diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 815ea7a..ac570a0 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 74647d4..c9c96bd 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17860,10 +17860,10 @@ index 1a03abd..3221f80 100644 allow files_unconfined_type file_type:file execmod; ') diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index d7c11a0..6b3331d 100644 +index d7c11a0..efcd377 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,23 +1,26 @@ +@@ -1,23 +1,29 @@ -/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -/cgroup/.* <> +# ecryptfs does not support xattr @@ -17882,6 +17882,9 @@ index d7c11a0..6b3331d 100644 +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh) +/dev/shm/.* <> ++/dev/oracleasm -d gen_context(system_u:object_r:oracleasmfs_t,s0) ++/dev/oracleasm/.* <> ++ +/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/usr/lib/udev/devices/hugepages/.* <> +/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0) @@ -17901,7 +17904,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..20099cd 100644 +index 8416beb..f7a29fe 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18997,7 +19000,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -2253,38 +2606,611 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +2606,686 @@ interface(`fs_remount_iso9660_fs',` ## ## # 
@@ -19123,6 +19126,81 @@ index 8416beb..20099cd 100644 + +######################################## +## ++## List oracleasmfs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_list_oracleasmfs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:dir list_dir_perms; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_getattr_oracleasmfs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:file getattr; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_oracleasmfs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:file setattr; ++') ++ ++######################################## ++## ++## Get the attributes of an oracleasmfs ++## filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_setattr_oracleasmfs_dirs',` ++ gen_require(` ++ type oracleasmfs_t; ++ ') ++ ++ allow $1 oracleasmfs_t:dir setattr; ++') ++ ++######################################## ++## +## Search inotifyfs filesystem. +## +## @@ -19621,7 +19699,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -2292,19 +3218,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3293,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -19649,7 +19727,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -2312,16 +3240,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3315,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -19670,7 +19748,7 @@ index 8416beb..20099cd 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2398,6 +3325,24 @@ interface(`fs_getattr_nfs',` +@@ -2398,6 +3400,24 @@ interface(`fs_getattr_nfs',` ######################################## ## 
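Review bot: The summaries of `fs_setattr_oracleasmfs` and `fs_setattr_oracleasmfs_dirs` both read "Get the attributes of an oracleasmfs filesystem", copied from the getattr interface above them, although their bodies grant `setattr` on oracleasmfs_t files and dirs respectively; I would change them to `## Set the attributes of oracleasmfs files.` and `## Set the attributes of oracleasmfs directories.`. `fs_getattr_oracleasmfs` likewise says "filesystem" while it only allows `oracleasmfs_t:file getattr` and no `filesystem getattr`, so either rename it `fs_getattr_oracleasmfs_files` to follow the `fs_getattr_*_files` convention used by the nfsd and iso9660 interfaces in this file, or reword the summary so callers do not expect statfs-level access. No behavior change is implied, but these summaries are what policy authors read when choosing which interface to call.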
@@ -19695,7 +19773,7 @@ index 8416beb..20099cd 100644 ## Search directories on a NFS filesystem. ## ## -@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3505,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19703,7 +19781,7 @@ index 8416beb..20099cd 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3544,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19711,7 +19789,7 @@ index 8416beb..20099cd 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3571,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -19756,7 +19834,7 @@ index 8416beb..20099cd 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3629,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -19765,7 +19843,7 @@ index 8416beb..20099cd 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3649,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -19808,7 +19886,7 @@ index 8416beb..20099cd 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3699,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19817,7 +19895,7 @@ index 8416beb..20099cd 100644 ') ######################################## -@@ -2627,7 +3648,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3723,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## 
@@ -19826,7 +19904,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -2719,6 +3740,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3815,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -19892,7 +19970,7 @@ index 8416beb..20099cd 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3821,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3896,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19901,7 +19979,7 @@ index 8416beb..20099cd 100644 ## ## # -@@ -2777,7 +3857,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3932,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19910,7 +19988,7 @@ index 8416beb..20099cd 100644 ## ## # -@@ -2970,6 +4050,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4125,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -19918,7 +19996,7 @@ index 8416beb..20099cd 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4091,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4166,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -19926,7 +20004,7 @@ index 8416beb..20099cd 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4132,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4207,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -19934,7 +20012,7 @@ index 8416beb..20099cd 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4220,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4295,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -19959,7 +20037,7 @@ index 8416beb..20099cd 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3182,18 +4283,108 @@ interface(`fs_remount_nfsd_fs',` +@@ -3182,18 +4358,108 @@ interface(`fs_remount_nfsd_fs',` ## ## # @@ -20076,7 +20154,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3201,17 +4392,17 @@ interface(`fs_unmount_nfsd_fs',` +@@ -3201,17 +4467,17 @@ interface(`fs_unmount_nfsd_fs',` ## ## # 
@@ -20097,7 +20175,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3219,35 +4410,35 @@ interface(`fs_getattr_nfsd_fs',` +@@ -3219,35 +4485,35 @@ interface(`fs_getattr_nfsd_fs',` ## ## # @@ -20147,7 +20225,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3255,17 +4446,17 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,17 +4521,17 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20169,7 +20247,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3273,12 +4464,12 @@ interface(`fs_getattr_nfsd_files',` +@@ -3273,12 +4539,12 @@ interface(`fs_getattr_nfsd_files',` ## ## # @@ -20184,7 +20262,7 @@ index 8416beb..20099cd 100644 ') ######################################## -@@ -3392,7 +4583,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4658,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20193,7 +20271,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3429,7 +4620,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4695,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20202,7 +20280,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3447,7 +4638,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4713,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20211,7 +20289,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3779,6 +4970,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5045,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20236,7 +20314,7 @@ index 8416beb..20099cd 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5024,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5099,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## 
@@ -20261,7 +20339,7 @@ index 8416beb..20099cd 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5135,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5210,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20270,7 +20348,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3916,17 +5143,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5218,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20291,7 +20369,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3934,17 +5161,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5236,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20312,7 +20390,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3952,17 +5179,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5254,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20352,7 +20430,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -3970,31 +5216,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5291,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20408,7 +20486,7 @@ index 8416beb..20099cd 100644 ') ######################################## -@@ -4066,33 +5329,161 @@ interface(`fs_tmpfs_filetrans',` +@@ -4066,33 +5404,161 @@ interface(`fs_tmpfs_filetrans',` type tmpfs_t; ') @@ -20579,7 +20657,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -4100,72 +5491,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,72 +5566,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # @@ -20669,7 +20747,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -4173,17 +5564,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5639,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -20691,7 +20769,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -4191,37 +5583,37 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +5658,37 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # 
@@ -20737,7 +20815,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -4229,18 +5621,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +5696,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -20759,7 +20837,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -4248,18 +5640,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +5715,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -20783,7 +20861,7 @@ index 8416beb..20099cd 100644 ## ## ## -@@ -4267,32 +5660,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +5735,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -20822,7 +20900,7 @@ index 8416beb..20099cd 100644 ') ######################################## -@@ -4407,6 +5799,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5874,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20848,7 +20926,7 @@ index 8416beb..20099cd 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5914,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5989,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20857,7 +20935,7 @@ index 8416beb..20099cd 100644 ') ######################################## -@@ -4549,7 +5962,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6037,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20866,7 +20944,7 @@ index 8416beb..20099cd 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6009,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6084,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20893,7 +20971,7 @@ index 8416beb..20099cd 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6104,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6179,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -20919,7 +20997,7 @@ index 8416beb..20099cd 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6364,173 @@ interface(`fs_unconfined',` +@@ -4912,3 +6439,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -29732,7 +29810,7 @@ index cc877c7..b8e6e98 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index 8274418..5f31270 100644 +index 8274418..a47fd0b4 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,39 @@ @@ -29798,7 +29876,7 @@ index 8274418..5f31270 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +80,35 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +80,37 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # 
@@ -29837,10 +29915,12 @@ index 8274418..5f31270 100644 + +/usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) ++ ++/usr/libexec/gsd-backlight-helper -- gen_context(system_u:object_r:xserver_exec_t,s0) /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -91,19 +134,34 @@ ifndef(`distro_debian',` +@@ -91,19 +136,34 @@ ifndef(`distro_debian',` /var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -29879,7 +29959,7 @@ index 8274418..5f31270 100644 /var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -111,7 +169,18 @@ ifndef(`distro_debian',` +@@ -111,7 +171,18 @@ ifndef(`distro_debian',` /var/run/slim.* gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -37342,7 +37422,7 @@ index 79a45f6..d092e6e 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..01ef803 100644 +index 17eda24..97e35aa 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37467,7 +37547,7 @@ index 17eda24..01ef803 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +161,45 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +161,47 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; 
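Review bot: Labeling `/usr/libexec/gsd-backlight-helper` as `xserver_exec_t` makes every invocation of the helper run in the X server domain, which is far broader than what a helper that presumably only writes a backlight value under sysfs needs (inferred from the name; confirm against the denials that motivated the entry). A dedicated exec type with its own small domain would keep the privilege boundary proportionate; failing that, a comment next to the entry stating why xserver_t is the intended domain keeps the choice reviewable, e.g. `# gsd-backlight-helper runs in xserver_t to adjust the backlight; see <ticket placeholder>`. The entry itself is consistent with the neighbouring Xorg.bin and Xorg.wrap lines.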
@@ -37506,7 +37586,9 @@ index 17eda24..01ef803 100644 +manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) +manage_fifo_files_pattern(init_t, init_var_run_t, init_var_run_t) -+files_pid_filetrans(init_t, init_var_run_t, { dir file }) ++manage_blk_files_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_chr_files_pattern(init_t, init_var_run_t, init_var_run_t) ++files_pid_filetrans(init_t, init_var_run_t, { dir file blk_file chr_file fifo_file}) +allow init_t init_var_run_t:dir mounton; +allow init_t init_var_run_t:sock_file relabelto; +allow init_t init_var_run_t:blk_file getattr; @@ -37519,7 +37601,7 @@ index 17eda24..01ef803 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +209,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +211,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -37544,7 +37626,7 @@ index 17eda24..01ef803 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +233,24 @@ domain_signal_all_domains(init_t) +@@ -139,14 +235,24 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -37570,7 +37652,7 @@ index 17eda24..01ef803 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -155,29 +259,70 @@ fs_list_inotifyfs(init_t) +@@ -155,29 +261,70 @@ fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -37646,7 +37728,7 @@ index 17eda24..01ef803 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +331,264 @@ ifdef(`distro_gentoo',` +@@ -186,29 +333,264 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
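Review bot: With `manage_blk_files_pattern(init_t, init_var_run_t, init_var_run_t)` added, the retained `allow init_t init_var_run_t:blk_file getattr;` a few lines below is now redundant and should be dropped so the device-node rules on this type read as one grant. The new set in `files_pid_filetrans(init_t, init_var_run_t, { dir file blk_file chr_file fifo_file})` is missing the closing space, `{ dir file blk_file chr_file fifo_file }`, and it omits `sock_file` even though `manage_sock_files_pattern` is granted on the same type just above; if that asymmetry is deliberate a one-line comment would save the next reader the question. Letting init create device nodes under /run is presumably for systemd's own placeholder nodes; a comment such as `# systemd creates placeholder device nodes under /run` would record the reason. The enclosing init_t rule block starts before this hunk.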
@@ -37920,7 +38002,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -216,7 +596,30 @@ optional_policy(` +@@ -216,7 +598,30 @@ optional_policy(` ') optional_policy(` @@ -37952,7 +38034,7 @@ index 17eda24..01ef803 100644 ') ######################################## -@@ -225,9 +628,9 @@ optional_policy(` +@@ -225,9 +630,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37964,7 +38046,7 @@ index 17eda24..01ef803 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +661,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +663,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37981,7 +38063,7 @@ index 17eda24..01ef803 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +686,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +688,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -38024,7 +38106,7 @@ index 17eda24..01ef803 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +723,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +725,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -38036,7 +38118,7 @@ index 17eda24..01ef803 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +735,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +737,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -38047,7 +38129,7 @@ index 17eda24..01ef803 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +746,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +748,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -38057,7 +38139,7 @@ index 17eda24..01ef803 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +755,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +757,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -38065,7 +38147,7 @@ index 17eda24..01ef803 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +762,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +764,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -38073,7 +38155,7 @@ index 17eda24..01ef803 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +770,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +772,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -38091,7 +38173,7 @@ index 17eda24..01ef803 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +788,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +790,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -38105,7 +38187,7 @@ index 17eda24..01ef803 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +803,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +805,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -38119,7 +38201,7 @@ index 17eda24..01ef803 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +816,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +818,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -38130,7 +38212,7 @@ index 17eda24..01ef803 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +829,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +831,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -38138,7 +38220,7 @@ index 17eda24..01ef803 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +848,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +850,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -38162,7 +38244,7 @@ index 17eda24..01ef803 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +881,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +883,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -38170,7 +38252,7 @@ index 17eda24..01ef803 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +915,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +917,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` 
@@ -38181,7 +38263,7 @@ index 17eda24..01ef803 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +939,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +941,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -38190,7 +38272,7 @@ index 17eda24..01ef803 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +954,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +956,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -38198,7 +38280,7 @@ index 17eda24..01ef803 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +975,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +977,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -38206,7 +38288,7 @@ index 17eda24..01ef803 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +985,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +987,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -38251,7 +38333,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -559,14 +1030,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1032,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -38283,7 +38365,7 @@ index 17eda24..01ef803 100644 ') ') -@@ -577,6 +1065,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1067,39 @@ ifdef(`distro_suse',` ') ') @@ -38323,7 +38405,7 @@ index 17eda24..01ef803 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1110,8 @@ optional_policy(` +@@ -589,6 +1112,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -38332,7 +38414,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -610,6 +1133,7 @@ optional_policy(` +@@ -610,6 +1135,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -38340,7 +38422,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -626,6 +1150,17 @@ optional_policy(` +@@ -626,6 +1152,17 @@ optional_policy(` ') optional_policy(` @@ -38358,7 +38440,7 @@ index 17eda24..01ef803 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1177,13 @@ optional_policy(` +@@ -642,9 +1179,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -38372,7 +38454,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -657,15 +1196,11 @@ optional_policy(` +@@ -657,15 +1198,11 @@ optional_policy(` ') optional_policy(` @@ -38390,7 +38472,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -686,6 +1221,15 @@ optional_policy(` +@@ -686,6 +1223,15 @@ optional_policy(` ') optional_policy(` @@ -38406,7 +38488,7 @@ index 17eda24..01ef803 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1270,7 @@ optional_policy(` +@@ -726,6 +1272,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -38414,7 +38496,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -743,7 +1288,13 @@ optional_policy(` +@@ -743,7 +1290,13 @@ optional_policy(` ') optional_policy(` @@ -38429,7 +38511,7 @@ index 17eda24..01ef803 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1317,10 @@ optional_policy(` +@@ -766,6 +1319,10 @@ optional_policy(` ') optional_policy(` @@ -38440,7 +38522,7 @@ index 17eda24..01ef803 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1330,20 @@ optional_policy(` +@@ -775,10 +1332,20 @@ optional_policy(` ') optional_policy(` 
@@ -38461,7 +38543,7 @@ index 17eda24..01ef803 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1352,10 @@ optional_policy(` +@@ -787,6 +1354,10 @@ optional_policy(` ') optional_policy(` @@ -38472,7 +38554,7 @@ index 17eda24..01ef803 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1377,6 @@ optional_policy(` +@@ -808,8 +1379,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -38481,7 +38563,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -818,6 +1385,10 @@ optional_policy(` +@@ -818,6 +1387,10 @@ optional_policy(` ') optional_policy(` @@ -38492,7 +38574,7 @@ index 17eda24..01ef803 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1398,12 @@ optional_policy(` +@@ -827,10 +1400,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38505,7 +38587,7 @@ index 17eda24..01ef803 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1430,62 @@ optional_policy(` +@@ -857,21 +1432,62 @@ optional_policy(` ') optional_policy(` @@ -38569,7 +38651,7 @@ index 17eda24..01ef803 100644 ') optional_policy(` -@@ -887,6 +1501,10 @@ optional_policy(` +@@ -887,6 +1503,10 @@ optional_policy(` ') optional_policy(` @@ -38580,7 +38662,7 @@ index 17eda24..01ef803 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1515,218 @@ optional_policy(` +@@ -897,3 +1517,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -51334,7 +51416,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..beadc1e 100644 +index 9dc60c6..af8711d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -54636,7 +54718,7 @@ index 9dc60c6..beadc1e 100644 ## Create keys for all user domains. ##
## -@@ -3435,4 +4628,1799 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4628,1817 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -54846,6 +54928,24 @@ index 9dc60c6..beadc1e 100644 + +######################################## +## ++## dontaudit manage dirs /root ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_manage_admin_dir',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:dir manage_dir_perms; ++') ++ ++######################################## ++## +## RW unpriviledged user SysV sempaphores. +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a07bea4..d1cd807 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1275,7 +1275,7 @@ index bd5ec9a..554177c 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 3593510..b6a0f70 100644 +index 3593510..9617b13 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1314,7 +1314,7 @@ index 3593510..b6a0f70 100644 fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) -@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t) +@@ -48,12 +55,15 @@ auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) @@ -1323,7 +1323,15 @@ index 3593510..b6a0f70 100644 logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) -@@ -66,9 +73,16 @@ optional_policy(` + logging_set_loginuid(accountsd_t) + ++userdom_dontaudit_create_admin_dir(accountsd_t) ++userdom_dontaudit_manage_admin_dir(accountsd_t) ++ + userdom_read_user_tmp_files(accountsd_t) + userdom_read_user_home_content_files(accountsd_t) + +@@ -66,9 +76,16 @@ optional_policy(` ') optional_policy(` @@ -12278,7 +12286,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') 
diff --git a/certmonger.te b/certmonger.te -index 550b287..b824421 100644 +index 550b287..1401e7b 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,18 +18,23 @@ files_type(certmonger_var_lib_t) @@ -12345,7 +12353,7 @@ index 550b287..b824421 100644 fs_search_cgroup_dirs(certmonger_t) -@@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t) +@@ -68,18 +83,22 @@ auth_rw_cache(certmonger_t) init_getattr_all_script_files(certmonger_t) @@ -12358,6 +12366,7 @@ index 550b287..b824421 100644 +miscfiles_manage_all_certs(certmonger_t) + +systemd_exec_systemctl(certmonger_t) ++systemd_manage_all_unit_files(certmonger_t) userdom_search_user_home_content(certmonger_t) @@ -12370,7 +12379,7 @@ index 550b287..b824421 100644 ') optional_policy(` -@@ -92,11 +110,60 @@ optional_policy(` +@@ -92,11 +111,60 @@ optional_policy(` ') optional_policy(` @@ -28930,7 +28939,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..e42654a 100644 +index 98072a3..a30b953 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) @@ -28974,7 +28983,7 @@ index 98072a3..e42654a 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,25 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,26 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -29004,10 +29013,11 @@ index 98072a3..e42654a 100644 +sysnet_relabelto_net_conf(firewalld_t) + +userdom_dontaudit_create_admin_dir(firewalld_t) ++userdom_dontaudit_manage_admin_dir(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +114,10 @@ optional_policy(` +@@ -95,6 +115,10 @@ optional_policy(` ') optional_policy(` @@ -38438,16 +38448,20 @@ index 0000000..61f2003 +userdom_use_user_terminals(iotop_t) diff --git a/ipa.fc b/ipa.fc new file mode 100644 -index 0000000..1131ca0 +index 0000000..419d280 --- /dev/null 
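Review bot: `systemd_manage_all_unit_files(certmonger_t)` grants certmonger create, write and delete access to every unit file type rather than to a unit it owns, which means a compromised certmonger could rewrite arbitrary service definitions; combined with `systemd_exec_systemctl` on the line above that amounts to control over what init runs. If the need is to edit or remove one specific unit, a narrower grant (a unit file type dedicated to certmonger, or a per-unit interface) plus a comment naming that unit would keep the domain's reach proportionate, e.g. `# certmonger rewrites its own unit file during <operation placeholder>`. The surrounding certmonger_t rule block continues outside this hunk.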
+++ b/ipa.fc -@@ -0,0 +1,21 @@ +@@ -0,0 +1,25 @@ +/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) + +/usr/lib/systemd/system/ipa-dnskeysyncd.* -- gen_context(system_u:object_r:ipa_dnskey_unit_file_t,s0) + ++/usr/lib/systemd/system/ipa-ods-exporter.* -- gen_context(system_u:object_r:ipa_ods_exporter_unit_file_t,s0) ++ +/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) + ++/usr/libexec/ipa/ipa-ods-exporter -- gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0) ++ +/usr/libexec/ipa/ipa-dnskeysyncd -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) +/usr/libexec/ipa/ipa-dnskeysync-replica -- gen_context(system_u:object_r:ipa_dnskey_exec_t,s0) + @@ -38706,10 +38720,10 @@ index 0000000..1a30961 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..81f38fe +index 0000000..e4c5d89 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,202 @@ +@@ -0,0 +1,260 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38730,12 +38744,19 @@ index 0000000..81f38fe +type ipa_dnskey_exec_t; +init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t) + ++type ipa_ods_exporter_t, ipa_domain; ++type ipa_ods_exporter_exec_t; ++init_daemon_domain(ipa_ods_exporter_t, ipa_ods_exporter_exec_t) ++ +type ipa_otpd_unit_file_t; +systemd_unit_file(ipa_otpd_unit_file_t) + +type ipa_dnskey_unit_file_t; +systemd_unit_file(ipa_dnskey_unit_file_t) + ++type ipa_ods_exporter_unit_file_t; ++systemd_unit_file(ipa_ods_exporter_unit_file_t) ++ +type ipa_log_t; +logging_log_file(ipa_log_t) + @@ -38825,6 +38846,10 @@ index 0000000..81f38fe +logging_send_syslog_msg(ipa_helper_t) + +optional_policy(` ++ dirsrv_stream_connect(ipa_helper_t) ++') ++ ++optional_policy(` + ldap_stream_connect(ipa_helper_t) +') + 
@@ -38912,6 +38937,53 @@ index 0000000..81f38fe + opendnssec_manage_var_files(ipa_dnskey_t) + opendnssec_filetrans_etc_content(ipa_dnskey_t) +') ++ ++######################################## ++# ++# ipa-ods-exporter local policy ++# ++allow ipa_ods_exporter_t self:netlink_route_socket { bind create getattr nlmsg_read }; ++allow ipa_ods_exporter_t self:udp_socket { connect create getattr }; ++allow ipa_ods_exporter_t self:unix_dgram_socket { create getopt setopt }; ++ ++manage_files_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t) ++list_dirs_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t) ++ ++manage_files_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t) ++manage_dirs_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t) ++files_tmp_filetrans(ipa_ods_exporter_t, ipa_tmp_t, { dir file }) ++ ++kernel_dgram_send(ipa_ods_exporter_t) ++ ++auth_use_nsswitch(ipa_ods_exporter_t) ++ ++corecmd_exec_bin(ipa_ods_exporter_t) ++corecmd_exec_shell(ipa_ods_exporter_t) ++ ++libs_exec_ldconfig(ipa_ods_exporter_t) ++ ++logging_send_syslog_msg(ipa_ods_exporter_t) ++ ++miscfiles_read_certs(ipa_ods_exporter_t) ++ ++sysnet_read_config(ipa_ods_exporter_t) ++ ++optional_policy(` ++ bind_search_cache(ipa_ods_exporter_t) ++') ++ ++optional_policy(` ++ dirsrv_stream_connect(ipa_ods_exporter_t) ++') ++ ++optional_policy(` ++ opendnssec_manage_var_files(ipa_ods_exporter_t) ++ opendnssec_stream_connect(ipa_ods_exporter_t) ++') ++ ++optional_policy(` ++ ldap_stream_connect(ipa_ods_exporter_t) ++') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 index 0000000..0f598ca @@ -64126,10 +64198,10 @@ index 0000000..08d0e79 +/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) diff --git a/opendnssec.if b/opendnssec.if new file mode 100644 -index 0000000..eac3932 +index 0000000..7c08157 --- /dev/null +++ b/opendnssec.if -@@ -0,0 +1,208 @@ +@@ -0,0 +1,228 @@ + +## policy for opendnssec + 
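Review bot: The new `ipa_ods_exporter_t` domain gets `corecmd_exec_shell(ipa_ods_exporter_t)` and `libs_exec_ldconfig(ipa_ods_exporter_t)` in addition to `corecmd_exec_bin`, while the same hunk also gives it write access to `ipa_var_lib_t` and, through `opendnssec_manage_var_files`, to OpenDNSSEC's state directory, which is presumably where the DNSSEC signing key data is kept; that is a wide reach for a single exporter process. If the exporter is an interpreted program, `corecmd_exec_bin` already covers the interpreter and the shell and ldconfig grants look like audit2allow carry-overs — confirm them against the recorded denials and drop whatever is not required. A one-line comment above the exec rules stating why they are needed, e.g. `# exec_bin: exporter runs under an interpreter; exec_shell needed for <reason>`, would spare the next reviewer the same question.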
@@ -64338,6 +64410,26 @@ index 0000000..eac3932 + + files_etc_filetrans($1, opendnssec_conf_t, file) +') ++ ++######################################## ++## ++## Connect to opendnssec over an unix ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opendnssec_stream_connect',` ++ gen_require(` ++ type opendnssec_t, opendnssec_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t) ++') diff --git a/opendnssec.te b/opendnssec.te new file mode 100644 index 0000000..e246d45 @@ -67604,10 +67696,10 @@ index 0000000..6ae382c + diff --git a/oracleasm.te b/oracleasm.te new file mode 100644 -index 0000000..0493b99 +index 0000000..14d642b --- /dev/null +++ b/oracleasm.te -@@ -0,0 +1,34 @@ +@@ -0,0 +1,57 @@ +policy_module(oracleasm, 1.0.0) + +######################################## 
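Review bot: The summary of the new `opendnssec_stream_connect` interface reads `## Connect to opendnssec over an unix` / `## stream socket.`; the article should be `a unix`, and the text should say which socket it covers, since the body pairs sockets of type `opendnssec_var_run_t` with the `opendnssec_t` domain. Suggested wording: `## Connect to the opendnssec daemon over a unix stream socket in its pid directory.`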
@@ -67622,19 +67714,42 @@ index 0000000..0493b99 +type oracleasm_initrc_exec_t; +init_script_file(oracleasm_initrc_exec_t) + ++type oracleasm_tmp_t; ++files_tmp_file(oracleasm_tmp_t) ++ +######################################## +# +# oracleasm local policy +# + ++allow oracleasm_t self:capability { fsetid fowner chown }; +allow oracleasm_t self:fifo_file rw_fifo_file_perms; +allow oracleasm_t self:unix_stream_socket create_stream_socket_perms; + ++manage_dirs_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t) ++manage_files_pattern(oracleasm_t, oracleasm_tmp_t, oracleasm_tmp_t) ++files_tmp_filetrans(oracleasm_t, oracleasm_tmp_t, { file dir }) ++ ++kernel_read_system_state(oracleasm_t) ++ ++auth_read_passwd(oracleasm_t) ++ ++dev_rw_sysfs(oracleasm_t) ++ +domain_use_interactive_fds(oracleasm_t) + +corecmd_exec_shell(oracleasm_t) +corecmd_exec_bin(oracleasm_t) + ++fs_getattr_xattr_fs(oracleasm_t) ++fs_list_oracleasmfs(oracleasm_t) ++fs_getattr_oracleasmfs(oracleasm_t) ++fs_setattr_oracleasmfs(oracleasm_t) ++fs_setattr_oracleasmfs_dirs(oracleasm_t) ++ ++storage_raw_read_fixed_disk(oracleasm_t) ++storage_raw_read_removable_device(oracleasm_t) ++ +optional_policy(` + mount_domtrans(oracleasm_t) +') @@ -71162,11 +71277,12 @@ index 0000000..a2cb118 + diff --git a/pki.fc b/pki.fc new file mode 100644 -index 0000000..e6592ea +index 0000000..b2b20f0 --- /dev/null +++ b/pki.fc -@@ -0,0 +1,56 @@ +@@ -0,0 +1,57 @@ +/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) ++/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) +/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) 
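Review bot: `dev_rw_sysfs(oracleasm_t)` grants read and write on every file under sysfs, which reaches far more kernel tunables than an ASM disk helper should touch; if the writes go to one specific sysfs path (block-device settings, presumably), a dedicated type with a narrow interface, or `dev_read_sysfs(oracleasm_t)` plus just that write, keeps the rest of sysfs read-only. The `storage_raw_read_fixed_disk`, `storage_raw_read_removable_device` and `self:capability { fsetid fowner chown }` grants are consistent with a script that scans disks and re-owns device nodes under `/dev/oracleasm`, but nothing in the hunk says so; a comment such as `# scans raw disks and chowns /dev/oracleasm nodes to the ASM owner` would record the intent behind the capability set.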
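Review bot: The new file context `/etc/pki/pki-tomcat/ca/(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)` has a stray slash before the optional group, so the regex only matches the literal `/etc/pki/pki-tomcat/ca/` or paths containing `ca//`; setfiles/restorecon match against normalized paths, so in practice nothing under `ca` gets `pki_tomcat_cert_t` and the subtree keeps the broader `pki_tomcat_etc_rw_t` label from the entry above it, contrary to the changelog's intent. The line should follow its neighbours: `/etc/pki/pki-tomcat/ca(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)`. Being the longer literal prefix, the corrected entry then takes precedence over `/etc/pki/pki-tomcat(/.*)?` for the whole `ca` tree.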
@@ -109710,6 +109826,295 @@ index 7745b72..329c3d8 100644 files_search_var(ucspitcp_t) sysnet_read_config(ucspitcp_t) +diff --git a/udisks2.fc b/udisks2.fc +new file mode 100644 +index 0000000..c8aa54d +--- /dev/null ++++ b/udisks2.fc +@@ -0,0 +1,8 @@ ++/usr/lib/systemd/system/udisks2.* -- gen_context(system_u:object_r:udisks2_unit_file_t,s0) ++ ++/usr/libexec/udisks2/udisksd -- gen_context(system_u:object_r:udisks2_exec_t,s0) ++/usr/bin/udisksctl -- gen_context(system_u:object_r:udisks2_exec_t,s0) ++ ++/var/lib/udisks2(/.*)? gen_context(system_u:object_r:udisks2_var_lib_t,s0) ++ ++/var/run/udisks2(/.*)? gen_context(system_u:object_r:udisks2_var_run_t,s0) +diff --git a/udisks2.if b/udisks2.if +new file mode 100644 +index 0000000..45304ea +--- /dev/null ++++ b/udisks2.if +@@ -0,0 +1,206 @@ ++## udisks - Disk Manager ++ ++######################################## ++## ++## Execute udisks2_exec_t in the udisks2 domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`udisks2_domtrans',` ++ gen_require(` ++ type udisks2_t, udisks2_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, udisks2_exec_t, udisks2_t) ++') ++ ++###################################### ++## ++## Execute udisks2 in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udisks2_exec',` ++ gen_require(` ++ type udisks2_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, udisks2_exec_t) ++') ++ ++######################################## ++## ++## Search udisks2 lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udisks2_search_lib',` ++ gen_require(` ++ type udisks2_var_lib_t; ++ ') ++ ++ allow $1 udisks2_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read udisks2 lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`udisks2_read_lib_files',` ++ gen_require(` ++ type udisks2_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t) ++') ++ ++######################################## ++## ++## Manage udisks2 lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udisks2_manage_lib_files',` ++ gen_require(` ++ type udisks2_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t) ++') ++ ++######################################## ++## ++## Manage udisks2 lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udisks2_manage_lib_dirs',` ++ gen_require(` ++ type udisks2_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, udisks2_var_lib_t, udisks2_var_lib_t) ++') ++ ++######################################## ++## ++## Read udisks2 PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`udisks2_read_pid_files',` ++ gen_require(` ++ type udisks2_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, udisks2_var_run_t, udisks2_var_run_t) ++') ++ ++######################################## ++## ++## Execute udisks2 server in the udisks2 domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`udisks2_systemctl',` ++ gen_require(` ++ type udisks2_t; ++ type udisks2_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 udisks2_unit_file_t:file read_file_perms; ++ allow $1 udisks2_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, udisks2_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an udisks2 environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`udisks2_admin',` ++ gen_require(` ++ type udisks2_t; ++ type udisks2_var_lib_t; ++ type udisks2_var_run_t; ++ type udisks2_unit_file_t; ++ ') ++ ++ allow $1 udisks2_t:process { signal_perms }; ++ ps_process_pattern($1, udisks2_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 udisks2_t:process ptrace; ++ ') ++ ++ files_search_var_lib($1) ++ admin_pattern($1, udisks2_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, udisks2_var_run_t) ++ ++ udisks2_systemctl($1) ++ admin_pattern($1, udisks2_unit_file_t) ++ allow $1 udisks2_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/udisks2.te b/udisks2.te +new file mode 100644 +index 0000000..5312470 +--- /dev/null ++++ b/udisks2.te +@@ -0,0 +1,57 @@ ++policy_module(udisks2, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type udisks2_t; ++type udisks2_exec_t; ++init_daemon_domain(udisks2_t, udisks2_exec_t) ++ ++type udisks2_var_lib_t; ++files_type(udisks2_var_lib_t) ++ ++type udisks2_var_run_t; ++files_pid_file(udisks2_var_run_t) ++ ++type udisks2_unit_file_t; ++systemd_unit_file(udisks2_unit_file_t) ++ ++######################################## ++# ++# udisks2 local policy ++# ++allow udisks2_t self:capability { sys_rawio }; ++allow udisks2_t self:unix_stream_socket create_stream_socket_perms; ++allow udisks2_t self:netlink_kobject_uevent_socket { bind create getattr setopt }; ++ ++manage_dirs_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t) ++manage_files_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t) ++manage_lnk_files_pattern(udisks2_t, udisks2_var_lib_t, udisks2_var_lib_t) ++files_var_lib_filetrans(udisks2_t, udisks2_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t) ++manage_files_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t) 
++manage_lnk_files_pattern(udisks2_t, udisks2_var_run_t, udisks2_var_run_t) ++files_pid_filetrans(udisks2_t, udisks2_var_run_t, { dir file lnk_file }) ++ ++kernel_read_system_state(udisks2_t) ++ ++auth_use_nsswitch(udisks2_t) ++ ++dev_read_sysfs(udisks2_t) ++ ++logging_send_syslog_msg(udisks2_t) ++ ++storage_raw_read_fixed_disk(udisks2_t) ++ ++udev_read_db(udisks2_t) ++ ++optional_policy(` ++ dbus_system_bus_client(udisks2_t) ++') ++ ++optional_policy(` ++ policykit_dbus_chat(udisks2_t) ++') diff --git a/ulogd.if b/ulogd.if index 9b95c3e..a892845 100644 --- a/ulogd.if @@ -111153,10 +111558,10 @@ index 3d11c6a..b19a117 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index a4f20bc..d8b1fd1 100644 +index a4f20bc..f3d5b04 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,51 +1,109 @@ +@@ -1,51 +1,111 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -111299,6 +111704,8 @@ index a4f20bc..d8b1fd1 100644 + +/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) + ++/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0) ++ +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) + @@ -113392,7 +113799,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..25d26d4 100644 +index f03dcf5..a4e5bf6 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ 
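Review bot: `/usr/bin/udisksctl -- gen_context(system_u:object_r:udisks2_exec_t,s0)` gives the user-facing D-Bus client the same exec type as the daemon, so any domain granted `udisks2_domtrans` would run `udisksctl` inside `udisks2_t`, a domain that this hunk equips with `self:capability { sys_rawio }` and `storage_raw_read_fixed_disk` (raw read of every fixed disk). The client only needs the system bus to reach the daemon, so drop that line (the binary then falls back to `bin_t`) or give it its own type if a transition is ever wanted. The daemon side grants raw disk read and `dev_read_sysfs` but no mount, write or device-management rules; if udisksd is expected to mount and format media those denials will arrive as audit2allow churn, so a comment stating the intended scope, e.g. `# udisksd: device enumeration/monitoring only; mount/format rules not yet covered`, would set expectations.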
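Review bot: `/var/lib/kubelet(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)` puts the kubelet's entire state directory into the shared container-writable type, at plain `s0` with no categories, so anything under it that the runtime has not relabelled with a pod's MCS categories — kubelet-owned state and other pods' volumes included, if they are left at the file-context label — is readable and writable by every container domain. If the goal is only to let pod volumes be bind-mounted into containers, limit the sandbox type to the per-pod subtree, e.g. `/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:svirt_sandbox_file_t,s0)`, and leave the rest of `/var/lib/kubelet` on a type only the kubelet and runtime domains can write. Whether per-pod relabelling with categories actually happens for these paths depends on the container runtime, which is not visible here.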
@@ -114974,7 +115381,7 @@ index f03dcf5..25d26d4 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1258,355 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1258,357 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -114984,22 +115391,24 @@ index f03dcf5..25d26d4 100644 +sysnet_exec_ifconfig(virtd_lxc_t) -auth_use_nsswitch(virtd_lxc_t) -+userdom_read_admin_home_files(virtd_lxc_t) ++systemd_dbus_chat_machined(virtd_lxc_t) -logging_send_syslog_msg(virtd_lxc_t) ++userdom_read_admin_home_files(virtd_lxc_t) + +-miscfiles_read_localization(virtd_lxc_t) +optional_policy(` + dbus_system_bus_client(virtd_lxc_t) + init_dbus_chat(virtd_lxc_t) --miscfiles_read_localization(virtd_lxc_t) +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) + optional_policy(` + hal_dbus_chat(virtd_lxc_t) + ') +') - --seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) --seutil_read_default_contexts(virtd_lxc_t) ++ +optional_policy(` + docker_exec_lib(virtd_lxc_t) +') 
@@ -115223,20 +115632,18 @@ index f03dcf5..25d26d4 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) - ') - - optional_policy(` -- apache_exec_modules(svirt_lxc_domain) -- apache_read_sys_content(svirt_lxc_domain) -+ gear_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` ++ gear_read_pid_files(svirt_sandbox_domain) ++') + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + @@ -115270,9 +115677,11 @@ index f03dcf5..25d26d4 100644 + fs_manage_fusefs_dirs(svirt_sandbox_domain) + fs_manage_fusefs_files(svirt_sandbox_domain) + fs_manage_fusefs_symlinks(svirt_sandbox_domain) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- apache_exec_modules(svirt_lxc_domain) +- apache_read_sys_content(svirt_lxc_domain) + docker_read_share_files(svirt_sandbox_domain) + docker_exec_share_files(svirt_sandbox_domain) + docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) @@ -115471,7 +115880,7 @@ index f03dcf5..25d26d4 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1619,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1621,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115486,7 +115895,7 @@ index f03dcf5..25d26d4 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1637,7 @@ optional_policy(` +@@ -1192,7 +1639,7 @@ optional_policy(` ######################################## # 
@@ -115495,7 +115904,7 @@ index f03dcf5..25d26d4 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1646,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1648,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index a81eca1..483ed2c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 210%{?dist} +Release: 211%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -648,6 +648,23 @@ exit 0 %endif %changelog +* Thu Aug 25 2016 Lukas Vrabec 3.13.1-211 +- Add new domain ipa_ods_exporter_t BZ(1366640) +- Create new interface opendnssec_stream_connect() +- Allow systemd-machined to communicate to lxc container using dbus +- Dontaudit accountsd domain creating dirs in /root +- Add new policy for Disk Manager called udisks2 +- Dontaudit firewalld wants write to /root +- Label /etc/pki/pki-tomcat/ca/ as pki_tomcat_cert_t +- Allow certmonger to manage all systemd unit files +- Allow ipa_helper_t stream connect to dirsrv_t domain +- Update oracleasm SELinux module +- label /var/lib/kubelet as svirt_sandbox_file_t +- Allow systemd to create blk and chr files with correct label in /var/run/systemd/inaccessible BZ(1367280) +- Label /usr/libexec/gsd-backlight-helper as xserver_exec_t. This allows also confined users to manage screen brightness +- Add new userdom_dontaudit_manage_admin_dir() interface +- Label /dev/oracleasmfs as oracleasmfs_t. Add few interfaces related to oracleasmfs_t type + * Tue Aug 23 2016 Lukas Vrabec 3.13.1-210 - Add few interfaces to cloudform.if file - Label /var/run/corosync-qnetd and /var/run/corosync-qdevice as cluster_var_run_t. Note: corosync policy is now par of rhcs module