diff --git a/modules-mls.conf b/modules-mls.conf index d22f31f..8b6117e 100644 --- a/modules-mls.conf +++ b/modules-mls.conf @@ -933,6 +933,24 @@ ntop = module nslcd = module # Layer: apps +<<<<<<< HEAD +||||||| merged common ancestors +# Module: nsplugin +# +# Policy for nspluginwrapper +# +nsplugin = module + +# Layer: apps +======= +# Module: nsplugin +# +# Policy for nspluginwrapper +# +#nsplugin = module + +# Layer: apps +>>>>>>> 51bad8c183c97b813d9b5250ab04c5bb2a3c45f8 # Module: mplayer # # Policy for Mozilla and related web browsers diff --git a/policy-F16.patch b/policy-F16.patch index 8275a64..ca71a31 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1620,7 +1620,7 @@ index 75ce30f..63310a1 100644 + cron_use_system_job_fds(logwatch_mail_t) +') diff --git a/policy/modules/admin/mcelog.fc b/policy/modules/admin/mcelog.fc -index 56c43c0..0641226 100644 +index 56c43c0..409bbfc 100644 --- a/policy/modules/admin/mcelog.fc +++ b/policy/modules/admin/mcelog.fc @@ -1 +1,5 @@ @@ -1628,9 +1628,9 @@ index 56c43c0..0641226 100644 + +/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0) + -+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0) ++/var/run/mcelog.* gen_context(system_u:object_r:mcelog_var_run_t,s0) diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te -index 5671977..ea06507 100644 +index 5671977..8ddc091 100644 --- a/policy/modules/admin/mcelog.te +++ b/policy/modules/admin/mcelog.te @@ -7,8 +7,14 @@ policy_module(mcelog, 1.1.0) @@ -1660,7 +1660,7 @@ index 5671977..ea06507 100644 +manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) +manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t) -+files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file ) ++files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } ) + kernel_read_system_state(mcelog_t) @@ -2151,7 +2151,7 @@ index 93ec175..0e42018 100644 ') ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..ec838bd 100644 +index af55369..5d940f8 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -2219,7 +2219,7 @@ index af55369..ec838bd 100644 +') + +optional_policy(` -+ nsplugin_manage_rw_files(prelink_t) ++ mozilla_plugin_manage_rw_files(prelink_t) +') + +optional_policy(` @@ -7505,10 +7505,31 @@ index 0000000..169421f +') + diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te -index 2dde73a..8ebd16b 100644 +index 2dde73a..1b16fa4 100644 --- a/policy/modules/apps/kdumpgui.te +++ b/policy/modules/apps/kdumpgui.te -@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t) +@@ -9,6 +9,9 @@ type kdumpgui_t; + type kdumpgui_exec_t; + dbus_system_domain(kdumpgui_t, kdumpgui_exec_t) + ++type kdumpgui_tmp_t; ++files_tmp_file(kdumpgui_tmp_t) ++ + ###################################### + # + # system-config-kdump local policy +@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio }; + allow kdumpgui_t self:fifo_file rw_fifo_file_perms; + allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms; + ++manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) ++manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t) ++files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file }) ++ + kernel_read_system_state(kdumpgui_t) + kernel_read_network_state(kdumpgui_t) + +@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t) files_etc_filetrans_etc_runtime(kdumpgui_t, file) files_read_usr_files(kdumpgui_t) @@ -7517,20 +7538,28 @@ index 2dde73a..8ebd16b 100644 storage_raw_read_fixed_disk(kdumpgui_t) storage_raw_write_fixed_disk(kdumpgui_t) -@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t) +@@ -45,8 +54,20 @@ logging_send_syslog_msg(kdumpgui_t) + miscfiles_read_localization(kdumpgui_t) + ++mount_exec(kdumpgui_t) ++ init_dontaudit_read_all_script_files(kdumpgui_t) +userdom_dontaudit_search_admin_dir(kdumpgui_t) + +optional_policy(` ++ bootloader_exec(kdumpgui_t) ++') ++ ++optional_policy(` + consoletype_exec(kdumpgui_t) +') + optional_policy(` consoletype_exec(kdumpgui_t) ') -@@ -58,6 +66,7 @@ optional_policy(` +@@ -58,6 +79,7 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) @@ -7684,18 +7713,32 @@ index 0bac996..ca2388d 100644 +userdom_use_inherited_user_terminals(lockdev_t) diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc -index 93ac529..35b51ab 100644 +index 93ac529..800b5c8 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc -@@ -1,6 +1,7 @@ +@@ -1,8 +1,14 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + + # + # /bin +@@ -14,16 +20,24 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) + /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) + /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -@@ -18,12 +19,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /lib # @@ -7716,9 +7759,14 @@ index 93ac529..35b51ab 100644 +/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++ ++/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) ++ ++/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..b9b8ac2 100644 +index fbb5c5a..aa15d05 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -7756,16 +7804,18 @@ index fbb5c5a..b9b8ac2 100644 ') ######################################## -@@ -197,12 +207,21 @@ interface(`mozilla_domtrans',` +@@ -197,12 +207,23 @@ interface(`mozilla_domtrans',` # interface(`mozilla_domtrans_plugin',` gen_require(` - type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t; + type mozilla_plugin_t, mozilla_plugin_exec_t; ++ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t; class dbus send_msg; ') domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t) ++ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t) allow mozilla_plugin_t $1:process signull; + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:fd use; @@ -7779,10 +7829,13 @@ index fbb5c5a..b9b8ac2 100644 ') ######################################## -@@ -230,6 +249,25 @@ interface(`mozilla_run_plugin',` - role $2 types mozilla_plugin_t; - ') +@@ -228,6 +249,27 @@ interface(`mozilla_run_plugin',` + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; ++ role $2 types mozilla_plugin_config_t; ++') ++ +####################################### +## +## Execute qemu unconfined programs in the role. @@ -7800,12 +7853,11 @@ index fbb5c5a..b9b8ac2 100644 + ') + + role $1 types mozilla_plugin_t; -+') -+ ++ role $1 types mozilla_plugin_config_t; + ') + ######################################## - ## - ## Send and receive messages from -@@ -269,9 +307,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -269,9 +311,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -7834,7 +7886,7 @@ index fbb5c5a..b9b8ac2 100644 ## ## ## -@@ -279,28 +335,28 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -279,28 +339,48 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -7865,24 +7917,47 @@ index fbb5c5a..b9b8ac2 100644 gen_require(` - type mozilla_plugin_tmpfs_t; + type mozilla_plugin_t; ++ ') ++ ++ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## mozilla_plugin rw files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_plugin_manage_rw_files',` ++ gen_require(` ++ type mozilla_plugin_rw_t; ') - allow $1 mozilla_plugin_tmpfs_t:file unlink; -+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; ++ allow $1 mozilla_plugin_rw_t:file manage_file_perms; ++ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms; ') diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2e9318b..add01a5 100644 +index 2e9318b..344f2e4 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te -@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) +@@ -23,8 +23,9 @@ type mozilla_conf_t; + files_config_file(mozilla_conf_t) + type mozilla_home_t; - typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; +-typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; ++typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t nsplugin_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; +files_poly_member(mozilla_home_t) userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; -@@ -33,10 +34,12 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +@@ -33,13 +34,22 @@ application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) role system_r types mozilla_plugin_t; type mozilla_plugin_tmp_t; @@ -7895,7 +7970,17 @@ index 2e9318b..add01a5 100644 files_tmpfs_file(mozilla_plugin_tmpfs_t) ubac_constrained(mozilla_plugin_tmpfs_t) -@@ -111,7 +114,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t) ++type mozilla_plugin_rw_t alias nsplugin_rw_t; ++files_type(mozilla_plugin_rw_t) ++ ++type mozilla_plugin_config_t; ++type mozilla_plugin_config_exec_t; ++application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) ++ + type mozilla_tmp_t; + files_tmp_file(mozilla_tmp_t) + ubac_constrained(mozilla_tmp_t) +@@ -111,7 +121,9 @@ corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) corenet_tcp_sendrecv_squid_port(mozilla_t) @@ -7905,7 +7990,7 @@ index 2e9318b..add01a5 100644 corenet_tcp_sendrecv_ipp_port(mozilla_t) corenet_tcp_connect_http_port(mozilla_t) corenet_tcp_connect_http_cache_port(mozilla_t) -@@ -156,6 +161,8 @@ fs_rw_tmpfs_files(mozilla_t) +@@ -156,6 +168,8 @@ fs_rw_tmpfs_files(mozilla_t) term_dontaudit_getattr_pty_dirs(mozilla_t) @@ -7914,7 +7999,7 @@ index 2e9318b..add01a5 100644 logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -@@ -165,27 +172,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) +@@ -165,27 +179,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) # Browse the web, connect to printer sysnet_dns_name_resolve(mozilla_t) @@ -7948,7 +8033,7 @@ index 2e9318b..add01a5 100644 # Uploads, local html tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` -@@ -262,6 +263,7 @@ optional_policy(` +@@ -262,6 +270,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -7956,17 +8041,18 @@ index 2e9318b..add01a5 100644 ') optional_policy(` -@@ -278,7 +280,8 @@ optional_policy(` +@@ -278,10 +287,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(mozilla_t) -+ nsplugin_manage_rw(mozilla_t) -+ nsplugin_manage_home_files(mozilla_t) - ') - - optional_policy(` -@@ -296,16 +299,19 @@ optional_policy(` +-') +- +-optional_policy(` + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) + pulseaudio_manage_home_files(mozilla_t) +@@ -296,16 +301,19 @@ optional_policy(` # mozilla_plugin local policy # @@ -7990,7 +8076,7 @@ index 2e9318b..add01a5 100644 can_exec(mozilla_plugin_t, mozilla_home_t) read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) -@@ -313,8 +319,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) +@@ -313,8 +321,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) @@ -8003,7 +8089,18 @@ index 2e9318b..add01a5 100644 manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) -@@ -332,11 +340,9 @@ kernel_request_load_module(mozilla_plugin_t) +@@ -322,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug + manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) + fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) + ++allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; ++read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ + can_exec(mozilla_plugin_t, mozilla_exec_t) + + kernel_read_kernel_sysctls(mozilla_plugin_t) +@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -8017,7 +8114,7 @@ index 2e9318b..add01a5 100644 corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_http_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -@@ -344,6 +350,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) +@@ -344,6 +356,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) @@ -8029,7 +8126,7 @@ index 2e9318b..add01a5 100644 dev_read_rand(mozilla_plugin_t) dev_read_urand(mozilla_plugin_t) -@@ -385,33 +396,29 @@ term_getattr_all_ttys(mozilla_plugin_t) +@@ -385,33 +402,30 @@ term_getattr_all_ttys(mozilla_plugin_t) term_getattr_all_ptys(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -8046,6 +8143,7 @@ index 2e9318b..add01a5 100644 userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_dontaudit_write_home_certs(mozilla_plugin_t) ++userdom_read_home_audio_files(mozilla_plugin_t) -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process { execmem execstack }; @@ -8055,15 +8153,15 @@ index 2e9318b..add01a5 100644 tunable_policy(`allow_execstack',` - allow mozilla_plugin_t self:process { execstack }; -+ allow mozilla_plugin_t self:process execstack; - ') - +-') +- -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_t) - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) --') -- ++ allow mozilla_plugin_t self:process execstack; + ') + -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mozilla_plugin_t) - fs_manage_cifs_files(mozilla_plugin_t) @@ -8073,7 +8171,7 @@ index 2e9318b..add01a5 100644 optional_policy(` alsa_read_rw_config(mozilla_plugin_t) -@@ -425,7 +432,13 @@ optional_policy(` +@@ -425,7 +439,13 @@ optional_policy(` ') optional_policy(` @@ -8087,23 +8185,15 @@ index 2e9318b..add01a5 100644 ') optional_policy(` -@@ -438,7 +451,14 @@ optional_policy(` +@@ -438,18 +458,89 @@ optional_policy(` ') optional_policy(` - pcscd_stream_connect(mozilla_plugin_t) -+ nsplugin_domtrans(mozilla_plugin_t) -+ nsplugin_rw_exec(mozilla_plugin_t) -+ nsplugin_manage_home_dirs(mozilla_plugin_t) -+ nsplugin_manage_home_files(mozilla_plugin_t) -+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) -+ nsplugin_user_home_filetrans(mozilla_plugin_t, file) -+ nsplugin_read_rw_files(mozilla_plugin_t); -+ nsplugin_signal(mozilla_plugin_t) - ') - - optional_policy(` -@@ -446,10 +466,27 @@ optional_policy(` +-') +- +-optional_policy(` + pulseaudio_exec(mozilla_plugin_t) pulseaudio_stream_connect(mozilla_plugin_t) pulseaudio_setattr_home_dir(mozilla_plugin_t) pulseaudio_manage_home_files(mozilla_plugin_t) @@ -8129,8 +8219,66 @@ index 2e9318b..add01a5 100644 + xserver_read_user_iceauth(mozilla_plugin_t) + xserver_read_user_xauth(mozilla_plugin_t) + xserver_append_xdm_home_files(mozilla_plugin_t); - ') ++') ++ ++######################################## ++# ++# mozilla_plugin_config local policy ++# ++ ++allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem }; ++ ++allow mozilla_plugin_config_t self:fifo_file rw_file_perms; ++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++ ++dev_search_sysfs(mozilla_plugin_config_t) ++dev_read_urand(mozilla_plugin_config_t) ++dev_dontaudit_read_rand(mozilla_plugin_config_t) ++dev_dontaudit_rw_dri(mozilla_plugin_config_t) + ++fs_search_auto_mountpoints(mozilla_plugin_config_t) ++fs_list_inotifyfs(mozilla_plugin_config_t) ++ ++can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t) ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) ++ ++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t) ++ ++corecmd_exec_bin(mozilla_plugin_config_t) ++corecmd_exec_shell(mozilla_plugin_config_t) ++ ++kernel_read_system_state(mozilla_plugin_config_t) ++kernel_request_load_module(mozilla_plugin_config_t) ++ ++domain_use_interactive_fds(mozilla_plugin_config_t) ++ ++files_read_etc_files(mozilla_plugin_config_t) ++files_read_usr_files(mozilla_plugin_config_t) ++files_dontaudit_search_home(mozilla_plugin_config_t) ++files_list_tmp(mozilla_plugin_config_t) ++ ++auth_use_nsswitch(mozilla_plugin_config_t) ++ ++miscfiles_read_localization(mozilla_plugin_config_t) ++miscfiles_read_fonts(mozilla_plugin_config_t) ++ ++userdom_search_user_home_content(mozilla_plugin_config_t) ++userdom_read_user_home_content_symlinks(mozilla_plugin_config_t) ++userdom_read_user_home_content_files(mozilla_plugin_config_t) ++userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t) ++ ++domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) ++ ++optional_policy(` ++ xserver_use_user_fonts(mozilla_plugin_config_t) + ') diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if index d8ea41d..8bdc526 100644 --- a/policy/modules/apps/mplayer.if @@ -8422,10 +8570,10 @@ index 0000000..8d7c751 +') diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te new file mode 100644 -index 0000000..bb6b61e +index 0000000..a337d62 --- /dev/null +++ b/policy/modules/apps/namespace.te -@@ -0,0 +1,38 @@ +@@ -0,0 +1,42 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -8450,6 +8598,8 @@ index 0000000..bb6b61e + +kernel_read_system_state(namespace_init_t) + ++corecmd_exec_shell(namespace_init_t) ++ +domain_use_interactive_fds(namespace_init_t) + +files_read_etc_files(namespace_init_t) @@ -8459,6 +8609,8 @@ index 0000000..bb6b61e + +miscfiles_read_localization(namespace_init_t) + ++term_use_console(namespace_init_t) ++ +userdom_manage_user_home_content_dirs(namespace_init_t) +userdom_manage_user_home_content_files(namespace_init_t) +userdom_relabelto_user_home_dirs(namespace_init_t) @@ -8961,10 +9113,10 @@ index 0000000..fce899a +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..cc6b555 +index 0000000..eeb5955 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,327 @@ +@@ -0,0 +1,328 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -9131,6 +9283,7 @@ index 0000000..cc6b555 +userdom_read_user_tmp_files(nsplugin_t) +userdom_write_user_tmp_sockets(nsplugin_t) +userdom_dontaudit_append_user_home_content_files(nsplugin_t) ++userdom_read_home_audio_files(nsplugin_t) + +optional_policy(` + alsa_read_rw_config(nsplugin_t) @@ -11622,10 +11775,10 @@ index 0000000..5554dc9 + diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..01584ce +index 0000000..b23b488 --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,81 @@ +@@ -0,0 +1,82 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -11663,6 +11816,7 @@ index 0000000..01584ce +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir }) ++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir }) + +kernel_read_system_state(thumb_t) + @@ -12402,7 +12556,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..0b0896b 100644 +index 3fae11a..c82360e 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -97,8 +97,6 @@ ifdef(`distro_redhat',` @@ -12517,20 +12671,20 @@ index 3fae11a..0b0896b 100644 +/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0) +/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) -+ ++/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) + +/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) @@ -12628,22 +12782,30 @@ index 3fae11a..0b0896b 100644 /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) ') -@@ -375,8 +391,9 @@ ifdef(`distro_suse', ` +@@ -375,8 +391,8 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + - /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) --/usr/lib64/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +402,4 @@ ifdef(`distro_suse', ` +@@ -385,3 +401,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') -+/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ ++# ++# /usr/lib ++# ++ ++/usr/lib/iscan/network -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/ruby/gems/.*/agents(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/virtualbox/VBoxManage -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 9e9263a..650e796 100644 --- a/policy/modules/kernel/corecommands.if @@ -12716,7 +12878,7 @@ index 9e9263a..650e796 100644 manage_lnk_files_pattern($1, bin_t, bin_t) ') diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 4f3b542..cf422f4 100644 +index 4f3b542..f4e36ee 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` @@ -12833,10 +12995,10 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dccp_sendrecv_generic_port',` + gen_require(` -+ type port_t; ++ type port_t, unreserved_port_t; + ') + -+ allow $1 port_t:dccp_socket { send_msg recv_msg }; ++ allow $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg }; +') + +######################################## @@ -12844,10 +13006,19 @@ index 4f3b542..cf422f4 100644 ## Send and receive TCP network traffic on generic ports. ## ## -@@ -1175,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',` - - ######################################## - ## +@@ -1167,10 +1257,30 @@ interface(`corenet_raw_bind_all_nodes',` + # + interface(`corenet_tcp_sendrecv_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## +## Do not audit attempts to send and +## receive DCCP network traffic on +## generic ports. @@ -12860,17 +13031,53 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dontaudit_dccp_sendrecv_generic_port',` + gen_require(` -+ type port_t; -+ ') -+ -+ dontaudit $1 port_t:dccp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## - ## Do not audit send and receive TCP network traffic on generic ports. - ## - ## ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:tcp_socket { send_msg recv_msg }; ++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket { send_msg recv_msg }; + ') + + ######################################## +@@ -1185,10 +1295,10 @@ interface(`corenet_tcp_sendrecv_generic_port',` + # + interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- dontaudit $1 port_t:tcp_socket { send_msg recv_msg }; ++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket { send_msg recv_msg }; + ') + + ######################################## +@@ -1203,10 +1313,10 @@ interface(`corenet_dontaudit_tcp_sendrecv_generic_port',` + # + interface(`corenet_udp_send_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:udp_socket send_msg; ++ allow $1 { port_t unreserved_port_t }:udp_socket send_msg; + ') + + ######################################## +@@ -1221,10 +1331,10 @@ interface(`corenet_udp_send_generic_port',` + # + interface(`corenet_udp_receive_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:udp_socket recv_msg; ++ allow $1 { port_t unreserved_port_t }:udp_socket recv_msg; + ') + + ######################################## @@ -1244,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',` ######################################## @@ -12885,11 +13092,11 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dccp_bind_generic_port',` + gen_require(` -+ type port_t; ++ type port_t, unreserved_port_t; + attribute defined_port_type; + ') + -+ allow $1 port_t:dccp_socket name_bind; ++ allow $1 { port_t unreserved_port_t }:dccp_socket name_bind; + dontaudit $1 defined_port_type:dccp_socket name_bind; +') + @@ -12898,16 +13105,17 @@ index 4f3b542..cf422f4 100644 ## Bind TCP sockets to generic ports. ## ## -@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',` +@@ -1254,12 +1384,31 @@ interface(`corenet_udp_sendrecv_generic_port',` + # interface(`corenet_tcp_bind_generic_port',` gen_require(` - type port_t; +- type port_t; - attribute port_type; ++ type port_t, unreserved_port_t; + attribute defined_port_type; - ') - - allow $1 port_t:tcp_socket name_bind; -- dontaudit $1 { port_type -port_t }:tcp_socket name_bind; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:tcp_socket name_bind; + dontaudit $1 defined_port_type:tcp_socket name_bind; +') + @@ -12924,23 +13132,39 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dontaudit_dccp_bind_generic_port',` + gen_require(` -+ type port_t; -+ ') -+ -+ dontaudit $1 port_t:dccp_socket name_bind; ++ type port_t, unreserved_port_t; + ') + +- allow $1 port_t:tcp_socket name_bind; +- dontaudit $1 { port_type -port_t }:tcp_socket name_bind; ++ dontaudit $1 { port_t unreserved_port_t }:dccp_socket name_bind; + ') + + ######################################## +@@ -1274,10 +1423,10 @@ interface(`corenet_tcp_bind_generic_port',` + # + interface(`corenet_dontaudit_tcp_bind_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; + ') + +- dontaudit $1 port_t:tcp_socket name_bind; ++ dontaudit $1 { port_t unreserved_port_t }:tcp_socket name_bind; ') ######################################## -@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` +@@ -1292,12 +1441,30 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',` + # interface(`corenet_udp_bind_generic_port',` gen_require(` - type port_t; +- type port_t; - attribute port_type; ++ type port_t, unreserved_port_t; + attribute defined_port_type; - ') - - allow $1 port_t:udp_socket name_bind; -- dontaudit $1 { port_type -port_t }:udp_socket name_bind; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:udp_socket name_bind; + dontaudit $1 defined_port_type:udp_socket name_bind; +') + @@ -12956,17 +13180,28 @@ index 4f3b542..cf422f4 100644 +# +interface(`corenet_dccp_connect_generic_port',` + gen_require(` -+ type port_t; -+ ') -+ -+ allow $1 port_t:dccp_socket name_connect; - ') ++ type port_t, unreserved_port_t; + ') - ######################################## -@@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',` +- allow $1 port_t:udp_socket name_bind; +- dontaudit $1 { port_type -port_t }:udp_socket name_bind; ++ allow $1 { port_t unreserved_port_t }:dccp_socket name_connect; + ') ######################################## - ## +@@ -1312,10 +1479,28 @@ interface(`corenet_udp_bind_generic_port',` + # + interface(`corenet_tcp_connect_generic_port',` + gen_require(` +- type port_t; ++ type port_t, unreserved_port_t; ++ ') ++ ++ allow $1 { port_t unreserved_port_t }:tcp_socket name_connect; ++') ++ ++######################################## ++## +## Send and receive DCCP network traffic on all ports. +## +## @@ -12978,16 +13213,13 @@ index 4f3b542..cf422f4 100644 +interface(`corenet_dccp_sendrecv_all_ports',` + gen_require(` + attribute port_type; -+ ') -+ + ') + +- allow $1 port_t:tcp_socket name_connect; + allow $1 port_type:dccp_socket { send_msg recv_msg }; -+') -+ -+######################################## -+## - ## Send and receive TCP network traffic on all ports. - ## - ## + ') + + ######################################## @@ -1439,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',` ######################################## @@ -13212,7 +13444,7 @@ index 4f3b542..cf422f4 100644 ## ## ## -@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` +@@ -1729,17 +2007,17 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',` ## ## # @@ -13221,14 +13453,36 @@ index 4f3b542..cf422f4 100644 gen_require(` - attribute reserved_port_type; + type reserved_port_t; -+ ') -+ + ') + +- allow $1 reserved_port_type:udp_socket send_msg; + allow $1 reserved_port_t:tcp_socket name_connect; + ') + + ######################################## + ## +-## Receive UDP network traffic on all reserved ports. ++## Send and receive DCCP network traffic on all reserved ports. + ## + ## + ## +@@ -1747,12 +2025,66 @@ interface(`corenet_udp_send_all_reserved_ports',` + ## + ## + # +-interface(`corenet_udp_receive_all_reserved_ports',` ++interface(`corenet_dccp_sendrecv_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + +- allow $1 reserved_port_type:udp_socket recv_msg; ++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; +') + +######################################## +## -+## Send and receive DCCP network traffic on all reserved ports. ++## Send and receive TCP network traffic on all reserved ports. +## +## +## @@ -13236,17 +13490,17 @@ index 4f3b542..cf422f4 100644 +## +## +# -+interface(`corenet_dccp_sendrecv_all_reserved_ports',` ++interface(`corenet_tcp_sendrecv_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + -+ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; ++ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; +') + +######################################## +## -+## Send and receive TCP network traffic on all reserved ports. ++## Send UDP network traffic on all reserved ports. +## +## +## @@ -13254,17 +13508,17 @@ index 4f3b542..cf422f4 100644 +## +## +# -+interface(`corenet_tcp_sendrecv_all_reserved_ports',` ++interface(`corenet_udp_send_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; + ') + -+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg }; ++ allow $1 reserved_port_type:udp_socket send_msg; +') + +######################################## +## -+## Send UDP network traffic on all reserved ports. ++## Receive UDP network traffic on all reserved ports. +## +## +## @@ -13272,12 +13526,15 @@ index 4f3b542..cf422f4 100644 +## +## +# -+interface(`corenet_udp_send_all_reserved_ports',` ++interface(`corenet_udp_receive_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; - ') ++ ') ++ ++ allow $1 reserved_port_type:udp_socket recv_msg; + ') - allow $1 reserved_port_type:udp_socket send_msg; + ######################################## @@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` ######################################## @@ -13373,9 +13630,8 @@ index 4f3b542..cf422f4 100644 gen_require(` - attribute port_type, reserved_port_type; + attribute unreserved_port_type; - ') - -- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ ') ++ + allow $1 unreserved_port_type:udp_socket name_bind; +') + @@ -13428,8 +13684,9 @@ index 4f3b542..cf422f4 100644 +interface(`corenet_dccp_connect_all_reserved_ports',` + gen_require(` + attribute reserved_port_type; -+ ') -+ + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; + allow $1 reserved_port_type:dccp_socket name_connect; ') @@ -14280,7 +14537,7 @@ index 6cf8784..b48524e 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index f820f3b..39b1056 100644 +index f820f3b..cc3f02e 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -14786,33 +15043,39 @@ index f820f3b..39b1056 100644 ## Search the sysfs directories. ## ## -@@ -3902,25 +4176,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3902,21 +4176,26 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## -## Create, read, write, and delete sysfs -## directories. --## --## --## --## Domain allowed access. --## --## --# ++## Read cpu online hardware state information. + ## ++## ++##

++## Allow the specified domain to read /sys/devices/system/cpu/online file. ++##

++## + ## + ## + ## Domain allowed access. + ## + ## + # -interface(`dev_manage_sysfs_dirs',` -- gen_require(` ++interface(`dev_read_cpu_online',` + gen_require(` - type sysfs_t; -- ') -- ++ type cpu_online_t; + ') + - manage_dirs_pattern($1, sysfs_t, sysfs_t) --') -- --######################################## --## - ## Read hardware state information. - ## - ## -@@ -3972,6 +4227,42 @@ interface(`dev_rw_sysfs',` ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) + ') + + ######################################## +@@ -3972,6 +4251,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -14855,7 +15118,7 @@ index f820f3b..39b1056 100644 ## Read and write the TPM device. ## ## -@@ -4069,6 +4360,25 @@ interface(`dev_write_urand',` +@@ -4069,6 +4384,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -14881,7 +15144,7 @@ index f820f3b..39b1056 100644 ## Getattr generic the USB devices. ## ## -@@ -4103,6 +4413,24 @@ interface(`dev_setattr_generic_usb_dev',` +@@ -4103,6 +4437,24 @@ interface(`dev_setattr_generic_usb_dev',` setattr_chr_files_pattern($1, device_t, usb_device_t) ') @@ -14906,7 +15169,7 @@ index f820f3b..39b1056 100644 ######################################## ## ## Read generic the USB devices. -@@ -4495,6 +4823,24 @@ interface(`dev_rw_vhost',` +@@ -4495,6 +4847,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -14931,7 +15194,7 @@ index f820f3b..39b1056 100644 ## Read and write VMWare devices. ## ## -@@ -4695,6 +5041,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4695,6 +5065,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -14958,7 +15221,7 @@ index f820f3b..39b1056 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4784,3 +5150,812 @@ interface(`dev_unconfined',` +@@ -4784,3 +5174,812 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -15772,7 +16035,7 @@ index f820f3b..39b1056 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 08f01e7..1c2562c 100644 +index 08f01e7..112bebb 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -108,6 +108,7 @@ dev_node(ksm_device_t) @@ -15796,7 +16059,18 @@ index 08f01e7..1c2562c 100644 type lvm_control_t; dev_node(lvm_control_t) -@@ -265,6 +272,7 @@ dev_node(v4l_device_t) +@@ -218,6 +225,10 @@ files_mountpoint(sysfs_t) + fs_type(sysfs_t) + genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0) + ++type cpu_online_t; ++allow cpu_online_t sysfs_t:filesystem associate; ++genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0) ++ + # + # Type for /dev/tpm + # +@@ -265,6 +276,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -15804,7 +16078,7 @@ index 08f01e7..1c2562c 100644 # Type for vmware devices. type vmware_device_t; -@@ -310,5 +318,5 @@ files_associate_tmp(device_node) +@@ -310,5 +322,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -15899,7 +16173,7 @@ index 6a1e4d1..3ded83e 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index fae1ab1..f9a1bcc 100644 +index fae1ab1..facd6a8 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1) @@ -15924,7 +16198,7 @@ index fae1ab1..f9a1bcc 100644 ## ##

-@@ -87,14 +102,17 @@ allow domain self:dir list_dir_perms; +@@ -87,22 +102,36 @@ allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; kernel_read_proc_symlinks(domain) @@ -15942,8 +16216,10 @@ index fae1ab1..f9a1bcc 100644 +allow domain self:process { fork getsched sigchld }; # Use trusted objects in /dev ++dev_read_cpu_online(domain) dev_rw_null(domain) -@@ -103,6 +121,16 @@ term_use_controlling_term(domain) + dev_rw_zero(domain) + term_use_controlling_term(domain) # list the root directory files_list_root(domain) @@ -15960,7 +16236,7 @@ index fae1ab1..f9a1bcc 100644 tunable_policy(`global_ssp',` # enable reading of urandom for all domains: -@@ -113,8 +141,13 @@ tunable_policy(`global_ssp',` +@@ -113,8 +142,13 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -15974,7 +16250,7 @@ index fae1ab1..f9a1bcc 100644 ') optional_policy(` -@@ -125,6 +158,8 @@ optional_policy(` +@@ -125,6 +159,8 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -15983,7 +16259,7 @@ index fae1ab1..f9a1bcc 100644 ') ######################################## -@@ -143,8 +178,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +@@ -143,8 +179,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; allow unconfined_domain_type domain:fd use; allow unconfined_domain_type domain:fifo_file rw_file_perms; @@ -15998,7 +16274,7 @@ index fae1ab1..f9a1bcc 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -158,5 +198,217 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -158,5 +199,219 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -16012,7 +16288,9 @@ index fae1ab1..f9a1bcc 100644 +term_filetrans_all_named_dev(unconfined_domain_type) + +optional_policy(` -+ authlogin_filetrans_named_content(unconfined_domain_type) ++ auth_filetrans_named_content(unconfined_domain_type) ++ auth_filetrans_admin_home_content(unconfined_domain_type) ++ auth_filetrans_home_content(unconfined_domain_type) +') + +optional_policy(` @@ -18178,7 +18456,7 @@ index ff006ea..b682bcf 100644 + dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 22821ff..20251b0 100644 +index 22821ff..4e8d594 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -10,7 +10,9 @@ attribute files_unconfined_type; @@ -18214,7 +18492,15 @@ index 22821ff..20251b0 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; -@@ -167,6 +178,7 @@ files_mountpoint(var_lib_t) +@@ -133,6 +144,7 @@ files_mountpoint(src_t) + # + type system_map_t; + files_type(system_map_t) ++procs_type(system_map_t) + genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) + + # +@@ -167,6 +179,7 @@ files_mountpoint(var_lib_t) # type var_lock_t; files_lock_file(var_lock_t) @@ -18222,7 +18508,7 @@ index 22821ff..20251b0 100644 # # var_run_t is the type of /var/run, usually -@@ -181,6 +193,7 @@ files_mountpoint(var_run_t) +@@ -181,6 +194,7 @@ files_mountpoint(var_run_t) # type var_spool_t; files_tmp_file(var_spool_t) @@ -18863,7 +19149,7 @@ index f125dc2..3c6e827 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 6346378..8c500cd 100644 +index 6346378..4845190 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -345,13 +345,8 @@ interface(`kernel_load_module',` @@ -19042,7 +19328,7 @@ index 6346378..8c500cd 100644 ## Unconfined access to kernel module resources. ##

## -@@ -2962,4 +3057,25 @@ interface(`kernel_unconfined',` +@@ -2962,4 +3057,43 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -19068,6 +19354,24 @@ index 6346378..8c500cd 100644 + allow $1 kernel_t:unix_stream_socket connectto; +') + ++######################################## ++## ++## Make the specified type usable for regular entries in proc ++## ++## ++## ++## Type to be used for /proc entries. ++## ++## ++# ++interface(`procs_type',` ++ gen_require(` ++ attribute proc_type ++ ') ++ ++ typeattribute $1 proc_type; ++') ++ diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index d91c62f..8852535 100644 --- a/policy/modules/kernel/kernel.te @@ -21252,7 +21556,7 @@ index 2be17d2..de3c13e 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..0d1af63 100644 +index e14b961..37bdf8d 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,13 +5,6 @@ policy_module(sysadm, 2.2.1) @@ -21356,12 +21660,13 @@ index e14b961..0d1af63 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +140,19 @@ optional_policy(` +@@ -110,11 +140,20 @@ optional_policy(` ') optional_policy(` - consoletype_run(sysadm_t, sysadm_r) + cron_admin_role(sysadm_r, sysadm_t) ++ #cron_role(sysadm_r, sysadm_t) ') optional_policy(` @@ -21378,7 +21683,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -128,6 +166,10 @@ optional_policy(` +@@ -128,6 +167,10 @@ optional_policy(` ') optional_policy(` @@ -21389,7 +21694,7 @@ index e14b961..0d1af63 100644 dmesg_exec(sysadm_t) ') -@@ -163,6 +205,13 @@ optional_policy(` +@@ -163,6 +206,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -21403,7 +21708,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -170,15 +219,20 @@ optional_policy(` +@@ -170,15 +220,20 @@ optional_policy(` ') optional_policy(` @@ -21427,7 +21732,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -198,22 +252,20 @@ optional_policy(` +@@ -198,22 +253,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -21456,7 +21761,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -225,25 +277,47 @@ optional_policy(` +@@ -225,25 +278,47 @@ optional_policy(` ') optional_policy(` @@ -21504,7 +21809,7 @@ index e14b961..0d1af63 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,31 +327,32 @@ optional_policy(` +@@ -253,31 +328,32 @@ optional_policy(` ') optional_policy(` @@ -21544,7 +21849,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -302,12 +377,18 @@ optional_policy(` +@@ -302,12 +378,18 @@ optional_policy(` ') optional_policy(` @@ -21564,7 +21869,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -332,7 +413,10 @@ optional_policy(` +@@ -332,7 +414,10 @@ optional_policy(` ') optional_policy(` @@ -21576,7 +21881,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -343,19 +427,15 @@ optional_policy(` +@@ -343,19 +428,15 @@ optional_policy(` ') optional_policy(` @@ -21598,7 +21903,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -367,45 +447,45 @@ optional_policy(` +@@ -367,45 +448,45 @@ optional_policy(` ') optional_policy(` @@ -21655,7 +21960,7 @@ index e14b961..0d1af63 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +498,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +499,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21666,7 +21971,7 @@ index e14b961..0d1af63 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +515,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +516,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -21674,7 +21979,7 @@ index e14b961..0d1af63 100644 ') optional_policy(` -@@ -446,11 +523,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +524,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -22361,10 +22666,10 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..11ad8fb +index 0000000..35524d6 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,394 @@ +@@ -0,0 +1,379 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -22375,13 +22680,6 @@ index 0000000..11ad8fb + +## +##

-+## allow unconfined users to transition to the nsplugin domains when running nspluginviewer -+##

-+## -+gen_tunable(allow_unconfined_nsplugin_transition, false) -+ -+## -+##

+## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +##

+## @@ -22495,14 +22793,6 @@ index 0000000..11ad8fb + attribute unconfined_usertype; + ') + -+ nsplugin_role_notrans(unconfined_r, unconfined_usertype) -+ optional_policy(` -+ tunable_policy(`allow_unconfined_nsplugin_transition',` -+ nsplugin_domtrans(unconfined_usertype) -+ nsplugin_domtrans_config(unconfined_usertype) -+ ') -+ ') -+ + optional_policy(` + abrt_dbus_chat(unconfined_usertype) + abrt_run_helper(unconfined_usertype, unconfined_r) @@ -22937,7 +23227,7 @@ index 0ecc786..3e7e984 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..6f176f9 100644 +index e88b95f..0258e24 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -23007,7 +23297,7 @@ index e88b95f..6f176f9 100644 ') ') -@@ -76,23 +86,101 @@ optional_policy(` +@@ -76,23 +86,97 @@ optional_policy(` ') optional_policy(` @@ -23028,9 +23318,10 @@ index e88b95f..6f176f9 100644 optional_policy(` - java_role(xguest_r, xguest_t) + apache_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) + gnome_role(xguest_r, xguest_t) +') + @@ -23043,11 +23334,6 @@ index e88b95f..6f176f9 100644 +') + +optional_policy(` -+ nsplugin_role(xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) + pcscd_read_pub_files(xguest_usertype) + pcscd_stream_connect(xguest_usertype) +') @@ -23096,7 +23382,7 @@ index e88b95f..6f176f9 100644 + corenet_tcp_connect_speech_port(xguest_usertype) + corenet_tcp_sendrecv_transproxy_port(xguest_usertype) + corenet_tcp_connect_transproxy_port(xguest_usertype) -+ ') + ') + + #optional_policy(` + # telepathy_dbus_session_role(xguest_r, xguest_t) @@ -23106,7 +23392,7 @@ index e88b95f..6f176f9 100644 +optional_policy(` + gen_require(` + type mozilla_t; - ') ++ ') + + allow xguest_t mozilla_t:process transition; + role xguest_r types mozilla_t; @@ -23392,7 +23678,7 @@ index 0b827c5..d83d4dc 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..d5a9038 100644 +index 30861ec..a1cbdb4 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -23539,7 +23825,7 @@ index 30861ec..d5a9038 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,22 +185,31 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +185,26 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -23559,24 +23845,20 @@ index 30861ec..d5a9038 100644 +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +') -+ -+optional_policy(` -+ apache_list_modules(abrt_t) -+ apache_read_modules(abrt_t) -+') optional_policy(` - dbus_system_domain(abrt_t, abrt_exec_t) +- dbus_system_domain(abrt_t, abrt_exec_t) ++ apache_list_modules(abrt_t) ++ apache_read_modules(abrt_t) ') optional_policy(` - nis_use_ypbind(abrt_t) -+ nsplugin_read_rw_files(abrt_t) -+ nsplugin_read_home(abrt_t) ++ dbus_system_domain(abrt_t, abrt_exec_t) ') optional_policy(` -@@ -167,6 +230,7 @@ optional_policy(` +@@ -167,6 +225,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -23584,7 +23866,7 @@ index 30861ec..d5a9038 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +242,35 @@ optional_policy(` +@@ -178,12 +237,35 @@ optional_policy(` ') optional_policy(` @@ -23621,7 +23903,7 @@ index 30861ec..d5a9038 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +287,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +282,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -23650,7 +23932,7 @@ index 30861ec..d5a9038 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +310,128 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +305,128 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -23658,7 +23940,7 @@ index 30861ec..d5a9038 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') -+') + ') + +ifdef(`hide_broken_symptoms',` + gen_require(` @@ -23736,7 +24018,7 @@ index 30861ec..d5a9038 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) - ') ++') + +######################################## +# @@ -26981,7 +27263,7 @@ index 44a1e3d..7cc67ec 100644 + named_systemctl($1) ') diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..fc86505 100644 +index 4deca04..7859fa1 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -6,16 +6,24 @@ policy_module(bind, 1.11.0) @@ -27055,18 +27337,20 @@ index 4deca04..fc86505 100644 tunable_policy(`named_write_master_zones',` manage_dirs_pattern(named_t, named_zone_t, named_zone_t) manage_files_pattern(named_t, named_zone_t, named_zone_t) -@@ -154,6 +170,10 @@ tunable_policy(`named_write_master_zones',` +@@ -154,6 +170,12 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` ++ # needed by FreeIPA with DNS support + dirsrv_stream_connect(named_t) ++ ldap_stream_connect(named_t) +') + +optional_policy(` init_dbus_chat_script(named_t) sysnet_dbus_chat_dhcpc(named_t) -@@ -198,18 +218,18 @@ allow ndc_t self:process { fork signal_perms }; +@@ -198,18 +220,18 @@ allow ndc_t self:process { fork signal_perms }; allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms }; allow ndc_t self:tcp_socket create_socket_perms; @@ -27088,7 +27372,7 @@ index 4deca04..fc86505 100644 kernel_read_kernel_sysctls(ndc_t) corenet_all_recvfrom_unlabeled(ndc_t) -@@ -228,6 +248,8 @@ files_search_pids(ndc_t) +@@ -228,6 +250,8 @@ files_search_pids(ndc_t) fs_getattr_xattr_fs(ndc_t) @@ -27097,7 +27381,7 @@ index 4deca04..fc86505 100644 init_use_fds(ndc_t) init_use_script_ptys(ndc_t) -@@ -235,24 +257,13 @@ logging_send_syslog_msg(ndc_t) +@@ -235,24 +259,13 @@ logging_send_syslog_msg(ndc_t) miscfiles_read_localization(ndc_t) @@ -29638,7 +29922,7 @@ index 1f11572..717fb8d 100644 init_labeled_script_domtrans($1, clamd_initrc_exec_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..4bc077f 100644 +index f758323..4c06224 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,16 @@ @@ -29712,7 +29996,7 @@ index f758323..4bc077f 100644 optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -142,13 +147,30 @@ optional_policy(` +@@ -142,13 +147,31 @@ optional_policy(` ') optional_policy(` @@ -29732,6 +30016,7 @@ index f758323..4bc077f 100644 + +optional_policy(` + spamd_stream_connect(clamd_t) ++ spamd_read_pid(clamd_t) +') + tunable_policy(`clamd_use_jit',` @@ -29744,7 +30029,7 @@ index f758323..4bc077f 100644 ') ######################################## -@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -29763,7 +30048,7 @@ index f758323..4bc077f 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -29771,7 +30056,7 @@ index f758323..4bc077f 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -29794,7 +30079,7 @@ index f758323..4bc077f 100644 ######################################## # # clamscam local policy -@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -29824,7 +30109,7 @@ index f758323..4bc077f 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -29923,7 +30208,7 @@ index 0000000..f2968f8 +/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0) diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if new file mode 100644 -index 0000000..6451167 +index 0000000..7f55959 --- /dev/null +++ b/policy/modules/services/cloudform.if @@ -0,0 +1,40 @@ @@ -29960,12 +30245,12 @@ index 0000000..6451167 +## +## +# -+template(`cloudform_exec_mongod',` ++interface(`cloudform_exec_mongod',` + gen_require(` -+ type mogod_exec_t; ++ type mongod_exec_t; + ') + -+ can_exec($1, mogod_exec_t) ++ can_exec($1, mongod_exec_t) +') diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te new file mode 100644 @@ -30896,10 +31181,10 @@ index 0000000..40a0157 + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..2ee2be0 +index 0000000..ca71d08 --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,77 @@ +@@ -0,0 +1,80 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -30974,14 +31259,31 @@ index 0000000..2ee2be0 +optional_policy(` + apache_content_template(collectd) + ++ files_search_var_lib(httpd_collectd_script_t) ++ read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) ++ list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) + miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) +') + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..e7c70b5 100644 +index 74505cc..246bbf9 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te -@@ -23,6 +23,7 @@ files_type(colord_var_lib_t) +@@ -5,6 +5,13 @@ policy_module(colord, 1.0.0) + # Declarations + # + ++## ++##

++## Allow colord domain to connect to the network using TCP. ++##

++## ++gen_tunable(colord_can_network_connect, false) ++ + type colord_t; + type colord_exec_t; + dbus_system_domain(colord_t, colord_exec_t) +@@ -23,9 +30,11 @@ files_type(colord_var_lib_t) # colord local policy # allow colord_t self:capability { dac_read_search dac_override }; @@ -30989,7 +31291,11 @@ index 74505cc..e7c70b5 100644 allow colord_t self:process signal; allow colord_t self:fifo_file rw_fifo_file_perms; allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -41,8 +42,13 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) ++allow colord_t self:tcp_socket create_stream_socket_perms; + allow colord_t self:udp_socket create_socket_perms; + allow colord_t self:unix_dgram_socket create_socket_perms; + +@@ -41,8 +50,14 @@ manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) @@ -31001,10 +31307,11 @@ index 74505cc..e7c70b5 100644 + +# reads *.ini files +corecmd_exec_bin(colord_t) ++corecmd_exec_shell(colord_t) corenet_all_recvfrom_unlabeled(colord_t) corenet_all_recvfrom_netlabel(colord_t) -@@ -50,6 +56,8 @@ corenet_udp_bind_generic_node(colord_t) +@@ -50,6 +65,8 @@ corenet_udp_bind_generic_node(colord_t) corenet_udp_bind_ipp_port(colord_t) corenet_tcp_connect_ipp_port(colord_t) @@ -31013,7 +31320,7 @@ index 74505cc..e7c70b5 100644 dev_read_video_dev(colord_t) dev_write_video_dev(colord_t) dev_rw_printer(colord_t) -@@ -65,21 +73,23 @@ files_list_mnt(colord_t) +@@ -65,19 +82,36 @@ files_list_mnt(colord_t) files_read_etc_files(colord_t) files_read_usr_files(colord_t) @@ -31032,31 +31339,39 @@ index 74505cc..e7c70b5 100644 miscfiles_read_localization(colord_t) -sysnet_dns_name_resolve(colord_t) ++fs_getattr_tmpfs(colord_t) +userdom_rw_user_tmpfs_files(colord_t) - --tunable_policy(`use_nfs_home_dirs',` -- fs_read_nfs_files(colord_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_read_cifs_files(colord_t) --') ++ +userdom_home_reader(colord_t) ++ ++tunable_policy(`colord_can_network_connect',` ++ corenet_tcp_connect_all_ports(colord_t) ++') - optional_policy(` - cups_read_config(colord_t) -@@ -89,6 +99,10 @@ optional_policy(` + tunable_policy(`use_nfs_home_dirs',` ++ fs_getattr_nfs(colord_t) + fs_read_nfs_files(colord_t) + ') + + tunable_policy(`use_samba_home_dirs',` ++ fs_getattr_cifs(colord_t) + fs_read_cifs_files(colord_t) + ') + +@@ -89,6 +123,12 @@ optional_policy(` ') optional_policy(` + gnome_read_home_icc_data_content(colord_t) ++ # Fixes lots of breakage in F16 on upgrade ++ gnome_read_generic_data_home_files(colord_t) +') + +optional_policy(` policykit_dbus_chat(colord_t) policykit_domtrans_auth(colord_t) policykit_read_lib(colord_t) -@@ -96,5 +110,16 @@ optional_policy(` +@@ -96,5 +136,16 @@ optional_policy(` ') optional_policy(` @@ -31185,10 +31500,10 @@ index fd15dfe..d33cc41 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te -index e67a003..d45381d 100644 +index e67a003..8bd4751 100644 --- a/policy/modules/services/consolekit.te +++ b/policy/modules/services/consolekit.te -@@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t) +@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t) type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) @@ -31202,11 +31517,14 @@ index e67a003..d45381d 100644 -allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; +allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice }; ++tunable_policy(`deny_ptrace',`',` ++ allow consolekit_t self:capability sys_ptrace; ++') + allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket create_stream_socket_perms; -@@ -69,17 +73,23 @@ logging_send_audit_msgs(consolekit_t) +@@ -69,17 +76,23 @@ logging_send_audit_msgs(consolekit_t) miscfiles_read_localization(consolekit_t) @@ -31235,7 +31553,7 @@ index e67a003..d45381d 100644 ') optional_policy(` -@@ -99,6 +109,10 @@ optional_policy(` +@@ -99,6 +112,10 @@ optional_policy(` ') optional_policy(` @@ -31246,7 +31564,7 @@ index e67a003..d45381d 100644 policykit_dbus_chat(consolekit_t) policykit_domtrans_auth(consolekit_t) policykit_read_lib(consolekit_t) -@@ -106,9 +120,10 @@ optional_policy(` +@@ -106,9 +123,10 @@ optional_policy(` ') optional_policy(` @@ -31259,7 +31577,7 @@ index e67a003..d45381d 100644 xserver_read_xdm_pid(consolekit_t) xserver_read_user_xauth(consolekit_t) xserver_non_drawing_client(consolekit_t) -@@ -125,5 +140,8 @@ optional_policy(` +@@ -125,5 +143,8 @@ optional_policy(` optional_policy(` #reading .Xauthity @@ -32147,7 +32465,7 @@ index 35241ed..7a0913c 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..a2e960c 100644 +index f7583ab..230cbb2 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -32310,13 +32628,24 @@ index f7583ab..a2e960c 100644 files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -203,11 +223,17 @@ files_list_usr(crond_t) +@@ -203,11 +223,28 @@ files_list_usr(crond_t) files_search_var_lib(crond_t) files_search_default(crond_t) +fs_manage_cgroup_dirs(crond_t) +fs_manage_cgroup_files(crond_t) + ++# needed by "crontab -e" ++mls_file_read_all_levels(crond_t) ++mls_file_write_all_levels(crond_t) ++ ++# needed because of kernel check of transition ++mls_process_set_level(crond_t) ++ ++# to make cronjob working ++mls_fd_share_all_levels(crond_t) ++mls_trusted_object(crond_t) ++ +init_read_state(crond_t) init_rw_utmp(crond_t) init_spec_domtrans_script(crond_t) @@ -32328,7 +32657,7 @@ index f7583ab..a2e960c 100644 logging_send_syslog_msg(crond_t) logging_set_loginuid(crond_t) -@@ -220,8 +246,11 @@ miscfiles_read_localization(crond_t) +@@ -220,8 +257,11 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -32340,7 +32669,7 @@ index f7583ab..a2e960c 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -233,7 +262,7 @@ ifdef(`distro_debian',` +@@ -233,7 +273,7 @@ ifdef(`distro_debian',` ') ') @@ -32349,7 +32678,7 @@ index f7583ab..a2e960c 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -250,11 +279,27 @@ tunable_policy(`fcron_crond', ` +@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', ` ') optional_policy(` @@ -32377,7 +32706,7 @@ index f7583ab..a2e960c 100644 amanda_search_var_lib(crond_t) ') -@@ -264,6 +309,8 @@ optional_policy(` +@@ -264,6 +320,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -32386,7 +32715,7 @@ index f7583ab..a2e960c 100644 ') optional_policy(` -@@ -286,15 +333,25 @@ optional_policy(` +@@ -286,15 +344,25 @@ optional_policy(` ') optional_policy(` @@ -32412,7 +32741,7 @@ index f7583ab..a2e960c 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -306,10 +363,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -32433,7 +32762,7 @@ index f7583ab..a2e960c 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -329,6 +395,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -32441,7 +32770,7 @@ index f7583ab..a2e960c 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -340,9 +407,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -340,9 +418,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -32456,7 +32785,7 @@ index f7583ab..a2e960c 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -365,6 +436,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -365,6 +447,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -32464,7 +32793,7 @@ index f7583ab..a2e960c 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -391,6 +463,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -32472,7 +32801,7 @@ index f7583ab..a2e960c 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -413,8 +486,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -32484,7 +32813,7 @@ index f7583ab..a2e960c 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -439,6 +514,8 @@ optional_policy(` +@@ -439,6 +525,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -32493,7 +32822,7 @@ index f7583ab..a2e960c 100644 ') optional_policy(` -@@ -446,6 +523,14 @@ optional_policy(` +@@ -446,6 +534,14 @@ optional_policy(` ') optional_policy(` @@ -32508,7 +32837,7 @@ index f7583ab..a2e960c 100644 ftp_read_log(system_cronjob_t) ') -@@ -456,6 +541,10 @@ optional_policy(` +@@ -456,6 +552,10 @@ optional_policy(` ') optional_policy(` @@ -32519,7 +32848,7 @@ index f7583ab..a2e960c 100644 lpd_list_spool(system_cronjob_t) ') -@@ -464,7 +553,9 @@ optional_policy(` +@@ -464,7 +564,9 @@ optional_policy(` ') optional_policy(` @@ -32529,7 +32858,7 @@ index f7583ab..a2e960c 100644 ') optional_policy(` -@@ -480,7 +571,7 @@ optional_policy(` +@@ -480,7 +582,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -32538,7 +32867,7 @@ index f7583ab..a2e960c 100644 ') optional_policy(` -@@ -495,6 +586,7 @@ optional_policy(` +@@ -495,6 +597,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -32546,7 +32875,7 @@ index f7583ab..a2e960c 100644 ') optional_policy(` -@@ -502,7 +594,13 @@ optional_policy(` +@@ -502,7 +605,13 @@ optional_policy(` ') optional_policy(` @@ -32560,7 +32889,7 @@ index f7583ab..a2e960c 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +693,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +704,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -33376,7 +33705,7 @@ index c43ff4c..5da88b5 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te -index 88e7e97..e18dc0b 100644 +index 88e7e97..1546703 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -6,9 +6,9 @@ policy_module(cvs, 1.9.0) @@ -33406,7 +33735,16 @@ index 88e7e97..e18dc0b 100644 manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) -@@ -112,4 +112,5 @@ optional_policy(` +@@ -81,6 +81,8 @@ files_read_etc_runtime_files(cvs_t) + # for identd; cjp: this should probably only be inetd_child rules? + files_search_home(cvs_t) + ++init_dontaudit_read_utmp(cvs_t) ++ + logging_send_syslog_msg(cvs_t) + logging_send_audit_msgs(cvs_t) + +@@ -112,4 +114,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -36117,7 +36455,7 @@ index 9bd812b..144cbb7 100644 + dnsmasq_systemctl($1) ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..8542225 100644 +index fdaeeba..b1ea136 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -36130,7 +36468,7 @@ index fdaeeba..8542225 100644 ######################################## # # Local policy -@@ -48,11 +51,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -48,11 +51,14 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) @@ -36141,11 +36479,12 @@ index fdaeeba..8542225 100644 kernel_read_kernel_sysctls(dnsmasq_t) kernel_read_system_state(dnsmasq_t) ++kernel_read_network_state(dnsmasq_t) +kernel_request_load_module(dnsmasq_t) corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) -@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t) +@@ -88,6 +94,8 @@ logging_send_syslog_msg(dnsmasq_t) miscfiles_read_localization(dnsmasq_t) @@ -36154,7 +36493,7 @@ index fdaeeba..8542225 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +103,20 @@ optional_policy(` +@@ -96,7 +104,20 @@ optional_policy(` ') optional_policy(` @@ -36175,7 +36514,7 @@ index fdaeeba..8542225 100644 ') optional_policy(` -@@ -114,4 +134,5 @@ optional_policy(` +@@ -114,4 +135,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -43025,7 +43364,7 @@ index 67c7fdd..d7338be 100644 ## ## Execute mailman CGI scripts in the diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te -index af4d572..cea085e 100644 +index af4d572..0c0925e 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -19,6 +19,9 @@ logging_log_file(mailman_log_t) @@ -43038,7 +43377,7 @@ index af4d572..cea085e 100644 mailman_domain_template(mail) init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) -@@ -61,14 +64,22 @@ optional_policy(` +@@ -61,14 +64,24 @@ optional_policy(` # Mailman mail local policy # @@ -43060,10 +43399,12 @@ index af4d572..cea085e 100644 +corenet_tcp_connect_innd_port(mailman_mail_t) +corenet_tcp_connect_spamd_port(mailman_mail_t) + ++dev_read_urand(mailman_mail_t) ++ files_search_spool(mailman_mail_t) fs_rw_anon_inodefs_files(mailman_mail_t) -@@ -81,11 +92,16 @@ optional_policy(` +@@ -81,11 +94,16 @@ optional_policy(` ') optional_policy(` @@ -43080,7 +43421,7 @@ index af4d572..cea085e 100644 ') ######################################## -@@ -104,6 +120,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) +@@ -104,6 +122,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) kernel_read_proc_symlinks(mailman_queue_t) @@ -43089,7 +43430,7 @@ index af4d572..cea085e 100644 auth_domtrans_chk_passwd(mailman_queue_t) files_dontaudit_search_pids(mailman_queue_t) -@@ -125,4 +143,4 @@ optional_policy(` +@@ -125,4 +145,4 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) @@ -49897,10 +50238,10 @@ index 48ff1e8..be00a65 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..a16f7d7 100644 +index 1e7169d..c2771dd 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te -@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0) +@@ -5,47 +5,73 @@ policy_module(policykit, 1.1.0) # Declarations # @@ -49967,6 +50308,10 @@ index 1e7169d..a16f7d7 100644 -allow policykit_t self:process getattr; -allow policykit_t self:fifo_file rw_file_perms; +allow policykit_t self:capability { dac_override dac_read_search setgid setuid }; ++tunable_policy(`deny_ptrace',`',` ++ allow policykit_t self:capability sys_ptrace; ++') ++ +allow policykit_t self:process { getsched signal }; allow policykit_t self:unix_dgram_socket create_socket_perms; -allow policykit_t self:unix_stream_socket create_stream_socket_perms; @@ -49982,7 +50327,7 @@ index 1e7169d..a16f7d7 100644 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t) policykit_domtrans_resolve(policykit_t) -@@ -56,56 +78,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) +@@ -56,56 +82,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t) files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir }) @@ -50096,7 +50441,7 @@ index 1e7169d..a16f7d7 100644 dbus_session_bus_client(policykit_auth_t) optional_policy(` -@@ -118,14 +185,21 @@ optional_policy(` +@@ -118,14 +189,21 @@ optional_policy(` hal_read_state(policykit_auth_t) ') @@ -50120,7 +50465,7 @@ index 1e7169d..a16f7d7 100644 allow policykit_grant_t self:unix_dgram_socket create_socket_perms; allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms; -@@ -145,19 +219,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t +@@ -145,19 +223,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t files_read_etc_files(policykit_grant_t) files_read_usr_files(policykit_grant_t) @@ -50145,7 +50490,7 @@ index 1e7169d..a16f7d7 100644 consolekit_dbus_chat(policykit_grant_t) ') ') -@@ -167,9 +240,8 @@ optional_policy(` +@@ -167,9 +244,8 @@ optional_policy(` # polkit_resolve local policy # @@ -50157,7 +50502,7 @@ index 1e7169d..a16f7d7 100644 allow policykit_resolve_t self:unix_dgram_socket create_socket_perms; allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms; -@@ -185,13 +257,9 @@ corecmd_search_bin(policykit_resolve_t) +@@ -185,13 +261,9 @@ corecmd_search_bin(policykit_resolve_t) files_read_etc_files(policykit_resolve_t) files_read_usr_files(policykit_resolve_t) @@ -50172,7 +50517,7 @@ index 1e7169d..a16f7d7 100644 userdom_read_all_users_state(policykit_resolve_t) -@@ -207,4 +275,3 @@ optional_policy(` +@@ -207,4 +279,3 @@ optional_policy(` kernel_search_proc(policykit_resolve_t) hal_read_state(policykit_resolve_t) ') @@ -52888,7 +53233,7 @@ index 2855a44..58bb459 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..fb500de 100644 +index 64c5f95..fa3c113 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -53084,7 +53429,7 @@ index 64c5f95..fb500de 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +258,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +258,36 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; @@ -53117,13 +53462,14 @@ index 64c5f95..fb500de 100644 +allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms; kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) ++kernel_read_network_state(puppetmaster_t) kernel_read_system_state(puppetmaster_t) kernel_read_crypto_sysctls(puppetmaster_t) +kernel_read_kernel_sysctls(puppetmaster_t) corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +299,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +300,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -53173,7 +53519,7 @@ index 64c5f95..fb500de 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +349,9 @@ optional_policy(` +@@ -231,3 +350,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -57635,7 +57981,7 @@ index 82cb169..48c023e 100644 + samba_systemctl($1) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..d893f99 100644 +index e30bb63..bac0112 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -85,6 +85,9 @@ files_config_file(samba_etc_t) @@ -57951,7 +58297,22 @@ index e30bb63..d893f99 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -863,6 +888,12 @@ userdom_manage_user_home_content_pipes(winbind_t) +@@ -850,10 +875,14 @@ domain_use_interactive_fds(winbind_t) + + files_read_etc_files(winbind_t) + files_read_usr_symlinks(winbind_t) ++files_list_var_lib(winbind_t) + + logging_send_syslog_msg(winbind_t) + + miscfiles_read_localization(winbind_t) ++miscfiles_read_generic_certs(winbind_t) ++ ++sysnet_use_ldap(winbind_t) + + userdom_dontaudit_use_unpriv_user_fds(winbind_t) + userdom_manage_user_home_content_dirs(winbind_t) +@@ -863,6 +892,12 @@ userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) @@ -57964,7 +58325,7 @@ index e30bb63..d893f99 100644 optional_policy(` kerberos_use(winbind_t) ') -@@ -904,7 +935,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +939,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -57973,7 +58334,7 @@ index e30bb63..d893f99 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +953,18 @@ optional_policy(` +@@ -922,6 +957,18 @@ optional_policy(` # optional_policy(` @@ -57992,7 +58353,7 @@ index e30bb63..d893f99 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +975,12 @@ optional_policy(` +@@ -932,9 +979,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -58175,10 +58536,10 @@ index 0000000..0d53457 +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..0c1e385 +index 0000000..96adff5 --- /dev/null +++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,72 @@ +@@ -0,0 +1,100 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -58186,6 +58547,20 @@ index 0000000..0c1e385 +# Declarations +# + ++## ++##

++## Allow confined virtual guests to manage nfs files ++##

++## ++gen_tunable(sanlock_use_nfs, false) ++ ++## ++##

++## Allow confined virtual guests to manage cifs files ++##

++## ++gen_tunable(sanlock_use_samba, false) ++ +type sanlock_t; +type sanlock_exec_t; +init_daemon_domain(sanlock_t, sanlock_exec_t) @@ -58242,6 +58617,20 @@ index 0000000..0c1e385 + +miscfiles_read_localization(sanlock_t) + ++tunable_policy(`sanlock_use_nfs',` ++ fs_manage_nfs_dirs(sanlock_t) ++ fs_manage_nfs_files(sanlock_t) ++ fs_manage_nfs_named_sockets(sanlock_t) ++ fs_read_nfs_symlinks(sanlock_t) ++') ++ ++tunable_policy(`sanlock_use_samba',` ++ fs_manage_cifs_dirs(sanlock_t) ++ fs_manage_cifs_files(sanlock_t) ++ fs_manage_cifs_named_sockets(sanlock_t) ++ fs_read_cifs_symlinks(sanlock_t) ++') ++ +optional_policy(` + wdmd_stream_connect(sanlock_t) +') @@ -58283,7 +58672,7 @@ index f1aea88..3e6a93f 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index cfc60dd..791c5b3 100644 +index cfc60dd..71d76cf 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) @@ -58320,7 +58709,15 @@ index cfc60dd..791c5b3 100644 corenet_all_recvfrom_unlabeled(saslauthd_t) corenet_all_recvfrom_netlabel(saslauthd_t) -@@ -94,6 +94,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` +@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t) + corenet_tcp_sendrecv_generic_node(saslauthd_t) + corenet_tcp_sendrecv_all_ports(saslauthd_t) + corenet_tcp_connect_pop_port(saslauthd_t) ++corenet_tcp_connect_zarafa_port(saslauthd_t) + corenet_sendrecv_pop_client_packets(saslauthd_t) + + dev_read_urand(saslauthd_t) +@@ -94,6 +95,7 @@ tunable_policy(`allow_saslauthd_read_shadow',` optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) @@ -59333,7 +59730,7 @@ index 6b3abf9..a785741 100644 +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if -index c954f31..85e8212 100644 +index c954f31..4aac595 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -14,6 +14,7 @@ @@ -59452,7 +59849,7 @@ index c954f31..85e8212 100644 allow $1 spamd_tmp_t:file read_file_perms; ') -@@ -223,5 +291,75 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +@@ -223,5 +291,94 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` type spamd_tmp_t; ') @@ -59460,6 +59857,25 @@ index c954f31..85e8212 100644 + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; +') + ++####################################### ++## ++## Read spamd pid file. ++## ++## ++## ++## Domain allowed to connect. ++## ++## ++# ++interface(`spamd_read_pid',` ++ gen_require(` ++ type spamd_t, spamd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) ++') ++ +######################################## +## +## Connect to run spamd. @@ -59530,7 +59946,7 @@ index c954f31..85e8212 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..fdb471a 100644 +index ec1eb1e..9d10f0b 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0) @@ -59950,7 +60366,15 @@ index ec1eb1e..fdb471a 100644 ') optional_policy(` -@@ -451,3 +531,51 @@ optional_policy(` +@@ -444,6 +524,7 @@ optional_policy(` + ') + + optional_policy(` ++ mta_send_mail(spamd_t) + sendmail_stub(spamd_t) + mta_read_config(spamd_t) + ') +@@ -451,3 +532,51 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -60118,21 +60542,22 @@ index 4b2230e..950e65a 100644 + kerberos_manage_host_rcache(squid_t) +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 078bcd7..2d60774 100644 +index 078bcd7..84d29ee 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,4 +1,10 @@ +@@ -1,4 +1,11 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + +/var/lib/amanda/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) -+/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/gitolite/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -14,3 +20,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -14,3 +21,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) @@ -60674,7 +61099,7 @@ index 22adaca..d6a4b77 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..e93db05 100644 +index 2dad3c8..12ad27c 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) @@ -60830,7 +61255,7 @@ index 2dad3c8..e93db05 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -162,31 +186,29 @@ logging_read_generic_logs(ssh_t) +@@ -162,31 +186,24 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -60862,19 +61287,16 @@ index 2dad3c8..e93db05 100644 -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(ssh_t) - fs_manage_nfs_files(ssh_t) -+ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) - ') - +-') +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(ssh_t) - fs_manage_cifs_files(ssh_t) -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_manage_fusefs_dirs(ssh_t) -+ fs_manage_fusefs_files(ssh_t) ++ domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) ') # for port forwarding -@@ -196,10 +218,15 @@ tunable_policy(`user_tcp_server',` +@@ -196,10 +213,15 @@ tunable_policy(`user_tcp_server',` ') optional_policy(` @@ -60890,7 +61312,7 @@ index 2dad3c8..e93db05 100644 ############################## # # ssh_keysign_t local policy -@@ -209,19 +236,14 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,19 +231,14 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -60912,7 +61334,7 @@ index 2dad3c8..e93db05 100644 ################################# # # sshd local policy -@@ -232,33 +254,44 @@ optional_policy(` +@@ -232,33 +249,44 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -60966,7 +61388,7 @@ index 2dad3c8..e93db05 100644 ') optional_policy(` -@@ -266,11 +299,24 @@ optional_policy(` +@@ -266,11 +294,24 @@ optional_policy(` ') optional_policy(` @@ -60992,7 +61414,7 @@ index 2dad3c8..e93db05 100644 ') optional_policy(` -@@ -284,6 +330,15 @@ optional_policy(` +@@ -284,6 +325,15 @@ optional_policy(` ') optional_policy(` @@ -61008,7 +61430,7 @@ index 2dad3c8..e93db05 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +347,26 @@ optional_policy(` +@@ -292,26 +342,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -61021,10 +61443,6 @@ index 2dad3c8..e93db05 100644 - - optional_policy(` - domain_trans(sshd_t, xauth_exec_t, userdomain) -- ') --',` -- optional_policy(` -- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) + tunable_policy(`ssh_sysadm_login',` + # Relabel and access ptys created by sshd + # ioctl is necessary for logout() processing for utmp entry and for w to @@ -61045,6 +61463,10 @@ index 2dad3c8..e93db05 100644 + # some versions of sshd on the new SE Linux require setattr + allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; ') +-',` +- optional_policy(` +- domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) +- ') - # Relabel and access ptys created by sshd - # ioctl is necessary for logout() processing for utmp entry and for w to - # display the tty. @@ -61054,7 +61476,7 @@ index 2dad3c8..e93db05 100644 ') dnl endif TODO ######################################## -@@ -322,19 +377,26 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +372,26 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -61082,7 +61504,7 @@ index 2dad3c8..e93db05 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,15 +413,84 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,15 +408,86 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -61157,7 +61579,9 @@ index 2dad3c8..e93db05 100644 +') + +tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',` ++ fs_manage_fusefs_dirs(chroot_user_t) + fs_manage_fusefs_files(chroot_user_t) ++ fs_manage_fusefs_symlinks(chroot_user_t) +') + +tunable_policy(`use_samba_home_dirs',` @@ -65979,7 +66403,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..ab908aa 100644 +index 143c893..a3e787d 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -66204,7 +66628,7 @@ index 143c893..ab908aa 100644 ') ######################################## -@@ -252,45 +310,82 @@ tunable_policy(`use_samba_home_dirs',` +@@ -252,45 +310,78 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -66281,10 +66705,6 @@ index 143c893..ab908aa 100644 -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files(xauth_t) -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_manage_fusefs_files(xauth_t) -+') -+ +userdom_home_manager(xauth_t) + +ifdef(`hide_broken_symptoms',` @@ -66297,7 +66717,7 @@ index 143c893..ab908aa 100644 ') optional_policy(` -@@ -305,19 +400,40 @@ optional_policy(` +@@ -305,19 +396,40 @@ optional_policy(` # allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; @@ -66341,7 +66761,7 @@ index 143c893..ab908aa 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +441,63 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +437,63 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -66411,7 +66831,7 @@ index 143c893..ab908aa 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +506,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +502,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -66439,7 +66859,7 @@ index 143c893..ab908aa 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +537,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +533,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -66493,7 +66913,7 @@ index 143c893..ab908aa 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +590,25 @@ files_list_mnt(xdm_t) +@@ -435,9 +586,25 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -66519,7 +66939,7 @@ index 143c893..ab908aa 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +617,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +613,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -66559,7 +66979,7 @@ index 143c893..ab908aa 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,24 +656,48 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,24 +652,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -66583,11 +67003,6 @@ index 143c893..ab908aa 100644 +ifdef(`distro_rhel4',` + allow xdm_t self:process { execheap execmem }; +') -+ -+tunable_policy(`use_fusefs_home_dirs',` -+ fs_manage_fusefs_dirs(xdm_t) -+ fs_manage_fusefs_files(xdm_t) -+') tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(xdm_t) @@ -66614,7 +67029,7 @@ index 143c893..ab908aa 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +711,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +702,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -66636,7 +67051,7 @@ index 143c893..ab908aa 100644 ') optional_policy(` -@@ -519,12 +733,63 @@ optional_policy(` +@@ -519,12 +724,63 @@ optional_policy(` ') optional_policy(` @@ -66700,7 +67115,7 @@ index 143c893..ab908aa 100644 hostname_exec(xdm_t) ') -@@ -542,28 +807,69 @@ optional_policy(` +@@ -542,28 +798,69 @@ optional_policy(` ') optional_policy(` @@ -66779,7 +67194,7 @@ index 143c893..ab908aa 100644 ') optional_policy(` -@@ -575,6 +881,14 @@ optional_policy(` +@@ -575,6 +872,14 @@ optional_policy(` ') optional_policy(` @@ -66794,7 +67209,7 @@ index 143c893..ab908aa 100644 xfs_stream_connect(xdm_t) ') -@@ -600,6 +914,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -600,6 +905,7 @@ allow xserver_t input_xevent_t:x_event send; # NVIDIA Needs execstack allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service }; @@ -66802,7 +67217,7 @@ index 143c893..ab908aa 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +928,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -66818,7 +67233,7 @@ index 143c893..ab908aa 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +955,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -66840,7 +67255,7 @@ index 143c893..ab908aa 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +975,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -66848,7 +67263,7 @@ index 143c893..ab908aa 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,21 +1002,28 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +993,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -66879,7 +67294,7 @@ index 143c893..ab908aa 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -66893,7 +67308,7 @@ index 143c893..ab908aa 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1053,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1044,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -66902,7 +67317,7 @@ index 143c893..ab908aa 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1060,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1051,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -66917,7 +67332,7 @@ index 143c893..ab908aa 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1119,40 @@ optional_policy(` +@@ -778,16 +1110,40 @@ optional_policy(` ') optional_policy(` @@ -66959,7 +67374,7 @@ index 143c893..ab908aa 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1161,10 @@ optional_policy(` +@@ -796,6 +1152,10 @@ optional_policy(` ') optional_policy(` @@ -66970,7 +67385,7 @@ index 143c893..ab908aa 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1180,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -66984,7 +67399,7 @@ index 143c893..ab908aa 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1191,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -66993,7 +67408,7 @@ index 143c893..ab908aa 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,26 +1204,21 @@ init_use_fds(xserver_t) +@@ -835,26 +1195,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -67028,7 +67443,7 @@ index 143c893..ab908aa 100644 ') optional_policy(` -@@ -862,6 +1226,10 @@ optional_policy(` +@@ -862,6 +1217,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -67039,7 +67454,7 @@ index 143c893..ab908aa 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1273,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -67048,7 +67463,7 @@ index 143c893..ab908aa 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1327,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1318,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -67080,7 +67495,7 @@ index 143c893..ab908aa 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1373,31 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1364,31 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -67549,10 +67964,16 @@ index c6fdab7..41198a4 100644 cron_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..bb64dec 100644 +index 28ad538..c547c84 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc -@@ -5,7 +5,12 @@ +@@ -1,3 +1,5 @@ ++HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) ++/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) + + /bin/login -- gen_context(system_u:object_r:login_exec_t,s0) + +@@ -5,7 +7,12 @@ /etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0) /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0) @@ -67565,22 +67986,23 @@ index 28ad538..bb64dec 100644 /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) -@@ -30,6 +35,7 @@ ifdef(`distro_gentoo', ` +@@ -30,6 +37,8 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) +/var/lib/pam_shield(/.*)? gen_context(system_u:object_r:var_auth_t,s0) ++/var/lib/google-authenticator(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) -@@ -45,5 +51,4 @@ ifdef(`distro_gentoo', ` +@@ -45,5 +54,4 @@ ifdef(`distro_gentoo', ` /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..131195d 100644 +index 73554ec..5551d16 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -67611,11 +68033,12 @@ index 73554ec..131195d 100644 ') ######################################## -@@ -95,9 +107,12 @@ interface(`auth_use_pam',` +@@ -95,9 +107,13 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; + attribute polydomain; ++ type auth_home_t; ') domain_type($1) @@ -67624,7 +68047,7 @@ index 73554ec..131195d 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -105,14 +120,17 @@ interface(`auth_login_pgm_domain',` +@@ -105,14 +121,17 @@ interface(`auth_login_pgm_domain',` # Needed for pam_selinux_permit to cleanup properly domain_read_all_domains_state($1) @@ -67642,7 +68065,15 @@ index 73554ec..131195d 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -123,13 +141,20 @@ interface(`auth_login_pgm_domain',` +@@ -120,16 +139,28 @@ interface(`auth_login_pgm_domain',` + manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) + files_var_filetrans($1, auth_cache_t, dir) + ++ manage_dirs_pattern($1, auth_home_t, auth_home_t) ++ manage_files_pattern($1, auth_home_t, auth_home_t) ++ auth_filetrans_admin_home_content($1) ++ auth_filetrans_home_content($1) ++ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 kernel_rw_afs_state($1) @@ -67664,7 +68095,7 @@ index 73554ec..131195d 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +170,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +176,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -67673,7 +68104,7 @@ index 73554ec..131195d 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,13 +182,87 @@ interface(`auth_login_pgm_domain',` +@@ -155,13 +188,87 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -67763,7 +68194,7 @@ index 73554ec..131195d 100644 ## Use the login program as an entry point program. ## ## -@@ -368,13 +469,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -368,13 +475,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -67780,7 +68211,7 @@ index 73554ec..131195d 100644 ') ######################################## -@@ -421,6 +524,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +530,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -67806,7 +68237,7 @@ index 73554ec..131195d 100644 ') ######################################## -@@ -440,7 +562,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -440,7 +568,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -67814,7 +68245,7 @@ index 73554ec..131195d 100644 ') ######################################## -@@ -637,6 +758,10 @@ interface(`auth_manage_shadow',` +@@ -637,6 +764,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -67825,7 +68256,7 @@ index 73554ec..131195d 100644 ') ####################################### -@@ -736,7 +861,50 @@ interface(`auth_rw_faillog',` +@@ -736,7 +867,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -67877,7 +68308,7 @@ index 73554ec..131195d 100644 ') ####################################### -@@ -932,9 +1100,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1106,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -67911,7 +68342,7 @@ index 73554ec..131195d 100644 ') ######################################## -@@ -1387,6 +1576,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1582,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -67937,7 +68368,7 @@ index 73554ec..131195d 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1537,37 +1745,49 @@ interface(`auth_manage_login_records',` +@@ -1537,37 +1751,49 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -67997,7 +68428,7 @@ index 73554ec..131195d 100644 ##

## ## -@@ -1575,87 +1795,150 @@ interface(`auth_relabel_login_records',` +@@ -1575,87 +1801,189 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ## ## @@ -68006,11 +68437,6 @@ index 73554ec..131195d 100644 -interface(`auth_use_nsswitch',` - - files_list_var_lib($1) -- -- # read /etc/nsswitch.conf -- files_read_etc_files($1) -- -- miscfiles_read_generic_certs($1) +interface(`auth_unconfined',` + gen_require(` + attribute can_read_shadow_passwords; @@ -68018,15 +68444,14 @@ index 73554ec..131195d 100644 + attribute can_relabelto_shadow_passwords; + ') -- sysnet_dns_name_resolve($1) -- sysnet_use_ldap($1) +- # read /etc/nsswitch.conf +- files_read_etc_files($1) + typeattribute $1 can_read_shadow_passwords; + typeattribute $1 can_write_shadow_passwords; + typeattribute $1 can_relabelto_shadow_passwords; +') -- optional_policy(` -- avahi_stream_connect($1) +- miscfiles_read_generic_certs($1) +######################################## +## +## Transition to authlogin named content @@ -68037,17 +68462,16 @@ index 73554ec..131195d 100644 +## +## +# -+interface(`authlogin_filetrans_named_content',` ++interface(`auth_filetrans_named_content',` + gen_require(` + type shadow_t; + type passwd_file_t; + type faillog_t; + type wtmp_t; - ') ++ ') -- optional_policy(` -- ldap_stream_connect($1) -- ') +- sysnet_dns_name_resolve($1) +- sysnet_use_ldap($1) + files_etc_filetrans($1, passwd_file_t, file, "group") + files_etc_filetrans($1, passwd_file_t, file, "group-") + files_etc_filetrans($1, passwd_file_t, file, "passwd") @@ -68065,8 +68489,8 @@ index 73554ec..131195d 100644 + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") +') -- optional_policy(` -- likewise_stream_connect_lsassd($1) +- optional_policy(` +- avahi_stream_connect($1) +######################################## +## +## Get the attributes of the passwd passwords file. @@ -68083,14 +68507,14 @@ index 73554ec..131195d 100644 ') - optional_policy(` -- kerberos_use($1) +- ldap_stream_connect($1) - ') + files_search_etc($1) + allow $1 passwd_file_t:file getattr; +') -- optional_policy(` -- nis_use_ypbind($1) +- optional_policy(` +- likewise_stream_connect_lsassd($1) +######################################## +## +## Do not audit attempts to get the attributes @@ -68108,13 +68532,13 @@ index 73554ec..131195d 100644 ') - optional_policy(` -- nscd_socket_use($1) +- kerberos_use($1) - ') + dontaudit $1 passwd_file_t:file getattr; +') - optional_policy(` -- nslcd_stream_connect($1) +- nis_use_ypbind($1) +######################################## +## +## Read the passwd passwords file (/etc/passwd) @@ -68131,15 +68555,13 @@ index 73554ec..131195d 100644 ') - optional_policy(` -- sssd_stream_connect($1) +- nscd_socket_use($1) - ') + allow $1 passwd_file_t:file read_file_perms; +') - optional_policy(` -- samba_stream_connect_winbind($1) -- samba_read_var_files($1) -- samba_dontaudit_write_var_files($1) +- nslcd_stream_connect($1) +######################################## +## +## Do not audit attempts to read the passwd @@ -68155,15 +68577,65 @@ index 73554ec..131195d 100644 + gen_require(` + type passwd_file_t; ') -+ + +- optional_policy(` +- sssd_stream_connect($1) + dontaudit $1 passwd_file_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete the passwd ++## password file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_manage_passwd',` ++ gen_require(` ++ type passwd_file_t; + ') + +- optional_policy(` +- samba_stream_connect_winbind($1) +- samba_read_var_files($1) +- samba_dontaudit_write_var_files($1) ++ files_rw_etc_dirs($1) ++ allow $1 passwd_file_t:file manage_file_perms; ++ files_etc_filetrans($1, passwd_file_t, file, "passwd") ++ files_etc_filetrans($1, passwd_file_t, file, "passwd-") ++ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") ++ files_etc_filetrans($1, passwd_file_t, file, "group") ++ files_etc_filetrans($1, passwd_file_t, file, "group-") ++') ++ ++######################################## ++## ++## Create auth directory in the /root directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_filetrans_admin_home_content',` ++ gen_require(` ++ type auth_home_t; + ') ++ ++ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") ') ######################################## ## -## Unconfined access to the authlogin module. -+## Create, read, write, and delete the passwd -+## password file. ++## Create auth directory in the user home directory ++## with an correct label. ## -## -##

@@ -68182,30 +68654,25 @@ index 73554ec..131195d 100644 ## # -interface(`auth_unconfined',` -+interface(`auth_manage_passwd',` ++interface(`auth_filetrans_home_content',` ++ gen_require(` - attribute can_read_shadow_passwords; - attribute can_write_shadow_passwords; - attribute can_relabelto_shadow_passwords; -+ type passwd_file_t; ++ type auth_home_t; ') - typeattribute $1 can_read_shadow_passwords; - typeattribute $1 can_write_shadow_passwords; - typeattribute $1 can_relabelto_shadow_passwords; -+ files_rw_etc_dirs($1) -+ allow $1 passwd_file_t:file manage_file_perms; -+ files_etc_filetrans($1, passwd_file_t, file, "passwd") -+ files_etc_filetrans($1, passwd_file_t, file, "passwd-") -+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp") -+ files_etc_filetrans($1, passwd_file_t, file, "group") -+ files_etc_filetrans($1, passwd_file_t, file, "group-") ++ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..39d91d4 100644 +index b7a5f00..93188ef 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te -@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1) +@@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1) # Declarations # @@ -68227,11 +68694,21 @@ index b7a5f00..39d91d4 100644 attribute can_write_shadow_passwords; attribute can_relabelto_shadow_passwords; +attribute polydomain; -+attribute nsswitch_domain; ++attribute nsswitch_domain;< type auth_cache_t; logging_log_file(auth_cache_t) -@@ -21,6 +37,7 @@ role system_r types chkpwd_t; + ++type auth_home_t; ++userdom_user_home_content(auth_home_t) ++ + type chkpwd_t, can_read_shadow_passwords; + type chkpwd_exec_t; + typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t }; +-typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t }; ++typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t }; + application_domain(chkpwd_t, chkpwd_exec_t) + role system_r types chkpwd_t; type faillog_t; logging_log_file(faillog_t) @@ -68239,7 +68716,7 @@ index b7a5f00..39d91d4 100644 type lastlog_t; logging_log_file(lastlog_t) -@@ -55,6 +72,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; +@@ -55,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; @@ -68249,7 +68726,7 @@ index b7a5f00..39d91d4 100644 type updpwd_t; type updpwd_exec_t; domain_type(updpwd_t) -@@ -100,6 +120,8 @@ dev_read_urand(chkpwd_t) +@@ -100,6 +123,8 @@ dev_read_urand(chkpwd_t) files_read_etc_files(chkpwd_t) # for nscd files_dontaudit_search_var(chkpwd_t) @@ -68258,7 +68735,7 @@ index b7a5f00..39d91d4 100644 fs_dontaudit_getattr_xattr_fs(chkpwd_t) -@@ -118,7 +140,7 @@ miscfiles_read_localization(chkpwd_t) +@@ -118,7 +143,7 @@ miscfiles_read_localization(chkpwd_t) seutil_read_config(chkpwd_t) seutil_dontaudit_use_newrole_fds(chkpwd_t) @@ -68267,7 +68744,7 @@ index b7a5f00..39d91d4 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -332,6 +354,7 @@ kernel_read_system_state(updpwd_t) +@@ -332,6 +357,7 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) @@ -68275,7 +68752,7 @@ index b7a5f00..39d91d4 100644 term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -343,7 +366,7 @@ logging_send_syslog_msg(updpwd_t) +@@ -343,7 +369,7 @@ logging_send_syslog_msg(updpwd_t) miscfiles_read_localization(updpwd_t) @@ -68284,7 +68761,7 @@ index b7a5f00..39d91d4 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -371,13 +394,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -371,13 +397,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -68301,7 +68778,7 @@ index b7a5f00..39d91d4 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -388,10 +413,74 @@ ifdef(`distro_ubuntu',` +@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -68785,7 +69262,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..2409206 100644 +index 94fd8dd..ef5a3c8 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,44 @@ interface(`init_script_domain',` @@ -68823,10 +69300,10 @@ index 94fd8dd..2409206 100644 + domtrans_pattern(init_t,$2,$1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow init_t $1:unix_dgram_socket create_socket_perms; -+ allow $1 init_t:unix_stream_socket ioctl; ++ allow $1 init_t:unix_stream_socket ioctl; + allow $1 init_t:unix_dgram_socket sendto; -+ # need write to /var/run/systemd/notify -+ init_write_pid_socket($1) ++ # need write to /var/run/systemd/notify ++ init_write_pid_socket($1) + ') +') + @@ -69715,7 +70192,7 @@ index 94fd8dd..2409206 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..5ee6a57 100644 +index 29a9565..4e87d49 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -70666,7 +71143,7 @@ index 29a9565..5ee6a57 100644 + allow daemon init_t:unix_dgram_socket sendto; + # need write to /var/run/systemd/notify + init_write_pid_socket(daemon) -+ dontaudit daemon init_t:unix_stream_socket { read ioctl getattr }; ++ allow daemon init_t:unix_stream_socket { append write read getattr ioctl }; +') + +# daemons started from init will @@ -70712,7 +71189,7 @@ index 29a9565..5ee6a57 100644 + allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; + allow init_t systemprocess:unix_dgram_socket create_socket_perms; + allow systemprocess init_t:unix_dgram_socket sendto; -+ dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl }; ++ allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl }; +') + +ifdef(`hide_broken_symptoms',` @@ -73615,7 +74092,7 @@ index 8b5c196..da41726 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..f1121f7 100644 +index 15832c7..a50ceba 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,17 +17,29 @@ type mount_exec_t; @@ -73658,8 +74135,8 @@ index 15832c7..f1121f7 100644 # setuid/setgid needed to mount cifs -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid }; -+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid }; -+allow mount_t self:process { getcap getsched setcap setrlimit signal }; ++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice }; ++allow mount_t self:process { getcap getsched setsched setcap setrlimit signal }; +tunable_policy(`deny_ptrace',`',` + allow mount_t self:process ptrace; +') @@ -73696,7 +74173,7 @@ index 15832c7..f1121f7 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,65 +92,93 @@ kernel_request_load_module(mount_t) +@@ -57,65 +92,94 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -73705,6 +74182,7 @@ index 15832c7..f1121f7 100644 dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) ++dev_read_urand(mount_t) dev_read_sysfs(mount_t) dev_dontaudit_write_sysfs_dirs(mount_t) dev_rw_lvm_control(mount_t) @@ -73720,7 +74198,7 @@ index 15832c7..f1121f7 100644 dev_dontaudit_rw_generic_chr_files(mount_t) domain_use_interactive_fds(mount_t) -+domain_dontaudit_search_all_domains_state(mount_t) ++domain_read_all_domains_state(mount_t) files_search_all(mount_t) files_read_etc_files(mount_t) @@ -73799,7 +74277,7 @@ index 15832c7..f1121f7 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +189,8 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +190,8 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -73808,7 +74286,7 @@ index 15832c7..f1121f7 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +206,28 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +207,28 @@ ifdef(`distro_ubuntu',` ') ') @@ -73847,7 +74325,7 @@ index 15832c7..f1121f7 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +241,8 @@ optional_policy(` +@@ -174,6 +242,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -73856,7 +74334,7 @@ index 15832c7..f1121f7 100644 ') optional_policy(` -@@ -181,6 +250,28 @@ optional_policy(` +@@ -181,6 +251,28 @@ optional_policy(` ') optional_policy(` @@ -73885,7 +74363,7 @@ index 15832c7..f1121f7 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,21 +279,87 @@ optional_policy(` +@@ -188,21 +280,87 @@ optional_policy(` ') ') @@ -77889,7 +78367,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..0b3811d 100644 +index 4b2878a..290f54e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -78403,7 +78881,7 @@ index 4b2878a..0b3811d 100644 ############################## # -@@ -500,73 +595,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +595,83 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -78503,6 +78981,8 @@ index 4b2878a..0b3811d 100644 + auth_read_login_records($1_usertype) + auth_run_pam($1_t,$1_r) + auth_run_utempter($1_t,$1_r) ++ auth_filetrans_admin_home_content($1_t) ++ auth_filetrans_home_content($1_t) - init_read_utmp($1_t) + init_read_utmp($1_usertype) @@ -78527,7 +79007,7 @@ index 4b2878a..0b3811d 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +677,117 @@ template(`userdom_common_user_template',` +@@ -574,67 +679,113 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -78659,14 +79139,10 @@ index 4b2878a..0b3811d 100644 + mta_rw_spool($1_usertype) + mta_manage_queue($1_usertype) + mta_filetrans_home_content($1_usertype) -+ ') -+ -+ optional_policy(` -+ nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -650,40 +803,52 @@ template(`userdom_common_user_template',` +@@ -650,40 +801,52 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -78730,18 +79206,18 @@ index 4b2878a..0b3811d 100644 ') ') -@@ -712,13 +877,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +875,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) - userdom_manage_home_role($1_r, $1_t) + userdom_manage_home_role($1_r, $1_usertype) ++ ++ userdom_manage_tmp_role($1_r, $1_usertype) ++ userdom_manage_tmpfs_role($1_r, $1_usertype) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ userdom_manage_tmp_role($1_r, $1_usertype) -+ userdom_manage_tmpfs_role($1_r, $1_usertype) -+ + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) + @@ -78762,7 +79238,7 @@ index 4b2878a..0b3811d 100644 userdom_change_password_template($1) -@@ -730,78 +908,82 @@ template(`userdom_login_user_template', ` +@@ -730,78 +906,82 @@ template(`userdom_login_user_template', ` allow $1_t self:capability { setgid chown fowner }; dontaudit $1_t self:capability { sys_nice fsetid }; @@ -78837,10 +79313,10 @@ index 4b2878a..0b3811d 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) - seutil_read_config($1_t) ++ seutil_read_config($1_usertype) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -78879,7 +79355,7 @@ index 4b2878a..0b3811d 100644 ') ') -@@ -833,6 +1015,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1013,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -78889,7 +79365,7 @@ index 4b2878a..0b3811d 100644 ############################## # # Local policy -@@ -874,45 +1059,114 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1057,114 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -79015,7 +79491,7 @@ index 4b2878a..0b3811d 100644 ') ') -@@ -947,7 +1201,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -79024,7 +79500,7 @@ index 4b2878a..0b3811d 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1210,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -79042,7 +79518,7 @@ index 4b2878a..0b3811d 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1235,60 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1233,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -79112,7 +79588,7 @@ index 4b2878a..0b3811d 100644 ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1297,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1295,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -79123,7 +79599,7 @@ index 4b2878a..0b3811d 100644 ') ') -@@ -1039,7 +1335,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1333,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -79132,7 +79608,7 @@ index 4b2878a..0b3811d 100644 ') ############################## -@@ -1065,7 +1361,11 @@ template(`userdom_admin_user_template',` +@@ -1065,7 +1359,11 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -79145,7 +79621,7 @@ index 4b2878a..0b3811d 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1372,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -79155,7 +79631,7 @@ index 4b2878a..0b3811d 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1389,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -79163,7 +79639,7 @@ index 4b2878a..0b3811d 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1407,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -79177,7 +79653,7 @@ index 4b2878a..0b3811d 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1426,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1424,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -79220,7 +79696,7 @@ index 4b2878a..0b3811d 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1465,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -79229,7 +79705,7 @@ index 4b2878a..0b3811d 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1526,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -79238,7 +79714,7 @@ index 4b2878a..0b3811d 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1542,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1540,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -79249,7 +79725,7 @@ index 4b2878a..0b3811d 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1553,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -79278,7 +79754,7 @@ index 4b2878a..0b3811d 100644 ') optional_policy(` -@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1581,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -79294,7 +79770,7 @@ index 4b2878a..0b3811d 100644 ') optional_policy(` -@@ -1279,11 +1611,60 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1609,60 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -79355,7 +79831,7 @@ index 4b2878a..0b3811d 100644 ubac_constrained($1) ') -@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1774,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -79363,15 +79839,11 @@ index 4b2878a..0b3811d 100644 files_search_home($1) ') -@@ -1441,11 +1823,19 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1821,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) --') - --######################################## --##

--## Do not audit attempts to list user home subdirectories. ++ + tunable_policy(`use_nfs_home_dirs',` + fs_list_nfs($1) + ') @@ -79379,15 +79851,10 @@ index 4b2878a..0b3811d 100644 + tunable_policy(`use_samba_home_dirs',` + fs_list_cifs($1) + ') -+') -+ -+######################################## -+## -+## Do not audit attempts to list user home subdirectories. - ## - ## - ## -@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',` + ') + + ######################################## +@@ -1456,9 +1844,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -79399,7 +79866,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1905,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -79442,7 +79909,7 @@ index 4b2878a..0b3811d 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2015,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -79451,7 +79918,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2031,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -79466,7 +79933,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2079,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -79510,7 +79977,7 @@ index 4b2878a..0b3811d 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2135,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -79536,7 +80003,7 @@ index 4b2878a..0b3811d 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2186,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -79569,7 +80036,7 @@ index 4b2878a..0b3811d 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2222,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -79587,7 +80054,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2288,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -79648,7 +80115,7 @@ index 4b2878a..0b3811d 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2373,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -79658,7 +80125,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -1827,21 +2391,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2389,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -79672,19 +80139,18 @@ index 4b2878a..0b3811d 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2497,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -79709,7 +80175,7 @@ index 4b2878a..0b3811d 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2582,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -79718,7 +80184,7 @@ index 4b2878a..0b3811d 100644 files_search_home($1) ') -@@ -2039,7 +2615,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2613,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -79727,7 +80193,7 @@ index 4b2878a..0b3811d 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2756,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -79736,7 +80202,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -2390,7 +2966,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2964,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -79745,7 +80211,7 @@ index 4b2878a..0b3811d 100644 files_search_tmp($1) ') -@@ -2419,6 +2995,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +2993,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -79771,7 +80237,7 @@ index 4b2878a..0b3811d 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3030,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3028,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -79787,7 +80253,7 @@ index 4b2878a..0b3811d 100644 ## ## ## -@@ -2462,7 +3058,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3056,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -79796,7 +80262,7 @@ index 4b2878a..0b3811d 100644 ## ## ## -@@ -2470,14 +3066,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3064,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -79831,7 +80297,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -2572,6 +3184,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +3182,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -79856,7 +80322,7 @@ index 4b2878a..0b3811d 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +3220,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +3218,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -79899,7 +80365,7 @@ index 4b2878a..0b3811d 100644 ## ## ## -@@ -2614,14 +3256,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3254,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -79937,7 +80403,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -2640,36 +3301,32 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3299,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -79945,129 +80411,50 @@ index 4b2878a..0b3811d 100644 - dontaudit $1 user_devpts_t:chr_file rw_term_perms; + dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms; - ') - ++') + - ######################################## - ## --## Execute a shell in all user domains. This --## is an explicit transition, requiring the --## caller to use setexeccon(). ++ ++######################################## ++## +## Get attributes of user domain tty and pty. - ## - ## - ## --## Domain allowed to transition. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`userdom_spec_domtrans_all_users',` ++## ++## ++# +interface(`userdom_getattr_user_terminals',` - gen_require(` -- attribute userdomain; ++ gen_require(` + type user_tty_device_t, user_devpts_t; - ') - -- corecmd_shell_spec_domtrans($1, userdomain) -- allow userdomain $1:fd use; -- allow userdomain $1:fifo_file rw_file_perms; -- allow userdomain $1:process sigchld; ++ ') ++ + allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; ') ######################################## - ## --## Execute an Xserver session in all unprivileged user domains. This -+## Execute a shell in all user domains. This - ## is an explicit transition, requiring the - ## caller to use setexeccon(). - ## -@@ -2679,12 +3336,12 @@ interface(`userdom_spec_domtrans_all_users',` - ## - ## - # --interface(`userdom_xsession_spec_domtrans_all_users',` -+interface(`userdom_spec_domtrans_all_users',` - gen_require(` - attribute userdomain; - ') - -- xserver_xsession_spec_domtrans($1, userdomain) -+ corecmd_shell_spec_domtrans($1, userdomain) - allow userdomain $1:fd use; - allow userdomain $1:fifo_file rw_file_perms; - allow userdomain $1:process sigchld; -@@ -2692,7 +3349,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',` - - ######################################## - ## --## Execute a shell in all unprivileged user domains. This -+## Execute an Xserver session in all unprivileged user domains. This - ## is an explicit transition, requiring the - ## caller to use setexeccon(). - ## -@@ -2702,20 +3359,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',` - ## - ## - # --interface(`userdom_spec_domtrans_unpriv_users',` -+interface(`userdom_xsession_spec_domtrans_all_users',` - gen_require(` -- attribute unpriv_userdomain; -+ attribute userdomain; - ') - -- corecmd_shell_spec_domtrans($1, unpriv_userdomain) -- allow unpriv_userdomain $1:fd use; -- allow unpriv_userdomain $1:fifo_file rw_file_perms; -- allow unpriv_userdomain $1:process sigchld; -+ xserver_xsession_spec_domtrans($1, userdomain) -+ allow userdomain $1:fd use; -+ allow userdomain $1:fifo_file rw_file_perms; -+ allow userdomain $1:process sigchld; - ') - - ######################################## - ## --## Execute an Xserver session in all unprivileged user domains. This -+## Execute a shell in all unprivileged user domains. This - ## is an explicit transition, requiring the - ## caller to use setexeccon(). - ## -@@ -2725,57 +3382,61 @@ interface(`userdom_spec_domtrans_unpriv_users',` - ## - ## - # --interface(`userdom_xsession_spec_domtrans_unpriv_users',` -+interface(`userdom_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') - -- xserver_xsession_spec_domtrans($1, unpriv_userdomain) -+ corecmd_shell_spec_domtrans($1, unpriv_userdomain) - allow unpriv_userdomain $1:fd use; - allow unpriv_userdomain $1:fifo_file rw_file_perms; +@@ -2713,45 +3391,45 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') --####################################### +-######################################## +##################################### ## --## Read and write unpriviledged user SysV sempaphores. +-## Execute an Xserver session in all unprivileged user domains. This +-## is an explicit transition, requiring the +-## caller to use setexeccon(). +## Allow domain dyntrans to unpriv userdomain. ## ## -## --## Domain allowed access. +-## Domain allowed to transition. -## +## +## Domain allowed access. +## ## # --interface(`userdom_rw_unpriv_user_semaphores',` +-interface(`userdom_xsession_spec_domtrans_unpriv_users',` - gen_require(` - attribute unpriv_userdomain; - ') @@ -80076,13 +80463,17 @@ index 4b2878a..0b3811d 100644 + attribute unpriv_userdomain; + ') -- allow $1 unpriv_userdomain:sem rw_sem_perms; +- xserver_xsession_spec_domtrans($1, unpriv_userdomain) +- allow unpriv_userdomain $1:fd use; +- allow unpriv_userdomain $1:fifo_file rw_file_perms; +- allow unpriv_userdomain $1:process sigchld; + allow $1 unpriv_userdomain:process dyntransition; ') - ######################################## +-####################################### ++######################################## ## --## Manage unpriviledged user SysV sempaphores. +-## Read and write unpriviledged user SysV sempaphores. +## Execute an Xserver session in all unprivileged user domains. This +## is an explicit transition, requiring the +## caller to use setexeccon(). @@ -80094,44 +80485,47 @@ index 4b2878a..0b3811d 100644 ## ## # --interface(`userdom_manage_unpriv_user_semaphores',` +-interface(`userdom_rw_unpriv_user_semaphores',` +interface(`userdom_xsession_spec_domtrans_unpriv_users',` gen_require(` attribute unpriv_userdomain; ') -- allow $1 unpriv_userdomain:sem create_sem_perms; +- allow $1 unpriv_userdomain:sem rw_sem_perms; + xserver_xsession_spec_domtrans($1, unpriv_userdomain) + allow unpriv_userdomain $1:fd use; + allow unpriv_userdomain $1:fifo_file rw_file_perms; + allow unpriv_userdomain $1:process sigchld; ') + ######################################## +@@ -2772,25 +3450,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` + allow $1 unpriv_userdomain:sem create_sem_perms; + ') + -####################################### -+######################################## - ## +-## -## Read and write unpriviledged user SysV shared -## memory segments. -+## Manage unpriviledged user SysV sempaphores. - ## - ## - ## -@@ -2783,12 +3444,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` - ## - ## - # +-## +-## +-## +-## Domain allowed access. +-## +-## +-# -interface(`userdom_rw_unpriv_user_shared_mem',` -+interface(`userdom_manage_unpriv_user_semaphores',` - gen_require(` - attribute unpriv_userdomain; - ') - +- gen_require(` +- attribute unpriv_userdomain; +- ') +- - allow $1 unpriv_userdomain:shm rw_shm_perms; -+ allow $1 unpriv_userdomain:sem create_sem_perms; - ') - +-') +- ######################################## -@@ -2852,7 +3513,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` + ## + ## Manage unpriviledged user SysV shared +@@ -2852,7 +3511,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -80140,7 +80534,7 @@ index 4b2878a..0b3811d 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3529,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3527,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -80174,7 +80568,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -2972,7 +3617,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3615,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -80183,7 +80577,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -3027,7 +3672,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3670,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -80230,7 +80624,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -3045,7 +3728,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3726,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -80239,7 +80633,7 @@ index 4b2878a..0b3811d 100644 ') ######################################## -@@ -3064,6 +3747,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3745,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -80247,7 +80641,7 @@ index 4b2878a..0b3811d 100644 kernel_search_proc($1) ') -@@ -3142,6 +3826,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3824,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -80272,7 +80666,7 @@ index 4b2878a..0b3811d 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3160,6 +3862,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3860,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -80297,7 +80691,7 @@ index 4b2878a..0b3811d 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3914,1186 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3912,1186 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2b1ae32..ec365e3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 58%{?dist} +Release: 61%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -470,6 +470,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Nov 23 2011 Miroslav Grepl 3.10.0-59 +- Allow mcelog_t to create dir and file in /var/run and label it correctly +- Allow dbus to manage fusefs +- Mount needs to read process state when mounting gluster file systems +- Allow collectd-web to read collectd lib files +- Allow daemons and system processes started by init to read/write the unix_stream_socket passed in from as stdin/stdout/stderr +- Allow colord to get the attributes of tmpfs filesystem +- Add sanlock_use_nfs and sanlock_use_samba booleans +- Add bin_t label for /usr/lib/virtualbox/VBoxManage + * Wed Nov 16 2011 Miroslav Grepl 3.10.0-58 - Add ssh_dontaudit_search_home_dir - Changes to allow namespace_init_t to work