diff --git a/policy-F16.patch b/policy-F16.patch index 848fc92..f8bdf5a 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1,5 +1,5 @@ diff --git a/Makefile b/Makefile -index b8486a0..72a53cc 100644 +index b8486a0..eadfda5 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule @@ -19,6 +19,15 @@ index b8486a0..72a53cc 100644 net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +@@ -406,7 +407,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke + @echo "#" >> $@ + $(verbose) cat $@.in >> $@ + $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ +- | $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \ ++ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \ + | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ + + $(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in diff --git a/Rules.modular b/Rules.modular index 168a14f..c2bf491 100644 --- a/Rules.modular @@ -4944,10 +4953,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..9a0377f 100644 +index f5afe78..89acd12 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,768 @@ +@@ -1,44 +1,786 @@ ## GNU network object model environment (GNOME) -############################################################ 
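Review bot: The `$(M4)` stage changed here sits in the middle of a multi-line recipe that appends into `$@` with `>>`, so if `m4` fails (or `$(m4divert)`/`$(m4undivert)` expand to something unexpected) the pipeline's status is that of the trailing `sed`, and a half-written corenetwork.if is left looking up to date. Declaring `.DELETE_ON_ERROR:` in the Makefile, or running the recipe under `set -o pipefail`, makes that failure visible instead of silent. A why-comment on the new line would also help the next reader: `# divert/undivert around the macro file so its definitions emit no stray text into $@`. The `$(moddir)/kernel/corenetwork.if` rule starts outside this hunk, and the `m4divert`/`m4undivert` definitions are not visible here, so I could not confirm what they expand to.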
@@ -5395,23 +5404,41 @@ index f5afe78..9a0377f 100644 + +####################################### +## -+## Manage gconf data home files ++## Read generic data home files. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_generic_data_home_files',` ++ gen_require(` ++ type data_home_t, gconf_home_t; ++ ') ++ ++ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) ++') ++ ++####################################### ++## ++## Manage gconf data home files ++## ++## ++## ++## Domain allowed access. ++## +## +# +interface(`gnome_manage_data',` -+ gen_require(` -+ type data_home_t; -+ type gconf_home_t; -+ ') ++ gen_require(` ++ type data_home_t; ++ type gconf_home_t; ++ ') + + allow $1 gconf_home_t:dir search_dir_perms; + manage_dirs_pattern($1, data_home_t, data_home_t) -+ manage_files_pattern($1, data_home_t, data_home_t) ++ manage_files_pattern($1, data_home_t, data_home_t) + manage_lnk_files_pattern($1, data_home_t, data_home_t) +') + @@ -5734,7 +5761,7 @@ index f5afe78..9a0377f 100644 ## ## ## -@@ -46,37 +770,60 @@ interface(`gnome_role',` +@@ -46,37 +788,60 @@ interface(`gnome_role',` ## ## # @@ -5806,7 +5833,7 @@ index f5afe78..9a0377f 100644 ## ## ## -@@ -84,37 +831,38 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +849,38 @@ template(`gnome_read_gconf_config',` ## ## # @@ -5856,7 +5883,7 @@ index f5afe78..9a0377f 100644 ## ## ## -@@ -122,17 +870,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +888,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -5878,7 +5905,7 @@ index f5afe78..9a0377f 100644 ## ## ## -@@ -140,51 +888,335 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +906,335 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -10685,17 +10712,16 @@ index 7590165..7e6f53c 100644 + fs_mounton_fusefs(seunshare_domain) +') 
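Review bot: `gnome_read_generic_data_home_files` grants more than its summary says: `gconf_home_t` is passed as the directory argument of `read_files_pattern`, so callers also get `search` on `gconf_home_t` directories, not only read access to `data_home_t` files. If that search is only there for path traversal to `~/.local/share`, say so in the header, e.g. `## Read generic data home files (also searches gconf_home_t dirs on the path).`, so a later maintainer does not tighten or widen it by accident. The reindentation of `gnome_manage_data` in the same hunk is whitespace-only; its summary `Manage gconf data home files` predates this change but still names gconf while the body manages `data_home_t`.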
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc -index b07ee19..5d12aa3 100644 +index b07ee19..a275bd6 100644 --- a/policy/modules/apps/telepathy.fc +++ b/policy/modules/apps/telepathy.fc -@@ -1,8 +1,12 @@ +@@ -1,8 +1,11 @@ HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) -HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) +HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) -+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) ++HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) -+HOME_DIR/\.cache/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) +HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0) +HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0) @@ -10895,7 +10921,7 @@ index 3cfb128..d49274d 100644 + gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..58f8728 100644 +index 2533ea0..b4888b3 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -26,12 +26,18 @@ attribute telepathy_executable; 
@@ -10927,22 +10953,23 @@ index 2533ea0..58f8728 100644 type telepathy_mission_control_cache_home_t; userdom_user_home_content(telepathy_mission_control_cache_home_t) -@@ -67,6 +76,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble +@@ -67,6 +76,15 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) -+# ~/.cache/gabble/caps-cache.db-journal ++# ~/.cache/telepathy/gabble/caps-cache.db-journal +optional_policy(` -+ manage_dirs_pattern(telepathy_gabble_t, { telepathy_cache_home_t telepathy_gabble_cache_home_t } , { telepathy_cache_home_t telepathy_gabble_cache_home_t }) ++ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) + manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, { dir file }) -+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir) ++ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir) ++ # ~/.cache/wocky ++ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir) +') + corenet_all_recvfrom_netlabel(telepathy_gabble_t) corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -@@ -112,6 +129,10 @@ optional_policy(` +@@ -112,6 +130,10 @@ optional_policy(` dbus_system_bus_client(telepathy_gabble_t) ') 
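Review bot: The new `gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir)` carries no name filter, so every directory gabble creates directly under `~/.cache` is labelled `telepathy_gabble_cache_home_t`, not just the `~/.cache/wocky` the comment and the fc entry describe; the unnamed `filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)` has the same effect inside `~/.cache/telepathy`, where a `logger` directory created first by gabble would end up with gabble's type. Named transitions are already used elsewhere in this patch (`"telepathy"` on telepathy_domain's rule later in the file), so restricting these is cheap: `gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")` and, if this policy base's `filetrans_pattern` accepts the name argument, `filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")`. Only `gnome_cache_filetrans` depends on the gnome module, so the `manage_*_pattern` lines need not sit inside the `optional_policy` wrapper, though leaving them there is harmless.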
@@ -10953,14 +10980,13 @@ index 2533ea0..58f8728 100644 ####################################### # # Telepathy Idle local policy. -@@ -147,10 +168,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -147,10 +169,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; -+manage_dirs_pattern(telepathy_logger_t, { telepathy_cache_home_t telepathy_logger_cache_home_t }, { telepathy_cache_home_t telepathy_logger_cache_home_t }) ++manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, { dir file }) -+gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir) ++filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir) manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) @@ -11033,7 +11059,14 @@ index 2533ea0..58f8728 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -365,10 +418,9 @@ dev_read_urand(telepathy_domain) +@@ -361,14 +414,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms; + allow telepathy_domain self:tcp_socket create_socket_perms; + allow telepathy_domain self:udp_socket create_socket_perms; + ++manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t) ++gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy") ++ + dev_read_urand(telepathy_domain) kernel_read_system_state(telepathy_domain) 
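Review bot: `filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)` is unnamed, so the logger labels any directory it creates under `~/.cache/telepathy` as its own cache type, while the fc entry scopes `telepathy_logger_cache_home_t` to `logger(/.*)?`; a `gabble` directory created first by the logger would get the wrong label until a relabel. The second hunk shows the form to follow — `gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")` — so `filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")` keeps rule and file context in step, assuming this base's `filetrans_pattern` takes the name argument as the gnome_* variants do. Moving `manage_dirs_pattern` on `telepathy_cache_home_t` to the `telepathy_domain` attribute lets every telepathy component create and remove entries in the shared parent; that looks intended, and a one-line comment above it (`# shared ~/.cache/telepathy parent; components get their own subdir types`) would record it.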
@@ -11045,7 +11078,7 @@ index 2533ea0..58f8728 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +428,23 @@ optional_policy(` +@@ -376,5 +431,23 @@ optional_policy(` ') optional_policy(` @@ -11166,10 +11199,10 @@ index 0000000..b78aa77 + diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..fc5b449 +index 0000000..cc502a0 --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,123 @@ +@@ -0,0 +1,73 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -11182,15 +11215,6 @@ index 0000000..fc5b449 +application_domain(thumb_t, thumb_exec_t) +ubac_constrained(thumb_t) + -+role system_r types thumb_t; # why is system_r needed -+ -+# this is for liborc: ~/orcexec.* -+# these should normally go to /tmp but it goes to ~ if not executable in /tmp -+# there is also a bug in liborc where it does to ~ by default -+# no longer needed orc fix available -+# type thumb_home_t; -+#userdom_user_home_content(thumb_home_t) -+ +type thumb_tmp_t; +files_tmp_file(thumb_tmp_t) +ubac_constrained(thumb_tmp_t) 
@@ -11200,42 +11224,24 @@ index 0000000..fc5b449 +# thumb local policy +# + -+# execmem is for totem-video-thumbnailer +allow thumb_t self:process { setsched signal setrlimit execmem }; -+ +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; -+ -+# please reproduce this, because i cannot -+# manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t) -+# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir) -+ -+# for totem-video-thumbnailer +allow thumb_t self:netlink_route_socket r_netlink_socket_perms; +allow thumb_t self:udp_socket create_socket_perms; +allow thumb_t self:tcp_socket create_socket_perms; + -+# gst-plugin-scanner/liborc, ~/orcexec.* -+# no longer need fix in latest orc package -+# exec_files_pattern(thumb_t, thumb_home_t, thumb_home_t) -+# manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) -+# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file) -+ +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) -+# please reproduce this, because it cannot -+# userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file) +files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir }) + +kernel_read_system_state(thumb_t) + +domain_use_interactive_fds(thumb_t) + -+# /usr/libexec/gstreamer.*/gst-plugin-scanner +corecmd_exec_bin(thumb_t) + -+# gst-plugin-scanner +dev_read_sysfs(thumb_t) + +domain_use_interactive_fds(thumb_t) 
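Review bot: `domain_use_interactive_fds(thumb_t)` is now called twice in this hunk (once after `kernel_read_system_state`, again after `dev_read_sysfs`); drop the second. The hunk also strips the comments that justified the broad grants, and `execmem` in `allow thumb_t self:process { setsched signal setrlimit execmem }` is exactly the permission a reviewer needs a reason for on a domain whose job is decoding untrusted media — the removed note tied it to totem-video-thumbnailer. Keep a why-comment, e.g. `# execmem: totem-video-thumbnailer needs it; weakens W^X for a parser of untrusted input`, and likewise for the `tcp_socket`/`udp_socket` and `corecmd_exec_bin` lines (the old text attributed them to totem and gst-plugin-scanner); if the distribution is willing, a boolean around `execmem` would let hardened installs turn it off. The thumb_t local-policy section continues in the next hunk.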
@@ -11246,51 +11252,28 @@ index 0000000..fc5b449 +miscfiles_read_fonts(thumb_t) +miscfiles_read_localization(thumb_t) + -+# totem-video-thumbnailer +sysnet_read_config(thumb_t) + -+# read files to be thumbed +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) -+# .gnome_desktop_thumbnail.* is created by something in the user domain. -+# probably libgnome. +userdom_write_user_tmp_files(thumb_t) + +userdom_use_inherited_user_ptys(thumb_t) + -+# optional_policy(` -+# gnome_read_gconf_home_files(thumb_t) -+# gnome_read_gstreamer_home_content(thumb_t) -+# ') -+ -+# please reproduce this, because i cannot -+# optional_policy(` -+# gnome_read_gconf_home_files(thumb_t) -+# ') -+ -+# these two are inherited -+# should probably create and call xserver_ra_inherited_xdm_home_files() +xserver_read_xdm_home_files(thumb_t) +xserver_append_xdm_home_files(thumb_t) -+# seems to not be needed +xserver_dontaudit_read_xdm_pid(thumb_t) -+# this is required for totem-video-thumbnailer -+# although thumb does not need to write xserver_tmp_t sock_files -+# we probably want a xserver_connect to support but unix stream socket -+# connections as well tcp connections -+# allow thumb_t xserver_port_t:tcp_socket name_connect; +xserver_stream_connect(thumb_t) + +optional_policy(` -+ # This seems not strictly needed + dbus_dontaudit_stream_connect_session_bus(thumb_t) ++ dbus_dontaudit_chat_session_bus(thumb_t) +') + +optional_policy(` -+ # this seems to work -+ # thumb_t tries to search data_home_t, config_home_t and gconf_home_t ++ # .config + gnome_dontaudit_search_config(thumb_t) -+ # totem-video-thumbnailer ++ gnome_read_generic_data_home_files(thumb_t) + gnome_manage_gstreamer_home_files(thumb_t) +') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te 
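Review bot: `gnome_read_generic_data_home_files(thumb_t)` gives the thumbnailer read access to everything labelled `data_home_t` under the user's data directory, on top of `userdom_read_user_home_content_files` and the `xserver_stream_connect` already present, so a compromised decoder reads more of the user's state than before. If a specific file under `~/.local/share` is what the thumbnailers need, a narrower type would be preferable; failing that, name it, e.g. `# gnome_read_generic_data_home_files: needed by <tool> for <file> — TODO confirm`. The replacement comment `# .config` above `gnome_dontaudit_search_config` is less informative than the line it replaced; `# dontaudit searches of ~/.config, ~/.local/share and gconf dirs` kept the original detail. The new `dbus_dontaudit_chat_session_bus(thumb_t)` hides session-bus `send_msg` denials, which is fine for noise but should be revisited if thumbnailers ever legitimately need the bus.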
@@ -13563,25 +13546,40 @@ index 99b71cb..17d942f 100644 +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4 -index 35fed4f..e0c8f51 100644 +index 35fed4f..51ad69a 100644 --- a/policy/modules/kernel/corenetwork.te.m4 
+++ b/policy/modules/kernel/corenetwork.te.m4 -@@ -81,7 +81,13 @@ declare_nodes($1_node_t,shift($*)) - define(`declare_ports',`dnl - ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; - ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl') +@@ -77,23 +77,37 @@ type $1_node_t alias node_$1_t, node_type; + declare_nodes($1_node_t,shift($*)) + ') + +-# bindresvport in glibc starts searching for reserved ports at 512 +-define(`declare_ports',`dnl +-ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type; +-ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl') -',`dnl') -+',` -+ifelse(eval(range_start($3) < 32768),1,`typeattribute $1 unreserved_port_type;',` -+ ifelse(eval(range_start($3) > 61001),1,`typeattribute $1 unreserved_port_type;',` -+ typeattribute $1 ephemeral_port_type; -+ ') -+ ') -+') ++define(`declare_portcons',`dnl portcon $2 $3 gen_context(system_u:object_r:$1,$4) - ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl +-ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl ++ifelse(`$5',`',`',`declare_portcons($1,shiftn(4,$*))')dnl ++') ++ ++define(`add_port_attribute',`dnl ++ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;') ++') ++ ++define(`add_ephemeral_attribute',`dnl ++ifelse(eval(range_start($3) >= 32768 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type; ++',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl ++') ++ ++# bindresvport in glibc starts searching for reserved ports at 512 ++define(`add_rpc_attribute',`dnl ++ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type; ++',`ifelse(`$5',`',`',`add_rpc_attribute($1,shiftn(4,$*))')')dnl ') -@@ -90,7 +96,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl + + # # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum 
mls_sensitivity[,...]]) # define(`network_port',` @@ -13589,7 +13587,14 @@ index 35fed4f..e0c8f51 100644 +type $1_port_t, port_type, defined_port_type; type $1_client_packet_t, packet_type, client_packet_type; type $1_server_packet_t, packet_type, server_packet_type; - declare_ports($1_port_t,shift($*))dnl +-declare_ports($1_port_t,shift($*))dnl ++ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl ++ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl ++ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl ++ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl + ') + + # diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 6cf8784..935a96c 100644 --- a/policy/modules/kernel/devices.fc @@ -15075,10 +15080,45 @@ index 08f01e7..1c2562c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..cf3d50b 100644 +index 6a1e4d1..3ded83e 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if -@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',` +@@ -75,34 +75,6 @@ interface(`domain_base_type',` + interface(`domain_type',` + # start with basic domain + domain_base_type($1) +- +- ifdef(`distro_redhat',` +- optional_policy(` +- unconfined_use_fds($1) +- ') +- ') +- +- # send init a sigchld and signull +- optional_policy(` +- init_sigchld($1) +- init_signull($1) +- ') +- +- # these seem questionable: +- +- optional_policy(` +- rpm_use_fds($1) +- rpm_read_pipes($1) +- ') +- +- optional_policy(` +- selinux_dontaudit_getattr_fs($1) +- selinux_dontaudit_read_fs($1) +- ') +- +- optional_policy(` +- seutil_dontaudit_read_config($1) +- ') + ') + + ######################################## +@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',` ######################################## ## 
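Review bot: `add_port_attribute($1_port_t,$3)` looks only at the first port range of a `network_port()` call, whereas `add_rpc_attribute` and `add_ephemeral_attribute` recurse over every range and the replaced `declare_ports` classified each range on its own; a port type declared with a reserved range after an unreserved one (or the reverse) now carries only one of `reserved_port_type`/`unreserved_port_type`, which changes which domains may bind it through the interfaces keyed on those attributes. Either recurse like the siblings (sketched below — check that a repeated `typeattribute` for the same type is accepted by the compiler, as the old code could also emit it) or state in a comment that only the first range decides. Two smaller shifts deserve a note as well: ephemeral ranges now also receive `unreserved_port_type` (the old branch gave them `ephemeral_port_type` alone), and the upper bound moved from `> 61001` to `< 61001`, so a range starting at exactly 61001 is no longer ephemeral. The `network_port` definition continues past the hunk.
```m4
define(`add_port_attribute',`dnl
ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
',`typeattribute $1 unreserved_port_type;
')dnl
ifelse(`$5',`',`',`add_port_attribute($1,shiftn(4,$*))')dnl
')
dnl ... unchanged: add_ephemeral_attribute, add_rpc_attribute ...
ifelse(`$2',`',`',`add_port_attribute($1_port_t,shift($*))')dnl
```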
@@ -15087,7 +15127,7 @@ index 6a1e4d1..cf3d50b 100644 ## ## ## -@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',` +@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',` ## ## ## @@ -15096,7 +15136,7 @@ index 6a1e4d1..cf3d50b 100644 ## ## # -@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',` +@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -15127,7 +15167,7 @@ index 6a1e4d1..cf3d50b 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..00e20f7 100644 +index fae1ab1..db2a183 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -15220,7 +15260,7 @@ index fae1ab1..00e20f7 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -15312,6 +15352,33 @@ index fae1ab1..00e20f7 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; + ++ifdef(`distro_redhat',` ++ optional_policy(` ++ unconfined_use_fds(domain) ++ ') ++') ++ ++# send init a sigchld and signull ++optional_policy(` ++ init_sigchld(domain) ++ init_signull(domain) ++') ++ ++# these seem questionable: ++ ++optional_policy(` ++ rpm_use_fds(domain) ++ rpm_read_pipes(domain) ++') ++ ++optional_policy(` ++ selinux_dontaudit_getattr_fs(domain) ++ selinux_dontaudit_read_fs(domain) ++') ++ ++optional_policy(` ++ seutil_dontaudit_read_config(domain) ++') 
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index c19518a..12e8e9c 100644 --- a/policy/modules/kernel/files.fc @@ -31557,7 +31624,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 1a1becd..0ca1861 100644 +index 1a1becd..843d5fd 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -31676,11 +31743,11 @@ index 1a1becd..0ca1861 100644 - - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) - +- - term_use_all_terms($1_dbusd_t) - - userdom_read_user_home_content_files($1_dbusd_t) -- + - ifdef(`hide_broken_symptoms', ` - dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write }; - ') @@ -31848,7 +31915,7 @@ index 1a1becd..0ca1861 100644 ## ## ## -@@ -491,10 +433,31 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -491,10 +433,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -31882,6 +31949,26 @@ index 1a1becd..0ca1861 100644 + ') + + dontaudit $1 session_bus_type:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Do not audit attempts to send dbus ++## messages to session bus types. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dbus_dontaudit_chat_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ class dbus send_msg; ++ ') ++ ++ dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 1bff6ee..9540fee 100644 @@ -37457,10 +37544,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') 
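Review bot: Moving `unconfined_use_fds`, `init_sigchld`/`init_signull`, `rpm_use_fds`/`rpm_read_pipes` and the selinux/seutil dontaudits from `domain_type()` onto the `domain` attribute applies them to every type carrying that attribute; if `domain_base_type()` also assigns it — which this hunk does not show — domains that deliberately used the base interface to avoid these grants now get them too. The `# these seem questionable:` comment carried over from domain.if suggests the rpm fd/pipe access was never re-examined, and attribute-wide is a wider blast radius than per-type. Record the decision above the block, e.g. `# Applied attribute-wide (formerly only via domain_type()); intentionally covers every domain on distro_redhat`, or keep the calls in `domain_type()` if the widening is not intended.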
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..86ba356 100644 +index 4fde46b..95d52e4 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -37479,15 +37566,16 @@ index 4fde46b..86ba356 100644 +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) --auth_use_nsswitch(gnomeclock_t) +fs_getattr_xattr_fs(gnomeclock_t) ++ + auth_use_nsswitch(gnomeclock_t) -clock_domtrans(gnomeclock_t) -+auth_use_nsswitch(gnomeclock_t) ++init_stream_send(gnomeclock_t) miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -59192,7 +59280,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..52df08a 100644 +index 3eca020..812f226 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0) @@ -59736,7 +59824,7 @@ index 3eca020..52df08a 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +635,319 @@ optional_policy(` +@@ -457,8 +635,320 @@ optional_policy(` ') optional_policy(` @@ -59817,6 +59905,7 @@ index 3eca020..52df08a 100644 + xen_manage_image_dirs(virsh_t) + xen_append_log(virsh_t) + xen_domtrans(virsh_t) ++ xen_read_pid_files_xenstored(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') @@ -76509,10 +76598,37 @@ index a865da7..a5ed06e 100644 ') 
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if -index 77d41b6..4aa96c6 100644 +index 77d41b6..7ccb440 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if -@@ -87,6 +87,26 @@ interface(`xen_read_image_files',` +@@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',` + dontaudit $1 xend_t:fd use; + ') + ++####################################### ++## ++## Read xend pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xen_read_pid_files_xenstored',` ++ gen_require(` ++ type xenstored_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ ++ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t) ++') ++ + ######################################## + ## + ## Read xend image files. +@@ -87,6 +107,26 @@ interface(`xen_read_image_files',` ## ## # @@ -76539,7 +76655,7 @@ index 77d41b6..4aa96c6 100644 interface(`xen_rw_image_files',` gen_require(` type xen_image_t, xend_var_lib_t; -@@ -213,8 +233,9 @@ interface(`xen_stream_connect',` +@@ -213,8 +253,9 @@ interface(`xen_stream_connect',` interface(`xen_domtrans_xm',` gen_require(` type xm_t, xm_exec_t; @@ -76550,7 +76666,7 @@ index 77d41b6..4aa96c6 100644 domtrans_pattern($1, xm_exec_t, xm_t) ') -@@ -230,7 +251,7 @@ interface(`xen_domtrans_xm',` +@@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 70e048a..25fe1b9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -246,7 +246,7 @@ Based off of reference policy: Checked out revision 2.20091117 %patch2 -p1 %patch3 -p1 %patch4 -p1 -b .execmem -%patch5 -p1 -b .userdomain +#%patch5 -p1 -b .userdomain %patch6 -p1 -b .apache #%patch7 -p1 -b .ptrace
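Review bot: The header of `xen_read_pid_files_xenstored` reads `Read xend pid files.` but the body grants read on `xenstored_var_run_t`, and the name departs from the `xen_<verb>_<object>` form of its neighbours (`xen_read_image_files`, `xen_stream_connect_xenstore`). Either rename it `xen_read_xenstored_pid_files` (and update the `virsh_t` caller added earlier in this diff) or at least fix the summary to `## Read xenstored pid files.`. The comment banner above it is the short `#######` form where the adjacent interfaces use the full-width `########################################` line. The selinux-policy.spec hunk at the end of the chunk is cut off, so it was not reviewed.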