diff --git a/policy-F15.patch b/policy-F15.patch index ed163bf..f672a0e 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1,3 +1,14 @@ +diff --git a/Changelog b/Changelog +index 0de73bc..27cbe7f 100644 +--- a/Changelog ++++ b/Changelog +@@ -1,3 +1,6 @@ ++- Cron default contexts fix from Harry Ciao. ++- Man page fixes from Justin Mattock. ++- Add syslog capability. + - Support for logging in to /dev/console, from Harry Ciao. + - Database object class updates and associated SEPostgreSQL changes from + KaiGai Kohei. diff --git a/Makefile b/Makefile index b8486a0..bec48d7 100644 --- a/Makefile @@ -11,8 +22,89 @@ index b8486a0..bec48d7 100644 net_contexts := $(builddir)net_contexts all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) +diff --git a/config/appconfig-mcs/default_contexts b/config/appconfig-mcs/default_contexts +index 22aeb67..801d97b 100644 +--- a/config/appconfig-mcs/default_contexts ++++ b/config/appconfig-mcs/default_contexts +@@ -1,4 +1,4 @@ +-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 ++system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 + system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 + system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 + system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +diff --git a/config/appconfig-mls/default_contexts b/config/appconfig-mls/default_contexts +index 22aeb67..801d97b 100644 +--- a/config/appconfig-mls/default_contexts ++++ b/config/appconfig-mls/default_contexts +@@ -1,4 +1,4 @@ +-system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 ++system_r:crond_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0 + system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 + system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0 + system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 +diff --git a/config/appconfig-standard/default_contexts b/config/appconfig-standard/default_contexts +index 6141347..64a0a90 100644 +--- a/config/appconfig-standard/default_contexts ++++ b/config/appconfig-standard/default_contexts +@@ -1,4 +1,4 @@ +-system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_crond_t unconfined_r:unconfined_cronjob_t ++system_r:crond_t user_r:cronjob_t staff_r:cronjob_t sysadm_r:cronjob_t system_r:system_cronjob_t unconfined_r:unconfined_cronjob_t + system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t + system_r:remote_login_t user_r:user_t staff_r:staff_t unconfined_r:unconfined_t + system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t +diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8 +index a939a74..87925e6 100644 +--- a/man/man8/httpd_selinux.8 ++++ b/man/man8/httpd_selinux.8 +@@ -28,9 +28,9 @@ httpd_sys_script_exec_t + .EE + - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. + .EX +-httpd_sys_content_rw_t ++httpd_sys_rw_content_t + .EE +-- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. ++- Set files with httpd_sys_rw_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. + .EX + httpd_sys_content_ra_t + .EE +@@ -57,7 +57,7 @@ setsebool -P allow_httpd_sys_script_anon_write=1 + .EE + + .SH BOOLEANS +-SELinux policy is customizable based on least access required. SElinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. ++SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible. + .PP + httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this + +diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8 +index 4dab2e2..fce0b48 100644 +--- a/man/man8/named_selinux.8 ++++ b/man/man8/named_selinux.8 +@@ -15,7 +15,7 @@ Security-Enhanced Linux secures the named server via flexible mandatory access + control. + .SH BOOLEANS + SELinux policy is customizable based on least access required. So by +-default SElinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. ++default SELinux policy does not allow named to write master zone files. If you want to have named update the master zone files you need to set the named_write_master_zones boolean. + .EX + setsebool -P named_write_master_zones 1 + .EE +diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8 +index 14498e1..ca702c7 100644 +--- a/man/man8/samba_selinux.8 ++++ b/man/man8/samba_selinux.8 +@@ -34,7 +34,7 @@ setsebool -P allow_smbd_anon_write=1 + .SH BOOLEANS + .br + SELinux policy is customizable based on least access required. So by +-default SElinux policy turns off SELinux sharing of home directories and ++default SELinux policy turns off SELinux sharing of home directories and + the use of Samba shares from a remote machine as a home directory. + .TP + If you are setting up this machine as a Samba server and wish to share the home directories, you need to set the samba_enable_home_dirs boolean. diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index ae29de3..d09e734 100644 +index ae29de3..bf24160 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -153,6 +153,8 @@ inherits file @@ -73,6 +165,22 @@ index ae29de3..d09e734 100644 } class fd +@@ -363,6 +378,7 @@ class security + setbool + setsecparam + setcheckreqprot ++ read_policy + } + + +@@ -428,6 +444,7 @@ class capability2 + { + mac_override # unused by SELinux + mac_admin # unused by SELinux ++ syslog + } + + # diff --git a/policy/global_booleans b/policy/global_booleans index 111d004..9df7b5e 100644 --- a/policy/global_booleans @@ -7097,10 +7205,10 @@ index 0000000..5f09eb9 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..f29f417 +index 0000000..af3d623 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,452 @@ +@@ -0,0 +1,448 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -7257,7 +7365,7 @@ index 0000000..f29f417 + +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms; + -+allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem }; ++allow sandbox_x_domain self:process { signal_perms getsched setsched setpgid execstack execmem }; +dontaudit sandbox_x_domain sandbox_x_domain:process signal; +dontaudit sandbox_x_domain sandbox_xserver_t:process signal; + @@ -7409,9 +7517,6 @@ index 0000000..f29f417 + hal_dbus_chat(sandbox_x_client_t) +') + -+ -+allow sandbox_web_t self:process setsched; -+ +optional_policy(` + nsplugin_read_rw_files(sandbox_web_t) +') @@ -7424,7 +7529,6 @@ index 0000000..f29f417 + +allow sandbox_web_type self:capability { setuid setgid }; +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; -+allow sandbox_web_type self:process setsched; +dontaudit sandbox_web_type self:process setrlimit; + +allow sandbox_web_type self:tcp_socket create_stream_socket_perms; @@ -9526,7 +9630,7 @@ index 41f892f..cab1bfc 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..0d8458a 100644 +index aad8c52..6ac24b0 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` @@ -9573,7 +9677,32 @@ index aad8c52..0d8458a 100644 ## ## ## -@@ -1473,3 +1492,22 @@ interface(`domain_unconfined',` +@@ -1260,6 +1279,24 @@ interface(`domain_exec_all_entry_files',` + + ######################################## + ## ++## dontaudit gettattr on all entry point files ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`domain_dontaudit_getattr_all_entry_files',` ++ gen_require(` ++ attribute entry_type; ++ ') ++ ++ dontaudit $1 entry_type:file exec_file_perms; ++') ++ ++######################################## ++## + ## dontaudit checking for execute on all entry point files + ## + ## +@@ -1473,3 +1510,22 @@ interface(`domain_unconfined',` typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; ') @@ -11717,10 +11846,52 @@ index e49c148..4d6bbf4 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index d7468b3..5d2f9a1 100644 +index d7468b3..774ebee 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if -@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` +@@ -442,6 +442,7 @@ interface(`kernel_read_ring_buffer',` + type kernel_t; + ') + ++ allow $1 self:capability2 syslog; + allow $1 kernel_t:system syslog_read; + ') + +@@ -479,7 +480,16 @@ interface(`kernel_change_ring_buffer_level',` + type kernel_t; + ') + ++ allow $1 self:capability2 syslog; + allow $1 kernel_t:system syslog_console; ++ ++ ifdef(`distro_rhel4',` ++ allow $1 self:capability2 sys_admin; ++ ') ++ ++ ifdef(`distro_rhel5',` ++ allow $1 self:capability2 sys_admin; ++ ') + ') + + ######################################## +@@ -498,7 +508,16 @@ interface(`kernel_clear_ring_buffer',` + type kernel_t; + ') + ++ allow $1 self:capability2 syslog; + allow $1 kernel_t:system syslog_mod; ++ ++ ifdef(`distro_rhel4',` ++ allow $1 self:capability2 sys_admin; ++ ') ++ ++ ifdef(`distro_rhel5',` ++ allow $1 self:capability2 sys_admin; ++ ') + ') + + ######################################## +@@ -716,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` ######################################## ## @@ -11747,7 +11918,7 @@ index d7468b3..5d2f9a1 100644 ## Mount a kernel VM filesystem. ## ## -@@ -2014,7 +2034,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2014,7 +2053,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -11756,7 +11927,7 @@ index d7468b3..5d2f9a1 100644 ') ######################################## -@@ -2417,6 +2437,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2417,6 +2456,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -11781,7 +11952,7 @@ index d7468b3..5d2f9a1 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2561,7 +2599,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2561,7 +2618,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -11790,7 +11961,7 @@ index d7468b3..5d2f9a1 100644 ') ######################################## -@@ -2890,6 +2928,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2890,6 +2947,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -11815,7 +11986,7 @@ index d7468b3..5d2f9a1 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2905,3 +2961,23 @@ interface(`kernel_unconfined',` +@@ -2905,3 +2980,23 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') @@ -11978,7 +12149,7 @@ index 0e5b661..3168d72 100644 +attribute mcsuntrustedproc; +attribute mcsnetwrite; diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index 786449a..a2e1cbc 100644 +index 786449a..e8ebc76 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` @@ -12006,7 +12177,34 @@ index 786449a..a2e1cbc 100644 allow $1 security_t:dir list_dir_perms; allow $1 security_t:file read_file_perms; ') -@@ -459,6 +461,7 @@ interface(`selinux_set_all_booleans',` +@@ -358,6 +360,26 @@ interface(`selinux_load_policy',` + + ######################################## + ## ++## Allow caller to read the policy from the kernel. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`selinux_read_policy',` ++ gen_require(` ++ type security_t; ++ ') ++ ++ allow $1 security_t:dir list_dir_perms; ++ allow $1 security_t:file read_file_perms; ++ allow $1 security_t:security read_policy; ++') ++ ++######################################## ++## + ## Allow caller to set the state of Booleans to + ## enable or disable conditional portions of the policy. (Deprecated) + ## +@@ -459,6 +481,7 @@ interface(`selinux_set_all_booleans',` ') allow $1 security_t:dir list_dir_perms; @@ -12014,7 +12212,7 @@ index 786449a..a2e1cbc 100644 allow $1 boolean_type:file rw_file_perms; if(!secure_mode_policyload) { -@@ -677,3 +680,24 @@ interface(`selinux_unconfined',` +@@ -677,3 +700,24 @@ interface(`selinux_unconfined',` typeattribute $1 selinux_unconfined_type; ') @@ -12291,10 +12489,18 @@ index 0000000..e1ebd1a + +corenet_enable_unlabeled_packets() diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 0faef68..46c58bd 100644 +index 0faef68..4264c9c 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te -@@ -28,10 +28,13 @@ logging_manage_audit_log(auditadm_t) +@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t) + + domain_kill_all_domains(auditadm_t) + ++selinux_read_policy(auditadm_t) ++ + logging_send_syslog_msg(auditadm_t) + logging_read_generic_logs(auditadm_t) + logging_manage_audit_log(auditadm_t) logging_manage_audit_config(auditadm_t) logging_run_auditctl(auditadm_t, auditadm_r) logging_run_auditd(auditadm_t, auditadm_r) @@ -12363,10 +12569,10 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..b7c4d13 100644 +index 2be17d2..efebd79 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) +@@ -8,12 +8,52 @@ policy_module(staff, 2.2.0) role staff_r; userdom_unpriv_user_template(staff) @@ -12412,10 +12618,14 @@ index 2be17d2..b7c4d13 100644 +netutils_signal_ping(staff_t) +netutils_kill_ping(staff_t) + ++ifndef(`enable_mls',` ++ selinux_read_policy(staff_t) ++') ++ optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,116 @@ optional_policy(` +@@ -27,25 +67,116 @@ optional_policy(` ') optional_policy(` @@ -12534,7 +12744,7 @@ index 2be17d2..b7c4d13 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +216,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +220,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -12545,7 +12755,7 @@ index 2be17d2..b7c4d13 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +260,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +264,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -12556,7 +12766,7 @@ index 2be17d2..b7c4d13 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +291,8 @@ ifndef(`distro_redhat',` +@@ -172,3 +295,8 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -19698,7 +19908,7 @@ index 5220c9d..a2e6830 100644 ## ## Allow the specified domain to read corosync's log files. diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 7d2cf85..6c733f8 100644 +index 7d2cf85..92b621a 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t) @@ -19741,7 +19951,7 @@ index 7d2cf85..6c733f8 100644 auth_use_nsswitch(corosync_t) -@@ -83,19 +89,36 @@ logging_send_syslog_msg(corosync_t) +@@ -83,19 +89,37 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -19770,6 +19980,7 @@ index 7d2cf85..6c733f8 100644 + +optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) ++ lvm_delete_clvmd_tmpfs_files(corosync_t) +') - rhcs_rw_gfs_controld_semaphores(corosync_t) @@ -20184,7 +20395,7 @@ index 35241ed..b6402c9 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f35b243..c6b63be 100644 +index f35b243..8296aaa 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -20322,8 +20533,17 @@ index f35b243..c6b63be 100644 files_read_usr_files(crond_t) files_read_etc_runtime_files(crond_t) -@@ -208,7 +224,9 @@ init_spec_domtrans_script(crond_t) +@@ -203,12 +219,18 @@ files_list_usr(crond_t) + files_search_var_lib(crond_t) + files_search_default(crond_t) ++fs_manage_cgroup_dirs(crond_t) ++fs_manage_cgroup_files(crond_t) ++ + init_rw_utmp(crond_t) + init_spec_domtrans_script(crond_t) + ++auth_manage_var_auth(crond_t) auth_use_nsswitch(crond_t) +logging_send_audit_msgs(crond_t) @@ -20332,7 +20552,7 @@ index f35b243..c6b63be 100644 seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) -@@ -219,8 +237,10 @@ miscfiles_read_localization(crond_t) +@@ -219,8 +241,10 @@ miscfiles_read_localization(crond_t) userdom_use_unpriv_users_fds(crond_t) # Not sure why this is needed userdom_list_user_home_dirs(crond_t) @@ -20343,7 +20563,7 @@ index f35b243..c6b63be 100644 ifdef(`distro_debian',` # pam_limits is used -@@ -232,7 +252,7 @@ ifdef(`distro_debian',` +@@ -232,7 +256,7 @@ ifdef(`distro_debian',` ') ') @@ -20352,7 +20572,7 @@ index f35b243..c6b63be 100644 # Run the rpm program in the rpm_t domain. Allow creation of RPM log files # via redirection of standard out. optional_policy(` -@@ -240,16 +260,39 @@ ifdef(`distro_redhat', ` +@@ -240,16 +264,39 @@ ifdef(`distro_redhat', ` ') ') @@ -20393,7 +20613,7 @@ index f35b243..c6b63be 100644 amanda_search_var_lib(crond_t) ') -@@ -259,6 +302,8 @@ optional_policy(` +@@ -259,6 +306,8 @@ optional_policy(` optional_policy(` hal_dbus_chat(crond_t) @@ -20402,7 +20622,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -284,12 +329,18 @@ optional_policy(` +@@ -284,12 +333,18 @@ optional_policy(` udev_read_db(crond_t) ') @@ -20421,7 +20641,7 @@ index f35b243..c6b63be 100644 allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; allow system_cronjob_t self:passwd rootok; -@@ -301,10 +352,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) +@@ -301,10 +356,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file) # This is to handle /var/lib/misc directory. Used currently # by prelink var/lib files for cron @@ -20442,7 +20662,7 @@ index f35b243..c6b63be 100644 # The entrypoint interface is not used as this is not # a regular entrypoint. Since crontab files are # not directly executed, crond must ensure that -@@ -324,6 +384,7 @@ allow crond_t system_cronjob_t:fd use; +@@ -324,6 +388,7 @@ allow crond_t system_cronjob_t:fd use; allow system_cronjob_t crond_t:fd use; allow system_cronjob_t crond_t:fifo_file rw_file_perms; allow system_cronjob_t crond_t:process sigchld; @@ -20450,7 +20670,7 @@ index f35b243..c6b63be 100644 # Write /var/lock/makewhatis.lock. allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; -@@ -335,9 +396,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) +@@ -335,9 +400,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) @@ -20465,7 +20685,7 @@ index f35b243..c6b63be 100644 kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) -@@ -360,6 +425,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) +@@ -360,6 +429,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_read_urand(system_cronjob_t) @@ -20473,7 +20693,7 @@ index f35b243..c6b63be 100644 fs_getattr_all_fs(system_cronjob_t) fs_getattr_all_files(system_cronjob_t) -@@ -386,6 +452,7 @@ files_dontaudit_search_pids(system_cronjob_t) +@@ -386,6 +456,7 @@ files_dontaudit_search_pids(system_cronjob_t) # Access other spool directories like # /var/spool/anacron and /var/spool/slrnpull. files_manage_generic_spool(system_cronjob_t) @@ -20481,7 +20701,7 @@ index f35b243..c6b63be 100644 init_use_script_fds(system_cronjob_t) init_read_utmp(system_cronjob_t) -@@ -408,8 +475,10 @@ miscfiles_manage_man_pages(system_cronjob_t) +@@ -408,8 +479,10 @@ miscfiles_manage_man_pages(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -20493,7 +20713,7 @@ index f35b243..c6b63be 100644 # via redirection of standard out. optional_policy(` rpm_manage_log(system_cronjob_t) -@@ -434,6 +503,8 @@ optional_policy(` +@@ -434,6 +507,8 @@ optional_policy(` apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) @@ -20502,7 +20722,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -441,6 +512,14 @@ optional_policy(` +@@ -441,6 +516,14 @@ optional_policy(` ') optional_policy(` @@ -20517,7 +20737,7 @@ index f35b243..c6b63be 100644 ftp_read_log(system_cronjob_t) ') -@@ -451,15 +530,24 @@ optional_policy(` +@@ -451,15 +534,24 @@ optional_policy(` ') optional_policy(` @@ -20542,7 +20762,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -475,7 +563,7 @@ optional_policy(` +@@ -475,7 +567,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -20551,7 +20771,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -490,6 +578,7 @@ optional_policy(` +@@ -490,6 +582,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -20559,7 +20779,7 @@ index f35b243..c6b63be 100644 ') optional_policy(` -@@ -497,7 +586,13 @@ optional_policy(` +@@ -497,7 +590,13 @@ optional_policy(` ') optional_policy(` @@ -20573,7 +20793,7 @@ index f35b243..c6b63be 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,9 +685,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -590,9 +689,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -22026,11 +22246,11 @@ index 0000000..b4d0dd0 +dirsrv_read_share(httpd_dirsrvadmin_script_t) diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc new file mode 100644 -index 0000000..0070a0d +index 0000000..3aae725 --- /dev/null +++ b/policy/modules/services/dirsrv.fc @@ -0,0 +1,20 @@ -+/etc/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0) ++/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) + +/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) +/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -22038,16 +22258,16 @@ index 0000000..0070a0d +/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) +/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0) + -+/usr/share/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0) ++/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0) + -+/var/run/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0) ++/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) +/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0) + -+/var/lib/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0) ++/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0) + -+/var/lock/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0) ++/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0) + -+/var/log/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0) ++/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0) + +/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0) diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if @@ -22270,10 +22490,10 @@ index 0000000..9d8f5de +') diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te new file mode 100644 -index 0000000..d28639e +index 0000000..2a9e3f9 --- /dev/null +++ b/policy/modules/services/dirsrv.te -@@ -0,0 +1,173 @@ +@@ -0,0 +1,176 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -22335,19 +22555,21 @@ index 0000000..d28639e +manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t) +fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file) + -+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) ++manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t) +files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file }) + ++manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t) +allow dirsrv_t dirsrv_var_log_t:dir { setattr }; +logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir }) + ++manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) +manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) -+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file }) -+ +manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t) ++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file }) + +manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) +manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t) @@ -22444,7 +22666,8 @@ index 0000000..d28639e +optional_policy(` + snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t) + snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t) -+ snmp_append_snmp_var_lib_files(dirsrv_snmp_t) ++ snmp_manage_var_lib_dirs(dirsrv_snmp_t) ++ snmp_manage_var_lib_files(dirsrv_snmp_t) + snmp_stream_connect(dirsrv_snmp_t) +') diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te @@ -23473,10 +23696,10 @@ index 0000000..84d1768 +') diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te new file mode 100644 -index 0000000..ebb76c1 +index 0000000..b439f82 --- /dev/null +++ b/policy/modules/services/firewalld.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,70 @@ + +policy_module(firewalld,1.0.0) + @@ -23543,6 +23766,10 @@ index 0000000..ebb76c1 +optional_policy(` + modutils_domtrans_insmod(firewalld_t) +') ++ ++optional_policy(` ++ policykit_dbus_chat(firewalld_t) ++') diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if index ebad8c4..c02062c 100644 --- a/policy/modules/services/fprintd.if @@ -24973,10 +25200,15 @@ index 87b4531..db2d189 100644 + files_list_etc($1) ') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te -index c234b32..a7b6bf7 100644 +index c234b32..6620169 100644 --- a/policy/modules/services/hddtemp.te +++ b/policy/modules/services/hddtemp.te -@@ -46,4 +46,3 @@ storage_raw_read_fixed_disk(hddtemp_t) +@@ -42,8 +42,8 @@ files_search_etc(hddtemp_t) + files_read_usr_files(hddtemp_t) + + storage_raw_read_fixed_disk(hddtemp_t) ++storage_raw_read_removable_device(hddtemp_t) + logging_send_syslog_msg(hddtemp_t) miscfiles_read_localization(hddtemp_t) @@ -34550,7 +34782,7 @@ index de37806..229a3c7 100644 + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te -index 93c896a..b6f0f45 100644 +index 93c896a..bcc1bcd 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te @@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0) @@ -34673,7 +34905,16 @@ index 93c896a..b6f0f45 100644 allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -207,10 +212,6 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -199,6 +204,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) + files_dontaudit_getattr_all_pipes(qdiskd_t) + files_read_etc_files(qdiskd_t) + ++fs_list_hugetlbfs(qdiskd_t) ++ + storage_raw_read_removable_device(qdiskd_t) + storage_raw_write_removable_device(qdiskd_t) + storage_raw_read_fixed_disk(qdiskd_t) +@@ -207,10 +214,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -34684,7 +34925,7 @@ index 93c896a..b6f0f45 100644 netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +224,24 @@ optional_policy(` +@@ -223,18 +226,24 @@ optional_policy(` # rhcs domains common policy # @@ -36626,7 +36867,7 @@ index 623c8fa..ac10740 100644 /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if -index 275f9fb..6defb76 100644 +index 275f9fb..4f4a192 100644 --- a/policy/modules/services/snmp.if +++ b/policy/modules/services/snmp.if @@ -11,12 +11,12 @@ @@ -36654,11 +36895,11 @@ index 275f9fb..6defb76 100644 allow $1 snmpd_var_lib_t:dir list_dir_perms; read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) -@@ -69,6 +70,26 @@ interface(`snmp_read_snmp_var_lib_files',` +@@ -69,6 +70,45 @@ interface(`snmp_read_snmp_var_lib_files',` ######################################## ## -+## Append snmpd libraries. ++## Manage snmpd libraries directories +## +## +## @@ -36666,14 +36907,33 @@ index 275f9fb..6defb76 100644 +## +## +# -+interface(`snmp_append_snmp_var_lib_files',` ++interface(`snmp_manage_var_lib_dirs',` ++ gen_require(` ++ type snmpd_var_lib_t; ++ ') ++ ++ allow $1 snmpd_var_lib_t:dir manage_dir_perms; ++ files_var_lib_filetrans($1, snmpd_var_lib_t, dir) ++') ++ ++######################################## ++## ++## Manage snmpd libraries. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snmp_manage_var_lib_files',` + gen_require(` + type snmpd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 snmpd_var_lib_t:dir list_dir_perms; -+ append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) ++ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t) +') + +######################################## @@ -36681,7 +36941,7 @@ index 275f9fb..6defb76 100644 ## dontaudit Read snmpd libraries. ## ## -@@ -81,9 +102,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` +@@ -81,9 +121,10 @@ interface(`snmp_dontaudit_read_snmp_var_lib_files',` gen_require(` type snmpd_var_lib_t; ') @@ -36693,7 +36953,7 @@ index 275f9fb..6defb76 100644 ') ######################################## -@@ -123,12 +145,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` +@@ -123,12 +164,11 @@ interface(`snmp_dontaudit_write_snmp_var_lib_files',` # interface(`snmp_admin',` gen_require(` @@ -36709,7 +36969,7 @@ index 275f9fb..6defb76 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..19148ba 100644 +index 3d8d1b3..5c0d25f 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -36736,9 +36996,12 @@ index 3d8d1b3..19148ba 100644 allow snmpd_t self:tcp_socket create_stream_socket_perms; allow snmpd_t self:udp_socket connected_stream_socket_perms; -@@ -43,8 +45,9 @@ files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) +@@ -41,10 +43,11 @@ manage_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) + manage_sock_files_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t) + files_usr_filetrans(snmpd_t, snmpd_var_lib_t, file) files_var_filetrans(snmpd_t, snmpd_var_lib_t, { file dir sock_file }) - files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) +-files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, file) ++files_var_lib_filetrans(snmpd_t, snmpd_var_lib_t, { dir file }) +manage_dirs_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) manage_files_pattern(snmpd_t, snmpd_var_run_t, snmpd_var_run_t) @@ -41822,7 +42085,7 @@ index da2601a..223cc80 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 145fc4b..9a7611b 100644 +index 145fc4b..5c05aae 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -42314,7 +42577,7 @@ index 145fc4b..9a7611b 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -410,18 +573,23 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -410,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -42338,10 +42601,11 @@ index 145fc4b..9a7611b 100644 domain_dontaudit_read_all_domains_state(xdm_t) +domain_dontaudit_ptrace_all_domains(xdm_t) +domain_dontaudit_signal_all_domains(xdm_t) ++domain_dontaudit_getattr_all_entry_files(xdm_t) files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -432,9 +600,17 @@ files_list_mnt(xdm_t) +@@ -432,9 +601,17 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -42359,7 +42623,7 @@ index 145fc4b..9a7611b 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -443,28 +619,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -443,28 +620,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -42398,7 +42662,7 @@ index 145fc4b..9a7611b 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -473,9 +657,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -473,9 +658,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -42429,7 +42693,7 @@ index 145fc4b..9a7611b 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -491,6 +696,12 @@ tunable_policy(`use_samba_home_dirs',` +@@ -491,6 +697,12 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -42442,7 +42706,7 @@ index 145fc4b..9a7611b 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -504,11 +715,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -504,11 +716,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -42464,7 +42728,7 @@ index 145fc4b..9a7611b 100644 ') optional_policy(` -@@ -516,12 +737,54 @@ optional_policy(` +@@ -516,12 +738,54 @@ optional_policy(` ') optional_policy(` @@ -42519,7 +42783,7 @@ index 145fc4b..9a7611b 100644 hostname_exec(xdm_t) ') -@@ -539,28 +802,64 @@ optional_policy(` +@@ -539,28 +803,64 @@ optional_policy(` ') optional_policy(` @@ -42593,7 +42857,7 @@ index 145fc4b..9a7611b 100644 ') optional_policy(` -@@ -572,6 +871,10 @@ optional_policy(` +@@ -572,6 +872,10 @@ optional_policy(` ') optional_policy(` @@ -42604,7 +42868,7 @@ index 145fc4b..9a7611b 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +899,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +900,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -42613,7 +42877,7 @@ index 145fc4b..9a7611b 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +913,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +914,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -42628,7 +42892,7 @@ index 145fc4b..9a7611b 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +940,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -42650,7 +42914,7 @@ index 145fc4b..9a7611b 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +960,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -42658,7 +42922,7 @@ index 145fc4b..9a7611b 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +987,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +988,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -42666,7 +42930,7 @@ index 145fc4b..9a7611b 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,11 +996,17 @@ dev_wx_raw_memory(xserver_t) +@@ -678,11 +997,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -42684,7 +42948,7 @@ index 145fc4b..9a7611b 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -693,8 +1017,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -42698,7 +42962,7 @@ index 145fc4b..9a7611b 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1045,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1046,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -42713,7 +42977,7 @@ index 145fc4b..9a7611b 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,12 +1105,28 @@ optional_policy(` +@@ -773,12 +1106,28 @@ optional_policy(` ') optional_policy(` @@ -42743,7 +43007,7 @@ index 145fc4b..9a7611b 100644 unconfined_domtrans(xserver_t) ') -@@ -787,6 +1135,10 @@ optional_policy(` +@@ -787,6 +1136,10 @@ optional_policy(` ') optional_policy(` @@ -42754,7 +43018,7 @@ index 145fc4b..9a7611b 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1154,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1155,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -42768,7 +43032,7 @@ index 145fc4b..9a7611b 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -813,7 +1165,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -813,7 +1166,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -42777,7 +43041,7 @@ index 145fc4b..9a7611b 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -826,6 +1178,9 @@ init_use_fds(xserver_t) +@@ -826,6 +1179,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -42787,7 +43051,7 @@ index 145fc4b..9a7611b 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -833,6 +1188,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -833,6 +1189,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -42799,7 +43063,7 @@ index 145fc4b..9a7611b 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -841,11 +1201,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1202,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -42816,7 +43080,7 @@ index 145fc4b..9a7611b 100644 ') optional_policy(` -@@ -853,6 +1216,10 @@ optional_policy(` +@@ -853,6 +1217,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -42827,7 +43091,7 @@ index 145fc4b..9a7611b 100644 ######################################## # # Rules common to all X window domains -@@ -896,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -896,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -42836,7 +43100,7 @@ index 145fc4b..9a7611b 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -950,11 +1317,31 @@ allow x_domain self:x_resource { read write }; +@@ -950,11 +1318,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -42868,7 +43132,7 @@ index 145fc4b..9a7611b 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -976,18 +1363,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -976,18 +1364,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -42916,6 +43180,23 @@ index 145fc4b..9a7611b 100644 + unconfined_signal(xserver_t) + unconfined_getpgid(xserver_t) +') +diff --git a/policy/modules/services/zabbix.fc b/policy/modules/services/zabbix.fc +index 3102286..4ef4400 100644 +--- a/policy/modules/services/zabbix.fc ++++ b/policy/modules/services/zabbix.fc +@@ -1,6 +1,10 @@ +-/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/zabbix -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/zabbix-server -- gen_context(system_u:object_r:zabbix_initrc_exec_t,s0) + +-/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) + + /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index d77e631..4776863 100644 --- a/policy/modules/services/zabbix.if @@ -44289,7 +44570,7 @@ index 6fed22c..06e5395 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index ed152c4..a398d39 100644 +index ed152c4..e96b7b1 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,40 @@ interface(`init_script_domain',` @@ -44544,7 +44825,7 @@ index ed152c4..a398d39 100644 ') ') -@@ -800,19 +914,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +914,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -44567,11 +44848,11 @@ index ed152c4..a398d39 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -44584,12 +44865,16 @@ index ed152c4..a398d39 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## @@ -868,9 +1004,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` @@ -44605,6 +44890,24 @@ index ed152c4..a398d39 100644 files_search_etc($1) ') +@@ -937,7 +1078,7 @@ interface(`init_run_daemon',` + # + interface(`init_read_state',` + gen_require(` +- attribute init_t; ++ type init_t; + ') + + allow $1 init_t:dir search_dir_perms; +@@ -958,7 +1099,7 @@ interface(`init_read_state',` + # + interface(`init_ptrace',` + gen_require(` +- attribute init_t; ++ type init_t; + ') + + allow $1 init_t:process ptrace; @@ -1130,12 +1271,7 @@ interface(`init_read_script_state',` ') @@ -46591,7 +46894,7 @@ index 571599b..b323b73 100644 + +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index c7cfb62..ee9809d 100644 +index c7cfb62..6160239 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',` @@ -46720,7 +47023,15 @@ index c7cfb62..ee9809d 100644 ## Write generic log files. ## ## -@@ -996,6 +1090,8 @@ interface(`logging_admin_syslog',` +@@ -971,6 +1065,7 @@ interface(`logging_admin_syslog',` + type syslogd_initrc_exec_t; + ') + ++ allow $1 self:capability2 syslog; + allow $1 syslogd_t:process { ptrace signal_perms }; + allow $1 klogd_t:process { ptrace signal_perms }; + ps_process_pattern($1, syslogd_t) +@@ -996,6 +1091,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -46730,7 +47041,7 @@ index c7cfb62..ee9809d 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..d3fb3f6 100644 +index 9b5a9ed..7ea0ae3 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -55,11 +55,12 @@ type klogd_var_run_t; @@ -46810,7 +47121,15 @@ index 9b5a9ed..d3fb3f6 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -360,6 +383,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -340,6 +363,7 @@ optional_policy(` + # cjp: why net_admin! + allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; + dontaudit syslogd_t self:capability sys_tty_config; ++allow syslogd_t self:capability2 syslog; + # setpgid for metalog + # setrlimit for syslog-ng + allow syslogd_t self:process { signal_perms setpgid setrlimit }; +@@ -360,6 +384,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -46818,7 +47137,7 @@ index 9b5a9ed..d3fb3f6 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -369,9 +393,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -369,9 +394,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -46834,7 +47153,7 @@ index 9b5a9ed..d3fb3f6 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +442,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,6 +443,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -46842,7 +47161,7 @@ index 9b5a9ed..d3fb3f6 100644 domain_use_interactive_fds(syslogd_t) -@@ -480,6 +511,10 @@ optional_policy(` +@@ -480,6 +512,10 @@ optional_policy(` ') optional_policy(` @@ -46853,7 +47172,7 @@ index 9b5a9ed..d3fb3f6 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +523,10 @@ optional_policy(` +@@ -488,6 +524,10 @@ optional_policy(` ') optional_policy(` @@ -46891,10 +47210,10 @@ index 879bb1e..526d11c 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..b4f0663 100644 +index 58bc27f..b95f0c0 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -123,3 +123,21 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +123,39 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -46916,16 +47235,34 @@ index 58bc27f..b4f0663 100644 + + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') ++ ++######################################## ++## ++## Delete lvm temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_delete_clvmd_tmpfs_files',` ++ gen_require(` ++ type clvmd_tmpfs_t; ++ ') ++ ++ allow $1 clvmd_tmpfs_t:file unlink; ++') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 86ef2da..0676045 100644 +index 86ef2da..8de48db 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) type clvmd_initrc_exec_t; init_script_file(clvmd_initrc_exec_t) -+type clmvd_tmpfs_t; -+files_tmpfs_file(clmvd_tmpfs_t) ++type clvmd_tmpfs_t alias clmvd_tmpfs_t; ++files_tmpfs_file(clvmd_tmpfs_t) + type clvmd_var_run_t; files_pid_file(clvmd_var_run_t) @@ -46943,9 +47280,9 @@ index 86ef2da..0676045 100644 allow clvmd_t self:tcp_socket create_stream_socket_perms; allow clvmd_t self:udp_socket create_socket_perms; -+manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t) -+manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t) -+fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file }) ++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t) ++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t) ++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file }) + manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) @@ -47037,6 +47374,18 @@ index 86ef2da..0676045 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) +@@ -274,9 +294,9 @@ storage_relabel_fixed_disk(lvm_t) + storage_dontaudit_read_removable_device(lvm_t) + # LVM creates block devices in /dev/mapper or /dev/ + # depending on its version +-# LVM(2) needs to create directores (/dev/mapper, /dev/) ++# LVM(2) needs to create directories (/dev/mapper, /dev/) + # and links from /dev/ to /dev/mapper/- +-# cjp: need create interface here for fixed disk create ++# cjp: needs to create an interface here for fixed disk create + storage_dev_filetrans_fixed_disk(lvm_t) + # Access raw devices and old /dev/lvm (c 109,0). Is this needed? + storage_manage_fixed_disk(lvm_t) @@ -309,6 +329,11 @@ ifdef(`distro_redhat',` ') @@ -47895,7 +48244,7 @@ index ed9c70d..b961d53 100644 /sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index 09845c4..a49121b 100644 +index 09845c4..8cc2a2b 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -47931,6 +48280,15 @@ index 09845c4..a49121b 100644 kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) +@@ -42,7 +40,7 @@ kernel_getattr_core_if(mdadm_t) + corecmd_exec_bin(mdadm_t) + corecmd_exec_shell(mdadm_t) + +-dev_read_sysfs(mdadm_t) ++dev_rw_sysfs(mdadm_t) + # Ignore attempts to read every device file + dev_dontaudit_getattr_all_blk_files(mdadm_t) + dev_dontaudit_getattr_all_chr_files(mdadm_t) @@ -52,13 +50,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) dev_read_realtime_clock(mdadm_t) # unfortunately needed for DMI decoding: @@ -49753,10 +50111,10 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..bd2ec2e 100644 +index 416e668..352e672 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if -@@ -12,27 +12,33 @@ +@@ -12,27 +12,34 @@ # interface(`unconfined_domain_noaudit',` gen_require(` @@ -49771,6 +50129,7 @@ index 416e668..bd2ec2e 100644 - allow $1 self:capability *; - allow $1 self:fifo_file manage_fifo_file_perms; + allow $1 self:capability ~sys_module; ++ allow $1 self:capability2 syslog; + allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; + + if (!secure_mode_insmod) { @@ -49797,7 +50156,7 @@ index 416e668..bd2ec2e 100644 kernel_unconfined($1) corenet_unconfined($1) -@@ -44,6 +50,12 @@ interface(`unconfined_domain_noaudit',` +@@ -44,6 +51,12 @@ interface(`unconfined_domain_noaudit',` fs_unconfined($1) selinux_unconfined($1) @@ -49810,7 +50169,7 @@ index 416e668..bd2ec2e 100644 tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; -@@ -69,6 +81,7 @@ interface(`unconfined_domain_noaudit',` +@@ -69,6 +82,7 @@ interface(`unconfined_domain_noaudit',` optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -49818,7 +50177,7 @@ index 416e668..bd2ec2e 100644 ') optional_policy(` -@@ -122,6 +135,10 @@ interface(`unconfined_domain_noaudit',` +@@ -122,6 +136,10 @@ interface(`unconfined_domain_noaudit',` ## # interface(`unconfined_domain',` @@ -49829,7 +50188,7 @@ index 416e668..bd2ec2e 100644 unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -178,412 +195,3 @@ interface(`unconfined_alias_domain',` +@@ -178,412 +196,3 @@ interface(`unconfined_alias_domain',` interface(`unconfined_execmem_alias_program',` refpolicywarn(`$0($1) has been deprecated.') ') @@ -50503,7 +50862,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..bc98180 100644 +index 28b88de..a0cd92e 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -51662,7 +52021,15 @@ index 28b88de..bc98180 100644 ') ############################## -@@ -1074,6 +1303,9 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1295,7 @@ template(`userdom_admin_user_template',` + # + + allow $1_t self:capability ~{ sys_module audit_control audit_write }; ++ allow $1_t self:capability2 syslog; + allow $1_t self:process { setexec setfscreate }; + allow $1_t self:netlink_audit_socket nlmsg_readpriv; + allow $1_t self:tun_socket create; +@@ -1074,6 +1304,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -51672,7 +52039,7 @@ index 28b88de..bc98180 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1320,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1321,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -51680,7 +52047,7 @@ index 28b88de..bc98180 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1119,10 +1352,13 @@ template(`userdom_admin_user_template',` +@@ -1119,10 +1353,13 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -51694,7 +52061,7 @@ index 28b88de..bc98180 100644 fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1142,6 +1378,7 @@ template(`userdom_admin_user_template',` +@@ -1142,6 +1379,7 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -51702,7 +52069,7 @@ index 28b88de..bc98180 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1447,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1448,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -51711,7 +52078,15 @@ index 28b88de..bc98180 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1237,6 +1476,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1462,7 @@ template(`userdom_security_admin_template',` + selinux_set_enforce_mode($1) + selinux_set_all_booleans($1) + selinux_set_parameters($1) ++ selinux_read_policy($1) + + auth_relabel_all_files_except_shadow($1) + auth_relabel_shadow($1) +@@ -1237,6 +1478,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -51719,7 +52094,7 @@ index 28b88de..bc98180 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1519,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1521,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -51757,7 +52132,7 @@ index 28b88de..bc98180 100644 ubac_constrained($1) ') -@@ -1395,6 +1661,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1663,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -51765,7 +52140,7 @@ index 28b88de..bc98180 100644 files_search_home($1) ') -@@ -1441,6 +1708,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1710,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -51780,7 +52155,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -1456,9 +1731,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1733,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -51792,7 +52167,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -1515,10 +1792,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1794,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -51805,7 +52180,7 @@ index 28b88de..bc98180 100644 ## ## ## -@@ -1526,35 +1803,71 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,35 +1805,71 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -51898,7 +52273,7 @@ index 28b88de..bc98180 100644 ## ## ## -@@ -1589,6 +1902,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +1904,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -51907,7 +52282,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -1603,10 +1918,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1920,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -51922,7 +52297,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -1649,6 +1966,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +1968,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -51948,7 +52323,7 @@ index 28b88de..bc98180 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2036,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2038,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -51981,7 +52356,7 @@ index 28b88de..bc98180 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2072,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2074,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -51999,7 +52374,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -1810,8 +2169,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2171,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -52009,7 +52384,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -1827,20 +2185,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2187,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -52034,7 +52409,7 @@ index 28b88de..bc98180 100644 ######################################## ## -@@ -2182,7 +2534,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2536,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -52043,7 +52418,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -2435,13 +2787,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2789,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -52059,7 +52434,7 @@ index 28b88de..bc98180 100644 ## ## ## -@@ -2462,26 +2815,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2817,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -52086,7 +52461,7 @@ index 28b88de..bc98180 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2815,7 +3148,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3150,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -52095,7 +52470,7 @@ index 28b88de..bc98180 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3164,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3166,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -52111,7 +52486,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -2917,7 +3252,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3254,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -52120,7 +52495,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -2972,7 +3307,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3309,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -52167,7 +52542,7 @@ index 28b88de..bc98180 100644 ') ######################################## -@@ -3009,6 +3382,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3384,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -52175,7 +52550,7 @@ index 28b88de..bc98180 100644 kernel_search_proc($1) ') -@@ -3139,3 +3513,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3515,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index fb7a949..77e74c6 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.13 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,24 @@ exit 0 %endif %changelog +* Thu Feb 3 2011 Miroslav Grepl 3.9.13-9 +- syslog_t needs syslog capability +- dirsrv needs to be able to create /var/lib/snmp +- Fix labeling for dirsrv +- Fix for dirsrv policy missing manage_dirs_pattern +- corosync needs to delete clvm_tmpfs_t files +- qdiskd needs to list hugetlbfs +- Move setsched to sandbox_x_domain, so firefox can run without network access +- Allow hddtemp to read removable devices +- Adding syslog and read_policy permissions to policy + * syslog + Allow unconfined, sysadm_t, secadm_t, logadm_t + * read_policy + allow unconfined, sysadm_t, secadm_t, staff_t on Targeted + allow sysadm_t (optionally), secadm_t on MLS +- mdadm application will write into /sys/.../uevent whenever arrays are +assembled or disassembled. + * Tue Feb 1 2011 Dan Walsh 3.9.13-8 - Add tcsd policy