozilla_plugin_t) - ') - --optional_policy(` -- lpd_run_lpr(mozilla_plugin_t, mozilla_roles) --') -+#optional_policy(` -+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles) -+#') - - optional_policy(` - mplayer_exec(mozilla_plugin_t) -diff --git a/ncftool.if b/ncftool.if -index 1520b6c..3a4455f 100644 ---- a/ncftool.if -+++ b/ncftool.if -@@ -36,10 +36,18 @@ interface(`ncftool_domtrans',` - # - interface(`ncftool_run',` - gen_require(` -- attribute_role ncftool_roles; -+ type ncftool_t; -+ #attribute_role ncftool_roles; - ') - -- ncftool_domtrans($1) -- roleattribute $2 ncftool_roles; -+ #ncftool_domtrans($1) -+ #roleattribute $2 ncftool_roles; -+ -+ role $1 types ncftool_t; -+ -+ ncftool_domtrans($2) -+ -+ ps_process_pattern($2, ncftool_t) -+ allow $2 ncftool_t:process signal; - ') - -diff --git a/ncftool.te b/ncftool.te -index 91ab36d..8c48c33 100644 ---- a/ncftool.te -+++ b/ncftool.te -@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.0) - # Declarations - # - --attribute_role ncftool_roles; --roleattribute system_r ncftool_roles; -+#attribute_role ncftool_roles; -+#roleattribute system_r ncftool_roles; - - type ncftool_t; - type ncftool_exec_t; - application_domain(ncftool_t, ncftool_exec_t) - domain_obj_id_change_exemption(ncftool_t) - domain_system_change_exemption(ncftool_t) --role ncftool_roles types ncftool_t; -+#role ncftool_roles types ncftool_t; -+role system_r types ncftool_t; - - ######################################## - # -@@ -53,8 +54,10 @@ term_use_all_inherited_terms(ncftool_t) - - miscfiles_read_localization(ncftool_t) - sysnet_delete_dhcpc_pid(ncftool_t) --sysnet_run_dhcpc(ncftool_t, ncftool_roles) --sysnet_run_ifconfig(ncftool_t, ncftool_roles) -+sysnet_domtrans_dhcpc(ncftool_t) -+sysnet_domtrans_ifconfig(ncftool_t) -+#sysnet_run_dhcpc(ncftool_t, ncftool_roles) -+#sysnet_run_ifconfig(ncftool_t, ncftool_roles) - sysnet_etc_filetrans_config(ncftool_t) - sysnet_manage_config(ncftool_t) - sysnet_read_dhcpc_state(ncftool_t) -@@ -66,9 +69,9 @@ sysnet_signal_dhcpc(ncftool_t) - userdom_use_user_terminals(ncftool_t) - userdom_read_user_tmp_files(ncftool_t) - --optional_policy(` -- brctl_run(ncftool_t, ncftool_roles) --') -+#optional_policy(` -+# brctl_run(ncftool_t, ncftool_roles) -+#') - - optional_policy(` - consoletype_exec(ncftool_t) -@@ -85,9 +88,12 @@ optional_policy(` - - optional_policy(` - modutils_read_module_config(ncftool_t) -- modutils_run_insmod(ncftool_t, ncftool_roles) -+ modutils_domtrans_insmod(ncftool_t) -+ #modutils_run_insmod(ncftool_t, ncftool_roles) -+ - ') - - optional_policy(` -- netutils_run(ncftool_t, ncftool_roles) -+ netutils_domtrans(ncftool_t) -+ #netutils_run(ncftool_t, ncftool_roles) - ') -diff --git a/ppp.if b/ppp.if -index c174b05..a4cad0b 100644 ---- a/ppp.if -+++ b/ppp.if -@@ -175,11 +175,18 @@ interface(`ppp_run_cond',` - # - interface(`ppp_run',` - gen_require(` -- attribute_role pppd_roles; -+ #attribute_role pppd_roles; -+ type pppd_t; - ') - -- ppp_domtrans($1) -- roleattribute $2 pppd_roles; -+ #ppp_domtrans($1) -+ #roleattribute $2 pppd_roles; -+ -+ role $2 types pppd_t; -+ -+ tunable_policy(`pppd_for_user',` -+ ppp_domtrans($1) -+ ') - ') - - ######################################## -diff --git a/ppp.te b/ppp.te -index 17e10a2..92cec2b 100644 ---- a/ppp.te -+++ b/ppp.te -@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false) - ## - gen_tunable(pppd_for_user, false) - --attribute_role pppd_roles; -+#attribute_role pppd_roles; - - # pppd_t is the domain for the pppd program. - # pppd_exec_t is the type of the pppd executable. - type pppd_t; - type pppd_exec_t; - init_daemon_domain(pppd_t, pppd_exec_t) --role pppd_roles types pppd_t; -+#role pppd_roles types pppd_t; -+role system_r types pppd_t; - - type pppd_devpts_t; - term_pty(pppd_devpts_t) -@@ -64,7 +65,8 @@ files_pid_file(pppd_var_run_t) - type pptp_t; - type pptp_exec_t; - init_daemon_domain(pptp_t, pptp_exec_t) --role pppd_roles types pptp_t; -+#role pppd_roles types pptp_t; -+role system_r types pptp_t; - - type pptp_log_t; - logging_log_file(pptp_log_t) -@@ -176,7 +178,8 @@ init_dontaudit_write_utmp(pppd_t) - init_signal_script(pppd_t) - - auth_use_nsswitch(pppd_t) --auth_run_chk_passwd(pppd_t,pppd_roles) -+auth_domtrans_chk_passwd(pppd_t) -+#auth_run_chk_passwd(pppd_t,pppd_roles) - auth_write_login_records(pppd_t) - - logging_send_syslog_msg(pppd_t) -@@ -196,7 +199,8 @@ userdom_search_admin_dir(pppd_t) - ppp_exec(pppd_t) - - optional_policy(` -- ddclient_run(pppd_t, pppd_roles) -+ #ddclient_run(pppd_t, pppd_roles) -+ ddclient_domtrans(pppd_t) - ') - - optional_policy(` -diff --git a/usernetctl.if b/usernetctl.if -index d45c715..2d4f1ba 100644 ---- a/usernetctl.if -+++ b/usernetctl.if -@@ -37,9 +37,26 @@ interface(`usernetctl_domtrans',` - # - interface(`usernetctl_run',` - gen_require(` -- attribute_role usernetctl_roles; -+ type usernetctl_t; -+ #attribute_role usernetctl_roles; - ') - -- usernetctl_domtrans($1) -- roleattribute $2 usernetctl_roles; -+ #usernetctl_domtrans($1) -+ #roleattribute $2 usernetctl_roles; -+ -+ sysnet_run_ifconfig(usernetctl_t, $2) -+ sysnet_run_dhcpc(usernetctl_t, $2) -+ -+ optional_policy(` -+ iptables_run(usernetctl_t, $2) -+ ') -+ -+ optional_policy(` -+ modutils_run_insmod(usernetctl_t, $2) -+ ') -+ -+ optional_policy(` -+ ppp_run(usernetctl_t, $2) -+ ') -+ - ') -diff --git a/usernetctl.te b/usernetctl.te -index 8604c1c..35b12a6 100644 ---- a/usernetctl.te -+++ b/usernetctl.te -@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0) - # Declarations - # - --attribute_role usernetctl_roles; -+#attribute_role usernetctl_roles; - - type usernetctl_t; - type usernetctl_exec_t; - application_domain(usernetctl_t, usernetctl_exec_t) - domain_interactive_fd(usernetctl_t) --role usernetctl_roles types usernetctl_t; -+#role usernetctl_roles types usernetctl_t; -+role system_r types usernetctl_t; - - ######################################## - # -@@ -63,29 +64,30 @@ sysnet_read_config(usernetctl_t) - - userdom_use_inherited_user_terminals(usernetctl_t) - --sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) --sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) -+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles) -+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles) - - optional_policy(` -- consoletype_run(usernetctl_t, usernetctl_roles) -+ #consoletype_run(usernetctl_t, usernetctl_roles) -+ consoletype_exec(usernetctl_t) - ') - - optional_policy(` - hostname_exec(usernetctl_t) - ') - --optional_policy(` -- iptables_run(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# iptables_run(usernetctl_t, usernetctl_roles) -+#') - --optional_policy(` -- modutils_run_insmod(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# modutils_run_insmod(usernetctl_t, usernetctl_roles) -+#') - - optional_policy(` - nis_use_ypbind(usernetctl_t) - ') - --optional_policy(` -- ppp_run(usernetctl_t, usernetctl_roles) --') -+#optional_policy(` -+# ppp_run(usernetctl_t, usernetctl_roles) -+#') -diff --git a/vpn.if b/vpn.if -index 7b93e07..a4e2f60 100644 ---- a/vpn.if -+++ b/vpn.if -@@ -37,11 +37,16 @@ interface(`vpn_domtrans',` - # - interface(`vpn_run',` - gen_require(` -- attribute_role vpnc_roles; -+ #attribute_role vpnc_roles; -+ type vpnc_t; - ') - -+ #vpn_domtrans($1) -+ #roleattribute $2 vpnc_roles; -+ - vpn_domtrans($1) -- roleattribute $2 vpnc_roles; -+ role $2 types vpnc_t; -+ sysnet_run_ifconfig(vpnc_t, $2) - ') - - ######################################## -diff --git a/vpn.te b/vpn.te -index 99fd457..d2585bb 100644 ---- a/vpn.te -+++ b/vpn.te -@@ -5,14 +5,15 @@ policy_module(vpn, 1.15.0) - # Declarations - # - --attribute_role vpnc_roles; --roleattribute system_r vpnc_roles; -+#attribute_role vpnc_roles; -+#roleattribute system_r vpnc_roles; - - type vpnc_t; - type vpnc_exec_t; - init_system_domain(vpnc_t, vpnc_exec_t) - application_domain(vpnc_t, vpnc_exec_t) --role vpnc_roles types vpnc_t; -+#role vpnc_roles types vpnc_t; -+role system_r types vpnc_t; - - type vpnc_tmp_t; - files_tmp_file(vpnc_tmp_t) -@@ -108,7 +109,7 @@ miscfiles_read_localization(vpnc_t) - seutil_dontaudit_search_config(vpnc_t) - seutil_use_newrole_fds(vpnc_t) - --sysnet_run_ifconfig(vpnc_t, vpnc_roles) -+#sysnet_run_ifconfig(vpnc_t, vpnc_roles) - sysnet_etc_filetrans_config(vpnc_t) - sysnet_manage_config(vpnc_t) - -commit 88b64bdd71ef734271b9370fc37e02785f354f7f -Author: Miroslav Grepl -Date: Thu Jun 7 02:33:40 2012 +0200 - - Fix ncftool.if - -diff --git a/ncftool.if b/ncftool.if -index 3a4455f..59f096b 100644 ---- a/ncftool.if -+++ b/ncftool.if -@@ -43,11 +43,12 @@ interface(`ncftool_run',` - #ncftool_domtrans($1) - #roleattribute $2 ncftool_roles; - -- role $1 types ncftool_t; -+ ncftool_domtrans($1) -+ role $2 types ncftool_t; - -- ncftool_domtrans($2) -+ optional_policy(` -+ brctl_run(ncftool_t, $2) -+ ') - -- ps_process_pattern($2, ncftool_t) -- allow $2 ncftool_t:process signal; - ') - -commit 1d49e7e1383a578e75d16b0b7f58dbe25351b1d9 -Author: Miroslav Grepl -Date: Thu Jun 7 10:47:57 2012 +0200 - - roleattriburte temp fixes for portage and dpkg - -diff --git a/dpkg.if b/dpkg.if -index 4d32b42..d945bd0 100644 ---- a/dpkg.if -+++ b/dpkg.if -@@ -62,11 +62,18 @@ interface(`dpkg_domtrans_script',` - # - interface(`dpkg_run',` - gen_require(` -- attribute_role dpkg_roles; -+ #attribute_role dpkg_roles; -+ type dpkg_t, dpkg_script_t - ') - -+ #dpkg_domtrans($1) -+ #roleattribute $2 dpkg_roles; -+ - dpkg_domtrans($1) -- roleattribute $2 dpkg_roles; -+ role $2 types dpkg_t; -+ role $2 types dpkg_script_t; -+ seutil_run_loadpolicy(dpkg_script_t, $2) -+ - ') - - ######################################## -diff --git a/dpkg.te b/dpkg.te -index a1b8f92..9ac1b80 100644 ---- a/dpkg.te -+++ b/dpkg.te -@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1) - # Declarations - # - --attribute_role dpkg_roles; --roleattribute system_r dpkg_roles; -+#attribute_role dpkg_roles; -+#roleattribute system_r dpkg_roles; - - type dpkg_t; - type dpkg_exec_t; -@@ -17,7 +17,8 @@ domain_obj_id_change_exemption(dpkg_t) - domain_role_change_exemption(dpkg_t) - domain_system_change_exemption(dpkg_t) - domain_interactive_fd(dpkg_t) --role dpkg_roles types dpkg_t; -+#role dpkg_roles types dpkg_t; -+role system_r types dpkg_t; - - # lockfile - type dpkg_lock_t; -@@ -41,7 +42,8 @@ corecmd_shell_entry_type(dpkg_script_t) - domain_obj_id_change_exemption(dpkg_script_t) - domain_system_change_exemption(dpkg_script_t) - domain_interactive_fd(dpkg_script_t) --role dpkg_roles types dpkg_script_t; -+#role dpkg_roles types dpkg_script_t; -+role system_r types dpkg_script_t; - - type dpkg_script_tmp_t; - files_tmp_file(dpkg_script_tmp_t) -@@ -152,9 +154,12 @@ files_exec_etc_files(dpkg_t) - init_domtrans_script(dpkg_t) - init_use_script_ptys(dpkg_t) - -+#libs_exec_ld_so(dpkg_t) -+#libs_exec_lib_files(dpkg_t) -+#libs_run_ldconfig(dpkg_t, dpkg_roles) - libs_exec_ld_so(dpkg_t) - libs_exec_lib_files(dpkg_t) --libs_run_ldconfig(dpkg_t, dpkg_roles) -+libs_domtrans_ldconfig(dpkg_t) - - logging_send_syslog_msg(dpkg_t) - -@@ -196,19 +201,30 @@ domain_signull_all_domains(dpkg_t) - files_read_etc_runtime_files(dpkg_t) - files_exec_usr_files(dpkg_t) - miscfiles_read_localization(dpkg_t) --modutils_run_depmod(dpkg_t, dpkg_roles) --modutils_run_insmod(dpkg_t, dpkg_roles) --seutil_run_loadpolicy(dpkg_t, dpkg_roles) --seutil_run_setfiles(dpkg_t, dpkg_roles) -+#modutils_run_depmod(dpkg_t, dpkg_roles) -+#modutils_run_insmod(dpkg_t, dpkg_roles) -+#seutil_run_loadpolicy(dpkg_t, dpkg_roles) -+#seutil_run_setfiles(dpkg_t, dpkg_roles) - userdom_use_all_users_fds(dpkg_t) - optional_policy(` - mta_send_mail(dpkg_t) - ') -+ -+ - optional_policy(` -- usermanage_run_groupadd(dpkg_t, dpkg_roles) -- usermanage_run_useradd(dpkg_t, dpkg_roles) -+ modutils_domtrans_depmod(dpkg_t) -+ modutils_domtrans_insmod(dpkg_t) -+ seutil_domtrans_loadpolicy(dpkg_t) -+ seutil_domtrans_setfiles(dpkg_t) -+ usermanage_domtrans_groupadd(dpkg_t) -+ usermanage_domtrans_useradd(dpkg_t) - ') - -+#optional_policy(` -+# usermanage_run_groupadd(dpkg_t, dpkg_roles) -+# usermanage_run_useradd(dpkg_t, dpkg_roles) -+#') -+ - ######################################## - # - # dpkg-script Local policy -@@ -302,11 +318,11 @@ logging_send_syslog_msg(dpkg_script_t) - - miscfiles_read_localization(dpkg_script_t) - --modutils_run_depmod(dpkg_script_t, dpkg_roles) --modutils_run_insmod(dpkg_script_t, dpkg_roles) -+#modutils_run_depmod(dpkg_script_t, dpkg_roles) -+#modutils_run_insmod(dpkg_script_t, dpkg_roles) - --seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) --seutil_run_setfiles(dpkg_script_t, dpkg_roles) -+#seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) -+#seutil_run_setfiles(dpkg_script_t, dpkg_roles) - - userdom_use_all_users_fds(dpkg_script_t) - -@@ -319,9 +335,9 @@ optional_policy(` - apt_use_fds(dpkg_script_t) - ') - --optional_policy(` -- bootloader_run(dpkg_script_t, dpkg_roles) --') -+#optional_policy(` -+# bootloader_run(dpkg_script_t, dpkg_roles) -+#') - - optional_policy(` - mta_send_mail(dpkg_script_t) -@@ -335,7 +351,7 @@ optional_policy(` - unconfined_domain(dpkg_script_t) - ') - --optional_policy(` -- usermanage_run_groupadd(dpkg_script_t, dpkg_roles) -- usermanage_run_useradd(dpkg_script_t, dpkg_roles) --') -+#optional_policy(` -+# usermanage_run_groupadd(dpkg_script_t, dpkg_roles) -+# usermanage_run_useradd(dpkg_script_t, dpkg_roles) -+#') -diff --git a/portage.if b/portage.if -index b4bb48a..e5e8f12 100644 ---- a/portage.if -+++ b/portage.if -@@ -43,11 +43,15 @@ interface(`portage_domtrans',` - # - interface(`portage_run',` - gen_require(` -- attribute_role portage_roles; -+ type portage_t, portage_fetch_t, portage_sandbox_t; -+ #attribute_role portage_roles; - ') - -- portage_domtrans($1) -- roleattribute $2 portage_roles; -+ #portage_domtrans($1) -+ #roleattribute $2 portage_roles; -+ portage_domtrans($1) -+ role $2 types { portage_t portage_fetch_t portage_sandbox_t } -+ - ') - - ######################################## -diff --git a/portage.te b/portage.te -index 22bdf7d..f726e1d 100644 ---- a/portage.te -+++ b/portage.te -@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4) - ## - gen_tunable(portage_use_nfs, false) - --attribute_role portage_roles; -+#attribute_role portage_roles; - - type gcc_config_t; - type gcc_config_exec_t; -@@ -25,7 +25,8 @@ application_domain(portage_t, portage_exec_t) - domain_obj_id_change_exemption(portage_t) - rsync_entry_type(portage_t) - corecmd_shell_entry_type(portage_t) --role portage_roles types portage_t; -+#role portage_roles types portage_t; -+role system_r types portage_t; - - # portage compile sandbox domain - type portage_sandbox_t; -@@ -33,7 +34,8 @@ application_domain(portage_sandbox_t, portage_exec_t) - # the shell is the entrypoint if regular sandbox is disabled - # portage_exec_t is the entrypoint if regular sandbox is enabled - corecmd_shell_entry_type(portage_sandbox_t) --role portage_roles types portage_sandbox_t; -+#role portage_roles types portage_sandbox_t; -+role system_r types portage_sandbox_t; - - # portage package fetching domain - type portage_fetch_t; -@@ -41,7 +43,8 @@ type portage_fetch_exec_t; - application_domain(portage_fetch_t, portage_fetch_exec_t) - corecmd_shell_entry_type(portage_fetch_t) - rsync_entry_type(portage_fetch_t) --role portage_roles types portage_fetch_t; -+#role portage_roles types portage_fetch_t; -+role system_r types portage_fetch_t; - - type portage_devpts_t; - term_pty(portage_devpts_t) -@@ -115,7 +118,8 @@ files_list_all(gcc_config_t) - init_dontaudit_read_script_status_files(gcc_config_t) - - libs_read_lib_files(gcc_config_t) --libs_run_ldconfig(gcc_config_t, portage_roles) -+#libs_run_ldconfig(gcc_config_t, portage_roles) -+libs_domtrans_ldconfig(gcc_config_t) - libs_manage_shared_libs(gcc_config_t) - # gcc-config creates a temp dir for the libs - libs_manage_lib_dirs(gcc_config_t) -@@ -196,33 +200,41 @@ auth_manage_shadow(portage_t) - init_exec(portage_t) - - # run setfiles -r --seutil_run_setfiles(portage_t, portage_roles) -+#seutil_run_setfiles(portage_t, portage_roles) - # run semodule --seutil_run_semanage(portage_t, portage_roles) -+#seutil_run_semanage(portage_t, portage_roles) - --portage_run_gcc_config(portage_t, portage_roles) -+#portage_run_gcc_config(portage_t, portage_roles) - # if sesandbox is disabled, compiling is performed in this domain - portage_compile_domain(portage_t) - --optional_policy(` -- bootloader_run(portage_t, portage_roles) --') -+#optional_policy(` -+# bootloader_run(portage_t, portage_roles) -+#') - - optional_policy(` - cron_system_entry(portage_t, portage_exec_t) - cron_system_entry(portage_fetch_t, portage_fetch_exec_t) - ') - --optional_policy(` -- modutils_run_depmod(portage_t, portage_roles) -- modutils_run_update_mods(portage_t, portage_roles) -+#optional_policy(` -+# modutils_run_depmod(portage_t, portage_roles) -+# modutils_run_update_mods(portage_t, portage_roles) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; - ') - --optional_policy(` -- usermanage_run_groupadd(portage_t, portage_roles) -- usermanage_run_useradd(portage_t, portage_roles) --') -+#optional_policy(` -+# usermanage_run_groupadd(portage_t, portage_roles) -+# usermanage_run_useradd(portage_t, portage_roles) -+#') -+ -+seutil_domtrans_setfiles(portage_t) -+seutil_domtrans_semanage(portage_t) -+bootloader_domtrans(portage_t) -+modutils_domtrans_depmod(portage_t) -+modutils_domtrans_update_mods(portage_t) -+usermanage_domtrans_groupadd(portage_t) -+usermanage_domtrans_useradd(portage_t) - - ifdef(`TODO',` - # seems to work ok without these -commit 1797b35f16d5c863a0083148dee4ee3f93c4c4ef -Author: Miroslav Grepl -Date: Thu Jun 7 10:52:09 2012 +0200 - - Fix typo - -diff --git a/portage.if b/portage.if -index e5e8f12..7098ded 100644 ---- a/portage.if -+++ b/portage.if -@@ -50,7 +50,7 @@ interface(`portage_run',` - #portage_domtrans($1) - #roleattribute $2 portage_roles; - portage_domtrans($1) -- role $2 types { portage_t portage_fetch_t portage_sandbox_t } -+ role $2 types { portage_t portage_fetch_t portage_sandbox_t }; - - ') - -commit cf999ca29d2a4401c481e28c169e10d676d73526 -Author: Miroslav Grepl -Date: Thu Jun 7 10:59:22 2012 +0200 - - One more typo - -diff --git a/dpkg.if b/dpkg.if -index d945bd0..78736d8 100644 ---- a/dpkg.if -+++ b/dpkg.if -@@ -63,7 +63,7 @@ interface(`dpkg_domtrans_script',` - interface(`dpkg_run',` - gen_require(` - #attribute_role dpkg_roles; -- type dpkg_t, dpkg_script_t -+ type dpkg_t, dpkg_script_t; - ') - - #dpkg_domtrans($1) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6364a4a..b950318 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,13 +19,12 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 65%{?dist} +Release: 66%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch: policy-rawhide-base.patch patch1: policy-rawhide-contrib.patch -patch2: policy_contrib-rawhide-roleattribute.patch Source1: modules-targeted-base.conf Source31: modules-targeted-contrib.conf Source2: booleans-targeted.conf @@ -539,6 +538,42 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Jul 22 2013 Miroslav Grepl 3.12.1-66 +- Allow systemd-tmpfile to handle tmp content in print spool dir +- Allow systemd-sysctl to send system log messages +- Add support for RTP media ports and fmpro-internal +- Make auditd working if audit is configured to perform SINGLE action on disk error +- Add interfaces to handle systemd units +- Make systemd-notify working if pcsd is used +- Add support for netlabel and label /usr/sbin/netlabelctl as iptables_exec_t +- Instead of having all unconfined domains get all of the named transition rules, +- Only allow unconfined_t, init_t, initrc_t and rpm_script_t by default. +- Add definition for the salt ports +- Allow xdm_t to create link files in xdm_var_run_t +- Dontaudit reads of blk files or chr files leaked into ldconfig_t +- Allow sys_chroot for useradd_t +- Allow net_raw cap for ipsec_t +- Allow sysadm_t to reload services +- Add additional fixes to make strongswan working with a simple conf +- Allow sysadm_t to enable/disable init_t services +- Add additional glusterd perms +- Allow apache to read lnk files in the /mnt directory +- Allow glusterd to ask the kernel to load a module +- Fix description of ftpd_use_fusefs boolean +- Allow svirt_lxc_net_t to sys_chroot, modify policy to tighten up svirt_lxc_domain capabilties and process controls, but add them to svirt_lxc_net_t +- Allow glusterds to request load a kernel module +- Allow boinc to stream connect to xserver_t +- Allow sblim domains to read /etc/passwd +- Allow mdadm to read usb devices +- Allow collectd to use ping plugin +- Make foghorn working with SNMP +- Allow sssd to read ldap certs +- Allow haproxy to connect to RTP media ports +- Add additional trans rules for aide_db +- Add labeling for /usr/lib/pcsd/pcsd +- Add labeling for /var/log/pcsd +- Add support for pcs which is a corosync and pacemaker configuration tool + * Wed Jul 17 2013 Miroslav Grepl 3.12.1-65 - Label /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t - Add labeling for /usr/libexec/kde4/polkit-kde-authentication-agent-1