diff --git a/policy-F16.patch b/policy-F16.patch index 207bd6d..d704566 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -336,10 +336,27 @@ index e3e0701..3fd0282 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te -index 46d467c..3305e15 100644 +index 46d467c..53c116c 100644 --- a/policy/modules/admin/amanda.te +++ b/policy/modules/admin/amanda.te -@@ -200,12 +200,14 @@ files_search_pids(amanda_recover_t) +@@ -58,7 +58,7 @@ optional_policy(` + # + + allow amanda_t self:capability { chown dac_override setuid kill }; +-allow amanda_t self:process { setpgid signal }; ++allow amanda_t self:process { getsched setsched setpgid signal }; + allow amanda_t self:fifo_file rw_fifo_file_perms; + allow amanda_t self:unix_stream_socket create_stream_socket_perms; + allow amanda_t self:unix_dgram_socket create_socket_perms; +@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms; + + manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) + manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) ++manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t) + filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) + + allow amanda_t amanda_dumpdates_t:file rw_file_perms; +@@ -200,12 +201,14 @@ files_search_pids(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -472,7 +489,7 @@ index 63eb96b..17a9f6d 100644 ## ## Execute bootloader interactively and do diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index d3da8f2..559bc9b 100644 +index d3da8f2..9152065 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -23,7 +23,7 @@ role system_r types bootloader_t; @@ -506,29 +523,30 @@ index d3da8f2..559bc9b 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -162,12 +162,18 @@ ifdef(`distro_redhat',` +@@ -162,8 +162,10 @@ ifdef(`distro_redhat',` files_manage_isid_type_blk_files(bootloader_t) files_manage_isid_type_chr_files(bootloader_t) - # for mke2fs - mount_domtrans(bootloader_t) -- - optional_policy(` -- unconfined_domain(bootloader_t) ++ optional_policy(` + # for mke2fs + mount_domtrans(bootloader_t) - ') -+ -+ #optional_policy(` -+ # unconfined_domain(bootloader_t) -+ #') ++ ') + + optional_policy(` + unconfined_domain(bootloader_t) +@@ -171,6 +173,10 @@ ifdef(`distro_redhat',` + ') + + optional_policy(` ++ devicekit_dontaudit_read_pid_files(bootloader_t) +') + +optional_policy(` -+ devicekit_dontaudit_read_pid_files(bootloader_t) + fstools_exec(bootloader_t) ') - optional_policy(` @@ -197,10 +203,7 @@ optional_policy(` modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) @@ -966,7 +984,7 @@ index 9dd6880..4b7fa27 100644 optional_policy(` diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te -index 4f7bd3c..6c420a4 100644 +index 4f7bd3c..a29af21 100644 --- a/policy/modules/admin/kudzu.te +++ b/policy/modules/admin/kudzu.te @@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t) @@ -999,12 +1017,11 @@ index 4f7bd3c..6c420a4 100644 ') optional_policy(` -@@ -141,5 +140,5 @@ optional_policy(` +@@ -141,5 +140,4 @@ optional_policy(` optional_policy(` unconfined_domtrans(kudzu_t) - unconfined_domain(kudzu_t) -+ #unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 7090dae..6eac7b9 100644 @@ -1579,6 +1596,243 @@ index 3470036..66412e6 100644 +optional_policy(` + puppet_manage_lib(passenger_t) +') +diff --git a/policy/modules/admin/permissivedomains.fc b/policy/modules/admin/permissivedomains.fc +new file mode 100644 +index 0000000..6e6a8fc +--- /dev/null ++++ b/policy/modules/admin/permissivedomains.fc +@@ -0,0 +1 @@ ++# No file contexts +diff --git a/policy/modules/admin/permissivedomains.if b/policy/modules/admin/permissivedomains.if +new file mode 100644 +index 0000000..bd83148 +--- /dev/null ++++ b/policy/modules/admin/permissivedomains.if +@@ -0,0 +1 @@ ++## No Interfaces +diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te +new file mode 100644 +index 0000000..3b8c1e9 +--- /dev/null ++++ b/policy/modules/admin/permissivedomains.te +@@ -0,0 +1,217 @@ ++policy_module(permissivedomains,16) ++ ++optional_policy(` ++ gen_require(` ++ type systemd_logger_t; ++ ') ++ ++ permissive systemd_logger_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type systemd_logind_t; ++ ') ++ ++ permissive systemd_logind_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type fcoemon_t; ++ ') ++ ++ permissive fcoemon_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type httpd_passwd_t; ++ ') ++ ++ permissive httpd_passwd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type puppetca_t; ++ ') ++ ++ permissive puppetca_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type spamd_update_t; ++ ') ++ ++ permissive spamd_update_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type rhev_agentd_t; ++ ') ++ ++ permissive rhev_agentd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type abrt_handle_event_t; ++ ') ++ ++ permissive abrt_handle_event_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type cfengine_serverd_t; ++ ') ++ ++ permissive cfengine_serverd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type cfengine_execd_t; ++ ') ++ ++ permissive cfengine_execd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type cfengine_monitord_t; ++ ') ++ ++ permissive cfengine_monitord_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type rhsmcertd_t; ++ ') ++ ++ permissive rhsmcertd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type fail2ban_client_t; ++ ') ++ ++ permissive fail2ban_client_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type ctdbd_t; ++ ') ++ ++ permissive ctdbd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type mscan_t; ++ ') ++ ++ permissive mscan_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type lldpad_t; ++ ') ++ ++ permissive lldpad_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type sblim_gatherd_t; ++ ') ++ ++ permissive sblim_gatherd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type sblim_gatherd_t; ++ ') ++ ++ permissive sblim_gatherd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type callweaver_t; ++ ') ++ ++ permissive callweaver_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type sanlock_t; ++ ') ++ ++ permissive sanlock_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type uuidd_t; ++ ') ++ ++ permissive uuidd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type wdmd_t; ++ ') ++ ++ permissive wdmd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type dspam_t; ++ ') ++ ++ permissive dspam_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type virt_lxc_t; ++ ') ++ ++ permissive virt_lxc_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type virtd_t; ++ ') ++ ++ permissive virtd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type pyicqt_t; ++ ') ++ ++ permissive pyicqt_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type telepathy_logger_t; ++ ') ++ ++ permissive telepathy_logger_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -1664,7 +1918,7 @@ index 93ec175..0e42018 100644 ') ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..77b9b29 100644 +index af55369..e83b341 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1722,31 +1976,22 @@ index af55369..77b9b29 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,13 +120,22 @@ optional_policy(` +@@ -109,6 +120,15 @@ optional_policy(` ') optional_policy(` -- rpm_manage_tmp_files(prelink_t) + gnome_dontaudit_read_config(prelink_t) + gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) - ') - - optional_policy(` -- unconfined_domain(prelink_t) ++') ++ ++optional_policy(` + nsplugin_manage_rw_files(prelink_t) +') + +optional_policy(` -+ rpm_manage_tmp_files(prelink_t) + rpm_manage_tmp_files(prelink_t) ') -+#optional_policy(` -+# unconfined_domain(prelink_t) -+#') -+ - ######################################## - # - # Prelink Cron system Policy @@ -129,6 +149,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) @@ -3016,7 +3261,7 @@ index d5aaf0e..6b16aef 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..de58aeb 100644 +index 6a5004b..90cf622 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -3076,7 +3321,7 @@ index 6a5004b..de58aeb 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +78,17 @@ optional_policy(` +@@ -66,9 +78,13 @@ optional_policy(` ') optional_policy(` @@ -3092,10 +3337,6 @@ index 6a5004b..de58aeb 100644 - unconfined_domain(tmpreaper_t) + rpm_manage_cache(tmpreaper_t) ') -+ -+#optional_policy(` -+# unconfined_domain(tmpreaper_t) -+#') diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te index 2ae8b62..a8e786b 100644 --- a/policy/modules/admin/tripwire.te @@ -3346,7 +3587,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..233bbc6 100644 +index 441cf22..3d2f418 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t) @@ -3479,15 +3720,15 @@ index 441cf22..233bbc6 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,20 +503,16 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +503,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) @@ -3498,14 +3739,10 @@ index 441cf22..233bbc6 100644 - unconfined_domain(useradd_t) - ') -') -+#ifdef(`distro_redhat',` -+# optional_policy(` -+# unconfined_domain(useradd_t) -+# ') -+#') - +- optional_policy(` apache_manage_all_user_content(useradd_t) + ') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index ebf4b26..453a827 100644 --- a/policy/modules/admin/vpn.te @@ -6538,10 +6775,10 @@ index 0000000..cf65577 +') diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te new file mode 100644 -index 0000000..bb02f40 +index 0000000..6d0c9e3 --- /dev/null +++ b/policy/modules/apps/kde.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,43 @@ +policy_module(kde,1.0.0) + +######################################## @@ -6553,8 +6790,6 @@ index 0000000..bb02f40 +type kdebacklighthelper_exec_t; +dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) + -+permissive kdebacklighthelper_t; -+ +######################################## +# +# backlighthelper local policy @@ -10008,19 +10243,10 @@ index 3cfb128..609921d 100644 + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..e6e956f 100644 +index 2533ea0..7c8de51 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te -@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t) - telepathy_domain_template(idle) - telepathy_domain_template(logger) - -+permissive telepathy_logger_t; -+ - type telepathy_logger_cache_home_t; - userdom_user_home_content(telepathy_logger_cache_home_t) - -@@ -67,6 +69,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble +@@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) @@ -10035,7 +10261,7 @@ index 2533ea0..e6e956f 100644 corenet_all_recvfrom_netlabel(telepathy_gabble_t) corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -@@ -112,6 +122,10 @@ optional_policy(` +@@ -112,6 +120,10 @@ optional_policy(` dbus_system_bus_client(telepathy_gabble_t) ') @@ -10046,7 +10272,7 @@ index 2533ea0..e6e956f 100644 ####################################### # # Telepathy Idle local policy. -@@ -148,9 +162,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -148,9 +160,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) @@ -10058,7 +10284,7 @@ index 2533ea0..e6e956f 100644 files_read_etc_files(telepathy_logger_t) files_read_usr_files(telepathy_logger_t) -@@ -168,6 +184,11 @@ tunable_policy(`use_samba_home_dirs',` +@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_logger_t) ') @@ -10070,7 +10296,7 @@ index 2533ea0..e6e956f 100644 ####################################### # # Telepathy Mission-Control local policy. -@@ -176,6 +197,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',` manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) @@ -10078,7 +10304,7 @@ index 2533ea0..e6e956f 100644 dev_read_rand(telepathy_mission_control_t) -@@ -194,6 +216,16 @@ tunable_policy(`use_samba_home_dirs',` +@@ -194,6 +214,16 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_mission_control_t) ') @@ -10095,7 +10321,7 @@ index 2533ea0..e6e956f 100644 ####################################### # # Telepathy Butterfly and Haze local policy. -@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +235,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -10107,7 +10333,7 @@ index 2533ea0..e6e956f 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -246,6 +281,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +279,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` @@ -10118,7 +10344,7 @@ index 2533ea0..e6e956f 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -365,10 +404,9 @@ dev_read_urand(telepathy_domain) +@@ -365,10 +402,9 @@ dev_read_urand(telepathy_domain) kernel_read_system_state(telepathy_domain) @@ -10130,7 +10356,7 @@ index 2533ea0..e6e956f 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +414,23 @@ optional_policy(` +@@ -376,5 +412,23 @@ optional_policy(` ') optional_policy(` @@ -12049,7 +12275,7 @@ index 4f3b542..5a41e58 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..d898d5a 100644 +index 99b71cb..2039d50 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,14 @@ attribute netif_type; @@ -12182,7 +12408,7 @@ index 99b71cb..d898d5a 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) @@ -18530,7 +18756,7 @@ index 2be17d2..afb3532 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..9db59b0 100644 +index e14b961..7ef880f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -18665,14 +18891,14 @@ index e14b961..9db59b0 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -18705,7 +18931,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -225,17 +278,29 @@ optional_policy(` +@@ -225,21 +278,37 @@ optional_policy(` ') optional_policy(` @@ -18735,7 +18961,15 @@ index e14b961..9db59b0 100644 oav_run_update(sysadm_t, sysadm_r) ') -@@ -253,19 +318,19 @@ optional_policy(` + optional_policy(` ++ openvpn_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + pcmcia_run_cardctl(sysadm_t, sysadm_r) + ') + +@@ -253,19 +322,19 @@ optional_policy(` ') optional_policy(` @@ -18759,7 +18993,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -274,10 +339,7 @@ optional_policy(` +@@ -274,10 +343,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -18771,7 +19005,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -302,12 +364,18 @@ optional_policy(` +@@ -302,12 +368,18 @@ optional_policy(` ') optional_policy(` @@ -18791,7 +19025,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -332,7 +400,7 @@ optional_policy(` +@@ -332,7 +404,7 @@ optional_policy(` ') optional_policy(` @@ -18800,7 +19034,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -343,19 +411,15 @@ optional_policy(` +@@ -343,19 +415,15 @@ optional_policy(` ') optional_policy(` @@ -18822,7 +19056,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -367,45 +431,45 @@ optional_policy(` +@@ -367,45 +435,45 @@ optional_policy(` ') optional_policy(` @@ -18879,7 +19113,7 @@ index e14b961..9db59b0 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,6 +503,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +507,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -18887,36 +19121,36 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -446,11 +511,62 @@ ifndef(`distro_redhat',` +@@ -446,11 +515,62 @@ ifndef(`distro_redhat',` ') optional_policy(` - irc_role(sysadm_r, sysadm_t) + java_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ lockdev_role(sysadm_r, sysadm_t) ') optional_policy(` - java_role(sysadm_r, sysadm_t) -+ mozilla_role(sysadm_r, sysadm_t) ++ lockdev_role(sysadm_r, sysadm_t) + ') + + optional_policy(` -+ mplayer_role(sysadm_r, sysadm_t) ++ mozilla_role(sysadm_r, sysadm_t) + ') + + optional_policy(` ++ mplayer_role(sysadm_r, sysadm_t) + ') +-') + ++ optional_policy(` + pyzor_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + razor_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + rssh_role(sysadm_r, sysadm_t) + ') @@ -20745,7 +20979,7 @@ index 0b827c5..e03a970 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..e96a565 100644 +index 30861ec..ee2d7f1 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -20775,7 +21009,7 @@ index 30861ec..e96a565 100644 type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -32,9 +50,24 @@ files_type(abrt_var_cache_t) +@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t) type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -20783,8 +21017,6 @@ index 30861ec..e96a565 100644 +type abrt_dump_oops_exec_t; +init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) + -+permissive abrt_dump_oops_t; -+ +# type for abrt-handle-event to handle +# ABRT event scripts +type abrt_handle_event_t, abrt_domain; @@ -20792,8 +21024,6 @@ index 30861ec..e96a565 100644 +application_domain(abrt_handle_event_t, abrt_handle_event_exec_t) +role system_r types abrt_handle_event_t; + -+permissive abrt_handle_event_t; -+ # type needed to allow all domains # to handle /var/cache/abrt -type abrt_helper_t; @@ -20801,7 +21031,7 @@ index 30861ec..e96a565 100644 type abrt_helper_exec_t; application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,14 +76,37 @@ ifdef(`enable_mcs',` +@@ -43,14 +72,34 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -20819,9 +21049,6 @@ index 30861ec..e96a565 100644 +application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) +role system_r types abrt_retrace_coredump_t; + -+permissive abrt_retrace_worker_exec_t; -+permissive abrt_retrace_coredump_t; -+ +type abrt_retrace_cache_t; +files_type(abrt_retrace_cache_t) + @@ -20841,7 +21068,7 @@ index 30861ec..e96a565 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +115,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -20849,7 +21076,7 @@ index 30861ec..e96a565 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +126,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +119,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -20857,7 +21084,7 @@ index 30861ec..e96a565 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +140,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -20869,7 +21096,7 @@ index 30861ec..e96a565 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +161,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -20877,7 +21104,7 @@ index 30861ec..e96a565 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -20887,7 +21114,7 @@ index 30861ec..e96a565 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +180,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -20896,7 +21123,7 @@ index 30861ec..e96a565 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +192,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,15 +185,23 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -20923,7 +21150,7 @@ index 30861ec..e96a565 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +219,11 @@ optional_policy(` +@@ -150,6 +212,11 @@ optional_policy(` ') optional_policy(` @@ -20935,7 +21162,7 @@ index 30861ec..e96a565 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +241,7 @@ optional_policy(` +@@ -167,6 +234,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -20943,7 +21170,7 @@ index 30861ec..e96a565 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +253,35 @@ optional_policy(` +@@ -178,12 +246,35 @@ optional_policy(` ') optional_policy(` @@ -20980,7 +21207,7 @@ index 30861ec..e96a565 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +291,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -21009,7 +21236,7 @@ index 30861ec..e96a565 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +321,126 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +314,126 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -21027,7 +21254,7 @@ index 30861ec..e96a565 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; - ') ++') + +####################################### +# @@ -21095,7 +21322,7 @@ index 30861ec..e96a565 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) -+') + ') + +######################################## +# @@ -22333,7 +22560,7 @@ index 6480167..13d57b7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..9b19325 100644 +index 3136c6a..ee04348 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -22645,7 +22872,7 @@ index 3136c6a..9b19325 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +337,25 @@ files_type(httpd_var_lib_t) +@@ -254,14 +337,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -22666,12 +22893,10 @@ index 3136c6a..9b19325 100644 +application_domain(httpd_passwd_t, httpd_passwd_exec_t) +role system_r types httpd_passwd_t; + -+permissive httpd_passwd_t; -+ ######################################## # # Apache server local policy -@@ -281,11 +375,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +373,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -22685,7 +22910,7 @@ index 3136c6a..9b19325 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +425,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +423,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -22696,7 +22921,7 @@ index 3136c6a..9b19325 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +452,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +450,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -22706,7 +22931,7 @@ index 3136c6a..9b19325 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +465,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +463,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -22723,7 +22948,7 @@ index 3136c6a..9b19325 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +482,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +480,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -22739,7 +22964,7 @@ index 3136c6a..9b19325 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +495,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +493,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -22747,7 +22972,7 @@ index 3136c6a..9b19325 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,9 +507,20 @@ files_read_etc_files(httpd_t) +@@ -402,9 +505,20 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -22768,7 +22993,7 @@ index 3136c6a..9b19325 100644 logging_send_syslog_msg(httpd_t) miscfiles_read_localization(httpd_t) -@@ -416,34 +532,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +530,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -22845,7 +23070,7 @@ index 3136c6a..9b19325 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +612,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +610,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -22856,7 +23081,7 @@ index 3136c6a..9b19325 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +626,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +624,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -22886,7 +23111,7 @@ index 3136c6a..9b19325 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +656,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +654,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -22903,7 +23128,7 @@ index 3136c6a..9b19325 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +680,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +678,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -22924,7 +23149,7 @@ index 3136c6a..9b19325 100644 ') optional_policy(` -@@ -513,7 +704,13 @@ optional_policy(` +@@ -513,7 +702,13 @@ optional_policy(` ') optional_policy(` @@ -22939,7 +23164,7 @@ index 3136c6a..9b19325 100644 ') optional_policy(` -@@ -528,7 +725,19 @@ optional_policy(` +@@ -528,7 +723,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -22960,7 +23185,7 @@ index 3136c6a..9b19325 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +746,13 @@ optional_policy(` +@@ -537,8 +744,13 @@ optional_policy(` ') optional_policy(` @@ -22975,7 +23200,7 @@ index 3136c6a..9b19325 100644 ') ') -@@ -556,7 +770,13 @@ optional_policy(` +@@ -556,7 +768,13 @@ optional_policy(` ') optional_policy(` @@ -22989,7 +23214,7 @@ index 3136c6a..9b19325 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +787,7 @@ optional_policy(` +@@ -567,6 +785,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -22997,7 +23222,7 @@ index 3136c6a..9b19325 100644 ') optional_policy(` -@@ -577,6 +798,20 @@ optional_policy(` +@@ -577,6 +796,20 @@ optional_policy(` ') optional_policy(` @@ -23018,7 +23243,7 @@ index 3136c6a..9b19325 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +826,11 @@ optional_policy(` +@@ -591,6 +824,11 @@ optional_policy(` ') optional_policy(` @@ -23030,7 +23255,7 @@ index 3136c6a..9b19325 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +843,12 @@ optional_policy(` +@@ -603,6 +841,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -23043,7 +23268,7 @@ index 3136c6a..9b19325 100644 ######################################## # # Apache helper local policy -@@ -616,7 +862,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +860,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -23056,7 +23281,7 @@ index 3136c6a..9b19325 100644 ######################################## # -@@ -654,28 +904,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +902,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -23100,7 +23325,7 @@ index 3136c6a..9b19325 100644 ') ######################################## -@@ -685,6 +937,8 @@ optional_policy(` +@@ -685,6 +935,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -23109,7 +23334,7 @@ index 3136c6a..9b19325 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +953,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +951,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -23135,7 +23360,7 @@ index 3136c6a..9b19325 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +999,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +997,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -23168,7 +23393,7 @@ index 3136c6a..9b19325 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1046,25 @@ optional_policy(` +@@ -769,6 +1044,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -23194,7 +23419,7 @@ index 3136c6a..9b19325 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1085,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1083,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -23212,7 +23437,7 @@ index 3136c6a..9b19325 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1104,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1102,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -23269,7 +23494,7 @@ index 3136c6a..9b19325 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1155,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1153,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -23300,7 +23525,7 @@ index 3136c6a..9b19325 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1190,20 @@ optional_policy(` +@@ -842,10 +1188,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -23321,7 +23546,7 @@ index 3136c6a..9b19325 100644 ') ######################################## -@@ -891,11 +1249,48 @@ optional_policy(` +@@ -891,11 +1247,48 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -23446,7 +23671,7 @@ index 1ea99b2..9427dd5 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..4ae8a51 100644 +index 1c8c27e..21b91de 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -23552,19 +23777,17 @@ index 1c8c27e..4ae8a51 100644 ') optional_policy(` -@@ -218,9 +232,9 @@ optional_policy(` - udev_read_state(apmd_t) #necessary? +@@ -219,10 +233,6 @@ optional_policy(` ') --optional_policy(` + optional_policy(` - unconfined_domain(apmd_t) -') -+#optional_policy(` -+# unconfined_domain(apmd_t) -+#') - - optional_policy(` +- +-optional_policy(` vbetool_domtrans(apmd_t) + ') + diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if index c804110..bdefbe1 100644 --- a/policy/modules/services/arpwatch.if @@ -25272,10 +25495,10 @@ index 0000000..564acbd +') diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te new file mode 100644 -index 0000000..a7c96a5 +index 0000000..4cfc9f8 --- /dev/null +++ b/policy/modules/services/callweaver.te -@@ -0,0 +1,79 @@ +@@ -0,0 +1,77 @@ +policy_module(callweaver,1.0.0) + +######################################## @@ -25287,8 +25510,6 @@ index 0000000..a7c96a5 +type callweaver_exec_t; +init_daemon_domain(callweaver_t, callweaver_exec_t) + -+permissive callweaver_t; -+ +type callweaver_initrc_exec_t; +init_script_file(callweaver_initrc_exec_t) + @@ -25674,10 +25895,10 @@ index 0000000..12fe9ce + diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te new file mode 100644 -index 0000000..db2ac2d +index 0000000..1ba0484 --- /dev/null +++ b/policy/modules/services/cfengine.te -@@ -0,0 +1,133 @@ +@@ -0,0 +1,127 @@ +policy_module(cfengine, 1.0.0) + +######################################## @@ -25689,8 +25910,6 @@ index 0000000..db2ac2d +type cfengine_serverd_exec_t; +init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t) + -+permissive cfengine_serverd_t; -+ +type cfengine_initrc_exec_t; +init_script_file(cfengine_initrc_exec_t) + @@ -25701,14 +25920,10 @@ index 0000000..db2ac2d +type cfengine_execd_exec_t; +init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t) + -+permissive cfengine_execd_t; -+ +type cfengine_monitord_t; +type cfengine_monitord_exec_t; +init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t) + -+permissive cfengine_monitord_t; -+ +######################################## +# +# cfengine-server local policy @@ -25894,14 +26109,14 @@ index dad226c..7617c53 100644 miscfiles_read_localization(cgred_t) diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc -index fd8cd0b..46678a2 100644 +index fd8cd0b..3d61138 100644 --- a/policy/modules/services/chronyd.fc +++ b/policy/modules/services/chronyd.fc @@ -2,8 +2,12 @@ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) -+/lib/systemd/system/chonyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0) ++/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) @@ -25911,7 +26126,7 @@ index fd8cd0b..46678a2 100644 +/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..f599a70 100644 +index 9a0da94..6a9d3d8 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -25939,7 +26154,7 @@ index 9a0da94..f599a70 100644 #################################### ## ## Execute chronyd -@@ -56,6 +74,103 @@ interface(`chronyd_read_log',` +@@ -56,6 +74,122 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') @@ -26040,10 +26255,29 @@ index 9a0da94..f599a70 100644 + stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) +') + ++######################################## ++## ++## Send to chronyd over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`chronyd_dgram_send',` ++ gen_require(` ++ type chronyd_t; ++ ') ++ ++ allow $1 chronyd_t:unix_dgram_socket sendto; ++') ++ #################################### ## ## All of the rules required to administrate -@@ -75,9 +190,9 @@ interface(`chronyd_read_log',` +@@ -75,9 +209,9 @@ interface(`chronyd_read_log',` # interface(`chronyd_admin',` gen_require(` @@ -26056,7 +26290,7 @@ index 9a0da94..f599a70 100644 ') allow $1 chronyd_t:process { ptrace signal_perms }; -@@ -88,18 +203,19 @@ interface(`chronyd_admin',` +@@ -88,18 +222,19 @@ interface(`chronyd_admin',` role_transition $2 chronyd_initrc_exec_t system_r; allow $2 system_r; @@ -27119,10 +27353,10 @@ index 0000000..ed13d1e + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..2dfd363 +index 0000000..207f706 --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,57 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -27134,8 +27368,6 @@ index 0000000..2dfd363 +type collectd_exec_t; +init_daemon_domain(collectd_t, collectd_exec_t) + -+permissive collectd_t; -+ +type collectd_initrc_exec_t; +init_script_file(collectd_initrc_exec_t) + @@ -27178,7 +27410,6 @@ index 0000000..2dfd363 + +optional_policy(` + apache_content_template(collectd) -+ permissive httpd_collectd_script_t; + + miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) +') @@ -28950,10 +29181,10 @@ index 0000000..1c3a90b + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..758f972 +index 0000000..e6042d9 --- /dev/null +++ b/policy/modules/services/ctdbd.te -@@ -0,0 +1,115 @@ +@@ -0,0 +1,113 @@ +policy_module(ctdbd, 1.0.0) + +######################################## @@ -28965,8 +29196,6 @@ index 0000000..758f972 +type ctdbd_exec_t; +init_daemon_domain(ctdbd_t, ctdbd_exec_t) + -+permissive ctdbd_t; -+ +type ctdbd_initrc_exec_t; +init_script_file(ctdbd_initrc_exec_t) + @@ -30591,7 +30820,7 @@ index f706b99..13d3a35 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..4506fa3 100644 +index f231f17..5a06fc7 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -30658,11 +30887,11 @@ index f231f17..4506fa3 100644 virt_manage_images(devicekit_disk_t) ') -+#optional_policy(` -+# unconfined_domain(devicekit_t) -+# unconfined_domain(devicekit_power_t) -+# unconfined_domain(devicekit_disk_t) -+#') ++optional_policy(` ++ unconfined_domain(devicekit_t) ++ unconfined_domain(devicekit_power_t) ++ unconfined_domain(devicekit_disk_t) ++') + ######################################## # @@ -32681,10 +32910,10 @@ index 0000000..d7a7118 +') diff --git a/policy/modules/services/dspam.te b/policy/modules/services/dspam.te new file mode 100644 -index 0000000..66e9629 +index 0000000..d409571 --- /dev/null +++ b/policy/modules/services/dspam.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,95 @@ + +policy_module(dspam, 1.0.0) + @@ -32697,8 +32926,6 @@ index 0000000..66e9629 +type dspam_exec_t; +init_daemon_domain(dspam_t, dspam_exec_t) + -+permissive dspam_t; -+ +type dspam_initrc_exec_t; +init_script_file(dspam_initrc_exec_t) + @@ -33099,10 +33326,10 @@ index f590a1f..338e5bf 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..7b33bda 100644 +index 2a69e5e..35a2c0b 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te -@@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t) +@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) @@ -33113,9 +33340,6 @@ index 2a69e5e..7b33bda 100644 +type fail2ban_client_exec_t; +init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t) + -+# new in F16 -+permissive fail2ban_client_t; -+ ######################################## # -# fail2ban local policy @@ -33127,7 +33351,7 @@ index 2a69e5e..7b33bda 100644 allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -@@ -36,7 +46,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; +@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files @@ -33136,7 +33360,7 @@ index 2a69e5e..7b33bda 100644 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) -@@ -50,6 +60,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +@@ -50,6 +57,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) @@ -33148,7 +33372,7 @@ index 2a69e5e..7b33bda 100644 kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) -@@ -66,6 +81,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) +@@ -66,6 +78,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) @@ -33156,7 +33380,7 @@ index 2a69e5e..7b33bda 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +110,34 @@ optional_policy(` +@@ -94,5 +107,34 @@ optional_policy(` ') optional_policy(` @@ -33301,10 +33525,10 @@ index 0000000..d827274 + diff --git a/policy/modules/services/fcoemon.te b/policy/modules/services/fcoemon.te new file mode 100644 -index 0000000..eb4be44 +index 0000000..1f39a80 --- /dev/null +++ b/policy/modules/services/fcoemon.te -@@ -0,0 +1,48 @@ +@@ -0,0 +1,46 @@ +policy_module(fcoemon, 1.0.0) + +######################################## @@ -33316,8 +33540,6 @@ index 0000000..eb4be44 +type fcoemon_exec_t; +init_daemon_domain(fcoemon_t, fcoemon_exec_t) + -+permissive fcoemon_t; -+ +type fcoemon_var_run_t; +files_pid_file(fcoemon_var_run_t) + @@ -34731,15 +34953,14 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..983ab3e 100644 +index 4fde46b..ab59945 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -9,24 +9,32 @@ type gnomeclock_t; +@@ -9,24 +9,31 @@ type gnomeclock_t; type gnomeclock_exec_t; dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +systemd_systemctl_domain(gnomeclock) -+permissive gnomeclock_systemctl_t; + ######################################## # @@ -34770,7 +34991,7 @@ index 4fde46b..983ab3e 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +43,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +42,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -34885,7 +35106,7 @@ index a627b34..c4cfc6d 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te -index 03742d8..6ba7c74 100644 +index 03742d8..d9232fe 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te @@ -24,8 +24,8 @@ files_pid_file(gpsd_var_run_t) @@ -34899,7 +35120,14 @@ index 03742d8..6ba7c74 100644 allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; allow gpsd_t self:tcp_socket create_stream_socket_perms; -@@ -43,9 +43,13 @@ corenet_all_recvfrom_netlabel(gpsd_t) +@@ -38,14 +38,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) + manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) + files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) + ++kernel_list_proc(gpsd_t) ++ + corenet_all_recvfrom_unlabeled(gpsd_t) + corenet_all_recvfrom_netlabel(gpsd_t) corenet_tcp_sendrecv_generic_if(gpsd_t) corenet_tcp_sendrecv_generic_node(gpsd_t) corenet_tcp_sendrecv_all_ports(gpsd_t) @@ -34908,18 +35136,20 @@ index 03742d8..6ba7c74 100644 corenet_tcp_bind_gpsd_port(gpsd_t) +dev_read_sysfs(gpsd_t) ++dev_rw_realtime_clock(gpsd_t) + +domain_dontaudit_read_all_domains_state(gpsd_t) + term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) -@@ -56,6 +60,11 @@ logging_send_syslog_msg(gpsd_t) +@@ -56,6 +63,12 @@ logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` + chronyd_rw_shm(gpsd_t) + chronyd_stream_connect(gpsd_t) ++ chronyd_dgram_send(gpsd_t) +') + +optional_policy(` @@ -35377,10 +35607,15 @@ index 87b4531..db2d189 100644 + files_list_etc($1) ') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te -index c234b32..32f1b6d 100644 +index c234b32..6c0a73d 100644 --- a/policy/modules/services/hddtemp.te +++ b/policy/modules/services/hddtemp.te -@@ -42,8 +42,12 @@ files_search_etc(hddtemp_t) +@@ -38,12 +38,16 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) + corenet_sendrecv_hddtemp_server_packets(hddtemp_t) + corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) + +-files_search_etc(hddtemp_t) ++files_read_etc_files(hddtemp_t) files_read_usr_files(hddtemp_t) storage_raw_read_fixed_disk(hddtemp_t) @@ -35954,10 +36189,10 @@ index 9878499..81fcd0f 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..6538d66 100644 +index da2127e..a666df2 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te -@@ -5,90 +5,152 @@ policy_module(jabber, 1.8.0) +@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0) # Declarations # @@ -35969,8 +36204,6 @@ index da2127e..6538d66 100644 +jabber_domain_template(jabberd) +jabber_domain_template(jabberd_router) +jabber_domain_template(pyicqt) -+ -+permissive pyicqt_t; type jabberd_initrc_exec_t; init_script_file(jabberd_initrc_exec_t) @@ -36043,15 +36276,15 @@ index da2127e..6538d66 100644 +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) ++ ++fs_getattr_all_fs(jabberd_router_t) -dev_read_sysfs(jabberd_t) -# For SSL -dev_read_rand(jabberd_t) -+fs_getattr_all_fs(jabberd_router_t) ++miscfiles_read_generic_certs(jabberd_router_t) -domain_use_interactive_fds(jabberd_t) -+miscfiles_read_generic_certs(jabberd_router_t) -+ +optional_policy(` + kerberos_use(jabberd_router_t) +') @@ -36091,8 +36324,8 @@ index da2127e..6538d66 100644 optional_policy(` - seutil_sigchld_newrole(jabberd_t) + udev_read_db(jabberd_t) -+') -+ + ') + +###################################### +# +# Local policy for pyicq-t @@ -36125,15 +36358,15 @@ index da2127e..6538d66 100644 +libs_use_shared_libs(pyicqt_t) + +# needed for pyicq-t-mysql -+optional_policy(` -+ corenet_tcp_connect_mysqld_port(pyicqt_t) - ') - optional_policy(` - udev_read_db(jabberd_t) -+ sysnet_use_ldap(pyicqt_t) ++ corenet_tcp_connect_mysqld_port(pyicqt_t) ') + ++optional_policy(` ++ sysnet_use_ldap(pyicqt_t) ++') ++ +####################################### +# +# Local policy for jabberd domains @@ -36944,10 +37177,10 @@ index 0000000..5783d58 + diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te new file mode 100644 -index 0000000..02359ec +index 0000000..4aac893 --- /dev/null +++ b/policy/modules/services/l2tpd.te -@@ -0,0 +1,58 @@ +@@ -0,0 +1,56 @@ +policy_module(l2tpd, 1.0.0) + +######################################## @@ -36959,8 +37192,6 @@ index 0000000..02359ec +type l2tpd_exec_t; +init_daemon_domain(l2tpd_t, l2tpd_exec_t) + -+permissive l2tpd_t; -+ +type l2tpd_initrc_exec_t; +init_script_file(l2tpd_initrc_exec_t) + @@ -37472,10 +37703,10 @@ index 0000000..9d1bac3 + diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te new file mode 100644 -index 0000000..b5ba929 +index 0000000..b7f4268 --- /dev/null +++ b/policy/modules/services/lldpad.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,72 @@ +policy_module(lldpad, 1.0.0) + +######################################## @@ -37487,8 +37718,6 @@ index 0000000..b5ba929 +type lldpad_exec_t; +init_daemon_domain(lldpad_t, lldpad_exec_t) + -+permissive lldpad_t; -+ +type lldpad_initrc_exec_t; +init_script_file(lldpad_initrc_exec_t) + @@ -37507,6 +37736,10 @@ index 0000000..b5ba929 +# + +allow lldpad_t self:capability { net_admin net_raw }; ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit lldpad_t self:capability sys_module; ++') + +allow lldpad_t self:shm create_shm_perms; +allow lldpad_t self:fifo_file rw_fifo_file_perms; @@ -37899,10 +38132,10 @@ index 0000000..39c12cb +') diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te new file mode 100644 -index 0000000..b1cf109 +index 0000000..5b84980 --- /dev/null +++ b/policy/modules/services/mailscanner.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,87 @@ +policy_module(mailscanner, 1.0.0) + +######################################## @@ -37926,9 +38159,6 @@ index 0000000..b1cf109 +type mscan_var_run_t; +files_pid_file(mscan_var_run_t) + -+# New in F16 -+permissive mscan_t; -+ +######################################## +# +# Local policy @@ -39629,7 +39859,7 @@ index 343cee3..f8c4fb6 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..cdcf4c7 100644 +index 64268e4..8d3091f 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -39751,7 +39981,7 @@ index 64268e4..cdcf4c7 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +165,6 @@ optional_policy(` +@@ -158,22 +165,13 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -39770,7 +40000,14 @@ index 64268e4..cdcf4c7 100644 ') optional_policy(` -@@ -189,6 +184,10 @@ optional_policy(` + qmail_domtrans_inject(system_mail_t) ++ qmail_manage_spool_dirs(system_mail_t) ++ qmail_manage_spool_files(system_mail_t) ++ qmail_rw_spool_pipes(system_mail_t) + ') + + optional_policy(` +@@ -189,6 +187,10 @@ optional_policy(` ') optional_policy(` @@ -39781,7 +40018,7 @@ index 64268e4..cdcf4c7 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,15 +198,16 @@ optional_policy(` +@@ -199,15 +201,16 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -39802,7 +40039,7 @@ index 64268e4..cdcf4c7 100644 ######################################## # # Mailserver delivery local policy -@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -39812,7 +40049,7 @@ index 64268e4..cdcf4c7 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +243,10 @@ optional_policy(` +@@ -242,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -39823,7 +40060,7 @@ index 64268e4..cdcf4c7 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +254,25 @@ optional_policy(` +@@ -249,16 +257,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -39851,7 +40088,7 @@ index 64268e4..cdcf4c7 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +306,44 @@ optional_policy(` +@@ -292,3 +309,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -42426,7 +42663,7 @@ index ceafba6..9eb6967 100644 + udev_read_db(pcscd_t) +') diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te -index 3185114..6f2f1d4 100644 +index 3185114..4abd429 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -16,7 +16,7 @@ type pegasus_tmp_t; @@ -42443,7 +42680,7 @@ index 3185114..6f2f1d4 100644 # -allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; -+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; ++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_bind_service }; dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; @@ -42823,10 +43060,10 @@ index 0000000..548d0a2 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..0ac1a0c +index 0000000..aaf3fa8 --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,295 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -43086,10 +43323,6 @@ index 0000000..0ac1a0c + udev_read_db(piranha_pulse_t) +') + -+#optional_policy(` -+# unconfined_domain(piranha_pulse_t) -+#') -+ +#################################### +# +# piranha domains common policy @@ -44280,7 +44513,7 @@ index 46bee12..c22af86 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..511cb5f 100644 +index a32c4b3..4f41f4e 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -44623,10 +44856,14 @@ index a32c4b3..511cb5f 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +641,10 @@ optional_policy(` +@@ -565,6 +641,14 @@ optional_policy(` ') optional_policy(` ++ dovecot_stream_connect(postfix_smtp_t) ++') ++ ++optional_policy(` + dspam_stream_connect(postfix_smtp_t) +') + @@ -44634,7 +44871,7 @@ index a32c4b3..511cb5f 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +668,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -44651,7 +44888,7 @@ index a32c4b3..511cb5f 100644 ') optional_policy(` -@@ -611,8 +697,8 @@ optional_policy(` +@@ -611,8 +701,8 @@ optional_policy(` # Postfix virtual local policy # @@ -44661,7 +44898,7 @@ index a32c4b3..511cb5f 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +716,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +720,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -45787,17 +46024,13 @@ index 2855a44..2898ff9 100644 + files_search_var_lib($1) +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..313f77d 100644 +index 64c5f95..7041ad9 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te -@@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0) - # Declarations +@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) # -+# New in Fedora16 -+permissive puppetca_t; -+ -+## + ## +##

+## Allow Puppet client to manage all file +## types. @@ -45805,7 +46038,7 @@ index 64c5f95..313f77d 100644 +## +gen_tunable(puppet_manage_all_files, false) + - ## ++## ##

-## Allow Puppet client to manage all file -## types. @@ -45817,7 +46050,7 @@ index 64c5f95..313f77d 100644 type puppet_t; type puppet_exec_t; -@@ -35,6 +45,11 @@ files_type(puppet_var_lib_t) +@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t) type puppet_var_run_t; files_pid_file(puppet_var_run_t) @@ -45829,7 +46062,7 @@ index 64c5f95..313f77d 100644 type puppetmaster_t; type puppetmaster_exec_t; init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) -@@ -63,7 +78,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) files_search_var_lib(puppet_t) @@ -45838,7 +46071,7 @@ index 64c5f95..313f77d 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -132,7 +147,7 @@ sysnet_dns_name_resolve(puppet_t) +@@ -132,7 +144,7 @@ sysnet_dns_name_resolve(puppet_t) sysnet_run_ifconfig(puppet_t, system_r) tunable_policy(`puppet_manage_all_files',` @@ -45847,7 +46080,7 @@ index 64c5f95..313f77d 100644 ') optional_policy(` -@@ -162,7 +177,60 @@ optional_policy(` +@@ -162,7 +174,60 @@ optional_policy(` ######################################## # @@ -45909,7 +46142,7 @@ index 64c5f95..313f77d 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +239,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +236,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; @@ -45948,7 +46181,7 @@ index 64c5f95..313f77d 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +277,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -45998,7 +46231,7 @@ index 64c5f95..313f77d 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +330,9 @@ optional_policy(` +@@ -231,3 +327,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -46234,8 +46467,20 @@ index cd683f9..a272112 100644 kernel_read_kernel_sysctls(pyzord_t) kernel_read_system_state(pyzord_t) +diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc +index 0055e54..f988f51 100644 +--- a/policy/modules/services/qmail.fc ++++ b/policy/modules/services/qmail.fc +@@ -17,6 +17,7 @@ + /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) + + /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) ++/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) + + /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) + diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if -index a55bf44..77a25f5 100644 +index a55bf44..27007ed 100644 --- a/policy/modules/services/qmail.if +++ b/policy/modules/services/qmail.if @@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',` @@ -46270,6 +46515,66 @@ index a55bf44..77a25f5 100644 ') ') +@@ -149,3 +147,59 @@ interface(`qmail_smtpd_service_domain',` + + domtrans_pattern(qmail_smtpd_t, $2, $1) + ') ++ ++######################################## ++##

++## Create, read, write, and delete qmail ++## spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qmail_manage_spool_dirs',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete qmail ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qmail_manage_spool_files',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ manage_files_pattern($1, qmail_spool_t, qmail_spool_t) ++') ++ ++######################################## ++## ++## Read and write to qmail spool pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`qmail_rw_spool_pipes',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; ++') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te index 355b2a2..88e6f40 100644 --- a/policy/modules/services/qmail.te @@ -47282,7 +47587,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..d95e136 100644 +index 00fa514..e605105 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -47413,19 +47718,6 @@ index 00fa514..d95e136 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -193,9 +220,9 @@ optional_policy(` - virt_stream_connect(rgmanager_t) - ') - --optional_policy(` -- unconfined_domain(rgmanager_t) --') -+#optional_policy(` -+# unconfined_domain(rgmanager_t) -+#') - - optional_policy(` - xen_domtrans_xm(rgmanager_t) diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc index c2ba53b..853eeb5 100644 --- a/policy/modules/services/rhcs.fc @@ -47965,10 +48257,10 @@ index 0000000..bf11e25 +') diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te new file mode 100644 -index 0000000..bc97a21 +index 0000000..23ba402 --- /dev/null +++ b/policy/modules/services/rhev.te -@@ -0,0 +1,84 @@ +@@ -0,0 +1,82 @@ +policy_module(rhev,1.0) + +######################################## @@ -47987,8 +48279,6 @@ index 0000000..bc97a21 +type rhev_agentd_tmp_t; +files_tmp_file(rhev_agentd_tmp_t) + -+permissive rhev_agentd_t; -+ +######################################## +# +# rhev_agentd_t local policy @@ -48408,10 +48698,10 @@ index 0000000..811c52e + diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..9f9c62f +index 0000000..4d1d0c7 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te -@@ -0,0 +1,63 @@ +@@ -0,0 +1,61 @@ +policy_module(rhsmcertd, 1.0.0) + +######################################## @@ -48423,8 +48713,6 @@ index 0000000..9f9c62f +type rhsmcertd_exec_t; +init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t) + -+permissive rhsmcertd_t; -+ +type rhsmcertd_initrc_exec_t; +init_script_file(rhsmcertd_initrc_exec_t) + @@ -50364,10 +50652,10 @@ index 0000000..486d53d +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..dae577a +index 0000000..46930eb --- /dev/null +++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,63 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -50379,8 +50667,6 @@ index 0000000..dae577a +type sanlock_exec_t; +init_daemon_domain(sanlock_t, sanlock_exec_t) + -+permissive sanlock_t; -+ +type sanlock_var_run_t; +files_pid_file(sanlock_var_run_t) + @@ -50605,10 +50891,10 @@ index 0000000..8aef188 + diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te new file mode 100644 -index 0000000..74080f1 +index 0000000..785c2f3 --- /dev/null +++ b/policy/modules/services/sblim.te -@@ -0,0 +1,106 @@ +@@ -0,0 +1,102 @@ +policy_module(sblim, 1.0.0) + +######################################## @@ -50622,14 +50908,10 @@ index 0000000..74080f1 +type sblim_gatherd_exec_t; +init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) + -+permissive sblim_gatherd_t; -+ +type sblim_reposd_t, sblim_domain; +type sblim_reposd_exec_t; +init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) + -+permissive sblim_gatherd_t; -+ +type sblim_var_run_t; +files_pid_file(sblim_var_run_t) + @@ -51622,10 +51904,10 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..4d649e1 100644 +index ec1eb1e..659d854 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te -@@ -6,56 +6,103 @@ policy_module(spamassassin, 2.4.0) +@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0) # ## @@ -51744,8 +52026,6 @@ index ec1eb1e..4d649e1 100644 +application_domain(spamd_update_t, spamd_update_exec_t) +cron_system_entry(spamd_update_t, spamd_update_exec_t) +role system_r types spamd_update_t; -+ -+permissive spamd_update_t; type spamd_t; type spamd_exec_t; @@ -51766,7 +52046,7 @@ index ec1eb1e..4d649e1 100644 type spamd_tmp_t; files_tmp_file(spamd_tmp_t) -@@ -108,6 +155,7 @@ kernel_read_kernel_sysctls(spamassassin_t) +@@ -108,6 +153,7 @@ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) @@ -51774,7 +52054,7 @@ index ec1eb1e..4d649e1 100644 # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -148,6 +196,9 @@ tunable_policy(`spamassassin_can_network',` +@@ -148,6 +194,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) @@ -51784,7 +52064,7 @@ index ec1eb1e..4d649e1 100644 sysnet_read_config(spamassassin_t) ') -@@ -184,6 +235,8 @@ optional_policy(` +@@ -184,6 +233,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -51793,7 +52073,7 @@ index ec1eb1e..4d649e1 100644 ') ######################################## -@@ -206,15 +259,32 @@ allow spamc_t self:unix_stream_socket connectto; +@@ -206,15 +257,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -51826,7 +52106,7 @@ index ec1eb1e..4d649e1 100644 corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -226,6 +296,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) +@@ -226,6 +294,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) @@ -51834,7 +52114,7 @@ index ec1eb1e..4d649e1 100644 fs_search_auto_mountpoints(spamc_t) -@@ -244,9 +315,14 @@ files_read_usr_files(spamc_t) +@@ -244,9 +313,14 @@ files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -51849,7 +52129,7 @@ index ec1eb1e..4d649e1 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -254,27 +330,46 @@ seutil_read_config(spamc_t) +@@ -254,27 +328,46 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -51902,7 +52182,7 @@ index ec1eb1e..4d649e1 100644 ') ######################################## -@@ -286,7 +381,7 @@ optional_policy(` +@@ -286,7 +379,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -51911,7 +52191,7 @@ index ec1eb1e..4d649e1 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -302,10 +397,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -51930,7 +52210,7 @@ index ec1eb1e..4d649e1 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,11 +416,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -51948,7 +52228,7 @@ index ec1eb1e..4d649e1 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +473,27 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +471,27 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -51980,7 +52260,7 @@ index ec1eb1e..4d649e1 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +510,9 @@ optional_policy(` +@@ -399,7 +508,9 @@ optional_policy(` ') optional_policy(` @@ -51990,7 +52270,7 @@ index ec1eb1e..4d649e1 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -408,25 +521,17 @@ optional_policy(` +@@ -408,25 +519,17 @@ optional_policy(` ') optional_policy(` @@ -52018,7 +52298,7 @@ index ec1eb1e..4d649e1 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +542,10 @@ optional_policy(` +@@ -437,6 +540,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -52029,7 +52309,7 @@ index ec1eb1e..4d649e1 100644 ') optional_policy(` -@@ -451,3 +560,43 @@ optional_policy(` +@@ -451,3 +558,43 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') @@ -54057,10 +54337,10 @@ index 0000000..5a2fd4c +') diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te new file mode 100644 -index 0000000..7826086 +index 0000000..ac053f3 --- /dev/null +++ b/policy/modules/services/uuidd.te -@@ -0,0 +1,48 @@ +@@ -0,0 +1,46 @@ +policy_module(uuidd, 1.0.0) + +######################################## @@ -54072,8 +54352,6 @@ index 0000000..7826086 +type uuidd_exec_t; +init_daemon_domain(uuidd_t, uuidd_exec_t) + -+permissive uuidd_t; -+ +type uuidd_initrc_exec_t; +init_script_file(uuidd_initrc_exec_t) + @@ -54981,7 +55259,7 @@ index 7c5d8d8..d83a9a2 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..e18ede2 100644 +index 3eca020..9c42952 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) @@ -55118,7 +55396,7 @@ index 3eca020..e18ede2 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -99,20 +123,33 @@ ifdef(`enable_mls',` +@@ -99,20 +123,29 @@ ifdef(`enable_mls',` ######################################## # @@ -55132,10 +55410,6 @@ index 3eca020..e18ede2 100644 +type virt_lxc_var_run_t; +files_pid_file(virt_lxc_var_run_t) + -+permissive virt_lxc_t; -+ -+permissive virtd_t; -+ +######################################## +# # svirt local policy @@ -55156,7 +55430,7 @@ index 3eca020..e18ede2 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -130,9 +167,13 @@ corenet_tcp_connect_all_ports(svirt_t) +@@ -130,9 +163,13 @@ corenet_tcp_connect_all_ports(svirt_t) dev_list_sysfs(svirt_t) @@ -55170,7 +55444,7 @@ index 3eca020..e18ede2 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +188,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +184,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -55186,7 +55460,7 @@ index 3eca020..e18ede2 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +205,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +201,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -55209,7 +55483,7 @@ index 3eca020..e18ede2 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +230,35 @@ optional_policy(` +@@ -174,21 +226,35 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -55250,7 +55524,7 @@ index 3eca020..e18ede2 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +270,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +266,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -55268,7 +55542,7 @@ index 3eca020..e18ede2 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +294,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +290,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -55284,7 +55558,7 @@ index 3eca020..e18ede2 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +322,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +318,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -55317,7 +55591,7 @@ index 3eca020..e18ede2 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +354,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +350,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -55336,14 +55610,14 @@ index 3eca020..e18ede2 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +389,29 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +385,29 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -55366,7 +55640,7 @@ index 3eca020..e18ede2 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +430,10 @@ optional_policy(` +@@ -313,6 +426,10 @@ optional_policy(` ') optional_policy(` @@ -55377,7 +55651,7 @@ index 3eca020..e18ede2 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,11 +450,17 @@ optional_policy(` +@@ -329,11 +446,17 @@ optional_policy(` ') optional_policy(` @@ -55395,7 +55669,7 @@ index 3eca020..e18ede2 100644 ') optional_policy(` -@@ -365,6 +492,12 @@ optional_policy(` +@@ -365,6 +488,12 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -55408,19 +55682,7 @@ index 3eca020..e18ede2 100644 ') optional_policy(` -@@ -385,29 +518,45 @@ optional_policy(` - udev_read_db(virtd_t) - ') - --optional_policy(` -- unconfined_domain(virtd_t) --') -+#optional_policy(` -+# unconfined_domain(virtd_t) -+#') - - ######################################## - # +@@ -394,20 +523,36 @@ optional_policy(` # virtual domains common policy # @@ -55459,7 +55721,7 @@ index 3eca020..e18ede2 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +567,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +563,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -55472,7 +55734,7 @@ index 3eca020..e18ede2 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +579,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +575,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -55485,7 +55747,7 @@ index 3eca020..e18ede2 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,14 +592,20 @@ files_search_all(virt_domain) +@@ -440,14 +588,20 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -55493,12 +55755,12 @@ index 3eca020..e18ede2 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -55509,7 +55771,7 @@ index 3eca020..e18ede2 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +615,176 @@ optional_policy(` +@@ -457,8 +611,176 @@ optional_policy(` ') optional_policy(` @@ -55893,10 +56155,10 @@ index 0000000..a554011 +') diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te new file mode 100644 -index 0000000..b9d6149 +index 0000000..307c99e --- /dev/null +++ b/policy/modules/services/wdmd.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,51 @@ +policy_module(wdmd,1.0.0) + +######################################## @@ -55908,8 +56170,6 @@ index 0000000..b9d6149 +type wdmd_exec_t; +init_daemon_domain(wdmd_t, wdmd_exec_t) + -+permissive wdmd_t; -+ +type wdmd_var_run_t; +files_pid_file(wdmd_var_run_t) + @@ -57291,7 +57551,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..798589f 100644 +index 143c893..00b270e 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -57459,7 +57719,7 @@ index 143c893..798589f 100644 # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -196,15 +247,11 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; +@@ -196,15 +247,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -57468,8 +57728,7 @@ index 143c893..798589f 100644 -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -files_tmp_file(xserver_tmp_t) -ubac_constrained(xserver_tmp_t) -+permissive xserver_t; - +- type xserver_tmpfs_t; -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; -typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t }; @@ -57478,7 +57737,7 @@ index 143c893..798589f 100644 files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -234,10 +281,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) +@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) allow xdm_t iceauth_home_t:file read_file_perms; @@ -57497,7 +57756,7 @@ index 143c893..798589f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -247,52 +301,113 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,52 +299,113 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') @@ -57617,7 +57876,7 @@ index 143c893..798589f 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -304,20 +419,36 @@ optional_policy(` +@@ -304,20 +417,36 @@ optional_policy(` # XDM Local policy # @@ -57658,7 +57917,7 @@ index 143c893..798589f 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +456,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -57727,7 +57986,7 @@ index 143c893..798589f 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +520,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -57755,7 +58014,7 @@ index 143c893..798589f 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +549,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -57809,7 +58068,7 @@ index 143c893..798589f 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +604,23 @@ files_list_mnt(xdm_t) +@@ -435,9 +602,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -57833,7 +58092,7 @@ index 143c893..798589f 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +627,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -57873,7 +58132,7 @@ index 143c893..798589f 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -57904,7 +58163,7 @@ index 143c893..798589f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -57919,7 +58178,7 @@ index 143c893..798589f 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -57941,7 +58200,7 @@ index 143c893..798589f 100644 ') optional_policy(` -@@ -519,12 +750,62 @@ optional_policy(` +@@ -519,12 +748,62 @@ optional_policy(` ') optional_policy(` @@ -58004,7 +58263,7 @@ index 143c893..798589f 100644 hostname_exec(xdm_t) ') -@@ -542,28 +823,69 @@ optional_policy(` +@@ -542,28 +821,69 @@ optional_policy(` ') optional_policy(` @@ -58083,7 +58342,7 @@ index 143c893..798589f 100644 ') optional_policy(` -@@ -575,6 +897,14 @@ optional_policy(` +@@ -575,6 +895,14 @@ optional_policy(` ') optional_policy(` @@ -58098,7 +58357,7 @@ index 143c893..798589f 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +927,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -58107,7 +58366,7 @@ index 143c893..798589f 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +941,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -58123,7 +58382,7 @@ index 143c893..798589f 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +968,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -58145,7 +58404,7 @@ index 143c893..798589f 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +988,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -58153,7 +58412,7 @@ index 143c893..798589f 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1015,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -58161,7 +58420,7 @@ index 143c893..798589f 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1024,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -58179,7 +58438,7 @@ index 143c893..798589f 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1045,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -58193,7 +58452,7 @@ index 143c893..798589f 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1066,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1064,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -58202,7 +58461,7 @@ index 143c893..798589f 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1071,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -58217,7 +58476,7 @@ index 143c893..798589f 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1132,40 @@ optional_policy(` +@@ -778,16 +1130,40 @@ optional_policy(` ') optional_policy(` @@ -58255,11 +58514,11 @@ index 143c893..798589f 100644 optional_policy(` - unconfined_domain_noaudit(xserver_t) -+ #unconfined_domain(xserver_t) ++ unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') -@@ -796,6 +1174,10 @@ optional_policy(` +@@ -796,6 +1172,10 @@ optional_policy(` ') optional_policy(` @@ -58270,7 +58529,7 @@ index 143c893..798589f 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1193,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1191,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -58284,7 +58543,7 @@ index 143c893..798589f 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1204,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1202,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -58293,7 +58552,7 @@ index 143c893..798589f 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1217,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1215,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -58303,7 +58562,7 @@ index 143c893..798589f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1227,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1225,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -58315,7 +58574,7 @@ index 143c893..798589f 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1240,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1238,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -58332,7 +58591,7 @@ index 143c893..798589f 100644 ') optional_policy(` -@@ -862,6 +1255,10 @@ optional_policy(` +@@ -862,6 +1253,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -58343,7 +58602,7 @@ index 143c893..798589f 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1300,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -58352,7 +58611,7 @@ index 143c893..798589f 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1356,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1354,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -58384,7 +58643,7 @@ index 143c893..798589f 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1402,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1400,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -58582,7 +58841,7 @@ index 21ae664..3e448dd 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te -index 9fb4747..a59cfc2 100644 +index 9fb4747..afe5e5f 100644 --- a/policy/modules/services/zarafa.te +++ b/policy/modules/services/zarafa.te @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) @@ -58596,15 +58855,15 @@ index 9fb4747..a59cfc2 100644 zarafa_domain_template(monitor) zarafa_domain_template(server) -@@ -32,6 +36,8 @@ zarafa_domain_template(spooler) - type zarafa_var_lib_t; - files_tmp_file(zarafa_var_lib_t) +@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t + manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) + files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) -+permissive zarafa_indexer_t; ++dev_read_rand(zarafa_deliver_t) + ######################################## # - # zarafa-deliver local policy + # zarafa_gateway local policy @@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) @@ -59576,7 +59835,7 @@ index a97a096..ab1e16a 100644 /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index c28da1c..bf8ea27 100644 +index c28da1c..38390f5 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t) @@ -59620,26 +59879,15 @@ index c28da1c..bf8ea27 100644 init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) -@@ -147,13 +156,13 @@ miscfiles_read_localization(fsadm_t) +@@ -147,7 +156,7 @@ miscfiles_read_localization(fsadm_t) seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) +term_use_all_inherited_terms(fsadm_t) --ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_domain(fsadm_t) -- ') --') -+#ifdef(`distro_redhat',` -+# optional_policy(` -+# unconfined_domain(fsadm_t) -+# ') -+#') - - optional_policy(` - amanda_rw_dumpdates_files(fsadm_t) + ifdef(`distro_redhat',` + optional_policy(` @@ -166,6 +175,11 @@ optional_policy(` ') @@ -62615,7 +62863,7 @@ index 808ba93..ed84884 100644 ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index e5836d3..b32b945 100644 +index e5836d3..c76046b 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; @@ -62669,17 +62917,13 @@ index e5836d3..b32b945 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +153,7 @@ optional_policy(` +@@ -141,6 +153,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') -optional_policy(` - unconfined_domain(ldconfig_t) -') -+#optional_policy(` -+# unconfined_domain(ldconfig_t) -+#') -+ diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a0b379d..2a55eab 100644 --- a/policy/modules/system/locallogin.te @@ -63372,7 +63616,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..4513ab9 100644 +index a0a0ebf..e55e967 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -63405,26 +63649,18 @@ index a0a0ebf..4513ab9 100644 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) -@@ -134,10 +141,15 @@ userdom_dontaudit_search_user_home_dirs(clvmd_t) - lvm_domtrans(clvmd_t) - lvm_read_config(clvmd_t) +@@ -141,6 +148,11 @@ ifdef(`distro_redhat',` + ') --ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_domain(clvmd_t) -- ') -+#ifdef(`distro_redhat',` -+# optional_policy(` -+# unconfined_domain(clvmd_t) -+# ') -+#') -+ -+optional_policy(` + optional_policy(` + aisexec_stream_connect(clvmd_t) + corosync_stream_connect(clvmd_t) ++') ++ ++optional_policy(` + ccs_stream_connect(clvmd_t) ') - optional_policy(` @@ -167,9 +179,10 @@ optional_policy(` # net_admin for multipath allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; @@ -63530,7 +63766,7 @@ index a0a0ebf..4513ab9 100644 miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) -@@ -299,15 +324,23 @@ seutil_read_file_contexts(lvm_t) +@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -63541,22 +63777,18 @@ index a0a0ebf..4513ab9 100644 ifdef(`distro_redhat',` # this is from the initrd: - files_rw_isid_type_dirs(lvm_t) +@@ -311,6 +339,11 @@ ifdef(`distro_redhat',` + ') -- optional_policy(` -- unconfined_domain(lvm_t) -- ') -+ #optional_policy(` -+ # unconfined_domain(lvm_t) -+ #') + optional_policy(` ++ aisexec_stream_connect(lvm_t) ++ corosync_stream_connect(lvm_t) +') + +optional_policy(` -+ aisexec_stream_connect(lvm_t) -+ corosync_stream_connect(lvm_t) + bootloader_rw_tmp_files(lvm_t) ') - optional_policy(` @@ -331,14 +364,26 @@ optional_policy(` ') @@ -63705,7 +63937,7 @@ index 9c0faab..dd6530e 100644 ## loading modules. ## diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index a0eef20..8b724a5 100644 +index a0eef20..d5408ff 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,11 +18,12 @@ type insmod_t; @@ -63761,21 +63993,15 @@ index a0eef20..8b724a5 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -94,21 +102,22 @@ optional_policy(` - rpm_manage_script_tmp_files(depmod_t) +@@ -95,7 +103,6 @@ optional_policy(` ') --optional_policy(` + optional_policy(` - # Read System.map from home directories. -- unconfined_domain(depmod_t) --') -+#optional_policy(` -+# # Read System.map from home directories. -+# unconfined_domain(depmod_t) -+#') + unconfined_domain(depmod_t) + ') - ######################################## - # +@@ -104,11 +111,12 @@ optional_policy(` # insmod local policy # @@ -63789,7 +64015,7 @@ index a0eef20..8b724a5 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) can_exec(insmod_t, insmod_exec_t) @@ -63799,7 +64025,7 @@ index a0eef20..8b724a5 100644 kernel_load_module(insmod_t) kernel_request_load_module(insmod_t) kernel_read_system_state(insmod_t) -@@ -126,6 +138,7 @@ kernel_write_proc_files(insmod_t) +@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -63807,7 +64033,7 @@ index a0eef20..8b724a5 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -143,6 +156,7 @@ dev_rw_agp(insmod_t) +@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -63815,7 +64041,7 @@ index a0eef20..8b724a5 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -161,11 +175,18 @@ files_write_kernel_modules(insmod_t) +@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -63834,7 +64060,7 @@ index a0eef20..8b724a5 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -174,8 +195,7 @@ miscfiles_read_localization(insmod_t) +@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -63844,7 +64070,7 @@ index a0eef20..8b724a5 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -187,28 +207,27 @@ optional_policy(` +@@ -187,28 +206,27 @@ optional_policy(` ') optional_policy(` @@ -63879,13 +64105,7 @@ index a0eef20..8b724a5 100644 ') optional_policy(` -@@ -231,11 +250,15 @@ optional_policy(` - ') - - optional_policy(` -- unconfined_domain(insmod_t) -+ #unconfined_domain(insmod_t) - unconfined_dontaudit_rw_pipes(insmod_t) +@@ -236,6 +254,10 @@ optional_policy(` ') optional_policy(` @@ -63896,7 +64116,7 @@ index a0eef20..8b724a5 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) +@@ -296,7 +318,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) @@ -64651,7 +64871,7 @@ index b1a85b5..db0d815 100644 ## ## diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index a19ecea..4e2ef36 100644 +index a19ecea..dbcca4d 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -64713,16 +64933,6 @@ index a19ecea..4e2ef36 100644 term_dontaudit_list_ptys(mdadm_t) -@@ -95,6 +97,6 @@ optional_policy(` - udev_read_db(mdadm_t) - ') - --optional_policy(` -- unconfined_domain(mdadm_t) --') -+#optional_policy(` -+# unconfined_domain(mdadm_t) -+#') diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc index 2cc4bda..167c358 100644 --- a/policy/modules/system/selinuxutil.fc @@ -65190,7 +65400,7 @@ index 170e2c7..b85fc73 100644 + ') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..3e78f42 100644 +index 7ed9819..4e8cb38 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -65500,11 +65710,11 @@ index 7ed9819..3e78f42 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -- --locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) +-locallogin_use_fds(semanage_t) +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) @@ -65594,25 +65804,25 @@ index 7ed9819..3e78f42 100644 -selinux_compute_create_context(setfiles_t) -selinux_compute_relabel_context(setfiles_t) -selinux_compute_user_contexts(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -term_use_all_ttys(setfiles_t) -term_use_all_ptys(setfiles_t) -term_use_unallocated_ttys(setfiles_t) -- --# this is to satisfy the assertion: --auth_relabelto_shadow(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - --init_use_fds(setfiles_t) --init_use_script_fds(setfiles_t) --init_use_script_ptys(setfiles_t) --init_exec_script_files(setfiles_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) +-# this is to satisfy the assertion: +-auth_relabelto_shadow(setfiles_t) +- +-init_use_fds(setfiles_t) +-init_use_script_fds(setfiles_t) +-init_use_script_ptys(setfiles_t) +-init_exec_script_files(setfiles_t) +- -logging_send_syslog_msg(setfiles_t) +######################################## +# @@ -65679,12 +65889,10 @@ index 7ed9819..3e78f42 100644 ') ') --optional_policy(` + optional_policy(` - hotplug_use_fds(setfiles_t) --') -+#optional_policy(` -+# unconfined_domain(setfiles_mac_t) -+#') ++ unconfined_domain(setfiles_mac_t) + ') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 1447687..cdc0223 100644 --- a/policy/modules/system/setrans.te @@ -66634,10 +66842,10 @@ index 0000000..fc27830 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f4df137 +index 0000000..d1bcd34 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,350 @@ +@@ -0,0 +1,346 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -66649,15 +66857,10 @@ index 0000000..f4df137 +attribute systemd_domain; +attribute systemctl_domain; + -+# New in f16 -+permissive systemd_logger_t; -+ +type systemd_logger_t; +type systemd_logger_exec_t; +init_systemd_domain(systemd_logger_t, systemd_logger_exec_t) + -+permissive systemd_logind_t; -+ +type systemd_logind_t; +type systemd_logind_exec_t; +init_systemd_domain(systemd_logind_t, systemd_logind_exec_t) @@ -66725,9 +66928,10 @@ index 0000000..f4df137 +dev_getattr_all_chr_files(systemd_logind_t) +dev_getattr_all_blk_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) ++dev_setattr_kvm_dev(systemd_logind_t) +dev_setattr_sound_dev(systemd_logind_t) ++dev_setattr_generic_usb_dev(systemd_logind_t) +dev_setattr_video_dev(systemd_logind_t) -+dev_setattr_kvm_dev(systemd_logind_t) + +# /etc/udev/udev.conf should probably have a private type if only for confined administration +# /etc/nsswitch.conf @@ -67210,15 +67414,10 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..91fae52 100644 +index d88f7c3..2627fa4 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te -@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) - domain_interactive_fd(udev_t) - init_daemon_domain(udev_t, udev_exec_t) - -+permissive udev_t; -+ +@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) @@ -67234,7 +67433,7 @@ index d88f7c3..91fae52 100644 ifdef(`enable_mcs',` kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) -@@ -38,6 +38,12 @@ ifdef(`enable_mcs',` +@@ -38,6 +36,12 @@ ifdef(`enable_mcs',` allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; dontaudit udev_t self:capability sys_tty_config; @@ -67247,7 +67446,7 @@ index d88f7c3..91fae52 100644 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; -@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -67255,7 +67454,7 @@ index d88f7c3..91fae52 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -62,17 +67,16 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -67278,7 +67477,7 @@ index d88f7c3..91fae52 100644 kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t) +@@ -87,6 +91,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) kernel_search_debugfs(udev_t) @@ -67286,7 +67485,7 @@ index d88f7c3..91fae52 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -97,6 +104,7 @@ corecmd_exec_all_executables(udev_t) +@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -67294,7 +67493,7 @@ index d88f7c3..91fae52 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +113,29 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +111,29 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -67325,7 +67524,7 @@ index d88f7c3..91fae52 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -67333,7 +67532,7 @@ index d88f7c3..91fae52 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -67342,7 +67541,7 @@ index d88f7c3..91fae52 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,15 +205,16 @@ ifdef(`distro_redhat',` +@@ -186,8 +203,9 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -67353,17 +67552,7 @@ index d88f7c3..91fae52 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) - -- optional_policy(` -- unconfined_domain(udev_t) -- ') -+ #optional_policy(` -+ # unconfined_domain(udev_t) -+ #') - ') - - optional_policy(` -@@ -216,11 +236,16 @@ optional_policy(` +@@ -216,11 +234,16 @@ optional_policy(` ') optional_policy(` @@ -67381,7 +67570,7 @@ index d88f7c3..91fae52 100644 ') optional_policy(` -@@ -230,10 +255,20 @@ optional_policy(` +@@ -230,10 +253,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -67402,7 +67591,7 @@ index d88f7c3..91fae52 100644 ') optional_policy(` -@@ -259,6 +294,10 @@ optional_policy(` +@@ -259,6 +292,10 @@ optional_policy(` ') optional_policy(` @@ -67413,7 +67602,7 @@ index d88f7c3..91fae52 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +312,11 @@ optional_policy(` +@@ -273,6 +310,11 @@ optional_policy(` ') optional_policy(` @@ -68200,7 +68389,7 @@ index db75976..cca4cd1 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..07569a4 100644 +index 4b2878a..022f6e7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -69342,7 +69531,7 @@ index 4b2878a..07569a4 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1238,71 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1238,72 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -69420,10 +69609,11 @@ index 4b2878a..07569a4 100644 - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) ++ postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1312,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -69434,7 +69624,7 @@ index 4b2878a..07569a4 100644 ') ') -@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1350,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -69443,7 +69633,7 @@ index 4b2878a..07569a4 100644 ') ############################## -@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1377,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -69451,7 +69641,7 @@ index 4b2878a..07569a4 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1386,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -69461,7 +69651,7 @@ index 4b2878a..07569a4 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1403,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -69469,7 +69659,7 @@ index 4b2878a..07569a4 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1421,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -69483,7 +69673,7 @@ index 4b2878a..07569a4 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1438,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -69526,7 +69716,7 @@ index 4b2878a..07569a4 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1479,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -69535,7 +69725,7 @@ index 4b2878a..07569a4 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1540,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -69544,7 +69734,7 @@ index 4b2878a..07569a4 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1554,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -69555,7 +69745,7 @@ index 4b2878a..07569a4 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1567,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -69584,7 +69774,7 @@ index 4b2878a..07569a4 100644 ') optional_policy(` -@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1595,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -69600,7 +69790,7 @@ index 4b2878a..07569a4 100644 ') optional_policy(` -@@ -1279,54 +1622,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1623,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -69682,7 +69872,7 @@ index 4b2878a..07569a4 100644 ## ## ## -@@ -1334,7 +1689,44 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,7 +1690,44 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -69728,7 +69918,7 @@ index 4b2878a..07569a4 100644 gen_require(` type user_devpts_t; ') -@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1788,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -69736,7 +69926,7 @@ index 4b2878a..07569a4 100644 files_search_home($1) ') -@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1835,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -69751,7 +69941,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1858,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -69763,7 +69953,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1919,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -69806,7 +69996,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2029,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -69815,7 +70005,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2045,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -69830,7 +70020,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2093,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -69874,7 +70064,7 @@ index 4b2878a..07569a4 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2149,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -69900,7 +70090,7 @@ index 4b2878a..07569a4 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2199,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2200,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -69933,7 +70123,7 @@ index 4b2878a..07569a4 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2235,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2236,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -69951,7 +70141,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1779,6 +2301,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2302,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -70012,7 +70202,7 @@ index 4b2878a..07569a4 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2386,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2387,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -70022,7 +70212,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1827,20 +2402,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2403,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -70047,7 +70237,7 @@ index 4b2878a..07569a4 100644 ######################################## ## -@@ -1941,6 +2510,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2511,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -70072,7 +70262,7 @@ index 4b2878a..07569a4 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2595,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2596,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -70081,7 +70271,7 @@ index 4b2878a..07569a4 100644 files_search_home($1) ') -@@ -2182,7 +2769,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -70090,7 +70280,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -2390,7 +2977,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2978,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -70099,7 +70289,7 @@ index 4b2878a..07569a4 100644 files_search_tmp($1) ') -@@ -2435,13 +3022,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3023,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -70115,7 +70305,7 @@ index 4b2878a..07569a4 100644 ## ## ## -@@ -2462,26 +3050,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3051,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -70142,7 +70332,7 @@ index 4b2878a..07569a4 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3140,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3141,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -70151,7 +70341,7 @@ index 4b2878a..07569a4 100644 ## ## ## -@@ -2580,70 +3148,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3149,138 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -70320,7 +70510,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3372,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3373,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -70345,7 +70535,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3390,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3391,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -70371,7 +70561,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3451,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3452,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -70380,7 +70570,7 @@ index 4b2878a..07569a4 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3467,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3468,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -70414,7 +70604,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -2972,7 +3555,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3556,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -70423,7 +70613,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -3027,7 +3610,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3611,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -70470,7 +70660,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -3064,6 +3685,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3686,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -70478,7 +70668,7 @@ index 4b2878a..07569a4 100644 kernel_search_proc($1) ') -@@ -3142,6 +3764,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3765,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -70503,7 +70693,7 @@ index 4b2878a..07569a4 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3834,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3835,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index cca2336..23c0704 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Aug 29 2011 Miroslav Grepl 3.10.0-22 +- Allow Postfix to deliver to Dovecot LMTP socket +- Ignore bogus sys_module for lldpad +- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock +- systemd_logind_t sets the attributes on usb devices +- Allow hddtemp_t to read etc_t files +- Add permissivedomains module +- Move all permissive domains calls to permissivedomain.te +- Allow pegasis to send kill signals to other UIDs + * Wed Aug 24 2011 Miroslav Grepl 3.10.0-21 - Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets