diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 73387ff..b8c55f3 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -765,7 +765,7 @@ index 66e85ea..d02654d 100644 ## user domains. ##

diff --git a/policy/global_tunables b/policy/global_tunables -index 4705ab6..629fe1b 100644 +index 4705ab6..b7e7ea5 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -6,52 +6,59 @@ @@ -854,7 +854,7 @@ index 4705ab6..629fe1b 100644 ## Allow any files/directories to be exported read/write via NFS. ##

## -@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false) +@@ -105,9 +103,30 @@ gen_tunable(use_samba_home_dirs,false) ## ##

@@ -880,6 +880,12 @@ index 4705ab6..629fe1b 100644 -gen_tunable(user_tcp_server,false) +gen_tunable(selinuxuser_tcp_server,false) + ++## ++##

++## Allow the mount commands to mount any directory or file. ++##

++##
++gen_tunable(mount_anyfile, false) diff --git a/policy/mcs b/policy/mcs index 216b3d1..81bc8c4 100644 --- a/policy/mcs @@ -2865,7 +2871,7 @@ index d555767..4165b4d 100644 + stapserver_manage_lib(useradd_t) +') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if -index 1dc7a85..dcc6337 100644 +index 1dc7a85..c6f4da0 100644 --- a/policy/modules/apps/seunshare.if +++ b/policy/modules/apps/seunshare.if @@ -43,18 +43,18 @@ interface(`seunshare_run',` @@ -2894,7 +2900,7 @@ index 1dc7a85..dcc6337 100644 ## ## ## Role allowed access. -@@ -66,15 +66,43 @@ interface(`seunshare_run',` +@@ -66,15 +66,44 @@ interface(`seunshare_run',` ## ## # @@ -2933,6 +2939,7 @@ index 1dc7a85..dcc6337 100644 + ') + + ps_process_pattern($3, $1_seunshare_t) ++ dontaudit $1_seunshare_t $3:file read; + allow $3 $1_seunshare_t:process signal_perms; + allow $3 $1_seunshare_t:fd use; + @@ -8382,7 +8389,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..5376a48 100644 +index cf04cb5..19c3e01 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8510,7 +8517,7 @@ index cf04cb5..5376a48 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,287 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8531,6 +8538,10 @@ index cf04cb5..5376a48 100644 +') + +optional_policy(` ++ mandb_filetrans_named_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + seutil_filetrans_named_content(unconfined_domain_type) +') + @@ -8600,6 +8611,10 @@ index cf04cb5..5376a48 100644 +') + +optional_policy(` ++ iscsi_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + kerberos_filetrans_named_content(unconfined_domain_type) +') + @@ -8608,6 +8623,10 @@ index cf04cb5..5376a48 100644 +') + +optional_policy(` ++ mplayer_filetrans_home_content(unconfined_domain_type) ++') ++ ++optional_policy(` + modules_filetrans_named_content(unconfined_domain_type) +') + @@ -20774,7 +20793,7 @@ index d1f64a0..97140ee 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..f0080ba 100644 +index 6bf0ecc..18223e7 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -21246,7 +21265,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -765,11 +904,71 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +904,91 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -21262,6 +21281,26 @@ index 6bf0ecc..f0080ba 100644 + +######################################## +## ++## Allow domain to append XDM unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++ ++interface(`xserver_append_xdm_stream_socket',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:unix_stream_socket append; ++') ++ ++######################################## ++## +## Read XDM files in user home directories. +## +## @@ -21320,7 +21359,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -793,6 +992,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +1012,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -21346,7 +21385,7 @@ index 6bf0ecc..f0080ba 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +1024,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +1044,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -21373,7 +21412,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -846,7 +1082,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1102,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -21401,7 +21440,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -869,6 +1124,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1144,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -21426,7 +21465,7 @@ index 6bf0ecc..f0080ba 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,7 +1211,26 @@ interface(`xserver_getattr_log',` +@@ -938,7 +1231,26 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -21454,7 +21493,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -957,7 +1249,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -957,7 +1269,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -21463,7 +21502,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -1004,6 +1296,45 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1316,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -21509,7 +21548,7 @@ index 6bf0ecc..f0080ba 100644 ## Read xdm temporary files. ## ## -@@ -1017,7 +1348,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1368,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -21518,113 +21557,73 @@ index 6bf0ecc..f0080ba 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,53 +1410,91 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,7 +1430,43 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## -## Do not audit attempts to get the attributes of --## xdm temporary named sockets. +## Create, read, write, and delete xdm temporary dirs. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` ++## ++## ++# +interface(`xserver_relabel_xdm_tmp_dirs',` - gen_require(` - type xdm_tmp_t; - ') - -- dontaudit $1 xdm_tmp_t:sock_file getattr; -+ allow $1 xdm_tmp_t:dir relabel_dir_perms; - ') - - ######################################## - ## --## Execute the X server in the X server domain. -+## Create, read, write, and delete xdm temporary dirs. - ## - ## - ## --## Domain allowed to transition. -+## Domain allowed access. - ## - ## - # --interface(`xserver_domtrans',` -+interface(`xserver_manage_xdm_tmp_dirs',` - gen_require(` -- type xserver_t, xserver_exec_t; -+ type xdm_tmp_t; - ') - -- allow $1 xserver_t:process siginh; -- domtrans_pattern($1, xserver_exec_t, xserver_t) -+ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t) - ') - - ######################################## - ## --## Signal X servers -+## Do not audit attempts to get the attributes of -+## xdm temporary named sockets. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`xserver_signal',` -+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + gen_require(` + type xdm_tmp_t; + ') + -+ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; ++ allow $1 xdm_tmp_t:dir relabel_dir_perms; +') + +######################################## +## -+## Execute the X server in the X server domain. ++## Create, read, write, and delete xdm temporary dirs. +## +## +## -+## Domain allowed to transition. ++## Domain allowed access. +## +## +# -+interface(`xserver_domtrans',` ++interface(`xserver_manage_xdm_tmp_dirs',` + gen_require(` -+ type xserver_t, xserver_exec_t; ++ type xdm_tmp_t; + ') + -+ allow $1 xserver_t:process siginh; -+ domtrans_pattern($1, xserver_exec_t, xserver_t) -+ -+ allow xserver_t $1:process getpgid; ++ manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t) +') + +######################################## +## -+## Signal X servers -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`xserver_signal',` - gen_require(` - type xserver_t; ++## Do not audit attempts to get the attributes of + ## xdm temporary named sockets. + ## + ## +@@ -1093,7 +1480,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + type xdm_tmp_t; ') -@@ -1210,6 +1579,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` + +- dontaudit $1 xdm_tmp_t:sock_file getattr; ++ dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; + ') + + ######################################## +@@ -1111,8 +1498,10 @@ interface(`xserver_domtrans',` + type xserver_t, xserver_exec_t; + ') + +- allow $1 xserver_t:process siginh; ++ allow $1 xserver_t:process siginh; + domtrans_pattern($1, xserver_exec_t, xserver_t) ++ ++ allow xserver_t $1:process getpgid; + ') + + ######################################## +@@ -1210,6 +1599,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -21650,7 +21649,7 @@ index 6bf0ecc..f0080ba 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1614,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1634,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -21677,7 +21676,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -1251,7 +1659,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1679,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -21686,7 +21685,7 @@ index 6bf0ecc..f0080ba 100644 ## ## ## -@@ -1261,13 +1669,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1689,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -21711,7 +21710,7 @@ index 6bf0ecc..f0080ba 100644 ') ######################################## -@@ -1284,10 +1702,604 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1722,604 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -26945,7 +26944,7 @@ index 24e7804..d0780a9 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..71d7cb6 100644 +index dd3be8d..8cda2bb 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,24 @@ gen_require(` @@ -27185,7 +27184,7 @@ index dd3be8d..71d7cb6 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +273,178 @@ ifdef(`distro_gentoo',` +@@ -186,29 +273,182 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -27213,9 +27212,14 @@ index dd3be8d..71d7cb6 100644 + +optional_policy(` + gnome_filetrans_home_content(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) ++ iscsi_read_lib_files(init_t) + ') + + optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) +') @@ -27344,14 +27348,13 @@ index dd3be8d..71d7cb6 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + consolekit_manage_log(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -27372,7 +27375,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -216,6 +452,27 @@ optional_policy(` +@@ -216,6 +456,27 @@ optional_policy(` ') optional_policy(` @@ -27400,7 +27403,7 @@ index dd3be8d..71d7cb6 100644 unconfined_domain(init_t) ') -@@ -225,8 +482,9 @@ optional_policy(` +@@ -225,8 +486,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -27412,7 +27415,7 @@ index dd3be8d..71d7cb6 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +515,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +519,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -27429,7 +27432,7 @@ index dd3be8d..71d7cb6 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +540,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -27472,7 +27475,7 @@ index dd3be8d..71d7cb6 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +577,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +581,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -27484,7 +27487,7 @@ index dd3be8d..71d7cb6 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +589,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +593,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -27495,7 +27498,7 @@ index dd3be8d..71d7cb6 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +600,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +604,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -27505,7 +27508,7 @@ index dd3be8d..71d7cb6 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +609,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +613,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -27513,7 +27516,7 @@ index dd3be8d..71d7cb6 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +616,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -27521,7 +27524,7 @@ index dd3be8d..71d7cb6 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +624,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +628,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -27539,7 +27542,7 @@ index dd3be8d..71d7cb6 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +642,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +646,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -27553,7 +27556,7 @@ index dd3be8d..71d7cb6 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +657,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +661,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -27567,7 +27570,7 @@ index dd3be8d..71d7cb6 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +670,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +674,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -27575,7 +27578,7 @@ index dd3be8d..71d7cb6 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +682,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +686,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -27583,7 +27586,7 @@ index dd3be8d..71d7cb6 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +701,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +705,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -27607,7 +27610,7 @@ index dd3be8d..71d7cb6 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +734,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +738,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -27615,7 +27618,7 @@ index dd3be8d..71d7cb6 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +768,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -27626,7 +27629,7 @@ index dd3be8d..71d7cb6 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +792,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +796,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -27635,7 +27638,7 @@ index dd3be8d..71d7cb6 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +807,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +811,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -27643,7 +27646,7 @@ index dd3be8d..71d7cb6 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +828,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +832,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -27651,7 +27654,7 @@ index dd3be8d..71d7cb6 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +838,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +842,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -27696,7 +27699,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -558,14 +883,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +887,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -27728,7 +27731,7 @@ index dd3be8d..71d7cb6 100644 ') ') -@@ -576,6 +918,39 @@ ifdef(`distro_suse',` +@@ -576,6 +922,39 @@ ifdef(`distro_suse',` ') ') @@ -27768,7 +27771,7 @@ index dd3be8d..71d7cb6 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +963,8 @@ optional_policy(` +@@ -588,6 +967,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -27777,7 +27780,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -609,6 +986,7 @@ optional_policy(` +@@ -609,6 +990,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -27785,7 +27788,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -625,6 +1003,17 @@ optional_policy(` +@@ -625,6 +1007,17 @@ optional_policy(` ') optional_policy(` @@ -27803,7 +27806,7 @@ index dd3be8d..71d7cb6 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1030,13 @@ optional_policy(` +@@ -641,9 +1034,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -27817,7 +27820,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -656,15 +1049,11 @@ optional_policy(` +@@ -656,15 +1053,11 @@ optional_policy(` ') optional_policy(` @@ -27835,7 +27838,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -685,6 +1074,15 @@ optional_policy(` +@@ -685,6 +1078,15 @@ optional_policy(` ') optional_policy(` @@ -27851,7 +27854,7 @@ index dd3be8d..71d7cb6 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1123,7 @@ optional_policy(` +@@ -725,6 +1127,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -27859,7 +27862,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -742,7 +1141,14 @@ optional_policy(` +@@ -742,7 +1145,14 @@ optional_policy(` ') optional_policy(` @@ -27874,7 +27877,7 @@ index dd3be8d..71d7cb6 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1171,10 @@ optional_policy(` +@@ -765,6 +1175,10 @@ optional_policy(` ') optional_policy(` @@ -27885,7 +27888,7 @@ index dd3be8d..71d7cb6 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1184,20 @@ optional_policy(` +@@ -774,10 +1188,20 @@ optional_policy(` ') optional_policy(` @@ -27906,7 +27909,7 @@ index dd3be8d..71d7cb6 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1206,10 @@ optional_policy(` +@@ -786,6 +1210,10 @@ optional_policy(` ') optional_policy(` @@ -27917,7 +27920,7 @@ index dd3be8d..71d7cb6 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1231,6 @@ optional_policy(` +@@ -807,8 +1235,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -27926,7 +27929,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -817,6 +1239,10 @@ optional_policy(` +@@ -817,6 +1243,10 @@ optional_policy(` ') optional_policy(` @@ -27937,7 +27940,7 @@ index dd3be8d..71d7cb6 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1252,12 @@ optional_policy(` +@@ -826,10 +1256,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -27950,7 +27953,7 @@ index dd3be8d..71d7cb6 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1284,27 @@ optional_policy(` +@@ -856,12 +1288,27 @@ optional_policy(` ') optional_policy(` @@ -27979,7 +27982,7 @@ index dd3be8d..71d7cb6 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1314,18 @@ optional_policy(` +@@ -871,6 +1318,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -27998,7 +28001,7 @@ index dd3be8d..71d7cb6 100644 ') optional_policy(` -@@ -886,6 +1341,10 @@ optional_policy(` +@@ -886,6 +1345,10 @@ optional_policy(` ') optional_policy(` @@ -28009,7 +28012,7 @@ index dd3be8d..71d7cb6 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1355,196 @@ optional_policy(` +@@ -896,3 +1359,196 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -28436,7 +28439,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..b6e9ebc 100644 +index 9e54bf9..468dc31 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28462,7 +28465,7 @@ index 9e54bf9..b6e9ebc 100644 allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; +allow ipsec_t self:netlink_selinux_socket create_socket_perms; -+allow ipsec_t self:unix_stream_socket create_stream_socket_perms; ++allow ipsec_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ipsec_t ipsec_initrc_exec_t:file read_file_perms; @@ -28737,7 +28740,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..022d91d 100644 +index 5dfa44b..2502d06 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; @@ -28834,15 +28837,20 @@ index 5dfa44b..022d91d 100644 ') optional_policy(` -@@ -124,6 +129,7 @@ optional_policy(` +@@ -124,6 +129,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) + psad_write_log(iptables_t) ++') ++ ++optional_policy(` ++ quantum_rw_inherited_pipes(iptables_t) ++ quantum_sigchld(iptables_t) ') optional_policy(` -@@ -135,9 +141,9 @@ optional_policy(` +@@ -135,9 +146,9 @@ optional_policy(` ') optional_policy(` @@ -29526,7 +29534,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index c04ac46..e06286c 100644 +index c04ac46..799d194 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -29650,15 +29658,19 @@ index c04ac46..e06286c 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,6 +211,7 @@ allow sulogin_t self:sem create_sem_perms; +@@ -215,37 +211,55 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; +kernel_read_crypto_sysctls(sulogin_t) kernel_read_system_state(sulogin_t) ++dev_getattr_all_chr_files(sulogin_t) ++dev_getattr_all_blk_files(sulogin_t) ++ fs_search_auto_mountpoints(sulogin_t) -@@ -223,13 +220,16 @@ fs_rw_tmpfs_chr_files(sulogin_t) + fs_rw_tmpfs_chr_files(sulogin_t) + files_read_etc_files(sulogin_t) # because file systems are not mounted: files_dontaudit_search_isid_type_dirs(sulogin_t) @@ -29675,7 +29687,9 @@ index c04ac46..e06286c 100644 seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) -@@ -238,14 +238,24 @@ userdom_use_unpriv_users_fds(sulogin_t) + userdom_use_unpriv_users_fds(sulogin_t) + ++userdom_search_admin_dir(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -29702,7 +29716,7 @@ index c04ac46..e06286c 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +266,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -31325,7 +31339,7 @@ index fc28bc3..2960ed7 100644 + files_var_filetrans($1, public_content_t, dir, "ftp") +') diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te -index d6293de..3225647 100644 +index d6293de..8f8d80d 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2) @@ -31336,6 +31350,19 @@ index d6293de..3225647 100644 attribute cert_type; # +@@ -48,10 +47,10 @@ files_type(man_cache_t) + # Types for public content + # + type public_content_t; #, customizable; +-files_type(public_content_t) ++files_mountpoint(public_content_t) + + type public_content_rw_t; #, customizable; +-files_type(public_content_rw_t) ++files_mountpoint(public_content_rw_t) + + # + # Base type for the tests directory. diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index 9933677..b155a0d 100644 --- a/policy/modules/system/modutils.fc @@ -32054,16 +32081,20 @@ index 4584457..e432df3 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..8288fd0 100644 +index 6a50270..fa545e7 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te -@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1) - ## Allow the mount command to mount any directory or file. - ##

- ## --gen_tunable(allow_mount_anyfile, false) -+gen_tunable(mount_anyfile, false) +@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) + # Declarations + # +-## +-##

+-## Allow the mount command to mount any directory or file. +-##

+-##
+-gen_tunable(allow_mount_anyfile, false) +- -attribute_role mount_roles; -roleattribute system_r mount_roles; +#attribute_role mount_roles; @@ -32129,7 +32160,7 @@ index 6a50270..8288fd0 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t) +@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -32155,7 +32186,7 @@ index 6a50270..8288fd0 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t) +@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -32206,7 +32237,7 @@ index 6a50270..8288fd0 100644 files_read_isid_type_files(mount_t) # For reading cert files files_read_usr_files(mount_t) -@@ -92,28 +148,39 @@ files_list_mnt(mount_t) +@@ -92,28 +141,39 @@ files_list_mnt(mount_t) files_dontaudit_write_all_mountpoints(mount_t) files_dontaudit_setattr_all_mountpoints(mount_t) @@ -32252,7 +32283,7 @@ index 6a50270..8288fd0 100644 term_dontaudit_manage_pty_dirs(mount_t) auth_use_nsswitch(mount_t) -@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t) +@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) @@ -32276,7 +32307,7 @@ index 6a50270..8288fd0 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',` +@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',` ') ') @@ -32316,7 +32347,7 @@ index 6a50270..8288fd0 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -179,6 +252,9 @@ optional_policy(` +@@ -179,6 +245,9 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -32326,7 +32357,7 @@ index 6a50270..8288fd0 100644 ') optional_policy(` -@@ -186,6 +262,40 @@ optional_policy(` +@@ -186,6 +255,40 @@ optional_policy(` ') optional_policy(` @@ -32367,7 +32398,7 @@ index 6a50270..8288fd0 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -194,24 +304,128 @@ optional_policy(` +@@ -194,24 +297,128 @@ optional_policy(` ') optional_policy(` @@ -34346,7 +34377,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..fda9b8a 100644 +index b7686d5..9c7aa79 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -34678,7 +34709,7 @@ index b7686d5..fda9b8a 100644 ') optional_policy(` -@@ -339,7 +423,11 @@ optional_policy(` +@@ -339,7 +423,15 @@ optional_policy(` ') optional_policy(` @@ -34687,16 +34718,24 @@ index b7686d5..fda9b8a 100644 +') + +optional_policy(` ++ libs_exec_ldconfig(ifconfig_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(ifconfig_t) ') optional_policy(` -@@ -360,3 +448,9 @@ optional_policy(` +@@ -360,3 +452,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') + +optional_policy(` ++ iptables_domtrans(ifconfig_t) ++') ++ ++optional_policy(` + tunable_policy(`dhcpc_exec_iptables',` + iptables_domtrans(dhcpc_t) + ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index f091d89..68c500f 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -518,7 +518,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..5e60ff3 100644 +index cc43d25..b4c749b 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -668,8 +668,9 @@ index cc43d25..5e60ff3 100644 # -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; +-dontaudit abrt_t self:capability sys_rawio; +allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace }; - dontaudit abrt_t self:capability sys_rawio; ++dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + allow abrt_t self:fifo_file rw_fifo_file_perms; @@ -1097,7 +1098,7 @@ index bd5ec9a..a5ed692 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/accountsd.te b/accountsd.te -index 313b33f..f9d3343 100644 +index 313b33f..6e0a894 100644 --- a/accountsd.te +++ b/accountsd.te @@ -4,6 +4,10 @@ gen_require(` @@ -1136,16 +1137,18 @@ index 313b33f..f9d3343 100644 fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) -@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t) +@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t) auth_read_login_records(accountsd_t) auth_read_shadow(accountsd_t) -miscfiles_read_localization(accountsd_t) +init_dbus_chat(accountsd_t) ++logging_list_logs(accountsd_t) logging_send_syslog_msg(accountsd_t) logging_set_loginuid(accountsd_t) -@@ -65,9 +72,16 @@ optional_policy(` + +@@ -65,9 +73,16 @@ optional_policy(` ') optional_policy(` @@ -1883,24 +1886,41 @@ index cda6d20..fbe259e 100644 userdom_manage_unpriv_user_semaphores(alsa_t) userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) +diff --git a/amanda.fc b/amanda.fc +index 7f4dfbc..4d750fa 100644 +--- a/amanda.fc ++++ b/amanda.fc +@@ -13,6 +13,8 @@ + /usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + ++/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0) ++ + /usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0) + /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) + diff --git a/amanda.te b/amanda.te -index ed45974..46e2c0d 100644 +index ed45974..95b56a6 100644 --- a/amanda.te +++ b/amanda.te -@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles; +@@ -9,11 +9,13 @@ attribute_role amanda_recover_roles; roleattribute system_r amanda_recover_roles; type amanda_t; +type amanda_exec_t; type amanda_inetd_exec_t; - inetd_service_domain(amanda_t, amanda_inetd_exec_t) +-inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++init_daemon_domain(amanda_t, amanda_exec_t) ++role system_r types amanda_t; -type amanda_exec_t; -domain_entry_file(amanda_t, amanda_exec_t) ++type amanda_unit_file_t; ++systemd_unit_file(amanda_unit_file_t) type amanda_log_t; logging_log_file(amanda_log_t) -@@ -60,7 +59,7 @@ optional_policy(` +@@ -60,7 +62,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; @@ -1909,7 +1929,7 @@ index ed45974..46e2c0d 100644 allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; -@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms; +@@ -71,6 +73,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) @@ -1917,7 +1937,7 @@ index ed45974..46e2c0d 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,13 +103,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) @@ -1925,7 +1945,15 @@ index ed45974..46e2c0d 100644 corenet_all_recvfrom_netlabel(amanda_t) corenet_tcp_sendrecv_generic_if(amanda_t) corenet_tcp_sendrecv_generic_node(amanda_t) -@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t) + corenet_tcp_sendrecv_all_ports(amanda_t) + corenet_tcp_bind_generic_node(amanda_t) + ++corenet_tcp_bind_amanda_port(amanda_t) ++ + corenet_sendrecv_all_server_packets(amanda_t) + corenet_tcp_bind_all_rpc_ports(amanda_t) + corenet_tcp_bind_generic_port(amanda_t) +@@ -170,7 +174,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -1933,7 +1961,7 @@ index ed45974..46e2c0d 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +198,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -1949,6 +1977,10 @@ index ed45974..46e2c0d 100644 userdom_search_user_home_content(amanda_recover_t) + +optional_policy(` ++ inetd_service_domain(amanda_t, amanda_inetd_exec_t) ++') ++ ++optional_policy(` + fstools_domtrans(amanda_t) + fstools_signal(amanda_t) +') @@ -2527,10 +2559,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..1a35e88 +index 0000000..36cb011 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,248 @@ +@@ -0,0 +1,252 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2753,6 +2785,10 @@ index 0000000..1a35e88 +') + +optional_policy(` ++ mysql_stream_connect(antivirus_domain) ++') ++ ++optional_policy(` + postfix_read_config(antivirus_domain) + postfix_list_spool(antivirus_domain) +') @@ -4475,10 +4511,10 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..3a12c26 100644 +index 1a82e29..a434dfd 100644 --- a/apache.te +++ b/apache.te -@@ -1,297 +1,360 @@ +@@ -1,297 +1,367 @@ -policy_module(apache, 2.6.10) +policy_module(apache, 2.4.0) + @@ -4895,6 +4931,13 @@ index 1a82e29..3a12c26 100644 -## nfs file systems. -##

+##

++## Allow httpd to connect to sasl ++##

++## ++gen_tunable(httpd_use_sasl, false) ++ ++## ++##

+## Allow httpd to access nfs file systems +##

##
@@ -4988,7 +5031,7 @@ index 1a82e29..3a12c26 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5001,7 +5044,7 @@ index 1a82e29..3a12c26 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t; +@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5023,7 +5066,7 @@ index 1a82e29..3a12c26 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -5043,7 +5086,7 @@ index 1a82e29..3a12c26 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; @@ -5094,7 +5137,7 @@ index 1a82e29..3a12c26 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5136,7 +5179,7 @@ index 1a82e29..3a12c26 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5145,7 +5188,7 @@ index 1a82e29..3a12c26 100644 allow httpd_t httpd_rotatelogs_t:process signal_perms; manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -5156,7 +5199,7 @@ index 1a82e29..3a12c26 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5384,7 +5427,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +710,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5444,7 +5487,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +762,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5490,18 +5533,18 @@ index 1a82e29..3a12c26 100644 - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') --') -- --optional_policy(` -- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` -- spamassassin_domtrans_client(httpd_t) -- ') +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) ') +-optional_policy(` +- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` +- spamassassin_domtrans_client(httpd_t) +- ') +-') +- -tunable_policy(`httpd_graceful_shutdown',` - corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) @@ -5529,7 +5572,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +803,42 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +810,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5557,26 +5600,22 @@ index 1a82e29..3a12c26 100644 - fs_manage_cifs_dirs(httpd_t) - fs_manage_cifs_files(httpd_t) - fs_manage_cifs_symlinks(httpd_t) --') -- --tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` -- fs_exec_cifs_files(httpd_t) + userdom_use_inherited_user_terminals(httpd_t) + userdom_use_inherited_user_terminals(httpd_suexec_t) ') --tunable_policy(`httpd_use_fusefs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_fusefs_dirs(httpd_t) -- fs_manage_fusefs_files(httpd_t) -- fs_read_fusefs_symlinks(httpd_t) +-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` +- fs_exec_cifs_files(httpd_t) -') +optional_policy(` + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) +-tunable_policy(`httpd_use_fusefs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_fusefs_dirs(httpd_t) +- fs_manage_fusefs_files(httpd_t) +- fs_read_fusefs_symlinks(httpd_t) -') + tunable_policy(`httpd_serve_cobbler_files',` + cobbler_manage_lib_files(httpd_t) @@ -5585,13 +5624,21 @@ index 1a82e29..3a12c26 100644 + cobbler_search_lib(httpd_t) + ') +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) ++ tunable_policy(`httpd_can_network_connect_cobbler',` ++ corenet_tcp_connect_cobbler_port(httpd_t) ++ ') + ') + -tunable_policy(`httpd_use_nfs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_nfs_dirs(httpd_t) - fs_manage_nfs_files(httpd_t) - fs_manage_nfs_symlinks(httpd_t) -+ tunable_policy(`httpd_can_network_connect_cobbler',` -+ corenet_tcp_connect_cobbler_port(httpd_t) ++optional_policy(` ++ tunable_policy(`httpd_use_sasl',` ++ sasl_connect(httpd_t) + ') ') @@ -5606,7 +5653,7 @@ index 1a82e29..3a12c26 100644 ') optional_policy(` -@@ -743,14 +849,6 @@ optional_policy(` +@@ -743,14 +862,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5621,7 +5668,7 @@ index 1a82e29..3a12c26 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +863,23 @@ optional_policy(` +@@ -765,6 +876,23 @@ optional_policy(` ') optional_policy(` @@ -5645,7 +5692,7 @@ index 1a82e29..3a12c26 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +896,42 @@ optional_policy(` +@@ -781,34 +909,42 @@ optional_policy(` ') optional_policy(` @@ -5699,7 +5746,7 @@ index 1a82e29..3a12c26 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +939,18 @@ optional_policy(` +@@ -816,8 +952,18 @@ optional_policy(` ') optional_policy(` @@ -5718,7 +5765,7 @@ index 1a82e29..3a12c26 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +959,7 @@ optional_policy(` +@@ -826,6 +972,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5726,7 +5773,7 @@ index 1a82e29..3a12c26 100644 ') optional_policy(` -@@ -836,20 +970,38 @@ optional_policy(` +@@ -836,20 +983,38 @@ optional_policy(` ') optional_policy(` @@ -5771,7 +5818,7 @@ index 1a82e29..3a12c26 100644 ') optional_policy(` -@@ -857,6 +1009,16 @@ optional_policy(` +@@ -857,6 +1022,16 @@ optional_policy(` ') optional_policy(` @@ -5788,7 +5835,7 @@ index 1a82e29..3a12c26 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,6 +1027,7 @@ optional_policy(` +@@ -865,11 +1040,16 @@ optional_policy(` ') optional_policy(` @@ -5796,7 +5843,16 @@ index 1a82e29..3a12c26 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -877,65 +1040,166 @@ optional_policy(` + + optional_policy(` ++ thin_stream_connect(httpd_t) ++') ++ ++optional_policy(` + udev_read_db(httpd_t) + ') + +@@ -877,65 +1057,166 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -5985,7 +6041,7 @@ index 1a82e29..3a12c26 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1208,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1225,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6140,7 +6196,7 @@ index 1a82e29..3a12c26 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1292,104 @@ optional_policy(` +@@ -1077,172 +1309,104 @@ optional_policy(` ') ') @@ -6162,11 +6218,11 @@ index 1a82e29..3a12c26 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -+allow httpd_sys_script_t self:process getsched; - +- -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) -- ++allow httpd_sys_script_t self:process getsched; + -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -6319,10 +6375,10 @@ index 1a82e29..3a12c26 100644 -allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms; - -kernel_read_kernel_sysctls(httpd_sys_script_t) -- --fs_search_auto_mountpoints(httpd_sys_script_t) +corenet_all_recvfrom_netlabel(httpd_sys_script_t) +-fs_search_auto_mountpoints(httpd_sys_script_t) +- -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) @@ -6376,7 +6432,7 @@ index 1a82e29..3a12c26 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1397,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1414,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6473,7 +6529,7 @@ index 1a82e29..3a12c26 100644 ######################################## # -@@ -1315,8 +1472,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1489,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6490,7 +6546,7 @@ index 1a82e29..3a12c26 100644 ') ######################################## -@@ -1324,49 +1488,36 @@ optional_policy(` +@@ -1324,49 +1505,36 @@ optional_policy(` # User content local policy # @@ -6554,7 +6610,7 @@ index 1a82e29..3a12c26 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1527,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1544,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -7504,7 +7560,7 @@ index 089430a..7cd037b 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index a579c3b..512d6b1 100644 +index a579c3b..294b5f4 100644 --- a/automount.te +++ b/automount.te @@ -22,12 +22,16 @@ type automount_tmp_t; @@ -7564,6 +7620,15 @@ index a579c3b..512d6b1 100644 fstools_domtrans(automount_t) ') +@@ -160,3 +165,8 @@ optional_policy(` + optional_policy(` + udev_read_db(automount_t) + ') ++ ++tunable_policy(`mount_anyfile',` ++ files_mounton_non_security(automount_t) ++') ++ diff --git a/avahi.fc b/avahi.fc index e9fe2ca..4c2d076 100644 --- a/avahi.fc @@ -8331,7 +8396,7 @@ index 16ec525..1dd4059 100644 ######################################## diff --git a/blueman.te b/blueman.te -index bc5c984..d8af68f 100644 +index bc5c984..63a4b1d 100644 --- a/blueman.te +++ b/blueman.te @@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4) @@ -8353,7 +8418,16 @@ index bc5c984..d8af68f 100644 allow blueman_t self:fifo_file rw_fifo_file_perms; manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t) -@@ -41,29 +42,40 @@ corecmd_exec_bin(blueman_t) +@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) + manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t) + files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file }) + +-kernel_read_net_sysctls(blueman_t) ++kernel_rw_net_sysctls(blueman_t) + kernel_read_system_state(blueman_t) + kernel_request_load_module(blueman_t) + +@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t) dev_read_rand(blueman_t) dev_read_urand(blueman_t) dev_rw_wireless(blueman_t) @@ -8378,6 +8452,10 @@ index bc5c984..d8af68f 100644 ') optional_policy(` ++ bluetooth_read_config(blueman_t) ++') ++ ++optional_policy(` + dbus_system_domain(blueman_t, blueman_exec_t) +') + @@ -11437,10 +11515,10 @@ index 0000000..8ac848b +') diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..def8328 +index 0000000..c158ef5 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,196 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -11618,6 +11696,7 @@ index 0000000..def8328 + +corenet_tcp_bind_generic_node(mongod_t) +corenet_tcp_bind_mongod_port(mongod_t) ++corenet_tcp_connect_mongod_port(mongod_t) +corenet_tcp_connect_postgresql_port(mongod_t) + +kernel_read_vm_sysctls(mongod_t) @@ -13352,10 +13431,36 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 83d6744..627ab43 100644 +index 83d6744..6afc08d 100644 --- a/couchdb.if +++ b/couchdb.if -@@ -10,6 +10,89 @@ +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Allow to read couchdb lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_lib_files',` ++ gen_require(` ++ type couchdb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an couchdb environment. + ## +@@ -10,6 +29,108 @@ ## Domain allowed access. ##
## @@ -13390,6 +13495,25 @@ index 83d6744..627ab43 100644 + +######################################## +## ++## Allow to read couchdb conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_read_conf_files',` ++ gen_require(` ++ type couchdb_conf_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) ++') ++ ++######################################## ++## +## Read couchdb PID files. +## +## @@ -13445,7 +13569,7 @@ index 83d6744..627ab43 100644 ## ## ## Role allowed access. -@@ -19,14 +102,19 @@ +@@ -19,14 +140,19 @@ # interface(`couchdb_admin',` gen_require(` @@ -13466,7 +13590,7 @@ index 83d6744..627ab43 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +134,13 @@ interface(`couchdb_admin',` +@@ -46,4 +172,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) @@ -13537,10 +13661,10 @@ index 8a4b596..cbecde8 100644 /var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) /var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0) diff --git a/courier.if b/courier.if -index 10f820f..4040ec2 100644 +index 10f820f..acdb179 100644 --- a/courier.if +++ b/courier.if -@@ -1,41 +1,50 @@ +@@ -1,12 +1,12 @@ -## Courier IMAP and POP3 email servers. +## Courier IMAP and POP3 email servers @@ -13558,19 +13682,16 @@ index 10f820f..4040ec2 100644 ## ## # - template(`courier_domain_template',` -- gen_require(` -- attribute courier_domain; -- ') +@@ -15,7 +15,7 @@ template(`courier_domain_template',` + attribute courier_domain; + ') - ######################################## + ############################## # # Declarations # - -- type courier_$1_t, courier_domain; -+ type courier_$1_t; +@@ -24,18 +24,30 @@ template(`courier_domain_template',` type courier_$1_exec_t; init_daemon_domain(courier_$1_t, courier_$1_exec_t) @@ -13605,7 +13726,7 @@ index 10f820f..4040ec2 100644 ##
## ## -@@ -48,34 +57,32 @@ interface(`courier_domtrans_authdaemon',` +@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',` type courier_authdaemon_t, courier_authdaemon_exec_t; ') @@ -13650,7 +13771,7 @@ index 10f820f..4040ec2 100644 ## ## ## -@@ -88,13 +95,12 @@ interface(`courier_domtrans_pop',` +@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',` type courier_pop_t, courier_pop_exec_t; ') @@ -13665,7 +13786,7 @@ index 10f820f..4040ec2 100644 ## ## ## -@@ -127,7 +133,7 @@ interface(`courier_manage_spool_dirs',` +@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',` type courier_spool_t; ') @@ -13674,7 +13795,7 @@ index 10f820f..4040ec2 100644 manage_dirs_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -136,7 +142,7 @@ interface(`courier_manage_spool_dirs',` +@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',` ## Create, read, write, and delete courier ## spool files. ## @@ -13683,7 +13804,7 @@ index 10f820f..4040ec2 100644 ## ## Domain allowed access. ## -@@ -147,7 +153,7 @@ interface(`courier_manage_spool_files',` +@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',` type courier_spool_t; ') @@ -13692,7 +13813,7 @@ index 10f820f..4040ec2 100644 manage_files_pattern($1, courier_spool_t, courier_spool_t) ') -@@ -166,13 +172,13 @@ interface(`courier_read_spool',` +@@ -166,13 +175,13 @@ interface(`courier_read_spool',` type courier_spool_t; ') @@ -13708,7 +13829,7 @@ index 10f820f..4040ec2 100644 ## ## ## -@@ -185,6 +191,5 @@ interface(`courier_rw_spool_pipes',` +@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',` type courier_spool_t; ') @@ -13716,7 +13837,7 @@ index 10f820f..4040ec2 100644 allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; ') diff --git a/courier.te b/courier.te -index 77bb077..76b93d2 100644 +index 77bb077..1499c3f 100644 --- a/courier.te +++ b/courier.te @@ -18,7 +18,7 @@ type courier_etc_t; @@ -13752,7 +13873,26 @@ index 77bb077..76b93d2 100644 sysnet_read_config(courier_domain) userdom_dontaudit_use_unpriv_user_fds(courier_domain) -@@ -112,7 +107,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) +@@ -77,6 +72,10 @@ optional_policy(` + ') + + optional_policy(` ++ mysql_stream_connect(courier_domain) ++') ++ ++optional_policy(` + udev_read_db(courier_domain) + ') + +@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen }; + create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t) + ++manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) + manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t) + + allow courier_authdaemon_t courier_tcpd_t:process sigchld; +@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t) libs_read_lib_files(courier_authdaemon_t) @@ -13760,7 +13900,7 @@ index 77bb077..76b93d2 100644 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) -@@ -135,7 +129,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; +@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; @@ -13769,7 +13909,7 @@ index 77bb077..76b93d2 100644 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) -@@ -172,7 +166,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) +@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t) dev_read_rand(courier_tcpd_t) dev_read_urand(courier_tcpd_t) @@ -16288,7 +16428,7 @@ index 949011e..afe482b 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 06da9a0..ca832e1 100644 +index 06da9a0..6d69a2f 100644 --- a/cups.if +++ b/cups.if @@ -15,6 +15,11 @@ @@ -16348,7 +16488,13 @@ index 06da9a0..ca832e1 100644 ## All of the rules required to ## administrate an cups environment. ## -@@ -329,13 +360,18 @@ interface(`cups_admin',` +@@ -324,18 +355,23 @@ interface(`cups_stream_connect_ptal',` + interface(`cups_admin',` + gen_require(` + type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t; +- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t; ++ type cupsd_etc_t, cupsd_log_t; + type cupsd_config_var_run_t, cupsd_lpd_var_run_t; type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t; type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t; type cupsd_config_t, cupsd_lpd_t, cups_pdf_t; @@ -16371,8 +16517,13 @@ index 06da9a0..ca832e1 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -353,8 +389,61 @@ interface(`cups_admin',` +@@ -348,13 +384,63 @@ interface(`cups_admin',` + logging_list_logs($1) + admin_pattern($1, cupsd_log_t) +- files_list_spool($1) +- admin_pattern($1, cupsd_spool_t) +- files_list_tmp($1) admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t }) - @@ -20478,7 +20629,7 @@ index 23ab808..4a801b5 100644 /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..b303b37 100644 +index 19aa0b8..531cf03 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -20489,7 +20640,7 @@ index 19aa0b8..b303b37 100644 interface(`dnsmasq_domtrans',` gen_require(` type dnsmasq_exec_t, dnsmasq_t; -@@ -20,6 +19,24 @@ interface(`dnsmasq_domtrans',` +@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',` domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t) ') @@ -20511,10 +20662,28 @@ index 19aa0b8..b303b37 100644 + can_exec($1, dnsmasq_exec_t) +') + ++######################################## ++## ++## Allow read/write dnsmasq pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_rw_inherited_pipes',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ++ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ######################################## ## ## Execute the dnsmasq init script in -@@ -42,6 +59,29 @@ interface(`dnsmasq_initrc_domtrans',` +@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',` ######################################## ## @@ -20541,10 +20710,29 @@ index 19aa0b8..b303b37 100644 + +######################################## +## ++## Send sigchld to dnsmasq. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`dnsmasq_sigchld',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ++ allow $1 dnsmasq_t:process sigchld; ++') ++ ++######################################## ++## ## Send generic signals to dnsmasq. ## ## -@@ -145,12 +185,12 @@ interface(`dnsmasq_write_config',` +@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',` ## ## # @@ -20558,7 +20746,11 @@ index 19aa0b8..b303b37 100644 delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -176,7 +216,7 @@ interface(`dnsmasq_manage_pid_files',` ++ + ######################################## + ## + ## Create, read, write, and delete +@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',` ######################################## ## @@ -20567,7 +20759,7 @@ index 19aa0b8..b303b37 100644 ## ## ## -@@ -184,12 +224,12 @@ interface(`dnsmasq_manage_pid_files',` +@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',` ## ## # @@ -20581,7 +20773,7 @@ index 19aa0b8..b303b37 100644 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -214,37 +254,46 @@ interface(`dnsmasq_create_pid_dirs',` +@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',` ######################################## ## @@ -20593,22 +20785,22 @@ index 19aa0b8..b303b37 100644 ## ## -## Domain allowed access. -+## Domain allowed access. - ## - ## +-## +-## -## -+## - ## +-## -## Directory to transition on. -## -## -## -## -## The object class of the object being created. --## --## ++## Domain allowed access. + ## + ## -## --## ++## + ## -## The name of the object being created. +## The type of the directory for the object to be created. ## @@ -20646,7 +20838,7 @@ index 19aa0b8..b303b37 100644 ') ######################################## -@@ -267,12 +316,17 @@ interface(`dnsmasq_spec_filetrans_pid',` +@@ -267,12 +354,17 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; @@ -20666,7 +20858,13 @@ index 19aa0b8..b303b37 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -286,4 +340,8 @@ interface(`dnsmasq_admin',` +@@ -281,9 +373,13 @@ interface(`dnsmasq_admin',` + files_list_var_lib($1) + admin_pattern($1, dnsmasq_lease_t) + +- logging_seearch_logs($1) ++ logging_search_logs($1) + admin_pattern($1, dnsmasq_var_log_t) files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) @@ -20676,7 +20874,7 @@ index 19aa0b8..b303b37 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..869bba7 100644 +index ba14bcf..0a3179c 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -20689,7 +20887,12 @@ index ba14bcf..869bba7 100644 ######################################## # # Local policy -@@ -56,7 +59,9 @@ kernel_read_network_state(dnsmasq_t) +@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) + files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(dnsmasq_t) ++kernel_read_net_sysctls(dnsmasq_t) + kernel_read_network_state(dnsmasq_t) kernel_read_system_state(dnsmasq_t) kernel_request_load_module(dnsmasq_t) @@ -20700,7 +20903,7 @@ index ba14bcf..869bba7 100644 corenet_all_recvfrom_netlabel(dnsmasq_t) corenet_tcp_sendrecv_generic_if(dnsmasq_t) corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -86,9 +91,9 @@ fs_search_auto_mountpoints(dnsmasq_t) +@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t) auth_use_nsswitch(dnsmasq_t) @@ -20712,7 +20915,7 @@ index ba14bcf..869bba7 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,12 +103,21 @@ optional_policy(` +@@ -98,12 +104,21 @@ optional_policy(` ') optional_policy(` @@ -20735,7 +20938,7 @@ index ba14bcf..869bba7 100644 ') optional_policy(` -@@ -124,6 +138,13 @@ optional_policy(` +@@ -124,6 +139,14 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -20746,6 +20949,7 @@ index ba14bcf..869bba7 100644 + +optional_policy(` + quantum_manage_lib_files(dnsmasq_t) ++ quantum_stream_connect(dnsmasq_t) + quantum_rw_fifo_file(dnsmasq_t) + quantum_sigchld(dnsmasq_t) +') @@ -22681,7 +22885,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..d49f5ad 100644 +index 0872e50..5d49b4f 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t) @@ -22726,7 +22930,7 @@ index 0872e50..d49f5ad 100644 iptables_domtrans(fail2ban_t) ') -@@ -137,14 +137,10 @@ corecmd_exec_bin(fail2ban_client_t) +@@ -137,14 +137,12 @@ corecmd_exec_bin(fail2ban_client_t) domain_use_interactive_fds(fail2ban_client_t) @@ -22734,6 +22938,8 @@ index 0872e50..d49f5ad 100644 -files_read_usr_files(fail2ban_client_t) files_search_pids(fail2ban_client_t) ++auth_read_passwd(fail2ban_client_t) ++ logging_getattr_all_logs(fail2ban_client_t) logging_search_all_logs(fail2ban_client_t) @@ -28229,17 +28435,18 @@ index 25f09ae..3085534 100644 chronyd_stream_connect(gpsd_t) diff --git a/gssproxy.fc b/gssproxy.fc new file mode 100644 -index 0000000..404ae4f +index 0000000..f4659d1 --- /dev/null +++ b/gssproxy.fc -@@ -0,0 +1,7 @@ +@@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + -+/var/run/gssproxy.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0) ++/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0) ++/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0) diff --git a/gssproxy.if b/gssproxy.if new file mode 100644 index 0000000..072ddb0 @@ -28451,10 +28658,10 @@ index 0000000..072ddb0 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..6f0253c +index 0000000..80179fe --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,64 @@ +@@ -0,0 +1,65 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -28491,8 +28698,9 @@ index 0000000..6f0253c + +manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) +manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) ++manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t) -+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file }) ++files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file }) + +kernel_rw_rpc_sysctls(gssproxy_t) + @@ -29317,10 +29525,10 @@ index c5a8112..947efe0 100644 userdom_dontaudit_search_user_home_dirs(irqbalance_t) diff --git a/iscsi.fc b/iscsi.fc -index 08b7560..9d1930b 100644 +index 08b7560..417e630 100644 --- a/iscsi.fc +++ b/iscsi.fc -@@ -1,19 +1,17 @@ +@@ -1,19 +1,18 @@ -/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0) - /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) @@ -29330,6 +29538,7 @@ index 08b7560..9d1930b 100644 /usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) -/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) @@ -29344,21 +29553,47 @@ index 08b7560..9d1930b 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) diff --git a/iscsi.if b/iscsi.if -index 1a35420..1d27695 100644 +index 1a35420..4b9b978 100644 --- a/iscsi.if +++ b/iscsi.if -@@ -88,27 +88,21 @@ interface(`iscsi_read_lib_files',` - ## Domain allowed access. +@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',` + + ######################################## + ## +-## All of the rules required to +-## administrate an iscsi environment. ++## Transition to iscsi named content + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. ## ## -## --## ++# ++interface(`iscsi_filetrans_named_content',` ++ gen_require(` ++ type iscsi_lock_t; ++ ') ++ ++ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi") ++') ++ ++ ++######################################## ++## ++## All of the rules required to ++## administrate an iscsi environment. ++## ++## + ## -## Role allowed access. --## --## ++## Domain allowed access. + ## + ## ## - # - interface(`iscsi_admin',` +@@ -99,16 +113,15 @@ interface(`iscsi_admin',` gen_require(` type iscsid_t, iscsi_lock_t, iscsi_log_t; type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; @@ -29380,7 +29615,7 @@ index 1a35420..1d27695 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index 57304e4..7edd3d4 100644 +index 57304e4..46e5e3d 100644 --- a/iscsi.te +++ b/iscsi.te @@ -9,8 +9,8 @@ type iscsid_t; @@ -29394,11 +29629,13 @@ index 57304e4..7edd3d4 100644 type iscsi_lock_t; files_lock_file(iscsi_lock_t) -@@ -33,7 +33,6 @@ files_pid_file(iscsi_var_run_t) +@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t) + # Local policy # - allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; +-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource }; -dontaudit iscsid_t self:capability sys_ptrace; ++allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource }; allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; @@ -29416,7 +29653,7 @@ index 57304e4..7edd3d4 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,10 +85,13 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -29432,15 +29669,20 @@ index 57304e4..7edd3d4 100644 domain_use_interactive_fds(iscsid_t) domain_dontaudit_read_all_domains_state(iscsid_t) -@@ -99,8 +102,6 @@ init_stream_connect_script(iscsid_t) + ++files_read_kernel_modules(iscsid_t) ++ + auth_use_nsswitch(iscsid_t) + + init_stream_connect_script(iscsid_t) logging_send_syslog_msg(iscsid_t) -miscfiles_read_localization(iscsid_t) -- ++modutils_read_module_config(iscsid_t) + optional_policy(` tgtd_manage_semaphores(iscsid_t) - ') diff --git a/isns.te b/isns.te index bc11034..e393434 100644 --- a/isns.te @@ -33085,7 +33327,7 @@ index 19f2b97..fbc0e48 100644 ppp_signal(l2tpd_t) ppp_kill(l2tpd_t) diff --git a/ldap.fc b/ldap.fc -index bc25c95..dcdbe9b 100644 +index bc25c95..6692d91 100644 --- a/ldap.fc +++ b/ldap.fc @@ -1,8 +1,11 @@ @@ -33098,7 +33340,7 @@ index bc25c95..dcdbe9b 100644 -/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0) + -+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0) /usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0) @@ -33116,7 +33358,7 @@ index bc25c95..dcdbe9b 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index ee0c7cc..6ec5f73 100644 +index ee0c7cc..446c507 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ @@ -33282,7 +33524,7 @@ index ee0c7cc..6ec5f73 100644 - type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; - type slapd_db_t; + type slapd_initrc_exec_t; -+ type ldap_unit_file_t; ++ type slapd_unit_file_t; ') - allow $1 slapd_t:process { ptrace signal_perms }; @@ -33319,8 +33561,8 @@ index ee0c7cc..6ec5f73 100644 admin_pattern($1, slapd_var_run_t) + + ldap_systemctl($1) -+ admin_pattern($1, ldap_unit_file_t) -+ allow $1 ldap_unit_file_t:service all_service_perms; ++ admin_pattern($1, slapd_unit_file_t) ++ allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te index d7d9b09..562c288 100644 @@ -34610,6 +34852,24 @@ index b9270f7..15f3748 100644 +optional_policy(` + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') +diff --git a/mailman.fc b/mailman.fc +index 7fa381b..bbe6b01 100644 +--- a/mailman.fc ++++ b/mailman.fc +@@ -3,10 +3,12 @@ + + /etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) + ++/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) ++/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) + /usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0) +-/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0) ++/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) + /var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0) + + /var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0) diff --git a/mailman.if b/mailman.if index 108c0f1..a248501 100644 --- a/mailman.if @@ -35294,10 +35554,10 @@ index e08c55d..9e634bd 100644 + +') diff --git a/mandb.fc b/mandb.fc -index 2de0f64..85c3827 100644 +index 2de0f64..50f34fd 100644 --- a/mandb.fc +++ b/mandb.fc -@@ -1 +1,7 @@ +@@ -1 +1,9 @@ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) @@ -35305,8 +35565,10 @@ index 2de0f64..85c3827 100644 +/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) + +/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) ++ ++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if -index 327f3f7..8d5841f 100644 +index 327f3f7..4f61561 100644 --- a/mandb.if +++ b/mandb.if @@ -1,14 +1,14 @@ @@ -35449,7 +35711,7 @@ index 327f3f7..8d5841f 100644 ') ######################################## -@@ -99,37 +129,63 @@ interface(`mandb_read_cache_content',` +@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',` ## ## # @@ -35462,13 +35724,34 @@ index 327f3f7..8d5841f 100644 + + files_search_var($1) + manage_files_pattern($1, mandb_cache_t, mandb_cache_t) ++') ++ ++######################################## ++## ++## Manage mandb cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mandb_manage_cache_dirs',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) ') ######################################## ## -## All of the rules required to -## administrate an mandb environment. -+## Manage mandb cache dirs. ++## Create configuration files in user ++## home directories with a named file ++## type transition. ## ## ## @@ -35477,16 +35760,14 @@ index 327f3f7..8d5841f 100644 ## -## +# -+interface(`mandb_manage_cache_dirs',` ++interface(`mandb_filetrans_named_home_content',` + gen_require(` -+ type mandb_cache_t; ++ type mandb_home_t; + ') + -+ files_search_var($1) -+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) ++ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath") +') + -+ +######################################## +## +## All of the rules required to administrate @@ -35525,10 +35806,10 @@ index 327f3f7..8d5841f 100644 + ') ') diff --git a/mandb.te b/mandb.te -index 5a414e0..fd54e2b 100644 +index 5a414e0..7fee444 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,28 +10,45 @@ roleattribute system_r mandb_roles; +@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -35539,6 +35820,9 @@ index 5a414e0..fd54e2b 100644 +type mandb_cache_t; +files_type(mandb_cache_t) + ++type mandb_home_t; ++userdom_user_home_content(mandb_home_t) ++ +type mandb_lock_t; +files_lock_file(mandb_lock_t) + @@ -35558,6 +35842,9 @@ index 5a414e0..fd54e2b 100644 +files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file }) +can_exec(mandb_t, mandb_exec_t) + ++userdom_search_user_home_dirs(mandb_t) ++allow mandb_t mandb_home_t:file read_file_perms; ++ +allow mandb_t mandb_lock_t:file manage_file_perms; +files_lock_filetrans(mandb_t, mandb_lock_t, file) + @@ -37069,10 +37356,16 @@ index 7e534cf..3652584 100644 + ') +') diff --git a/mongodb.te b/mongodb.te -index 4de8949..5c237c3 100644 +index 4de8949..d705316 100644 --- a/mongodb.te +++ b/mongodb.te -@@ -54,8 +54,5 @@ corenet_tcp_bind_generic_node(mongod_t) +@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t) + corenet_all_recvfrom_netlabel(mongod_t) + corenet_tcp_sendrecv_generic_if(mongod_t) + corenet_tcp_sendrecv_generic_node(mongod_t) ++corenet_tcp_connect_mongodb_port(mongod_t) + corenet_tcp_bind_generic_node(mongod_t) + dev_read_sysfs(mongod_t) dev_read_urand(mongod_t) @@ -37123,10 +37416,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..d341a52 100644 +index 6ffaba2..bb33a48 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,64 @@ +@@ -1,38 +1,65 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -37158,6 +37451,7 @@ index 6ffaba2..d341a52 100644 +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -37226,7 +37520,7 @@ index 6ffaba2..d341a52 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..879f5db 100644 +index 6194b80..af1201e 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -37865,7 +38159,7 @@ index 6194b80..879f5db 100644 ## ## ## -@@ -530,45 +448,51 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +448,52 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -37931,6 +38225,7 @@ index 6194b80..879f5db 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") @@ -37942,7 +38237,7 @@ index 6194b80..879f5db 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..30005c3 100644 +index 6a306ee..550e8d7 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -38008,7 +38303,7 @@ index 6a306ee..30005c3 100644 type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,29 +58,24 @@ userdom_user_home_content(mozilla_home_t) +@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -38037,13 +38332,12 @@ index 6a306ee..30005c3 100644 type mozilla_plugin_config_t; type mozilla_plugin_config_exec_t; -userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) --role mozilla_plugin_config_roles types mozilla_plugin_config_t; +application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t) +role mozilla_roles types mozilla_plugin_config_t; + role mozilla_plugin_config_roles types mozilla_plugin_config_t; type mozilla_tmp_t; - userdom_user_tmp_file(mozilla_tmp_t) -@@ -63,10 +85,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -38054,7 +38348,7 @@ index 6a306ee..30005c3 100644 ######################################## # # Local policy -@@ -75,27 +93,30 @@ optional_policy(` +@@ -75,27 +94,30 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; @@ -38098,7 +38392,7 @@ index 6a306ee..30005c3 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +124,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -38206,7 +38500,7 @@ index 6a306ee..30005c3 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +195,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -38317,7 +38611,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -244,19 +275,12 @@ optional_policy(` +@@ -244,19 +276,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -38339,7 +38633,7 @@ index 6a306ee..30005c3 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +289,32 @@ optional_policy(` +@@ -265,33 +290,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -38387,7 +38681,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -300,221 +323,177 @@ optional_policy(` +@@ -300,221 +324,179 @@ optional_policy(` ######################################## # @@ -38403,6 +38697,7 @@ index 6a306ee..30005c3 100644 + +allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; ++allow mozilla_plugin_t self:netlink_socket create_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; +allow mozilla_plugin_t self:udp_socket create_socket_perms; allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -38567,6 +38862,7 @@ index 6a306ee..30005c3 100644 -corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) ++corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t) +corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t) -dev_read_generic_usb_dev(mozilla_plugin_t) @@ -38705,7 +39001,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -523,36 +502,48 @@ optional_policy(` +@@ -523,36 +505,48 @@ optional_policy(` ') optional_policy(` @@ -38767,7 +39063,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -560,7 +551,7 @@ optional_policy(` +@@ -560,7 +554,7 @@ optional_policy(` ') optional_policy(` @@ -38776,7 +39072,7 @@ index 6a306ee..30005c3 100644 ') optional_policy(` -@@ -568,108 +559,118 @@ optional_policy(` +@@ -568,108 +562,118 @@ optional_policy(` ') optional_policy(` @@ -39089,6 +39385,44 @@ index 7c8afcc..97f2b6f 100644 udev_read_db(mpd_t) ') +diff --git a/mplayer.if b/mplayer.if +index 861d5e9..87fd115 100644 +--- a/mplayer.if ++++ b/mplayer.if +@@ -161,3 +161,33 @@ interface(`mplayer_home_filetrans_mplayer_home',` + + userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) + ') ++ ++######################################## ++## ++## Create specified objects in user home ++## directories with the generic mplayer ++## home type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`mplayer_filetrans_home_content',` ++ gen_require(` ++ type mplayer_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer") ++') diff --git a/mplayer.te b/mplayer.te index 9aca704..f92829c 100644 --- a/mplayer.te @@ -43390,10 +43724,10 @@ index 56c0fbd..173a2c0 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index a1fb3c3..8fe1d63 100644 +index a1fb3c3..82f8ae6 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,43 +1,43 @@ +@@ -1,43 +1,44 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -43458,6 +43792,7 @@ index a1fb3c3..8fe1d63 100644 +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if @@ -44857,12 +45192,31 @@ index 0000000..02dc6dc +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..7d11148 +index 0000000..cf8f660 --- /dev/null +++ b/nova.if -@@ -0,0 +1,36 @@ +@@ -0,0 +1,55 @@ +## openstack-nova + ++###################################### ++## ++## Manage nova lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nova_manage_lib_files',` ++ gen_require(` ++ type nova_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t) ++') ++ +####################################### +## +## Creates types and rules for a basic @@ -48815,10 +49169,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..6c841fa +index 0000000..bddd4b3 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,676 @@ +@@ -0,0 +1,677 @@ + +## policy for openshift + @@ -49307,6 +49661,7 @@ index 0000000..6c841fa + domain_user_exemption_target($1_app_t) + domain_obj_id_change_exemption($1_app_t) + domain_dyntrans_type($1_app_t) ++ auth_use_nsswitch($1_app_t) + + kernel_read_system_state($1_app_t) + @@ -49497,10 +49852,10 @@ index 0000000..6c841fa +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..461f551 +index 0000000..d94eda8 --- /dev/null +++ b/openshift.te -@@ -0,0 +1,541 @@ +@@ -0,0 +1,545 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -49594,6 +49949,7 @@ index 0000000..461f551 +# +# openshift initrc local policy +# ++ +unconfined_domain_noaudit(openshift_initrc_t) +mcs_process_set_categories(openshift_initrc_t) + @@ -49623,6 +49979,9 @@ index 0000000..461f551 +dontaudit openshift_domain openshift_initrc_t:process signull; +dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write }; + ++init_domtrans_script(openshift_initrc_t) ++init_initrc_domain(openshift_initrc_t) ++ +####################################################### +# +# Policy for all openshift domains @@ -51119,7 +51478,7 @@ index bf59ef7..c050b37 100644 + manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t) ') diff --git a/passenger.te b/passenger.te -index 4e114ff..c016f25 100644 +index 4e114ff..6691677 100644 --- a/passenger.te +++ b/passenger.te @@ -1,4 +1,4 @@ @@ -51138,7 +51497,7 @@ index 4e114ff..c016f25 100644 type passenger_var_lib_t; files_type(passenger_var_lib_t) -@@ -22,22 +25,23 @@ files_pid_file(passenger_var_run_t) +@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t) ######################################## # @@ -51147,9 +51506,11 @@ index 4e114ff..c016f25 100644 # allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource }; - allow passenger_t self:process { setpgid setsched sigkill signal }; +-allow passenger_t self:process { setpgid setsched sigkill signal }; ++allow passenger_t self:process { setpgid setsched sigkill signal signull }; allow passenger_t self:fifo_file rw_fifo_file_perms; -allow passenger_t self:unix_stream_socket { accept connectto listen }; ++allow passenger_t self:tcp_socket listen; +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +can_exec(passenger_t, passenger_exec_t) @@ -51168,7 +51529,7 @@ index 4e114ff..c016f25 100644 manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) -@@ -45,19 +49,19 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) +@@ -45,19 +50,20 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t) files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file }) @@ -51190,29 +51551,29 @@ index 4e114ff..c016f25 100644 -corenet_sendrecv_http_client_packets(passenger_t) corenet_tcp_connect_http_port(passenger_t) -corenet_tcp_sendrecv_http_port(passenger_t) ++corenet_tcp_connect_postgresql_port(passenger_t) corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) -@@ -66,14 +70,11 @@ dev_read_urand(passenger_t) +@@ -66,8 +72,6 @@ dev_read_urand(passenger_t) domain_read_all_domains_state(passenger_t) -files_read_etc_files(passenger_t) - +- auth_use_nsswitch(passenger_t) logging_send_syslog_msg(passenger_t) - --miscfiles_read_localization(passenger_t) -- - userdom_dontaudit_use_user_terminals(passenger_t) - - optional_policy(` -@@ -90,14 +91,16 @@ optional_policy(` +@@ -90,14 +94,21 @@ optional_policy(` ') optional_policy(` - puppet_manage_lib_files(passenger_t) ++ mysql_stream_connect(passenger_t) ++ mysql_list_db(passenger_t) ++') ++ ++optional_policy(` + puppet_domtrans_master(passenger_t) + puppet_manage_lib(passenger_t) puppet_read_config(passenger_t) @@ -55950,7 +56311,7 @@ index 2e23946..589bbf2 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..aa3e5f0 100644 +index 191a66f..93a04c2 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ @@ -56779,7 +57140,8 @@ index 191a66f..aa3e5f0 100644 -allow postfix_virtual_t self:process setrlimit; +allow postfix_virtual_t self:process { setsched setrlimit }; - allow postfix_virtual_t postfix_spool_t:file rw_file_perms; +-allow postfix_virtual_t postfix_spool_t:file rw_file_perms; ++manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t) +# connect to master process stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) @@ -62860,10 +63222,10 @@ index 70ab68b..e97da31 100644 /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) diff --git a/quantum.if b/quantum.if -index afc0068..b25d41e 100644 +index afc0068..5fb7731 100644 --- a/quantum.if +++ b/quantum.if -@@ -2,41 +2,252 @@ +@@ -2,41 +2,292 @@ ######################################## ## @@ -62888,7 +63250,25 @@ index afc0068..b25d41e 100644 + +######################################## +## -+## Read quantum's log files. ++## Allow read/write quantum pipes ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`quantum_rw_inherited_pipes',` ++ gen_require(` ++ type quantum_t; ++ ') ++ ++ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send sigchld to quantum. ## ## ## @@ -62896,8 +63276,28 @@ index afc0068..b25d41e 100644 ## ## -## -+## +# ++# ++interface(`quantum_sigchld',` ++ gen_require(` ++ type quantum_t; ++ ') ++ ++ allow $1 quantum_t:process sigchld; ++') ++ ++######################################## ++## ++## Read quantum's log files. ++## ++## + ## +-## Role allowed access. ++## Domain allowed access. + ## + ## + ## + # +interface(`quantum_read_log',` + gen_require(` + type quantum_log_t; @@ -62912,8 +63312,7 @@ index afc0068..b25d41e 100644 +## Append to quantum log files. +## +## - ## --## Role allowed access. ++## +## Domain allowed access. +## +## @@ -63042,9 +63441,10 @@ index afc0068..b25d41e 100644 + allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms; +') + -+######################################## ++##################################### +## -+## Allow domain to send sigchld to quantum process. ++## Connect to quantum over a unix domain ++## stream socket. +## +## +## @@ -63052,13 +63452,15 @@ index afc0068..b25d41e 100644 +## +## +# -+interface(`quantum_sigchld',` ++interface(`quantum_stream_connect',` + gen_require(` -+ type quantum_t; ++ type quantum_var_lib_t; + ') + -+ allow $1 quantum_t:process sigchld; ++ files_search_pids($1) ++ stream_connect_pattern($1, quantum_var_lib_t, quantum_var_lib_t, quantum_t ) +') ++ +######################################## +## +## Execute quantum server in the quantum domain. @@ -63092,10 +63494,9 @@ index afc0068..b25d41e 100644 +## +## +## Domain allowed access. - ## - ## --## - # ++## ++## ++# interface(`quantum_admin',` gen_require(` - type quantum_t, quantum_initrc_exec_t, quantum_log_t; @@ -63605,7 +64006,7 @@ index c5ad6de..c67dbef 100644 /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..a68f9f1 100644 +index 3698b51..42caa6c 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t) @@ -63617,7 +64018,7 @@ index 3698b51..a68f9f1 100644 corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) corenet_all_recvfrom_netlabel(rabbitmq_beam_t) corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) -@@ -68,11 +70,13 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +70,28 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -63629,12 +64030,20 @@ index 3698b51..a68f9f1 100644 +auth_read_passwd(rabbitmq_beam_t) -miscfiles_read_localization(rabbitmq_beam_t) ++fs_getattr_xattr_fs(rabbitmq_beam_t) ++ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) sysnet_dns_name_resolve(rabbitmq_beam_t) -@@ -81,7 +85,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t) ++optional_policy(` ++ couchdb_read_conf_files(rabbitmq_beam_t) ++ couchdb_read_lib_files(rabbitmq_beam_t) ++') ++ + ######################################## + # # Epmd local policy # @@ -63642,7 +64051,7 @@ index 3698b51..a68f9f1 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +102,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +109,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -73712,10 +74121,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..1b21b7b +index 0000000..5da5bff --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,391 @@ +@@ -0,0 +1,392 @@ + +## policy for sandboxX + @@ -73754,6 +74163,7 @@ index 0000000..1b21b7b + dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms; + dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms; + allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms }; ++ dontaudit sandbox_xserver_t $1:file read; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file { read write }; @@ -83088,10 +83498,10 @@ index 0000000..7f4bce8 +/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0) diff --git a/thin.if b/thin.if new file mode 100644 -index 0000000..d000122 +index 0000000..b9f811d --- /dev/null +++ b/thin.if -@@ -0,0 +1,44 @@ +@@ -0,0 +1,66 @@ +## thin policy + +####################################### @@ -83136,12 +83546,34 @@ index 0000000..d000122 + + can_exec($1, thin_exec_t) +') ++ ++##################################### ++## ++## Connect to thin over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`thin_stream_connect',` ++ gen_require(` ++ type thin_t, thin_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t) ++') ++ ++ diff --git a/thin.te b/thin.te new file mode 100644 -index 0000000..555b49e +index 0000000..dda7934 --- /dev/null +++ b/thin.te -@@ -0,0 +1,108 @@ +@@ -0,0 +1,113 @@ +policy_module(thin, 1.0) + +######################################## @@ -83205,6 +83637,10 @@ index 0000000..555b49e +kernel_read_kernel_sysctls(thin_domain) + +optional_policy(` ++ apache_read_sys_content(thin_domain) ++') ++ ++optional_policy(` + sysnet_read_config(thin_domain) +') + @@ -83224,6 +83660,7 @@ index 0000000..555b49e +logging_log_filetrans(thin_t, thin_log_t, { file dir }) + +manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) ++manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) +files_pid_filetrans(thin_t, thin_var_run_t, { file }) + +corenet_tcp_bind_ntop_port(thin_t) @@ -84452,7 +84889,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..8beef17 100644 +index 7116181..971952e 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -84470,7 +84907,7 @@ index 7116181..8beef17 100644 # -allow tuned_t self:capability { sys_admin sys_nice }; -+allow tuned_t self:capability { sys_admin sys_nice sys_rawio }; ++allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; +allow tuned_t self:process { setsched signal }; @@ -87873,7 +88310,7 @@ index 9dec06c..7877729 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..a8390d3 100644 +index 1f22fba..253d98d 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -88079,7 +88516,7 @@ index 1f22fba..a8390d3 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -155,290 +165,130 @@ type virt_qmf_exec_t; +@@ -155,290 +165,134 @@ type virt_qmf_exec_t; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) type virt_bridgehelper_t; @@ -88264,60 +88701,78 @@ index 1f22fba..a8390d3 100644 - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') -- ++type virtd_lxc_t; ++type virtd_lxc_exec_t; ++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) + -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) - fs_manage_cifs_files(virt_domain) - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') -- ++type virt_lxc_var_run_t; ++files_pid_file(virt_lxc_var_run_t) ++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; + -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(virt_domain) -') -- ++# virt lxc container files ++type svirt_lxc_file_t; ++files_mountpoint(svirt_lxc_file_t) + -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -- ++######################################## ++# ++# svirt local policy ++# + -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -optional_policy(` - dbus_read_lib_files(virt_domain) -') -- ++corenet_udp_sendrecv_generic_if(svirt_t) ++corenet_udp_sendrecv_generic_node(svirt_t) ++corenet_udp_sendrecv_all_ports(svirt_t) ++corenet_udp_bind_generic_node(svirt_t) ++corenet_udp_bind_all_ports(svirt_t) ++corenet_tcp_bind_all_ports(svirt_t) ++corenet_tcp_connect_all_ports(svirt_t) + -optional_policy(` - nscd_use(virt_domain) -') -+type virtd_lxc_t; -+type virtd_lxc_exec_t; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) ++miscfiles_read_generic_certs(svirt_t) --optional_policy(` + optional_policy(` - samba_domtrans_smbd(virt_domain) --') -+type virt_lxc_var_run_t; -+files_pid_file(virt_lxc_var_run_t) -+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; ++ nscd_dontaudit_write_sock_file(svirt_t) + ') --optional_policy(` + optional_policy(` - xen_rw_image_files(virt_domain) --') -+# virt lxc container files -+type svirt_lxc_file_t; -+files_mountpoint(svirt_lxc_file_t) ++ sssd_dontaudit_stream_connect(svirt_t) + ') - ######################################## +-######################################## ++####################################### # - # svirt local policy +-# svirt local policy ++# svirt_prot_exec local policy # -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) @@ -88334,13 +88789,11 @@ index 1f22fba..a8390d3 100644 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - - corenet_udp_sendrecv_generic_if(svirt_t) - corenet_udp_sendrecv_generic_node(svirt_t) - corenet_udp_sendrecv_all_ports(svirt_t) - corenet_udp_bind_generic_node(svirt_t) +- +-corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) - -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) @@ -88354,26 +88807,13 @@ index 1f22fba..a8390d3 100644 -corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) - corenet_udp_bind_all_ports(svirt_t) - corenet_tcp_bind_all_ports(svirt_t) -- --corenet_sendrecv_all_client_packets(svirt_t) - corenet_tcp_connect_all_ports(svirt_t) - -+miscfiles_read_generic_certs(svirt_t) -+ -+optional_policy(` -+ nscd_use(svirt_t) -+') -+ -+####################################### -+# -+# svirt_prot_exec local policy -+# -+ +-corenet_udp_bind_all_ports(svirt_t) +-corenet_tcp_bind_all_ports(svirt_t) +allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; -+ + +-corenet_sendrecv_all_client_packets(svirt_t) +-corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) @@ -88381,7 +88821,7 @@ index 1f22fba..a8390d3 100644 +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) -+ + ######################################## # # virtd local policy @@ -88447,7 +88887,7 @@ index 1f22fba..a8390d3 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +298,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +302,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -88493,28 +88933,28 @@ index 1f22fba..a8390d3 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +332,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +336,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +344,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +348,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -88522,7 +88962,7 @@ index 1f22fba..a8390d3 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +352,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +356,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -88550,7 +88990,7 @@ index 1f22fba..a8390d3 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +372,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +376,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -88579,7 +89019,7 @@ index 1f22fba..a8390d3 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +423,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -88599,7 +89039,7 @@ index 1f22fba..a8390d3 100644 selinux_validate_context(virtd_t) -@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +445,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -88634,7 +89074,7 @@ index 1f22fba..a8390d3 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +471,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -88643,7 +89083,7 @@ index 1f22fba..a8390d3 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +492,321 @@ optional_policy(` +@@ -658,95 +496,321 @@ optional_policy(` ') optional_policy(` @@ -89013,7 +89453,7 @@ index 1f22fba..a8390d3 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +818,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +822,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -89043,7 +89483,7 @@ index 1f22fba..a8390d3 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +837,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +841,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -89070,7 +89510,7 @@ index 1f22fba..a8390d3 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +857,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +861,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -89102,7 +89542,7 @@ index 1f22fba..a8390d3 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +890,20 @@ optional_policy(` +@@ -847,14 +894,20 @@ optional_policy(` ') optional_policy(` @@ -89124,7 +89564,7 @@ index 1f22fba..a8390d3 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +928,44 @@ optional_policy(` +@@ -879,34 +932,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -89178,7 +89618,7 @@ index 1f22fba..a8390d3 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +975,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +979,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -89196,7 +89636,7 @@ index 1f22fba..a8390d3 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +997,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1001,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -89207,7 +89647,7 @@ index 1f22fba..a8390d3 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1006,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1010,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -89215,7 +89655,7 @@ index 1f22fba..a8390d3 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1018,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1022,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -89234,7 +89674,7 @@ index 1f22fba..a8390d3 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1032,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1036,36 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -89279,7 +89719,7 @@ index 1f22fba..a8390d3 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1069,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1073,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -89306,7 +89746,7 @@ index 1f22fba..a8390d3 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1087,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1091,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -89325,7 +89765,7 @@ index 1f22fba..a8390d3 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1106,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1110,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -89352,7 +89792,7 @@ index 1f22fba..a8390d3 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1131,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1135,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -89491,7 +89931,7 @@ index 1f22fba..a8390d3 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1229,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1233,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -89506,7 +89946,7 @@ index 1f22fba..a8390d3 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1247,8 @@ optional_policy(` +@@ -1183,9 +1251,8 @@ optional_policy(` ######################################## # @@ -89517,7 +89957,7 @@ index 1f22fba..a8390d3 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1261,114 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1265,114 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -90490,18 +90930,21 @@ index fd2b6cc..4b83bb0 100644 ######################################## diff --git a/wine.te b/wine.te -index b51923c..bdbac3a 100644 +index b51923c..2641d0b 100644 --- a/wine.te +++ b/wine.te -@@ -39,6 +39,7 @@ allow wine_t self:fifo_file manage_fifo_file_perms; +@@ -38,7 +38,10 @@ allow wine_t self:fifo_file manage_fifo_file_perms; + can_exec(wine_t, wine_exec_t) ++manage_files_pattern(wine_t, wine_home_t, wine_home_t) ++manage_dirs_pattern(wine_t, wine_home_t, wine_home_t) userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") +userdom_tmpfs_filetrans(wine_t, file) manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -@@ -48,7 +49,7 @@ domain_mmap_low(wine_t) +@@ -48,7 +51,7 @@ domain_mmap_low(wine_t) files_execmod_all_files(wine_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e7e810d..36979ff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 48%{?dist} +Release: 51%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -530,6 +530,66 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jun 13 2013 Miroslav Grepl 3.12.1-51 +- accountservice watches when accounts come and go in wtmp +- /usr/java/jre1.7.0_21/bin/java needs to create netlink socket +- Add httpd_use_sasl boolean +- Allow net_admin for tuned_t +- iscsid needs sys_module to auto-load kernel modules +- Allow blueman to read bluetooth conf +- Add nova_manage_lib_files() interface +- Fix mplayer_filetrans_home_content() +- Add mplayer_filetrans_home_content() +- mozilla_plugin_config_roles need to be able to access mozilla_plugin_config_t +- Revert "Allow thumb_t to append inherited xdm stream socket" +- Add iscsi_filetrans_named_content() interface +- Allow to create .mplayer with the correct labeling for unconfined +- Allow iscsiadmin to create lock file with the correct labeling + +* Tue Jun 11 2013 Miroslav Grepl 3.12.1-50 +- Allow wine to manage wine home content +- Make amanda working with socket actiovation +- Add labeling for /usr/sbin/iscsiadm +- Add support for /var/run/gssproxy.sock +- dnsmasq_t needs to read sysctl_net_t + +* Fri Jun 7 2013 Miroslav Grepl 3.12.1-49 +- Fix courier_domain_template() interface +- Allow blueman to write ip_forward +- Allow mongodb to connect to mongodb port +- Allow mongodb to connect to mongodb port +- Allow java to bind jobss_debug port +- Fixes for *_admin interfaces +- Allow iscsid auto-load kernel modules needed for proper iSCSI functionality +- Need to assign attribute for courier_domain to all courier_domains +- Fail2ban reads /etc/passwd +- postfix_virtual will create new files in postfix_spool_t +- abrt triggers sys_ptrace by running pidof +- Label ~/abc as mozilla_home_t, since java apps as plugin want to create it +- Add passenger fixes needed by foreman +- Remove dup interfaces +- Add additional interfaces for quantum +- Add new interfaces for dnsmasq +- Allow passenger to read localization and send signull to itself +- Allow dnsmasq to stream connect to quantum +- Add quantum_stream_connect() +- Make sure that mcollective starts the service with the correct labeling +- Add labels for ~/.manpath +- Dontaudit attempts by svirt_t to getpw* calls +- sandbox domains are trying to look at parent process data +- Allow courior auth to create its pid file in /var/spool/courier subdir +- Add fixes for beam to have it working with couchdb +- Add labeling for /run/nm-xl2tpd.con +- Allow apache to stream connect to thin +- Add systemd support for amand +- Make public types usable for fs mount points +- Call correct mandb interface in domain.te +- Allow iptables to r/w quantum inherited pipes and send sigchld +- Allow ifconfig domtrans to iptables and execute ldconfig +- Add labels for ~/.manpath +- Allow systemd to read iscsi lib files +- seunshare is trying to look at parent process data + * Mon Jun 3 2013 Miroslav Grepl 3.12.1-48 - Fix openshift_search_lib - Add support for abrt-uefioops-oops