diff --git a/booleans.subs_dist b/booleans.subs_dist
index 249f12d..d4ff62c 100644
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@@ -50,4 +50,4 @@ sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
logwatch_can_sendmail logwatch_can_network_connect_mail
-puppetmaster_use_db puppet_use_db
+puppet_manage_all_files puppetagent_manage_all_files
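Review bot: The old compatibility mapping `puppetmaster_use_db puppet_use_db` is dropped rather than kept next to the new entry, so any tooling or kickstart still setting the old boolean name will no longer be translated. This file is append-friendly, so adding `puppet_manage_all_files puppetagent_manage_all_files` as a new line and leaving the puppet line in place costs nothing; if the removal is deliberate because `puppet_use_db` no longer exists, that is worth a word in the commit message.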
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index c658d41..65bee05 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2512,5 +2512,11 @@ bacula = module
#
# rhnsd policy
#
-
rhnsd = module
+
+# Layer: contrib
+# Module: gear
+#
+# gear policy
+#
+gear = module
diff --git a/policy-rawhide-base-user_tmp.patch b/policy-rawhide-base-user_tmp.patch
new file mode 100644
index 0000000..477a847
--- /dev/null
+++ b/policy-rawhide-base-user_tmp.patch
@@ -0,0 +1,885 @@
+diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
+index 32514ee..91a6a37 100644
+--- a/policy/modules/admin/bootloader.te
++++ b/policy/modules/admin/bootloader.te
+@@ -154,7 +154,7 @@ modutils_domtrans_insmod(bootloader_t)
+ seutil_read_bin_policy(bootloader_t)
+ seutil_read_loadpolicy(bootloader_t)
+
+-userdom_getattr_user_tmpfs_files(bootloader_t)
++userdom_getattr_user_tmp_files(bootloader_t)
+ userdom_use_inherited_user_terminals(bootloader_t)
+ userdom_dontaudit_search_user_home_dirs(bootloader_t)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 337a00e..87c6145 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -5199,6 +5199,7 @@ interface(`files_search_tmp',`
+ type tmp_t;
+ ')
+
++ fs_search_tmpfs($1)
+ read_lnk_files_pattern($1, tmp_t, tmp_t)
+ allow $1 tmp_t:dir search_dir_perms;
+ ')
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index a3fe7f6..13a745c 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -33,7 +33,6 @@ gen_tunable(unconfined_login, true)
+ userdom_base_user_template(unconfined)
+ userdom_manage_home_role(unconfined_r, unconfined_t)
+ userdom_manage_tmp_role(unconfined_r, unconfined_t)
+-userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
+ userdom_unpriv_type(unconfined_t)
+
+ type unconfined_exec_t;
+diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
+index e8dcfa7..eb9cefe 100644
+--- a/policy/modules/services/ssh.if
++++ b/policy/modules/services/ssh.if
+@@ -219,8 +219,9 @@ template(`ssh_server_template',`
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
+ term_create_pty($1_t, $1_devpts_t)
+
+- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++ #manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++ #fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
++ userdom_manage_tmp_role(system_r, sshd_t)
+
+ allow $1_t $1_var_run_t:file manage_file_perms;
+ files_pid_filetrans($1_t, $1_var_run_t, file)
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index a8b01bf..fc87b9e 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -89,7 +89,7 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+ type ssh_tmpfs_t;
+ typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
+ typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
+-userdom_user_tmpfs_file(ssh_tmpfs_t)
++userdom_user_tmp_file(ssh_tmpfs_t)
+
+ type ssh_home_t;
+ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
+@@ -127,7 +127,7 @@ manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+ manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
+-fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
++#fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+ manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+@@ -292,7 +292,7 @@ auth_exec_login_program(sshd_t)
+
+ userdom_read_user_home_content_files(sshd_t)
+ userdom_read_user_home_content_symlinks(sshd_t)
+-userdom_manage_tmp_role(system_r, sshd_t)
++#userdom_manage_tmp_role(system_r, sshd_t)
+ userdom_spec_domtrans_unpriv_users(sshd_t)
+ userdom_signal_unpriv_users(sshd_t)
+ userdom_dyntransition_unpriv_users(sshd_t)
+diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
+index 4dda124..4eee56a 100644
+--- a/policy/modules/services/xserver.fc
++++ b/policy/modules/services/xserver.fc
+@@ -76,10 +76,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+ # /tmp
+ #
+
+-/tmp/\.X0-lock -- gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:xdm_tmp_t,s0)
+-/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
++/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:user_fonts_t,s0)
+
+ #
+ # /usr
+diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
+index bf98136..2469c27 100644
+--- a/policy/modules/services/xserver.if
++++ b/policy/modules/services/xserver.if
+@@ -220,7 +220,7 @@ interface(`xserver_non_drawing_client',`
+ interface(`xserver_user_client',`
+ refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
+ gen_require(`
+- type xdm_t, xdm_tmp_t;
++ type xdm_t;
+ type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ ')
+
+@@ -235,8 +235,8 @@ interface(`xserver_user_client',`
+ # for when /tmp/.X11-unix is created by the system
+ allow $1 xdm_t:fd use;
+ allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+- allow $1 xdm_tmp_t:dir search_dir_perms;
+- allow $1 xdm_tmp_t:sock_file { read write };
++ userdom_search_user_tmp_dirs($1)
++ userdom_rw_user_tmp_sock_files($1)
+ dontaudit $1 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -395,7 +395,7 @@ template(`xserver_object_types_template',`
+ #
+ template(`xserver_user_x_domain_template',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++ type xdm_t, xserver_tmpfs_t;
+ type xdm_home_t;
+ type xauth_home_t, iceauth_home_t, xserver_t;
+ ')
+@@ -413,8 +413,8 @@ template(`xserver_user_x_domain_template',`
+ # for when /tmp/.X11-unix is created by the system
+ allow $2 xdm_t:fd use;
+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
+- allow $2 xdm_tmp_t:dir search_dir_perms;
+- allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++ userdom_search_user_tmp_dirs($2)
++ userdom_rw_user_tmp_sock_files($2)
+ dontaudit $2 xdm_t:tcp_socket { read write };
+
+ # Allow connections to X server.
+@@ -429,7 +429,7 @@ template(`xserver_user_x_domain_template',`
+ xserver_ro_session($2, $3)
+ xserver_use_user_fonts($2)
+
+- xserver_read_xdm_tmp_files($2)
++ userdom_read_user_tmp_files($2)
+ xserver_read_xdm_pid($2)
+ xserver_xdm_append_log($2)
+
+@@ -817,12 +817,13 @@ interface(`xserver_manage_xdm_spool_files',`
+ #
+ interface(`xserver_stream_connect_xdm',`
+ gen_require(`
+- type xdm_t, xdm_tmp_t, xdm_var_run_t;
++ type xdm_t, xdm_var_run_t;
+ ')
+
+ files_search_tmp($1)
+ files_search_pids($1)
+- stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
++ stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t)
++ userdom_stream_connect($1)
+ ')
+
+ ########################################
+@@ -934,12 +935,8 @@ interface(`xserver_read_xdm_rw_config',`
+ ##
+ #
+ interface(`xserver_search_xdm_tmp_dirs',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 xdm_tmp_t:dir search_dir_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.')
++ userdom_search_user_tmp_dirs($1)
+ ')
+
+ ########################################
+@@ -953,11 +950,8 @@ interface(`xserver_search_xdm_tmp_dirs',`
+ ##
+ #
+ interface(`xserver_setattr_xdm_tmp_dirs',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- allow $1 xdm_tmp_t:dir setattr_dir_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
+ ')
+
+ ########################################
+@@ -971,11 +965,8 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+ ##
+ #
+ interface(`xserver_dontaudit_xdm_tmp_dirs',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
+ ')
+
+ ########################################
+@@ -990,13 +981,8 @@ interface(`xserver_dontaudit_xdm_tmp_dirs',`
+ ##
+ #
+ interface(`xserver_create_xdm_tmp_sockets',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- allow $1 xdm_tmp_t:dir list_dir_perms;
+- create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.')
++ userdom_create_user_tmp_sockets($1)
+ ')
+
+ ########################################
+@@ -1317,12 +1303,8 @@ interface(`xserver_manage_xdm_etc_files',`
+ ##
+ #
+ interface(`xserver_read_xdm_tmp_files',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- files_search_tmp($1)
+- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.')
++ userdom_read_user_tmpfs_files($1)
+ ')
+
+ ########################################
+@@ -1336,12 +1318,8 @@ interface(`xserver_read_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- dontaudit $1 xdm_tmp_t:dir search_dir_perms;
+- dontaudit $1 xdm_tmp_t:file read_file_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.')
++ userdom_dontaudit_read_user_tmp_files($1)
+ ')
+
+ ########################################
+@@ -1355,12 +1333,8 @@ interface(`xserver_dontaudit_read_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_rw_xdm_tmp_files',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- allow $1 xdm_tmp_t:dir search_dir_perms;
+- allow $1 xdm_tmp_t:file rw_file_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.')
++ userdom_rw_user_tmpfs_files($1)
+ ')
+
+ ########################################
+@@ -1374,11 +1348,8 @@ interface(`xserver_rw_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_manage_xdm_tmp_files',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.')
++ userdom_manage_user_tmp_files($1)
+ ')
+
+ ########################################
+@@ -1392,11 +1363,8 @@ interface(`xserver_manage_xdm_tmp_files',`
+ ##
+ #
+ interface(`xserver_relabel_xdm_tmp_dirs',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- allow $1 xdm_tmp_t:dir relabel_dir_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.')
++ userdom_relabel_user_tmp_dirs($1)
+ ')
+
+ ########################################
+@@ -1410,11 +1378,8 @@ interface(`xserver_relabel_xdm_tmp_dirs',`
+ ##
+ #
+ interface(`xserver_manage_xdm_tmp_dirs',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- manage_dirs_pattern($1, xdm_tmp_t, xdm_tmp_t)
++ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.')
++ userdom_manage_user_tmp_dirs($1)
+ ')
+
+ ########################################
+@@ -1429,11 +1394,8 @@ interface(`xserver_manage_xdm_tmp_dirs',`
+ ##
+ #
+ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms;
++ refpolicywarn(`$0() has been deprecated, please use usedom_dontaudit_user_getattr_tmp_sockets instead.')
++ usedom_dontaudit_user_getattr_tmp_sockets($1)
+ ')
+
+ ########################################
+@@ -1946,11 +1908,8 @@ interface(`xserver_xdm_ioctl_log',`
+ ##
+ #
+ interface(`xserver_append_xdm_tmp_files',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- allow $1 xdm_tmp_t:file append_inherited_file_perms;
++ refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
++ userdom_append_user_tmp_files($1)
+ ')
+
+ ########################################
+@@ -2296,12 +2255,8 @@ interface(`xserver_filetrans_admin_home_content',`
+ ##
+ #
+ interface(`xserver_xdm_tmp_filetrans',`
+- gen_require(`
+- type xdm_tmp_t;
+- ')
+-
+- filetrans_pattern($1, xdm_tmp_t, $2, $3, $4)
+- files_search_tmp($1)
++ refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
++ userdom_user_tmp_filetrans($1,$2, $3, $4)
+ ')
+
+ ########################################
+diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
+index f0e5cc0..e3f28af 100644
+--- a/policy/modules/services/xserver.te
++++ b/policy/modules/services/xserver.te
+@@ -231,12 +231,6 @@ files_type(xserver_var_lib_t)
+ type xserver_var_run_t;
+ files_pid_file(xserver_var_run_t)
+
+-type xdm_tmp_t;
+-files_tmp_file(xdm_tmp_t)
+-typealias xdm_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+-typealias xdm_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t };
+-userdom_user_tmp_file(xserver_tmp_t)
+-
+ type xdm_tmpfs_t;
+ files_tmpfs_file(xdm_tmpfs_t)
+
+@@ -264,7 +258,7 @@ files_config_file(xserver_etc_t)
+ type xserver_tmpfs_t;
+ typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t xguest_xserver_tmpfs_t unconfined_xserver_tmpfs_t xdm_xserver_tmpfs_t };
+ typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t };
+-userdom_user_tmpfs_file(xserver_tmpfs_t)
++userdom_user_tmp_file(xserver_tmpfs_t)
+
+ type xsession_exec_t;
+ corecmd_executable_file(xsession_exec_t)
+@@ -470,14 +464,8 @@ read_files_pattern(xdm_t, xdm_etc_t, xdm_etc_t)
+ # this is ugly, daemons should not create files under /etc!
+ manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
+
+-manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
+-relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
+-can_exec(xdm_t, xdm_tmp_t)
++userdom_manage_all_user_tmp_content(xdm_t)
++userdom_exec_user_tmp_files(xdm_t)
+
+ manage_dirs_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+ manage_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t)
+@@ -697,7 +685,7 @@ userdom_stream_connect(xdm_t)
+ userdom_manage_user_tmp_dirs(xdm_t)
+ userdom_manage_user_tmp_files(xdm_t)
+ userdom_manage_user_tmp_sockets(xdm_t)
+-userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_manage_tmp_role(system_r, xdm_t)
+
+ #userdom_home_manager(xdm_t)
+ tunable_policy(`xdm_write_home',`
+@@ -1349,9 +1337,8 @@ dontaudit xserver_t xdm_var_lib_t:dir search_dir_perms;
+ read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
+
+ # Label pid and temporary files with derived types.
+-manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+-manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
++userdom_manage_user_tmp_files(xserver_t)
++userdom_manage_user_tmp_sockets(xserver_t)
+
+ # Run xkbcomp.
+ allow xserver_t xkb_var_lib_t:lnk_file read_lnk_file_perms;
+@@ -1591,7 +1578,6 @@ manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t)
+
+ stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms;
+-dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms;
+ files_search_tmp(x_userdomain)
+
+ # Communicate via System V shared memory.
+@@ -1618,10 +1604,9 @@ allow x_userdomain xauth_home_t:file read_file_perms;
+ # for when /tmp/.X11-unix is created by the system
+ allow x_userdomain xdm_t:fd use;
+ allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms;
+-allow x_userdomain xdm_tmp_t:dir search_dir_perms;
+-allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms;
++userdom_search_user_tmp_dirs(x_userdomain)
++userdom_rw_user_tmp_sock_files(x_userdomain)
+ dontaudit x_userdomain xdm_t:tcp_socket { read write };
+-dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms;
+
+ allow x_userdomain xdm_t:dbus send_msg;
+ allow xdm_t x_userdomain:dbus send_msg;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 1259fbd..5e66714 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -553,7 +553,7 @@ logging_manage_all_logs(syslogd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+ userdom_search_user_home_dirs(syslogd_t)
+-userdom_rw_inherited_user_tmpfs_files(syslogd_t)
++userdom_rw_inherited_user_tmp_files(syslogd_t)
+
+ ifdef(`distro_gentoo',`
+ # default gentoo syslog-ng config appends kernel
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 00b82b3..9933cad 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -413,7 +413,7 @@ allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
+ manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+ manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
+ fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
+-userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++userdom_rw_user_tmp_files(mount_ecryptfs_t)
+
+ domain_use_interactive_fds(mount_ecryptfs_t)
+
+diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
+index 4ca3a28..8f5380f 100644
+--- a/policy/modules/system/userdomain.fc
++++ b/policy/modules/system/userdomain.fc
+@@ -21,6 +21,12 @@ HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+ HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+ HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+
++/tmp/\.X0-lock -- gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.X11-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++
++
++
+ /var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
+
+ /tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 102478f..4f42aa5 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -420,6 +420,7 @@ interface(`userdom_manage_tmp_role',`
+ manage_sock_files_pattern($2, user_tmp_type, user_tmp_type)
+ manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
++ fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+ relabel_dirs_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_files_pattern($2, user_tmp_type, user_tmp_type)
+ relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
+@@ -427,8 +428,6 @@ interface(`userdom_manage_tmp_role',`
+ relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type)
+ ')
+
+-
+-
+ #######################################
+ ##
+ ## Dontaudit search of user bin dirs.
+@@ -534,24 +533,8 @@ interface(`userdom_manage_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_manage_tmpfs_role',`
+- gen_require(`
+- attribute user_tmpfs_type;
+- type user_tmpfs_t;
+- ')
+-
+- role $1 types user_tmpfs_t;
+-
+- manage_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- manage_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- manage_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- manage_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- manage_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- fs_tmpfs_filetrans($2, user_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+- relabel_dirs_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- relabel_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- relabel_lnk_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- relabel_sock_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
+- relabel_fifo_files_pattern($2, user_tmpfs_type, user_tmpfs_type)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
++ userdom_manage_tmp_role($1,$2)
+ ')
+
+ #######################################
+@@ -994,7 +977,6 @@ template(`userdom_login_user_template', `
+ userdom_manage_home_role($1_r, $1_t)
+
+ userdom_manage_tmp_role($1_r, $1_usertype)
+- userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
+@@ -1839,8 +1821,8 @@ interface(`userdom_user_tmp_file',`
+ ##
+ #
+ interface(`userdom_user_tmpfs_file',`
+- files_tmpfs_file($1)
+- ubac_constrained($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
++ userdom_user_tmp_file($1)
+ ')
+
+ ########################################
+@@ -1878,14 +1860,8 @@ interface(`userdom_user_tmp_content',`
+ ##
+ #
+ interface(`userdom_user_tmpfs_content',`
+- gen_require(`
+- attribute user_tmpfs_type;
+- ')
+-
+- typeattribute $1 user_tmpfs_type;
+-
+- files_tmpfs_file($1)
+- ubac_constrained($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
++ userdom_user_tmp_content($1)
+ ')
+
+ ########################################
+@@ -2400,6 +2376,43 @@ interface(`userdom_setattr_user_tmp_files',`
+
+ ########################################
+ ##
++## Create a user tmp sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_create_user_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_search_tmp($1)
++ allow $1 user_tmp_t:dir list_dir_perms;
++ create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
++')
++
++########################################
++##
++## Dontaudit getattr on user tmp sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++ dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
++')
++
++########################################
++##
+ ## Relabel user tmp files.
+ ##
+ ##
+@@ -2416,6 +2429,26 @@ interface(`userdom_relabel_user_tmp_files',`
+
+ allow $1 user_tmp_t:file relabel_file_perms;
+ ')
++
++########################################
++##
++## Relabel user tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_relabel_user_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:dir relabel_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to set the
+@@ -3068,6 +3101,25 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+ ##
+ ##
+ #
++interface(`userdom_getattr_user_tmp_files',`
++ gen_require(`
++ attribute user_tmp_type;
++ ')
++
++ getattr_files_pattern($1, user_tmp_type, user_tmp_type)
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Read user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+ interface(`userdom_read_user_tmp_files',`
+ gen_require(`
+ attribute user_tmp_type;
+@@ -3080,6 +3132,23 @@ interface(`userdom_read_user_tmp_files',`
+
+ ########################################
+ ##
++## Read user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_append_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++ allow $1 user_tmp_t:file append_inherited_file_perms;
++')
++
++########################################
++##
+ ## Do not audit attempts to read users
+ ## temporary files.
+ ##
+@@ -3135,6 +3204,25 @@ interface(`userdom_rw_user_tmp_files',`
+ rw_files_pattern($1, user_tmp_t, user_tmp_t)
+ files_search_tmp($1)
+ ')
++########################################
++##
++## Read and write user temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_user_tmp_sock_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:dir list_dir_perms;
++ allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
++ files_search_tmp($1)
++')
+
+ ########################################
+ ##
+@@ -3372,12 +3460,8 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+ ##
+ #
+ interface(`userdom_getattr_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- getattr_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
++ userdom_getattr_user_tmp_files($1)
+ ')
+
+ ########################################
+@@ -3391,14 +3475,8 @@ interface(`userdom_getattr_user_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_read_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
++ userdom_read_user_tmp_files($1)
+ ')
+
+ ########################################
+@@ -3412,14 +3490,8 @@ interface(`userdom_read_user_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_rw_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
++ userdom_rw_user_tmp_files($1)
+ ')
+
+ ########################################
+@@ -3433,11 +3505,8 @@ interface(`userdom_rw_user_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_rw_inherited_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- allow $1 user_tmpfs_t:file rw_inherited_file_perms;
++ refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
++ userdom_rw_inherited_user_tmp_files($1)
+ ')
+
+ ########################################
+@@ -3451,11 +3520,26 @@ interface(`userdom_rw_inherited_user_tmpfs_files',`
+ ##
+ #
+ interface(`userdom_execute_user_tmpfs_files',`
++ refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
++ userdom_execute_user_tmp_files($1)
++')
++
++########################################
++##
++## Execute user tmpfs files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_execute_user_tmp_files',`
+ gen_require(`
+- type user_tmpfs_t;
++ type user_tmp_t;
+ ')
+
+- allow $1 user_tmpfs_t:file execute;
++ allow $1 user_tmp_t:file execute;
+ ')
+
+ ########################################
+@@ -5208,16 +5292,8 @@ interface(`userdom_list_all_user_tmp_content',`
+ ##
+ #
+ interface(`userdom_manage_all_user_tmpfs_content',`
+- gen_require(`
+- attribute user_tmpfs_type;
+- ')
+-
+- manage_dirs_pattern($1, user_tmpfs_type, user_tmpfs_type)
+- manage_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+- manage_lnk_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+- manage_sock_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+- manage_fifo_files_pattern($1, user_tmpfs_type, user_tmpfs_type)
+- fs_search_tmpfs($1)
++ refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')
++ userdom_manage_all_user_tmp_content($1)
+ ')
+
+ ########################################
+@@ -5431,11 +5507,8 @@ interface(`userdom_dontaudit_setattr_user_tmp',`
+ ##
+ #
+ interface(`userdom_dontaudit_setattr_user_tmpfs',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- dontaudit $1 user_tmpfs_t:file setattr;
++ refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
++ userdom_dontaudit_setattr_user_tmp($1)
+ ')
+
+ ########################################
+@@ -5539,11 +5612,8 @@ interface(`userdom_delete_user_tmp_files',`
+ ##
+ #
+ interface(`userdom_delete_user_tmpfs_files',`
+- gen_require(`
+- type user_tmpfs_t;
+- ')
+-
+- allow $1 user_tmpfs_t:file delete_file_perms;
++ refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmpfs_files instead.')
++ userdom_delete_user_tmpfs_files($1)
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 7283238..6cc7d53 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -97,19 +97,18 @@ dev_node(user_devpts_t)
+ files_type(user_devpts_t)
+ ubac_constrained(user_devpts_t)
+
+-type user_tmp_t, user_tmp_type;
++type user_tmp_t, user_tmp_type, user_tmpfs_type;
+ typealias user_tmp_t alias { screen_tmp_t winbind_tmp_t wine_tmp_t sshd_tmp_t staff_tmp_t sysadm_tmp_t secadm_tmp_t auditadm_tmp_t unconfined_tmp_t };
+ typealias user_tmp_t alias { staff_untrusted_content_tmp_t sysadm_untrusted_content_tmp_t secadm_untrusted_content_tmp_t auditadm_untrusted_content_tmp_t unconfined_untrusted_content_tmp_t };
++typealias user_tmp_t alias { user_tmpfs_t staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
++typealias user_tmp_t alias xdm_tmp_t;
++typealias user_tmp_t alias { xserver_tmp_t user_xserver_tmp_t staff_xserver_tmp_t sysadm_xserver_tmp_t ice_tmp_t };
+ files_tmp_file(user_tmp_t)
++files_tmpfs_file(user_tmp_t)
+ userdom_user_home_content(user_tmp_t)
+ files_poly_parent(user_tmp_t)
+ files_mountpoint(user_tmp_t)
+
+-type user_tmpfs_t, user_tmpfs_type;
+-typealias user_tmpfs_t alias { staff_tmpfs_t sysadm_tmpfs_t secadm_tmpfs_t auditadm_tmpfs_t unconfined_tmpfs_t };
+-files_tmpfs_file(user_tmpfs_t)
+-userdom_user_home_content(user_tmpfs_t)
+-
+ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
+ dev_node(user_tty_device_t)
+ ubac_constrained(user_tty_device_t)
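Review bot: The deprecation shim for `userdom_delete_user_tmpfs_files` near the end of the userdomain.if section calls itself — its body is `userdom_delete_user_tmpfs_files($1)` and the warning text names the same interface — so any caller now expands recursively at m4 time instead of reaching the surviving interface; following the pattern of every other shim in this patch it should read `refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmp_files instead.')` followed by `userdom_delete_user_tmp_files($1)`. Two smaller issues in the same file: the new interface is spelled `usedom_dontaudit_user_getattr_tmp_sockets` (in its definition and in the xserver.if caller, so it builds but breaks the `userdom_` prefix every other interface uses), and several new interfaces carry copied summaries (`userdom_append_user_tmp_files` is documented as "Read user temporary files", `userdom_rw_user_tmp_sock_files` as "Read and write user temporary files", `userdom_relabel_user_tmp_dirs` as "Relabel user tmp files", `userdom_execute_user_tmp_files` as "Execute user tmpfs files"). In ssh.if the line added inside `ssh_server_template` hard-codes `userdom_manage_tmp_role(system_r, sshd_t)` where the surrounding template uses `$1_t`, so any other instantiation of the template gets nothing while sshd's grant is repeated per instantiation; `userdom_manage_tmp_role(system_r, $1_t)` matches the template. Also, `xserver_read_xdm_tmp_files` and `xserver_rw_xdm_tmp_files` are redirected to `userdom_read_user_tmpfs_files` and `userdom_rw_user_tmpfs_files`, which this same patch deprecates, so callers get two warnings; pointing them at `userdom_read_user_tmp_files` and `userdom_rw_user_tmp_files` directly avoids that. Since `xdm_tmp_t` and the former `user_tmpfs_t` types become aliases of `user_tmp_t`, every domain already granted access to `user_tmp_t` now reaches display-manager sockets and user tmpfs content as well — the intended consolidation, but a widening of existing rules that the commit message should state.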
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index f15a12c..f459a64 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -2357,10 +2357,10 @@ index 0960199..aa51ab2 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..fc6d1d3 100644
+index d9fce57..612503a 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,100 @@ attribute sudodomain;
+@@ -7,3 +7,105 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
@@ -2392,6 +2392,7 @@ index d9fce57..fc6d1d3 100644
+allow sudodomain self:unix_dgram_socket sendto;
+allow sudodomain self:unix_stream_socket connectto;
+allow sudodomain self:key manage_key_perms;
++allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_getattr_core_if(sudodomain)
+kernel_link_key(sudodomain)
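Review bot: The new `allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;` has no comment saying which sudo or PAM component needs a uevent socket, and the neighbouring self rules do not make it obvious. A one-line comment above it naming the source of the denial (`# <component> opens a kobject uevent socket — TODO: confirm`) would save the next reviewer from reconstructing it; if the socket is merely probed and the denial is harmless, a dontaudit would be the tighter choice. The sudodomain rule block begins before this hunk.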
@@ -2454,6 +2455,10 @@ index d9fce57..fc6d1d3 100644
+userdom_search_admin_dir(sudodomain)
+userdom_manage_all_users_keys(sudodomain)
+
++tunable_policy(`authlogin_yubikey',`
++ auth_manage_home_content(sudodomain)
++')
++
+optional_policy(`
+ dbus_system_bus_client(sudodomain)
+')
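Review bot: `auth_manage_home_content(sudodomain)` gives sudo create/write/rename/delete access to auth_home_t in every user's home directory, and nothing in the hunk records why read access is not enough. The boolean description elsewhere in this diff mentions a challenge-response mode, which presumably rewrites a challenge file under ~/.yubico; a comment tying the manage grant to that mode keeps it from being narrowed back to read by a later cleanup, e.g. `# yubikey challenge-response mode rewrites the challenge file in ~/.yubico, so manage (not read) is required`. The sudodomain block starts and ends outside the hunk.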
@@ -5411,7 +5416,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index b191055..11bfc30 100644
+index b191055..dd4a176 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
@@ -5485,7 +5490,7 @@ index b191055..11bfc30 100644
# reserved_port_t is the type of INET port numbers below 1024.
#
type reserved_port_t, port_type, reserved_port_type;
-@@ -84,55 +107,67 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,55 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5551,6 +5556,7 @@ index b191055..11bfc30 100644
+network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
++network_port(gear, tcp,43273,s0, udp,43273,s0)
network_port(gdomap, tcp,538,s0, udp,538,s0)
network_port(gds_db, tcp,3050,s0, udp,3050,s0)
network_port(giftd, tcp,1213,s0)
@@ -5561,7 +5567,7 @@ index b191055..11bfc30 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -140,45 +175,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5628,7 +5634,7 @@ index b191055..11bfc30 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -186,26 +228,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5669,7 +5675,7 @@ index b191055..11bfc30 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -215,52 +267,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,52 +268,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5738,7 +5744,7 @@ index b191055..11bfc30 100644
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
-@@ -271,10 +330,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -271,10 +331,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5751,7 +5757,7 @@ index b191055..11bfc30 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -288,19 +347,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -288,19 +348,23 @@ network_port(zabbix_agent, tcp,10050,s0)
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -5778,7 +5784,7 @@ index b191055..11bfc30 100644
########################################
#
-@@ -333,6 +396,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +397,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5787,7 +5793,7 @@ index b191055..11bfc30 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -345,9 +410,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +411,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -5843,7 +5849,7 @@ index 3f6e168..51ad69a 100644
')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index b31c054..1212440 100644
+index b31c054..5e37a40 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -15,15 +15,18 @@
@@ -5921,7 +5927,7 @@ index b31c054..1212440 100644
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -198,12 +212,22 @@ ifdef(`distro_debian',`
+@@ -198,12 +212,27 @@ ifdef(`distro_debian',`
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -5933,6 +5939,11 @@ index b31c054..1212440 100644
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
++/var/named/chroot_sdb/dev -d gen_context(system_u:object_r:device_t,s0)
++/var/named/chroot_sdb/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
++/var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
++/var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
++/
+/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0)
')
+
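Review bot: The added line consisting only of `/` (between the `chroot_sdb/dev/zero` entry and the `/var/spool/postfix/dev` entry) has no file type and no security context and looks like a stray edit. A file_contexts entry needs a context or `<<none>>`, so as written it should fail the fc compile; if any parser did accept it, a bare `/` pattern would match the root directory, which is the last path you want labeled by accident. Drop the line. The enclosing ifdef block that the `')` on the following line closes starts outside the hunk.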
@@ -8731,7 +8742,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..0b3704b 100644
+index cf04cb5..806e1cc 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8869,7 +8880,7 @@ index cf04cb5..0b3704b 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +232,342 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +232,346 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9089,6 +9100,10 @@ index cf04cb5..0b3704b 100644
+')
+
+optional_policy(`
++ userdom_filetrans_named_user_tmp_files(named_filetrans_domain)
++')
++
++optional_policy(`
+ virt_filetrans_named_content(named_filetrans_domain)
+')
+
@@ -9213,7 +9228,7 @@ index cf04cb5..0b3704b 100644
+ unconfined_server_stream_connect(domain)
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index b876c48..7a98631 100644
+index b876c48..bbd0e79 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9347,7 +9362,7 @@ index b876c48..7a98631 100644
#
# /selinux
#
-@@ -178,25 +191,28 @@ ifdef(`distro_debian',`
+@@ -178,13 +191,14 @@ ifdef(`distro_debian',`
#
# /srv
#
@@ -9364,10 +9379,7 @@ index b876c48..7a98631 100644
/tmp/.* <>
/tmp/\.journal <>
- /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
- /tmp/lost\+found/.* <>
-+/var/tmp/hsperfdata_root gen_context(system_u:object_r:tmp_t,s0)
-
+@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
#
# /usr
#
@@ -9379,7 +9391,7 @@ index b876c48..7a98631 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -204,15 +220,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -9396,7 +9408,7 @@ index b876c48..7a98631 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -220,8 +230,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <>
ifndef(`distro_redhat',`
@@ -9405,7 +9417,7 @@ index b876c48..7a98631 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -229,7 +237,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
#
# /var
#
@@ -9414,7 +9426,7 @@ index b876c48..7a98631 100644
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <>
-@@ -237,11 +245,25 @@ ifndef(`distro_redhat',`
+@@ -237,11 +244,25 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -9441,7 +9453,7 @@ index b876c48..7a98631 100644
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <>
-@@ -256,12 +278,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +277,14 @@ ifndef(`distro_redhat',`
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <>
@@ -9456,14 +9468,14 @@ index b876c48..7a98631 100644
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
-@@ -271,3 +295,5 @@ ifdef(`distro_debian',`
+@@ -271,3 +294,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..ae94e80 100644
+index f962f76..337a00e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -12372,7 +12384,7 @@ index f962f76..ae94e80 100644
##
##
##
-@@ -6573,10 +7835,785 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7835,784 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -13027,7 +13039,6 @@ index f962f76..ae94e80 100644
+ files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
+ files_etc_filetrans_etc_runtime($1, file, "hwconf")
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
-+ files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root")
+ files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
+ files_var_filetrans($1, tmp_t, dir, "tmp")
+ files_var_filetrans($1, var_run_t, dir, "run")
@@ -20525,7 +20536,7 @@ index 3835596..fbca2be 100644
########################################
##
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index 6d77e81..c8df034 100644
+index 6d77e81..c175ba4 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
@@ -20541,7 +20552,7 @@ index 6d77e81..c8df034 100644
# this module should be named user, but that is
# a compile error since user is a keyword.
-@@ -12,12 +19,96 @@ role user_r;
+@@ -12,12 +19,98 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -20554,6 +20565,8 @@ index 6d77e81..c8df034 100644
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
+
++seutil_read_module_store(user_t)
++
+init_dbus_chat(user_t)
+init_status(user_t)
+
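Review bot: `seutil_read_module_store(user_t)` lets the unprivileged user domain read the SELinux module store, and the hunk gives no reason for it; the store holds the installed policy modules, which lets any reader map exactly what every domain may do, so it is worth stating which user-facing tool needs it. Add a comment naming the caller so the grant can be re-evaluated later, e.g. `# needed by <tool> to list installed modules; DAC on the store still applies`. If no tool actually needs it and this only silences noise, a dontaudit is the narrower choice. The user_t block starts and ends outside the hunk.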
@@ -20639,7 +20652,7 @@ index 6d77e81..c8df034 100644
')
optional_policy(`
-@@ -25,6 +116,18 @@ optional_policy(`
+@@ -25,6 +118,18 @@ optional_policy(`
')
optional_policy(`
@@ -20658,7 +20671,7 @@ index 6d77e81..c8df034 100644
vlock_run(user_t, user_r)
')
-@@ -102,10 +205,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +207,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20669,7 +20682,7 @@ index 6d77e81..c8df034 100644
postgresql_role(user_r, user_t)
')
-@@ -128,7 +227,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +229,6 @@ ifndef(`distro_redhat',`
optional_policy(`
ssh_role_template(user, user_r, user_t)
')
@@ -20677,7 +20690,7 @@ index 6d77e81..c8df034 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
-@@ -161,3 +259,19 @@ ifndef(`distro_redhat',`
+@@ -161,3 +261,19 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -22662,7 +22675,7 @@ index cc877c7..a8b01bf 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 8274418..522a2f0 100644
+index 8274418..4dda124 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -22765,12 +22778,13 @@ index 8274418..522a2f0 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,18 +130,31 @@ ifndef(`distro_debian',`
+@@ -92,18 +130,32 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm-data(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
@@ -22801,7 +22815,7 @@ index 8274418..522a2f0 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -112,6 +163,16 @@ ifndef(`distro_debian',`
+@@ -112,6 +164,16 @@ ifndef(`distro_debian',`
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -24471,7 +24485,7 @@ index 6bf0ecc..bf98136 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b40377..95dde04 100644
+index 8b40377..f0e5cc0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -24722,7 +24736,7 @@ index 8b40377..95dde04 100644
')
########################################
-@@ -248,48 +324,90 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +324,91 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -24785,6 +24799,7 @@ index 8b40377..95dde04 100644
+userdom_use_inherited_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
+userdom_read_all_users_state(xauth_t)
++userdom_search_user_home_dirs(xauth_t)
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
@@ -24824,7 +24839,7 @@ index 8b40377..95dde04 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -300,64 +418,109 @@ optional_policy(`
+@@ -300,64 +419,109 @@ optional_policy(`
# XDM Local policy
#
@@ -24944,7 +24959,7 @@ index 8b40377..95dde04 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,20 +529,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +530,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -24977,7 +24992,7 @@ index 8b40377..95dde04 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -389,38 +562,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +563,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -25031,7 +25046,7 @@ index 8b40377..95dde04 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +615,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +616,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -25060,7 +25075,7 @@ index 8b40377..95dde04 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,28 +645,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +646,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -25109,7 +25124,7 @@ index 8b40377..95dde04 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,24 +692,149 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +693,155 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -25132,12 +25147,14 @@ index 8b40377..95dde04 100644
+ fs_manage_nfs_dirs(xdm_t)
+ fs_manage_nfs_files(xdm_t)
+ fs_manage_nfs_symlinks(xdm_t)
++ fs_append_nfs_files(xdm_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(xdm_t)
+ fs_manage_cifs_files(xdm_t)
+ fs_manage_cifs_symlinks(xdm_t)
++ fs_append_cifs_files(xdm_t)
+')
+
+tunable_policy(`use_fusefs_home_dirs',`
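Review bot: `fs_append_nfs_files(xdm_t)` and `fs_append_cifs_files(xdm_t)` are added to tunable blocks that already call `fs_manage_nfs_files(xdm_t)` and `fs_manage_cifs_files(xdm_t)`; in refpolicy manage_file_perms already includes append (along with open, getattr, lock and ioctl), so unless the manage interfaces in this tree are narrower than upstream, the two new lines grant nothing and should be dropped. If they were added in response to a specific denial, that denial is worth a comment, because it would mean the manage interface itself is incomplete.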
@@ -25199,6 +25216,10 @@ index 8b40377..95dde04 100644
+')
+
+optional_policy(`
++ remotelogin_signull(xdm_t)
++')
++
++optional_policy(`
+ spamassassin_filetrans_home_content(xdm_t)
+ spamassassin_filetrans_admin_home_content(xdm_t)
+')
@@ -25265,7 +25286,7 @@ index 8b40377..95dde04 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -503,11 +848,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +855,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -25292,7 +25313,7 @@ index 8b40377..95dde04 100644
')
optional_policy(`
-@@ -517,9 +877,34 @@ optional_policy(`
+@@ -517,9 +884,34 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(xdm_t)
dbus_connect_system_bus(xdm_t)
@@ -25328,7 +25349,7 @@ index 8b40377..95dde04 100644
')
')
-@@ -530,6 +915,20 @@ optional_policy(`
+@@ -530,6 +922,20 @@ optional_policy(`
')
optional_policy(`
@@ -25349,7 +25370,7 @@ index 8b40377..95dde04 100644
hostname_exec(xdm_t)
')
-@@ -547,28 +946,78 @@ optional_policy(`
+@@ -547,28 +953,78 @@ optional_policy(`
')
optional_policy(`
@@ -25437,7 +25458,7 @@ index 8b40377..95dde04 100644
')
optional_policy(`
-@@ -580,6 +1029,14 @@ optional_policy(`
+@@ -580,6 +1036,14 @@ optional_policy(`
')
optional_policy(`
@@ -25452,7 +25473,7 @@ index 8b40377..95dde04 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,7 +1051,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1058,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -25461,7 +25482,7 @@ index 8b40377..95dde04 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -604,8 +1061,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1068,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -25474,7 +25495,7 @@ index 8b40377..95dde04 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -618,8 +1078,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1085,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -25490,7 +25511,7 @@ index 8b40377..95dde04 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -627,6 +1094,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1101,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -25501,7 +25522,7 @@ index 8b40377..95dde04 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -638,25 +1109,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,25 +1116,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -25538,7 +25559,7 @@ index 8b40377..95dde04 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -677,23 +1155,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1162,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -25570,7 +25591,7 @@ index 8b40377..95dde04 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -705,6 +1188,14 @@ fs_search_nfs(xserver_t)
+@@ -705,6 +1195,14 @@ fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -25585,7 +25606,7 @@ index 8b40377..95dde04 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -718,20 +1209,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1216,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -25609,7 +25630,7 @@ index 8b40377..95dde04 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -739,8 +1228,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1235,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -25618,7 +25639,7 @@ index 8b40377..95dde04 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -785,17 +1272,44 @@ optional_policy(`
+@@ -785,17 +1279,44 @@ optional_policy(`
')
optional_policy(`
@@ -25665,7 +25686,7 @@ index 8b40377..95dde04 100644
')
optional_policy(`
-@@ -803,6 +1317,10 @@ optional_policy(`
+@@ -803,6 +1324,10 @@ optional_policy(`
')
optional_policy(`
@@ -25676,7 +25697,7 @@ index 8b40377..95dde04 100644
xfs_stream_connect(xserver_t)
')
-@@ -818,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1343,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -25690,7 +25711,7 @@ index 8b40377..95dde04 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -829,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1354,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -25699,7 +25720,7 @@ index 8b40377..95dde04 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -842,26 +1360,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1367,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -25734,7 +25755,7 @@ index 8b40377..95dde04 100644
')
optional_policy(`
-@@ -912,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1432,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -25743,7 +25764,7 @@ index 8b40377..95dde04 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -966,11 +1479,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1486,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -25775,7 +25796,7 @@ index 8b40377..95dde04 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -992,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1532,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -26099,14 +26120,14 @@ index c6fdab7..af71c62 100644
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 2479587..39239cf 100644
+index 2479587..077c9bc 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
-+HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-+/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
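Review bot: The `/root/\.yubico/(.*)` entry now labels only the contents of root's .yubico directory, while the `HOME_DIR/\.yubico(/.*)?` entry a few lines up still labels the directory itself as auth_home_t, and the asymmetry is not explained. If it is deliberate (so that `/root/.yubico` keeps the default /root label, presumably admin_home_t, and only the files inside become auth_home_t), say so in a comment, e.g. `# directory keeps the /root label; only the files inside are auth_home_t`; otherwise restore `(/.*)?` so restorecon treats both trees the same way.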
@@ -26135,7 +26156,7 @@ index 2479587..39239cf 100644
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +30,24 @@ ifdef(`distro_suse', `
+@@ -16,13 +30,25 @@ ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
@@ -26147,6 +26168,7 @@ index 2479587..39239cf 100644
-/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
+/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0)
++/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -26162,7 +26184,7 @@ index 2479587..39239cf 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,21 +55,25 @@ ifdef(`distro_gentoo', `
+@@ -30,21 +56,25 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -26193,7 +26215,7 @@ index 2479587..39239cf 100644
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..08c3e93 100644
+index 3efd5b6..0bd3a26 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -26779,7 +26801,7 @@ index 3efd5b6..08c3e93 100644
')
########################################
-@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2029,262 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -26982,6 +27004,26 @@ index 3efd5b6..08c3e93 100644
+ read_files_pattern($1, auth_home_t, auth_home_t)
+')
+
++########################################
++##
++## Read the authorization data in the user home directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_manage_home_content',`
++
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, auth_home_t, auth_home_t)
++ manage_dirs_pattern($1, auth_home_t, auth_home_t)
++')
+
+########################################
+##
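Review bot: The summary for the new `auth_manage_home_content` interface says "Read the authorization data in the user home directory", but the body grants `manage_files_pattern` and `manage_dirs_pattern` on auth_home_t, which is create, write, rename and delete rather than read. Change the summary to `## Create, read, write, and delete authentication data in user home directories.` so that policy audits that go by interface documentation see the real scope. Refpolicy convention also lists the dirs pattern before the files pattern; swapping the two `manage_*_pattern` lines keeps the interface consistent with the rest of the file.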
@@ -27023,7 +27065,7 @@ index 3efd5b6..08c3e93 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791d..1a3d5b3 100644
+index 09b791d..73376ca 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -27039,7 +27081,7 @@ index 09b791d..1a3d5b3 100644
+
+##
+##
-+## Allow users to login using a yubikey server
++## Allow users to login using a yubikey OTP server or challenge response mode
+##
+##
+gen_tunable(authlogin_yubikey, false)
@@ -29613,7 +29655,7 @@ index 79a45f6..89b43aa 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..d1590ad 100644
+index 17eda24..56e006c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -29826,7 +29868,7 @@ index 17eda24..d1590ad 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +246,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +246,53 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
mcs_process_set_categories(init_t)
@@ -29866,6 +29908,7 @@ index 17eda24..d1590ad 100644
+logging_send_audit_msgs(init_t)
logging_rw_generic_logs(init_t)
+logging_relabel_devlog_dev(init_t)
++logging_manage_audit_config(init_t)
seutil_read_config(init_t)
+seutil_read_module_store(init_t)
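Review bot: `logging_manage_audit_config(init_t)` gives the init domain create/write/delete access to the audit configuration, a privilege normally reserved for the audit daemon and its control tool, and the hunk carries no comment or bug reference for it. If init only needs to read the audit rules, a read-only interface would be the narrower grant; if a write path is genuinely required, a comment naming the caller keeps the widening from being silently inherited by future init_t changes, e.g. `# init must manage audit config for <reason>; see <bug>`. The init_t block starts and ends outside the hunk.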
@@ -29882,7 +29925,7 @@ index 17eda24..d1590ad 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +300,230 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +301,230 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -30121,7 +30164,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -216,7 +531,31 @@ optional_policy(`
+@@ -216,7 +532,31 @@ optional_policy(`
')
optional_policy(`
@@ -30153,7 +30196,7 @@ index 17eda24..d1590ad 100644
')
########################################
-@@ -225,9 +564,9 @@ optional_policy(`
+@@ -225,9 +565,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30165,7 +30208,7 @@ index 17eda24..d1590ad 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -258,12 +597,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +598,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30182,7 +30225,7 @@ index 17eda24..d1590ad 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +622,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +623,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -30225,7 +30268,7 @@ index 17eda24..d1590ad 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +659,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +660,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -30237,7 +30280,7 @@ index 17eda24..d1590ad 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -313,8 +671,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +672,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -30248,7 +30291,7 @@ index 17eda24..d1590ad 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -322,8 +682,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +683,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -30258,7 +30301,7 @@ index 17eda24..d1590ad 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -332,7 +691,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +692,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -30266,7 +30309,7 @@ index 17eda24..d1590ad 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -340,6 +698,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +699,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30274,7 +30317,7 @@ index 17eda24..d1590ad 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -347,14 +706,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +707,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -30292,7 +30335,7 @@ index 17eda24..d1590ad 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -364,8 +724,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +725,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -30306,7 +30349,7 @@ index 17eda24..d1590ad 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -375,10 +739,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +740,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -30320,7 +30363,7 @@ index 17eda24..d1590ad 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -387,8 +752,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +753,10 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -30331,7 +30374,7 @@ index 17eda24..d1590ad 100644
storage_getattr_fixed_disk_dev(initrc_t)
storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +765,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +766,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -30339,7 +30382,7 @@ index 17eda24..d1590ad 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -416,20 +784,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +785,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -30363,7 +30406,7 @@ index 17eda24..d1590ad 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +817,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +818,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -30371,7 +30414,7 @@ index 17eda24..d1590ad 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +851,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +852,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -30382,7 +30425,7 @@ index 17eda24..d1590ad 100644
alsa_read_lib(initrc_t)
')
-@@ -506,7 +875,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +876,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30391,7 +30434,7 @@ index 17eda24..d1590ad 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -521,6 +890,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +891,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -30399,7 +30442,7 @@ index 17eda24..d1590ad 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -541,6 +911,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +912,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -30407,7 +30450,7 @@ index 17eda24..d1590ad 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +921,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +922,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -30452,7 +30495,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -559,14 +966,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +967,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30484,7 +30527,7 @@ index 17eda24..d1590ad 100644
')
')
-@@ -577,6 +1001,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1002,39 @@ ifdef(`distro_suse',`
')
')
@@ -30524,7 +30567,7 @@ index 17eda24..d1590ad 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1046,8 @@ optional_policy(`
+@@ -589,6 +1047,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30533,7 +30576,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -610,6 +1069,7 @@ optional_policy(`
+@@ -610,6 +1070,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -30541,7 +30584,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -626,6 +1086,17 @@ optional_policy(`
+@@ -626,6 +1087,17 @@ optional_policy(`
')
optional_policy(`
@@ -30559,7 +30602,7 @@ index 17eda24..d1590ad 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -642,9 +1113,13 @@ optional_policy(`
+@@ -642,9 +1114,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30573,7 +30616,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -657,15 +1132,11 @@ optional_policy(`
+@@ -657,15 +1133,11 @@ optional_policy(`
')
optional_policy(`
@@ -30591,7 +30634,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -686,6 +1157,15 @@ optional_policy(`
+@@ -686,6 +1158,15 @@ optional_policy(`
')
optional_policy(`
@@ -30607,7 +30650,7 @@ index 17eda24..d1590ad 100644
inn_exec_config(initrc_t)
')
-@@ -726,6 +1206,7 @@ optional_policy(`
+@@ -726,6 +1207,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -30615,7 +30658,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -743,7 +1224,13 @@ optional_policy(`
+@@ -743,7 +1225,13 @@ optional_policy(`
')
optional_policy(`
@@ -30630,7 +30673,7 @@ index 17eda24..d1590ad 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -766,6 +1253,10 @@ optional_policy(`
+@@ -766,6 +1254,10 @@ optional_policy(`
')
optional_policy(`
@@ -30641,7 +30684,7 @@ index 17eda24..d1590ad 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -775,10 +1266,20 @@ optional_policy(`
+@@ -775,10 +1267,20 @@ optional_policy(`
')
optional_policy(`
@@ -30662,7 +30705,7 @@ index 17eda24..d1590ad 100644
quota_manage_flags(initrc_t)
')
-@@ -787,6 +1288,10 @@ optional_policy(`
+@@ -787,6 +1289,10 @@ optional_policy(`
')
optional_policy(`
@@ -30673,7 +30716,7 @@ index 17eda24..d1590ad 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -808,8 +1313,6 @@ optional_policy(`
+@@ -808,8 +1314,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -30682,7 +30725,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -818,6 +1321,10 @@ optional_policy(`
+@@ -818,6 +1322,10 @@ optional_policy(`
')
optional_policy(`
@@ -30693,7 +30736,7 @@ index 17eda24..d1590ad 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -827,10 +1334,12 @@ optional_policy(`
+@@ -827,10 +1335,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -30706,7 +30749,7 @@ index 17eda24..d1590ad 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1366,60 @@ optional_policy(`
+@@ -857,21 +1367,60 @@ optional_policy(`
')
optional_policy(`
@@ -30768,7 +30811,7 @@ index 17eda24..d1590ad 100644
')
optional_policy(`
-@@ -887,6 +1435,10 @@ optional_policy(`
+@@ -887,6 +1436,10 @@ optional_policy(`
')
optional_policy(`
@@ -30779,7 +30822,7 @@ index 17eda24..d1590ad 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -897,3 +1449,218 @@ optional_policy(`
+@@ -897,3 +1450,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -30999,10 +31042,10 @@ index 17eda24..d1590ad 100644
+ ')
+ ')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..08589f8 100644
+index 662e79b..fc34e78 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,23 @@
+@@ -1,14 +1,24 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@@ -31010,6 +31053,7 @@ index 662e79b..08589f8 100644
-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
++/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0)
+
+/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0)
/etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0)
@@ -31027,17 +31071,19 @@ index 662e79b..08589f8 100644
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,16 +35,24 @@
+@@ -26,16 +36,26 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
+/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
@@ -33253,7 +33299,7 @@ index 4e94884..b144ffe 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1..cdc1c76 100644
+index 59b04c1..1259fbd 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
@@ -33452,7 +33498,7 @@ index 59b04c1..cdc1c76 100644
# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 { syslog block_suspend };
# setpgid for metalog
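Review bot: The rewritten capability line adds `net_raw` for syslogd_t, and the next hunk adds `allow syslogd_t self:rawip_socket create_socket_perms;`, which together let the syslog daemon open raw IP sockets — a broad grant for a log collector, and nothing in the commit records which rsyslog or syslog-ng feature needs it. If this serves an optional output module, consider moving both rules into a `tunable_policy` block behind a boolean so deployments that do not use it keep the smaller set, and in any case put a comment such as `# net_raw + rawip_socket: needed by <feature, to be named>` above the line. The new set also still lists `setuid setgid` twice (`... setgid setuid sys_admin ... fsetid setuid setgid net_raw`); dropping the duplicates is harmless and makes the grant easier to audit. The enclosing syslogd_t block continues outside the hunk.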
@@ -33464,15 +33510,18 @@ index 59b04c1..cdc1c76 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -371,6 +413,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -369,8 +411,10 @@ allow syslogd_t self:unix_dgram_socket sendto;
+ allow syslogd_t self:fifo_file rw_fifo_file_perms;
+ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
++allow syslogd_t self:rawip_socket create_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -389,30 +432,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +433,46 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -33522,7 +33571,7 @@ index 59b04c1..cdc1c76 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -422,6 +481,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +482,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -33531,7 +33580,7 @@ index 59b04c1..cdc1c76 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -432,9 +493,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +494,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -33559,7 +33608,7 @@ index 59b04c1..cdc1c76 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -448,13 +526,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+@@ -448,13 +527,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
@@ -33577,7 +33626,7 @@ index 59b04c1..cdc1c76 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -466,11 +548,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +549,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -33592,7 +33641,7 @@ index 59b04c1..cdc1c76 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -507,15 +589,40 @@ optional_policy(`
+@@ -507,15 +590,40 @@ optional_policy(`
')
optional_policy(`
@@ -33633,7 +33682,7 @@ index 59b04c1..cdc1c76 100644
')
optional_policy(`
-@@ -526,3 +633,26 @@ optional_policy(`
+@@ -526,3 +634,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -37448,7 +37497,7 @@ index 40edc18..a072ac2 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..f752c31 100644
+index 2cea692..77f307f 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -37776,7 +37825,7 @@ index 2cea692..f752c31 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +983,95 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +983,115 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -37865,6 +37914,26 @@ index 2cea692..f752c31 100644
+##
+##
+#
++interface(`sysnet_manage_ifconfig_run',`
++ gen_require(`
++ type ifconfig_var_run_t;
++ ')
++
++ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
++')
++
++########################################
++##
++## Transition to sysnet ifconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`sysnet_filetrans_named_content_ifconfig',`
+ gen_require(`
+ type ifconfig_var_run_t;
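Review bot: The new `sysnet_manage_ifconfig_run` interface is inserted directly after the existing XML doc header of `sysnet_filetrans_named_content_ifconfig` (the "Transition to sysnet ifconfig named content" block re-added below it suggests that header was moved rather than duplicated), so the manage interface inherits a summary that does not describe it. Give it its own header stating what it grants, e.g. `## Create, read, write, and delete ifconfig runtime files, directories and symlinks (ifconfig_var_run_t).`, with the usual `## Domain allowed access.` parameter block. Comparable manage-style interfaces in refpolicy also call `files_search_pids($1)` so callers can reach /var/run; that is probably wanted here too, but confirm against the callers this commit introduces.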
@@ -41792,10 +41861,10 @@ index 5fe902d..fcc9efe 100644
+ rpm_transition_script(unconfined_service_t, system_r)
')
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..e4eb903 100644
+index db75976..4ca3a28 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,24 @@
+@@ -1,4 +1,28 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
+HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -41821,8 +41890,12 @@ index db75976..e4eb903 100644
+HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0)
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
++
++/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
++/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
++
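Review bot: The two new `hsperfdata_root` specs carry no object-type qualifier and no `(/.*)?` suffix, unlike the `/var/run/user(/.*)?` entry just above them, so only the directory itself is matched and whatever is written inside it is left to the generic /tmp rules; if the contents are meant to be user_tmp_t as well, write `/tmp/hsperfdata_root(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)` and the same for /var/tmp. Labeling what is presumably a root-run JVM's perf-data directory with the shared user_tmp_t type also means every domain allowed to manage user_tmp_t can write into a directory consumed by a root process, which deserves a short comment explaining why a shared user type was chosen over a dedicated one. The hunk additionally appends two blank lines at the end of the file.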
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..b921b57 100644
+index 9dc60c6..102478f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -44098,7 +44171,34 @@ index 9dc60c6..b921b57 100644
')
########################################
-@@ -2661,6 +3341,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2538,6 +3218,26 @@ interface(`userdom_manage_user_tmp_files',`
+ ########################################
+ ##
+ ## Create, read, write, and delete user
++## temporary files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_filetrans_named_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
++ files_search_tmp($1)
++')
++
++########################################
++##
++## Create, read, write, and delete user
+ ## temporary symbolic links.
+ ##
+ ##
+@@ -2661,6 +3361,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
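Review bot: The new `userdom_filetrans_named_user_tmp_files` interface is spliced into the doc header of the symlink-manage interface below it, so its summary now reads "Create, read, write, and delete user temporary files." while the body only grants `files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")` plus `files_search_tmp($1)`; the header should say what it does, e.g. `## Transition to user_tmp_t when creating the hsperfdata_root directory in /tmp.` The hard-coded name also deserves a comment (`# hsperfdata_root: directory created by the JVM when run as root (TODO confirm)`), and since the transition is for a `dir`, the `_files` suffix is misleading — a name such as `userdom_filetrans_named_user_tmp_dirs` would read better, though renaming must be coordinated with the callers this commit adds. The enclosing region of userdomain.if continues outside the hunk.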
@@ -44124,7 +44224,7 @@ index 9dc60c6..b921b57 100644
########################################
##
## Read user tmpfs files.
-@@ -2677,13 +3376,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3396,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -44140,7 +44240,7 @@ index 9dc60c6..b921b57 100644
##
##
##
-@@ -2704,7 +3404,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3424,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -44149,7 +44249,7 @@ index 9dc60c6..b921b57 100644
##
##
##
-@@ -2712,14 +3412,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3432,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -44184,7 +44284,7 @@ index 9dc60c6..b921b57 100644
')
########################################
-@@ -2814,6 +3530,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3550,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -44209,7 +44309,7 @@ index 9dc60c6..b921b57 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3566,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3586,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -44252,7 +44352,7 @@ index 9dc60c6..b921b57 100644
##
##
##
-@@ -2856,14 +3602,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3622,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -44290,7 +44390,7 @@ index 9dc60c6..b921b57 100644
')
########################################
-@@ -2882,8 +3647,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3667,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -44320,7 +44420,7 @@ index 9dc60c6..b921b57 100644
')
########################################
-@@ -2955,69 +3739,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3759,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -44421,7 +44521,7 @@ index 9dc60c6..b921b57 100644
##
##
##
-@@ -3025,12 +3808,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3828,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -44436,7 +44536,7 @@ index 9dc60c6..b921b57 100644
')
########################################
-@@ -3094,7 +3877,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3897,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -44445,7 +44545,7 @@ index 9dc60c6..b921b57 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +3893,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,16 +3913,18 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -44456,11 +44556,33 @@ index 9dc60c6..b921b57 100644
files_list_home($1)
- allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
++ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
++ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Send signull to unprivileged user domains.
++## Send general signals to unprivileged user domains.
+ ##
+ ##
+ ##
+@@ -3127,30 +3932,12 @@ interface(`userdom_search_user_home_content',`
+ ##
+ ##
+ #
+-interface(`userdom_signull_unpriv_users',`
++interface(`userdom_signal_unpriv_users',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+- allow $1 unpriv_userdomain:process signull;
-')
-
-########################################
-##
--## Send signull to unprivileged user domains.
+-## Send general signals to unprivileged user domains.
-##
-##
-##
@@ -44468,75 +44590,44 @@ index 9dc60c6..b921b57 100644
-##
-##
-#
--interface(`userdom_signull_unpriv_users',`
+-interface(`userdom_signal_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
-
-- allow $1 unpriv_userdomain:process signull;
-+ allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
-+ allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
+- allow $1 unpriv_userdomain:process signal;
++ allow $1 unpriv_userdomain:process signal;
')
########################################
-@@ -3214,31 +3981,49 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4001,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
- dontaudit $1 user_devpts_t:chr_file rw_file_perms;
+ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Relabel files to unprivileged user pty types.
++')
++
++########################################
++##
+## Do not audit attempts to open user ptys.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`userdom_relabelto_user_ptys',`
-+interface(`userdom_dontaudit_open_user_ptys',`
- gen_require(`
- type user_devpts_t;
- ')
-
-- allow $1 user_devpts_t:chr_file relabelto;
-+ dontaudit $1 user_devpts_t:chr_file open;
- ')
-
- ########################################
- ##
--## Do not audit attempts to relabel files from
--## user pty types.
-+## Relabel files to unprivileged user pty types.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`userdom_relabelto_user_ptys',`
++interface(`userdom_dontaudit_open_user_ptys',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+
-+ allow $1 user_devpts_t:chr_file relabelto;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to relabel files from
-+## user pty types.
- ##
- ##
- ##
-@@ -3269,7 +4054,83 @@ interface(`userdom_write_user_tmp_files',`
++ dontaudit $1 user_devpts_t:chr_file open;
+ ')
+
+ ########################################
+@@ -3269,7 +4074,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -44621,7 +44712,7 @@ index 9dc60c6..b921b57 100644
')
########################################
-@@ -3287,7 +4148,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3287,7 +4168,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -44630,7 +44721,7 @@ index 9dc60c6..b921b57 100644
')
########################################
-@@ -3306,6 +4167,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3306,6 +4187,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -44638,7 +44729,7 @@ index 9dc60c6..b921b57 100644
kernel_search_proc($1)
')
-@@ -3382,6 +4244,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4264,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -44681,7 +44772,7 @@ index 9dc60c6..b921b57 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4300,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4320,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -44706,7 +44797,7 @@ index 9dc60c6..b921b57 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4351,1680 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4371,1680 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -44875,7 +44966,7 @@ index 9dc60c6..b921b57 100644
+
+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir list_dir_perms;
-+')
+ ')
+
+########################################
+##
@@ -44894,7 +44985,7 @@ index 9dc60c6..b921b57 100644
+
+ allow $1 admin_home_t:lnk_file read_lnk_file_perms;
+ allow $1 admin_home_t:dir search_dir_perms;
- ')
++')
+
+########################################
+##
diff --git a/policy-rawhide-contrib-user_tmp.patch b/policy-rawhide-contrib-user_tmp.patch
new file mode 100644
index 0000000..052ec5c
--- /dev/null
+++ b/policy-rawhide-contrib-user_tmp.patch
@@ -0,0 +1,252 @@
+diff --git a/chrome.te b/chrome.te
+index fb60ffc..7d937cb 100644
+--- a/chrome.te
++++ b/chrome.te
+@@ -114,8 +114,8 @@ miscfiles_read_fonts(chrome_sandbox_t)
+
+ sysnet_dns_name_resolve(chrome_sandbox_t)
+
+-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
+-userdom_execute_user_tmpfs_files(chrome_sandbox_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_t)
++userdom_execute_user_tmp_files(chrome_sandbox_t)
+
+ userdom_use_user_ptys(chrome_sandbox_t)
+ userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
+@@ -236,8 +236,8 @@ init_read_state(chrome_sandbox_nacl_t)
+ libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
+
+ userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
+-userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
+-userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_execute_user_tmp_files(chrome_sandbox_nacl_t)
+ userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
+ userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
+ userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
+diff --git a/colord.te b/colord.te
+index 5425ddf..3d5988c 100644
+--- a/colord.te
++++ b/colord.te
+@@ -112,7 +112,7 @@ logging_send_syslog_msg(colord_t)
+
+ systemd_read_logind_sessions_files(colord_t)
+
+-userdom_rw_user_tmpfs_files(colord_t)
++userdom_rw_user_tmp_files(colord_t)
+ userdom_home_reader(colord_t)
+ userdom_list_user_home_content(colord_t)
+ userdom_read_inherited_user_home_content_files(colord_t)
+diff --git a/corosync.te b/corosync.te
+index e827567..837e0a8 100644
+--- a/corosync.te
++++ b/corosync.te
+@@ -108,8 +108,8 @@ logging_send_syslog_msg(corosync_t)
+ miscfiles_read_localization(corosync_t)
+
+ userdom_read_user_tmp_files(corosync_t)
+-userdom_delete_user_tmpfs_files(corosync_t)
+-userdom_rw_user_tmpfs_files(corosync_t)
++userdom_delete_user_tmp_files(corosync_t)
++userdom_rw_user_tmp_files(corosync_t)
+
+ optional_policy(`
+ fs_manage_tmpfs_files(corosync_t)
+diff --git a/gpg.te b/gpg.te
+index 695e8fa..fe77236 100644
+--- a/gpg.te
++++ b/gpg.te
+@@ -364,9 +364,9 @@ miscfiles_read_fonts(gpg_pinentry_t)
+
+ # for .Xauthority
+ userdom_read_user_home_content_files(gpg_pinentry_t)
+-userdom_read_user_tmpfs_files(gpg_pinentry_t)
++userdom_read_user_tmp_files(gpg_pinentry_t)
+ # Bug: user pulseaudio files need open,read and unlink:
+-allow gpg_pinentry_t user_tmpfs_t:file unlink;
++allow gpg_pinentry_t user_tmp_t:file unlink;
+ userdom_signull_unpriv_users(gpg_pinentry_t)
+ userdom_use_user_terminals(gpg_pinentry_t)
+
+diff --git a/journalctl.te b/journalctl.te
+index 5de3229..e1d6594 100644
+--- a/journalctl.te
++++ b/journalctl.te
+@@ -36,8 +36,7 @@ fs_getattr_all_fs(journalctl_t)
+ userdom_list_user_home_dirs(journalctl_t)
+ userdom_read_user_home_content_files(journalctl_t)
+ userdom_use_inherited_user_ptys(journalctl_t)
+-userdom_write_inherited_user_tmp_files(journalctl_t)
+-userdom_rw_inherited_user_tmpfs_files(journalctl_t)
++userdom_rw_inherited_user_tmp_files(journalctl_t)
+ userdom_rw_inherited_user_home_content_files(journalctl_t)
+
+ miscfiles_read_localization(journalctl_t)
+diff --git a/kismet.te b/kismet.te
+index c070420..4e66536 100644
+--- a/kismet.te
++++ b/kismet.te
+@@ -96,7 +96,7 @@ corenet_tcp_connect_rtsclient_port(kismet_t)
+ auth_use_nsswitch(kismet_t)
+
+ userdom_use_inherited_user_terminals(kismet_t)
+-userdom_read_user_tmpfs_files(kismet_t)
++userdom_read_user_tmp_files(kismet_t)
+
+ optional_policy(`
+ dbus_system_bus_client(kismet_t)
+diff --git a/mozilla.te b/mozilla.te
+index ad56dac..01dc360 100644
+--- a/mozilla.te
++++ b/mozilla.te
+@@ -357,7 +357,6 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+ files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+ userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+-xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+ can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
+
+ manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+@@ -365,7 +364,6 @@ manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugi
+ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
+ fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+-userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
+ userdom_manage_home_texlive(mozilla_plugin_t)
+
+ allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
+@@ -484,8 +482,6 @@ term_getattr_ptmx(mozilla_plugin_t)
+ term_dontaudit_use_ptmx(mozilla_plugin_t)
+
+ userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
+-userdom_rw_user_tmpfs_files(mozilla_plugin_t)
+-userdom_delete_user_tmpfs_files(mozilla_plugin_t)
+ userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
+ userdom_manage_user_tmp_sockets(mozilla_plugin_t)
+ userdom_manage_user_tmp_dirs(mozilla_plugin_t)
+diff --git a/mpd.te b/mpd.te
+index 92632e8..953e3bf 100644
+--- a/mpd.te
++++ b/mpd.te
+@@ -172,7 +172,7 @@ tunable_policy(`mpd_enable_homedirs',`
+ userdom_stream_connect(mpd_t)
+ userdom_read_home_audio_files(mpd_t)
+ userdom_list_user_tmp(mpd_t)
+- userdom_read_user_tmpfs_files(mpd_t)
++ userdom_read_user_tmp_files(mpd_t)
+ userdom_dontaudit_setattr_user_tmp(mpd_t)
+ ')
+
+diff --git a/podsleuth.te b/podsleuth.te
+index 5bf10ce..c06ace5 100644
+--- a/podsleuth.te
++++ b/podsleuth.te
+@@ -80,7 +80,7 @@ sysnet_dns_name_resolve(podsleuth_t)
+
+ userdom_signal_unpriv_users(podsleuth_t)
+ userdom_signull_unpriv_users(podsleuth_t)
+-userdom_read_user_tmpfs_files(podsleuth_t)
++userdom_read_user_tmp_files(podsleuth_t)
+
+ optional_policy(`
+ dbus_system_bus_client(podsleuth_t)
+diff --git a/pulseaudio.te b/pulseaudio.te
+index 1d2470f..64ac070 100644
+--- a/pulseaudio.te
++++ b/pulseaudio.te
+@@ -97,7 +97,7 @@ auth_use_nsswitch(pulseaudio_t)
+
+ logging_send_syslog_msg(pulseaudio_t)
+
+-userdom_read_user_tmpfs_files(pulseaudio_t)
++userdom_read_user_tmp_files(pulseaudio_t)
+
+ userdom_search_user_home_dirs(pulseaudio_t)
+ userdom_write_user_tmp_sockets(pulseaudio_t)
+@@ -224,7 +224,7 @@ pulseaudio_signull(pulseaudio_client)
+
+ userdom_manage_user_home_content_files(pulseaudio_client)
+
+-userdom_read_user_tmpfs_files(pulseaudio_client)
++userdom_read_user_tmp_files(pulseaudio_client)
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_getattr_nfs(pulseaudio_client)
+diff --git a/qemu.te b/qemu.te
+index 8c1e989..958c0ef 100644
+--- a/qemu.te
++++ b/qemu.te
+@@ -52,7 +52,7 @@ storage_raw_write_removable_device(qemu_t)
+ storage_raw_read_removable_device(qemu_t)
+
+ userdom_search_user_home_content(qemu_t)
+-userdom_read_user_tmpfs_files(qemu_t)
++userdom_read_user_tmp_files(qemu_t)
+ userdom_stream_connect(qemu_t)
+
+ tunable_policy(`qemu_full_network',`
+diff --git a/rhcs.te b/rhcs.te
+index ec50831..eb9e2ac 100644
+--- a/rhcs.te
++++ b/rhcs.te
+@@ -219,9 +219,8 @@ init_read_script_state(cluster_t)
+ init_rw_script_tmp_files(cluster_t)
+ init_manage_script_status_files(cluster_t)
+
+-userdom_read_user_tmp_files(cluster_t)
+-userdom_delete_user_tmpfs_files(cluster_t)
+-userdom_rw_user_tmpfs_files(cluster_t)
++userdom_delete_user_tmp_files(cluster_t)
++userdom_rw_user_tmp_files(cluster_t)
+ userdom_kill_all_users(cluster_t)
+
+ tunable_policy(`cluster_can_network_connect',`
+diff --git a/sandboxX.te b/sandboxX.te
+index 956922c..499e739 100644
+--- a/sandboxX.te
++++ b/sandboxX.te
+@@ -415,8 +415,8 @@ selinux_compute_relabel_context(sandbox_web_type)
+ selinux_compute_user_contexts(sandbox_web_type)
+ seutil_read_default_contexts(sandbox_web_type)
+
+-userdom_rw_user_tmpfs_files(sandbox_web_type)
+-userdom_delete_user_tmpfs_files(sandbox_web_type)
++userdom_rw_user_tmp_files(sandbox_web_type)
++userdom_delete_user_tmp_files(sandbox_web_type)
+
+ optional_policy(`
+ alsa_read_rw_config(sandbox_web_type)
+diff --git a/thumb.te b/thumb.te
+index 0e30ce2..bd82684 100644
+--- a/thumb.te
++++ b/thumb.te
+@@ -46,7 +46,7 @@ manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+ userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+ userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
+ userdom_dontaudit_access_check_user_content(thumb_t)
+-userdom_rw_inherited_user_tmpfs_files(thumb_t)
++userdom_rw_inherited_user_tmp_files(thumb_t)
+ userdom_manage_home_texlive(thumb_t)
+
+ manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+@@ -55,7 +55,6 @@ manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+ exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+ files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+ userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
+-xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
+
+ manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+ manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
+diff --git a/userhelper.if b/userhelper.if
+index 35d784a..b25ec0d 100644
+--- a/userhelper.if
++++ b/userhelper.if
+@@ -315,7 +315,7 @@ template(`userhelper_console_role_template',`
+
+ auth_use_pam($1_consolehelper_t)
+
+- userdom_manage_tmpfs_role($2, $1_consolehelper_t)
++ userdom_manage_tmp_role($2, $1_consolehelper_t)
+
+ optional_policy(`
+ dbus_connect_session_bus($1_consolehelper_t)
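Review bot: After the rename, chrome.te carries `userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)` twice — the new line and the pre-existing one two lines below it — so the pre-existing line should be dropped, and chrome_sandbox_t likewise ends up with both `userdom_rw_inherited_user_tmp_files` and `userdom_write_inherited_user_tmp_files`, where the write variant is presumably subsumed by rw. In gpg.te the raw `allow gpg_pinentry_t user_tmp_t:file unlink;` now targets the same type that `userdom_delete_user_tmp_files`, used in this patch for corosync_t and cluster_t, covers; calling the interface instead keeps the access visible to interface-level audits, and the "Bug:" comment above it should name which pulseaudio files need unlink now that the rule spans all user tmp files rather than only the tmpfs ones. mozilla.te still calls `userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)` after its other tmpfs rules are removed; if user_tmpfs_t is being retired by this series, that call looks like a leftover.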
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index c33f667..aab44a5 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index 1a93dc5..2eebc19 100644
+index 1a93dc5..36f5a1f 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,31 +1,43 @@
+@@ -1,31 +1,44 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -50,6 +50,7 @@ index 1a93dc5..2eebc19 100644
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
+/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
@@ -70,7 +71,7 @@ index 1a93dc5..2eebc19 100644
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..1e5378d 100644
+index 058d908..2f6c3a9 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -346,7 +347,7 @@ index 058d908..1e5378d 100644
##
##
##
-@@ -288,39 +407,173 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +407,174 @@ interface(`abrt_manage_pid_files',`
##
##
##
@@ -446,6 +447,7 @@ index 058d908..1e5378d 100644
+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
++ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+')
+
+#####################################
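Review bot: The added `manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)` widens an interface for every caller, and the one caller visible in this diff is `abrt_manage_spool_retrace(httpd_t)` further down in the apache.te section, so httpd_t gains create/delete on sockets in the retrace spool. If only the retrace server itself needs sockets there, a rule in its own .te or a separate interface keeps the web server's footprint unchanged. The interface definition begins outside the hunk, so its name is inferred from the rules shown.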
@@ -2311,14 +2313,17 @@ index 16d0d66..60abfd0 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.fc b/anaconda.fc
-index b098089..b2c4d10 100644
+index b098089..258407b 100644
--- a/anaconda.fc
+++ b/anaconda.fc
-@@ -1 +1,4 @@
+@@ -1 +1,7 @@
# No file context specifications.
+
+/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0)
+/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0)
++
++/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0)
++/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0)
diff --git a/anaconda.if b/anaconda.if
index 14a61b7..21bbf36 100644
--- a/anaconda.if
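Review bot: `/usr/bin/ostree` and `/usr/bin/rpm-ostree` are general-purpose administration tools rather than installer-only binaries, so labelling them `install_exec_t` applies to every invocation on the system, not just anaconda's; whether executing them leaves the caller's domain depends on the transition rules for install_t, which are not in this hunk. A one-line comment above the two entries recording the reason they share anaconda's entrypoint type, e.g. `# run in install_t when deploying ostree-based installations` if that is the intent, would let a later reader judge the labelling. If install_t is a broadly privileged domain, a dedicated entrypoint type for these two binaries would be the narrower choice.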
@@ -4916,10 +4921,10 @@ index f6eb485..51b128e 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 6649962..1f527f5 100644
+index 6649962..6ae8921 100644
--- a/apache.te
+++ b/apache.te
-@@ -5,280 +5,325 @@ policy_module(apache, 2.7.2)
+@@ -5,280 +5,331 @@ policy_module(apache, 2.7.2)
# Declarations
#
@@ -4940,7 +4945,6 @@ index 6649962..1f527f5 100644
##
-gen_tunable(allow_httpd_anon_write, false)
+gen_tunable(httpd_anon_write, false)
-+
##
-##
@@ -5061,61 +5065,55 @@ index 6649962..1f527f5 100644
+##
+## Allow httpd to connect to memcache server
+##
-+##
-+gen_tunable(httpd_can_network_memcache, false)
-+
-+##
-+##
-+## Allow httpd to act as a relay
-+##
##
- gen_tunable(httpd_can_network_relay, false)
+-gen_tunable(httpd_can_network_relay, false)
++gen_tunable(httpd_can_network_memcache, false)
##
-##
-## Determine whether httpd daemon can
-## connect to zabbix over the network.
-##
-+##
-+## Allow http daemon to connect to zabbix
-+##
++##
++## Allow httpd to act as a relay
++##
##
-gen_tunable(httpd_can_network_connect_zabbix, false)
-+gen_tunable(httpd_can_connect_zabbix, false)
++gen_tunable(httpd_can_network_relay, false)
##
-##
-## Determine whether httpd can send mail.
-##
+##
-+## Allow http daemon to connect to mythtv
++## Allow http daemon to connect to zabbix
+##
##
-gen_tunable(httpd_can_sendmail, false)
-+gen_tunable(httpd_can_connect_mythtv, false)
++gen_tunable(httpd_can_connect_zabbix, false)
##
-##
-## Determine whether httpd can communicate
-## with avahi service via dbus.
-##
-+##
-+## Allow http daemon to check spam
-+##
++##
++## Allow http daemon to connect to mythtv
++##
##
-gen_tunable(httpd_dbus_avahi, false)
-+gen_tunable(httpd_can_check_spam, false)
++gen_tunable(httpd_can_connect_mythtv, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
-+## Allow http daemon to send mail
++## Allow http daemon to check spam
+##
##
-gen_tunable(httpd_enable_cgi, false)
-+gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_can_check_spam, false)
##
-##
@@ -5123,11 +5121,11 @@ index 6649962..1f527f5 100644
-## FTP server by listening on the ftp port.
-##
+##
-+## Allow Apache to communicate with avahi service via dbus
++## Allow http daemon to send mail
+##
##
-gen_tunable(httpd_enable_ftp_server, false)
-+gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_can_sendmail, false)
##
-##
@@ -5135,11 +5133,11 @@ index 6649962..1f527f5 100644
-## user home directories.
-##
+##
-+## Allow httpd cgi support
++## Allow Apache to communicate with avahi service via dbus
+##
##
-gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_dbus_avahi, false)
##
-##
@@ -5149,12 +5147,11 @@ index 6649962..1f527f5 100644
-## be labeled public_content_rw_t.
-##
+##
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow Apache to communicate with sssd service via dbus
+##
##
-gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_dbus_sssd, false)
##
-##
@@ -5162,24 +5159,24 @@ index 6649962..1f527f5 100644
-## its temporary content.
-##
+##
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd cgi support
+##
##
-gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_enable_cgi, false)
##
-##
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-##
-+##
-+## Allow httpd to connect to the ldap port
-+##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
##
-gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_enable_ftp_server, false)
##
-##
@@ -5187,34 +5184,35 @@ index 6649962..1f527f5 100644
-## to port 80 for graceful shutdown.
-##
+##
-+## Allow httpd to read home directories
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd can
-## manage IPA content files.
-##
-+##
-+## Allow httpd to read user content
-+##
++##
++## Allow httpd to connect to the ldap port
++##
##
-gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_can_connect_ldap, false)
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
-+## Allow Apache to run in stickshift mode, not transition to passenger
++## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_run_stickshift, false)
++gen_tunable(httpd_enable_homedirs, false)
##
-##
@@ -5222,11 +5220,10 @@ index 6649962..1f527f5 100644
-## generic user home content files.
-##
+##
-+## Allow Apache to query NS records
++## Allow httpd to read user content
+##
##
--gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_verify_dns, false)
+ gen_tunable(httpd_read_user_content, false)
##
-##
@@ -5234,6 +5231,20 @@ index 6649962..1f527f5 100644
-## its resource limits.
-##
+##
++## Allow Apache to run in stickshift mode, not transition to passenger
++##
++##
++gen_tunable(httpd_run_stickshift, false)
++
++##
++##
++## Allow Apache to query NS records
++##
++##
++gen_tunable(httpd_verify_dns, false)
++
++##
++##
+## Allow httpd daemon to change its resource limits
+##
##
@@ -5393,7 +5404,7 @@ index 6649962..1f527f5 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
-@@ -286,15 +331,35 @@ init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +337,35 @@ init_script_file(httpd_initrc_exec_t)
type httpd_keytab_t;
files_type(httpd_keytab_t)
@@ -5429,7 +5440,7 @@ index 6649962..1f527f5 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -302,10 +367,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +373,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -5442,7 +5453,7 @@ index 6649962..1f527f5 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -314,9 +377,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +383,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5465,7 +5476,7 @@ index 6649962..1f527f5 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -324,14 +397,21 @@ files_tmp_file(httpd_tmp_t)
+@@ -324,14 +403,21 @@ files_tmp_file(httpd_tmp_t)
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
@@ -5488,7 +5499,7 @@ index 6649962..1f527f5 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -346,33 +426,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +432,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5539,7 +5550,7 @@ index 6649962..1f527f5 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -381,30 +468,38 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +474,38 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5583,7 +5594,7 @@ index 6649962..1f527f5 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -412,14 +507,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,14 +513,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5605,7 +5616,7 @@ index 6649962..1f527f5 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -450,140 +552,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +558,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5673,7 +5684,7 @@ index 6649962..1f527f5 100644
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
-+
+
+application_exec_all(httpd_t)
+
+# execute perl
@@ -5682,7 +5693,7 @@ index 6649962..1f527f5 100644
+
+domain_use_interactive_fds(httpd_t)
+domain_dontaudit_read_all_domains_state(httpd_t)
-
++
+files_dontaudit_search_all_pids(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
-files_read_usr_files(httpd_t)
@@ -5843,7 +5854,7 @@ index 6649962..1f527f5 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -594,28 +728,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +734,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5903,7 +5914,7 @@ index 6649962..1f527f5 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +780,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +786,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5994,7 +6005,7 @@ index 6649962..1f527f5 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -695,66 +827,56 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +833,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -6015,8 +6026,10 @@ index 6649962..1f527f5 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
@@ -6027,28 +6040,15 @@ index 6649962..1f527f5 100644
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
-')
--
--tunable_policy(`httpd_use_fusefs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_fusefs_dirs(httpd_t)
-- fs_manage_fusefs_files(httpd_t)
-- fs_read_fusefs_symlinks(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
--')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
--tunable_policy(`httpd_use_nfs',`
+-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_nfs_dirs(httpd_t)
-- fs_manage_nfs_files(httpd_t)
-- fs_manage_nfs_symlinks(httpd_t)
+- fs_manage_fusefs_dirs(httpd_t)
+- fs_manage_fusefs_files(httpd_t)
+- fs_read_fusefs_symlinks(httpd_t)
-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
@@ -6057,22 +6057,27 @@ index 6649962..1f527f5 100644
+ cobbler_search_lib(httpd_t)
+ ')
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
+ tunable_policy(`httpd_can_network_connect_cobbler',`
+ corenet_tcp_connect_cobbler_port(httpd_t)
+ ')
')
- optional_policy(`
-- calamaris_read_www_files(httpd_t)
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_nfs_dirs(httpd_t)
+- fs_manage_nfs_files(httpd_t)
+- fs_manage_nfs_symlinks(httpd_t)
++optional_policy(`
+ tunable_policy(`httpd_use_sasl',`
+ sasl_connect(httpd_t)
+ ')
')
- optional_policy(`
-- ccs_read_config(httpd_t)
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_t)
++optional_policy(`
+ # Support for ABRT retrace server
+ # mod_wsgi
+ abrt_manage_spool_retrace(httpd_t)
@@ -6081,26 +6086,33 @@ index 6649962..1f527f5 100644
')
optional_policy(`
+@@ -749,24 +886,32 @@ optional_policy(`
+ ')
+
+ optional_policy(`
- clamav_domtrans_clamscan(httpd_t)
-+ calamaris_read_www_files(httpd_t)
++ cron_system_entry(httpd_t, httpd_exec_t)
')
optional_policy(`
- cobbler_read_config(httpd_t)
- cobbler_read_lib_files(httpd_t)
-+ ccs_read_config(httpd_t)
++ cvs_read_data(httpd_t)
')
optional_policy(`
-@@ -770,6 +892,23 @@ optional_policy(`
+- cron_system_entry(httpd_t, httpd_exec_t)
++ daemontools_service_domain(httpd_t, httpd_exec_t)
')
optional_policy(`
+- cvs_read_data(httpd_t)
+ #needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- daemontools_service_domain(httpd_t, httpd_exec_t)
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
@@ -6110,13 +6122,21 @@ index 6649962..1f527f5 100644
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
-+')
-+
-+ optional_policy(`
- dbus_system_bus_client(httpd_t)
+ ')
+ optional_policy(`
+@@ -775,6 +920,10 @@ optional_policy(`
tunable_policy(`httpd_dbus_avahi',`
-@@ -786,35 +925,55 @@ optional_policy(`
+ avahi_dbus_chat(httpd_t)
+ ')
++
++ tunable_policy(`httpd_dbus_sssd',
++ sssd_dbus_chat(httpd_t)
++ ')
+ ')
+
+ optional_policy(`
+@@ -786,35 +935,55 @@ optional_policy(`
')
optional_policy(`
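Review bot: The new `` tunable_policy(`httpd_dbus_sssd', `` line is missing the opening quote of its second argument — compare the `` tunable_policy(`httpd_dbus_avahi',` `` form a few lines above it — so `sssd_dbus_chat(httpd_t)` is passed unquoted and the following `')` closes nothing; m4 will either fail on the block or expand the body outside the boolean's control. Change the line to `` tunable_policy(`httpd_dbus_sssd',` `` so the body is quoted like its neighbour. The tunable itself is declared in the reordered declaration hunk earlier in this file section (`gen_tunable(httpd_dbus_sssd, false)`), so only the quoting needs fixing. The enclosing optional_policy block starts outside the hunk.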
@@ -6185,7 +6205,7 @@ index 6649962..1f527f5 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -822,8 +981,18 @@ optional_policy(`
+@@ -822,8 +991,18 @@ optional_policy(`
')
optional_policy(`
@@ -6204,7 +6224,7 @@ index 6649962..1f527f5 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -832,6 +1001,7 @@ optional_policy(`
+@@ -832,6 +1011,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -6212,7 +6232,7 @@ index 6649962..1f527f5 100644
')
optional_policy(`
-@@ -842,20 +1012,39 @@ optional_policy(`
+@@ -842,20 +1022,39 @@ optional_policy(`
')
optional_policy(`
@@ -6258,7 +6278,7 @@ index 6649962..1f527f5 100644
')
optional_policy(`
-@@ -863,19 +1052,35 @@ optional_policy(`
+@@ -863,19 +1062,35 @@ optional_policy(`
')
optional_policy(`
@@ -6294,7 +6314,7 @@ index 6649962..1f527f5 100644
udev_read_db(httpd_t)
')
-@@ -883,65 +1088,173 @@ optional_policy(`
+@@ -883,65 +1098,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6490,7 +6510,7 @@ index 6649962..1f527f5 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -950,123 +1263,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1273,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6645,7 +6665,7 @@ index 6649962..1f527f5 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1347,106 @@ optional_policy(`
+@@ -1083,172 +1357,106 @@ optional_policy(`
')
')
@@ -6882,7 +6902,7 @@ index 6649962..1f527f5 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1454,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1464,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6979,7 +6999,7 @@ index 6649962..1f527f5 100644
########################################
#
-@@ -1321,8 +1529,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1539,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6996,7 +7016,7 @@ index 6649962..1f527f5 100644
')
########################################
-@@ -1330,49 +1545,38 @@ optional_policy(`
+@@ -1330,49 +1555,38 @@ optional_policy(`
# User content local policy
#
@@ -7061,7 +7081,7 @@ index 6649962..1f527f5 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1586,100 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1596,100 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -9625,7 +9645,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 687d4c4..28c35c1 100644
+index 687d4c4..3c5a83a 100644
--- a/boinc.te
+++ b/boinc.te
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
@@ -9815,17 +9835,19 @@ index 687d4c4..28c35c1 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -137,8 +151,7 @@ init_read_utmp(boinc_t)
+@@ -137,8 +151,9 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
-miscfiles_read_fonts(boinc_t)
-miscfiles_read_localization(boinc_t)
++modutils_dontaudit_exec_insmod(boinc_t)
++
+xserver_stream_connect(boinc_t)
tunable_policy(`boinc_execmem',`
allow boinc_t self:process { execstack execmem };
-@@ -148,48 +161,61 @@ optional_policy(`
+@@ -148,48 +163,61 @@ optional_policy(`
mta_send_mail(boinc_t)
')
@@ -11475,10 +11497,10 @@ index 0000000..a0fdbcb
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..748f5d5
+index 0000000..fb60ffc
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,248 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -11607,6 +11629,7 @@ index 0000000..748f5d5
+userdom_manage_home_certs(chrome_sandbox_t)
+
+optional_policy(`
++ gnome_exec_config_home_files(chrome_sandbox_t)
+ gnome_read_generic_cache_files(chrome_sandbox_t)
+ gnome_rw_inherited_config(chrome_sandbox_t)
+ gnome_read_home_config(chrome_sandbox_t)
@@ -14408,10 +14431,10 @@ index 0000000..54b4b04
+')
diff --git a/conman.te b/conman.te
new file mode 100644
-index 0000000..0de2d4d
+index 0000000..d6b0314
--- /dev/null
+++ b/conman.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,49 @@
+policy_module(conman, 1.0.0)
+
+########################################
@@ -14439,7 +14462,7 @@ index 0000000..0de2d4d
+
+allow conman_t self:fifo_file rw_fifo_file_perms;
+allow conman_t self:unix_stream_socket create_stream_socket_perms;
-+allow conman_t self:tcp_socket { listen create_socket_perms };
++allow conman_t self:tcp_socket { accept listen create_socket_perms };
+
+manage_dirs_pattern(conman_t, conman_log_t, conman_log_t)
+manage_files_pattern(conman_t, conman_log_t, conman_log_t)
@@ -14454,6 +14477,10 @@ index 0000000..0de2d4d
+
+logging_send_syslog_msg(conman_t)
+
++sysnet_dns_name_resolve(conman_t)
++
++userdom_use_user_ptys(conman_t)
++
+optional_policy(`
+ freeipmi_stream_connect(conman_t)
+')
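Review bot: `userdom_use_user_ptys(conman_t)` presumably lets the daemon open user pty devices itself, while elsewhere in this patch domains that merely inherit a user's terminal use the narrower `userdom_use_inherited_user_ptys` (journalctl_t and chrome_sandbox_nacl_t do). If conman only needs the pty it was started on, `userdom_use_inherited_user_ptys(conman_t)` keeps it from opening other users' terminals; if it genuinely opens ptys on its own, a comment saying so would justify the wider interface. The added `accept` on its tcp_socket is consistent with the `listen` already granted.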
@@ -19410,10 +19437,10 @@ index f55c420..e9d64ab 100644
-
-miscfiles_read_localization(dbskkd_t)
diff --git a/dbus.fc b/dbus.fc
-index dda905b..31f269b 100644
+index dda905b..ccd0ba9 100644
--- a/dbus.fc
+++ b/dbus.fc
-@@ -1,20 +1,26 @@
+@@ -1,20 +1,27 @@
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
@@ -19441,6 +19468,7 @@ index dda905b..31f269b 100644
-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
++/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
-
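Review bot: `/var/cache/ibus(/.*)?` is labelled with the dbus daemon's private type system_dbusd_var_lib_t, so every domain that may manage the dbus lib content can also write the ibus cache and vice versa; if ibus should be separable from dbus, a dedicated type would be cleaner, and if sharing is intended a comment such as `# ibus cache is owned by the system bus; shares its var_lib type` next to the spec would record that. The new line is also inserted between the two /var/lib/dbus entries rather than kept with the other /var/cache paths.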
@@ -19452,7 +19480,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..2d33fcd 100644
+index 62d22cb..2b84a85 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -20235,7 +20263,7 @@ index 62d22cb..2d33fcd 100644
##
##
##
-@@ -597,28 +571,32 @@ interface(`dbus_use_system_bus_fds',`
+@@ -597,28 +571,49 @@ interface(`dbus_use_system_bus_fds',`
##
##
#
@@ -20275,6 +20303,23 @@ index 62d22cb..2d33fcd 100644
- typeattribute $1 dbusd_unconfined;
+ dontaudit $1 system_bus_type:dbus send_msg;
+ dontaudit system_bus_type $1:dbus send_msg;
++')
++
++#######################################
++##
++## Transition to dbus named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_filetrans_named_content_system',`
++ gen_require(`
++ type system_dbusd_var_lib_t;
++ ')
++ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
')
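Review bot: `dbus_filetrans_named_content_system` uses `files_var_filetrans`, which as I read it keys on the generic var_t parent directory, so a directory named "ibus" created by the caller in any var_t-labelled directory — not only /var/cache, which the dbus.fc hunk labels — would get system_dbusd_var_lib_t; if that is intended, say so. The summary `## Transition to dbus named content` also hides that the single transition is the ibus cache directory; suggest `## Create the "ibus" cache directory with the system bus var_lib type.`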
diff --git a/dbus.te b/dbus.te
index c9998c8..8b8b691 100644
@@ -22768,7 +22813,7 @@ index 23ab808..84735a8 100644
+/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/dnsmasq.if b/dnsmasq.if
-index 19aa0b8..e34a540 100644
+index 19aa0b8..b9895ba 100644
--- a/dnsmasq.if
+++ b/dnsmasq.if
@@ -10,7 +10,6 @@
@@ -22912,27 +22957,40 @@ index 19aa0b8..e34a540 100644
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',`
+@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',`
########################################
##
-## Create specified objects in specified
-## directories with a type transition to
-## the dnsmasq pid file type.
-+## Transition to dnsmasq named content
++## Create dnsmasq pid directories.
##
##
##
--## Domain allowed access.
--##
--##
+ ## Domain allowed access.
+ ##
+ ##
-##
-##
-## Directory to transition on.
-##
-##
-##
--##
++#
++interface(`dnsmasq_read_state',`
++ gen_require(`
++ type dnsmasq_t;
++ ')
++ ps_process_pattern($1, dnsmasq_t)
++')
++
++########################################
++##
++## Transition to dnsmasq named content
++##
++##
+ ##
-## The object class of the object being created.
+## Domain allowed access.
##
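Review bot: the doc block that now precedes `interface(`dnsmasq_read_state',` carries the summary `## Create dnsmasq pid directories.`, but the interface body is `ps_process_pattern($1, dnsmasq_t)`, i.e. it allows reading dnsmasq process state; the summary should read `## Read dnsmasq process state.` If the pid-directory summary belongs to an interface above this hunk (the hunk header places it inside dnsmasq_create_pid_dirs), the insertion has separated that summary from its interface and the earlier block needs its own one restored.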
@@ -22980,7 +23038,7 @@ index 19aa0b8..e34a540 100644
')
########################################
-@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
+@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
interface(`dnsmasq_admin',`
gen_require(`
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
@@ -23001,7 +23059,7 @@ index 19aa0b8..e34a540 100644
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 dnsmasq_initrc_exec_t system_r;
-@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',`
+@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',`
files_list_var_lib($1)
admin_pattern($1, dnsmasq_lease_t)
@@ -23286,10 +23344,10 @@ index 0000000..fd679a1
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..4ca46bc
+index 0000000..1048292
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,325 @@
+@@ -0,0 +1,345 @@
+
+## The open-source application container engine.
+
@@ -23573,6 +23631,26 @@ index 0000000..4ca46bc
+
+########################################
+##
++## Connect to docker over a unix stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`docker_stream_connect',`
++ gen_require(`
++ type docker_t, docker_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
++')
++
++
++########################################
++##
+## All of the rules required to administrate
+## an docker environment
+##
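Review bot: the new `docker_stream_connect` interface ends with two consecutive blank lines before the next separator, unlike the single blank line between the other interfaces in the file; drop one. The summary could also say what the caller gains — `stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)` gives the caller a channel to the docker daemon's listening socket, so a sentence such as `## Connect to the docker daemon's unix socket; callers can issue requests to the engine.` would discourage granting it casually.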
@@ -23617,10 +23695,10 @@ index 0000000..4ca46bc
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..d30d730
+index 0000000..d5a606c
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,263 @@
+@@ -0,0 +1,266 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -23765,6 +23843,7 @@ index 0000000..d30d730
+auth_use_nsswitch(docker_t)
+
+init_read_state(docker_t)
++init_status(docker_t)
+
+logging_send_audit_msgs(docker_t)
+logging_send_syslog_msg(docker_t)
@@ -23845,6 +23924,8 @@ index 0000000..d30d730
+
+modutils_domtrans_insmod(docker_t)
+
++systemd_status_all_unit_files(docker_t)
++
+userdom_stream_connect(docker_t)
+userdom_search_user_home_content(docker_t)
+
@@ -25893,10 +25974,10 @@ index cf0e567..fed8792 100644
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
-index ce358fb..aabd04f 100644
+index ce358fb..65ade3f 100644
--- a/fcoe.te
+++ b/fcoe.te
-@@ -20,25 +20,27 @@ files_pid_file(fcoemon_var_run_t)
+@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
# Local policy
#
@@ -25928,6 +26009,10 @@ index ce358fb..aabd04f 100644
optional_policy(`
lldpad_dgram_send(fcoemon_t)
')
++
++optional_policy(`
++ networkmanager_dgram_send(fcoemon_t)
++')
diff --git a/fetchmail.fc b/fetchmail.fc
index 133b8ee..a47a12f 100644
--- a/fetchmail.fc
@@ -27441,6 +27526,420 @@ index 2820368..88c98f4 100644
sysnet_read_config(gatekeeper_t)
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
+diff --git a/gear.fc b/gear.fc
+new file mode 100644
+index 0000000..5eabf35
+--- /dev/null
++++ b/gear.fc
+@@ -0,0 +1,7 @@
++/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
++
++/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0)
++
++/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0)
++
++/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0)
+diff --git a/gear.if b/gear.if
+new file mode 100644
+index 0000000..04e159f
+--- /dev/null
++++ b/gear.if
+@@ -0,0 +1,288 @@
++
++## The open-source application container engine.
++
++########################################
++##
++## Execute gear in the gear domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gear_domtrans',`
++ gen_require(`
++ type gear_t, gear_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, gear_exec_t, gear_t)
++')
++
++########################################
++##
++## Search gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_search_lib',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ allow $1 gear_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Execute gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_exec_lib',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ allow $1 gear_var_lib_t:dir search_dir_perms;
++ can_exec($1, gear_var_lib_t)
++')
++
++########################################
++##
++## Read gear lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_read_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++ manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_dirs',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Create objects in a gear var lib directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gear_lib_filetrans',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
++')
++
++########################################
++##
++## Read gear PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_read_pid_files',`
++ gen_require(`
++ type gear_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, gear_var_run_t, gear_var_run_t)
++')
++
++########################################
++##
++## Execute gear server in the gear domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gear_systemctl',`
++ gen_require(`
++ type gear_t;
++ type gear_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 gear_unit_file_t:file read_file_perms;
++ allow $1 gear_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, gear_t)
++')
++
++########################################
++##
++## Read and write gear shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_rw_sem',`
++ gen_require(`
++ type gear_t;
++ ')
++
++ allow $1 gear_t:sem rw_sem_perms;
++')
++
++#######################################
++##
++## Read and write the gear pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_use_ptys',`
++ gen_require(`
++ type gear_devpts_t;
++ ')
++
++ allow $1 gear_devpts_t:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow domain to create gear content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_filetrans_named_content',`
++ gen_require(`
++ type gear_var_lib_t;
++ type gear_var_run_t;
++ ')
++
++ files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
++ files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an gear environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_admin',`
++ gen_require(`
++ type gear_t;
++ type gear_var_lib_t, gear_var_run_t;
++ type gear_unit_file_t;
++ type gear_lock_t;
++ type gear_log_t;
++ ')
++
++ allow $1 gear_t:process { ptrace signal_perms };
++ ps_process_pattern($1, gear_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, gear_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, gear_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, gear_log_t)
++
++ gear_systemctl($1)
++ admin_pattern($1, gear_unit_file_t)
++ allow $1 gear_unit_file_t:service all_service_perms;
++')
+diff --git a/gear.te b/gear.te
+new file mode 100644
+index 0000000..e6a1c7c
+--- /dev/null
++++ b/gear.te
+@@ -0,0 +1,101 @@
++policy_module(gear, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gear_t;
++type gear_exec_t;
++init_daemon_domain(gear_t, gear_exec_t)
++
++type gear_var_lib_t;
++files_type(gear_var_lib_t)
++
++type gear_log_t;
++logging_log_file(gear_log_t)
++
++type gear_var_run_t;
++files_pid_file(gear_var_run_t)
++
++type gear_unit_file_t;
++systemd_unit_file(gear_unit_file_t)
++
++########################################
++#
++# gear local policy
++#
++allow gear_t self:capability chown;
++allow gear_t self:capability2 block_suspend;
++allow gear_t self:process { getattr signal_perms };
++allow gear_t self:fifo_file rw_fifo_file_perms;
++allow gear_t self:unix_stream_socket create_stream_socket_perms;
++allow gear_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
++manage_files_pattern(gear_t, gear_log_t, gear_log_t)
++manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
++logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
++
++gear_filetrans_named_content(gear_t)
++
++manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t)
++files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file })
++
++kernel_read_system_state(gear_t)
++kernel_read_network_state(gear_t)
++kernel_read_all_sysctls(gear_t)
++kernel_rw_net_sysctls(gear_t)
++
++domain_use_interactive_fds(gear_t)
++domain_read_all_domains_state(gear_t)
++
++corecmd_exec_bin(gear_t)
++corecmd_exec_shell(gear_t)
++
++corenet_tcp_bind_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_if(gear_t)
++corenet_tcp_sendrecv_generic_node(gear_t)
++corenet_tcp_sendrecv_generic_port(gear_t)
++corenet_tcp_bind_gear_port(gear_t)
++
++files_read_etc_files(gear_t)
++
++fs_read_cgroup_files(gear_t)
++fs_read_tmpfs_symlinks(gear_t)
++
++auth_use_nsswitch(gear_t)
++
++init_read_state(gear_t)
++init_dbus_chat(gear_t)
++
++iptables_domtrans(gear_t)
++
++logging_send_audit_msgs(gear_t)
++logging_send_syslog_msg(gear_t)
++
++miscfiles_read_localization(gear_t)
++
++mount_domtrans(gear_t)
++
++seutil_read_default_contexts(gear_t)
++
++sysnet_dns_name_resolve(gear_t)
++
++sysnet_domtrans_ifconfig(gear_t)
++
++systemd_manage_all_unit_files(gear_t)
++
++optional_policy(`
++ docker_stream_connect(gear_t)
++')
diff --git a/geoclue.fc b/geoclue.fc
new file mode 100644
index 0000000..a97f14f
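Review bot: `gear_admin` requires `type gear_lock_t;` and `gear_use_ptys` requires `type gear_devpts_t;`, but gear.te in this same hunk declares only gear_t, gear_exec_t, gear_var_lib_t, gear_log_t, gear_var_run_t and gear_unit_file_t, so any module calling those interfaces will fail on the missing type (gear_lock_t is also never used inside gear_admin); drop the two require lines or declare the types. `systemd_manage_all_unit_files(gear_t)` lets the gear daemon rewrite every unit file on the system, which is effectively the ability to run arbitrary code as any service — if gear only manages units it generates itself, a dedicated unit type with a named transition would be far narrower, and at minimum the broad form deserves a comment saying why. The gear.if header `## The open-source application container engine.` is copied verbatim from docker.if, and the `gear_systemctl` summary `## Execute gear server in the gear domain.` describes a domain transition rather than the systemctl access the body grants.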
@@ -28811,7 +29310,7 @@ index e39de43..6a6db28 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index ab09d61..8bcb6ba 100644
+index ab09d61..5f39122 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,52 +1,78 @@
@@ -29858,7 +30357,7 @@ index ab09d61..8bcb6ba 100644
##
##
##
-@@ -706,12 +820,948 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -706,12 +820,966 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -30415,6 +30914,24 @@ index ab09d61..8bcb6ba 100644
+ can_exec($1, gstreamer_home_t)
+')
+
++######################################
++##
++## Allow to execute config home content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_exec_config_home_files',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ can_exec($1, config_home_t)
++')
++
+#######################################
+##
+## file name transition gstreamer home content files.
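Review bot: the summary `## Allow to execute config home content files.` is ungrammatical and understates the grant — `can_exec($1, config_home_t)` covers every file of that type, which lives in user-writable home content; suggest `## Execute any file labelled config_home_t (user-writable config-home content).` so callers see what they hand out. This interface is consumed by the chrome.te hunk earlier in the patch.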
@@ -33345,10 +33862,10 @@ index 0000000..48d7322
+
diff --git a/ipa.if b/ipa.if
new file mode 100644
-index 0000000..d028154
+index 0000000..a2af18e
--- /dev/null
+++ b/ipa.if
-@@ -0,0 +1,57 @@
+@@ -0,0 +1,76 @@
+## Policy for IPA services.
+
+########################################
@@ -33406,6 +33923,25 @@ index 0000000..d028154
+ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
++########################################
++##
++## Allow domain to manage ipa lib files/dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_read_lib',`
++ gen_require(`
++ type ipa_var_lib_t;
++ ')
++
++ read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
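Review bot: `ipa_read_lib` grants only read_files_pattern and list_dirs_pattern, yet its summary says `## Allow domain to manage ipa lib files/dirs.`; suggest `## Read ipa lib files and list ipa lib directories.` It also omits `files_search_var_lib($1)`, which the comparable gear_read_lib_files interface in this patch includes, so a caller such as pki_tomcat_t (the pki.te hunk) may be unable to traverse to ipa_var_lib_t unless it already has /var/lib search — confirm, and add `files_search_var_lib($1)` before the two patterns.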
diff --git a/ipa.te b/ipa.te
new file mode 100644
index 0000000..b60bc5f
@@ -41276,10 +41812,10 @@ index 0000000..3f433f1
+')
diff --git a/mcollective.te b/mcollective.te
new file mode 100644
-index 0000000..a04dd6b
+index 0000000..8bc27f4
--- /dev/null
+++ b/mcollective.te
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,27 @@
+policy_module(mcollective, 1.0.0)
+
+########################################
@@ -41292,8 +41828,6 @@ index 0000000..a04dd6b
+init_daemon_domain(mcollective_t, mcollective_exec_t)
+cron_system_entry(mcollective_t, mcollective_exec_t)
+
-+permissive mcollective_t;
-+
+type mcollective_etc_rw_t;
+files_type(mcollective_etc_rw_t)
+
@@ -50610,7 +51144,7 @@ index 86dc29d..1cd0d0e 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..ed9adbc 100644
+index 55f2009..5fa2fb5 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -50635,7 +51169,7 @@ index 55f2009..ed9adbc 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,25 +42,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,53 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
@@ -50654,6 +51188,9 @@ index 55f2009..ed9adbc 100644
+
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
+
++allow NetworkManager_t self:process setfscreate;
++selinux_validate_context(NetworkManager_t)
++
+tunable_policy(`deny_ptrace',`',`
+ allow NetworkManager_t self:capability sys_ptrace;
+ allow NetworkManager_t self:process ptrace;
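Review bot: `allow NetworkManager_t self:process setfscreate;` lets the daemon choose the label of files it creates, overriding the type transitions the rest of the file sets up, and the hunk gives no hint which write needs it; add a why-comment next to it, e.g. `# setfscreate: NM labels <which files — TODO confirm> explicitly; contexts are checked via selinux_validate_context`. The enclosing local-policy section continues outside the hunk.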
@@ -50683,10 +51220,10 @@ index 55f2009..ed9adbc 100644
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
-+
+
+list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
-
++
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
@@ -50695,7 +51232,7 @@ index 55f2009..ed9adbc 100644
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +96,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +99,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -50703,7 +51240,7 @@ index 55f2009..ed9adbc 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +110,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +113,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -50722,7 +51259,7 @@ index 55f2009..ed9adbc 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +128,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +131,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -50748,7 +51285,7 @@ index 55f2009..ed9adbc 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +144,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +147,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -50762,7 +51299,7 @@ index 55f2009..ed9adbc 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,18 +152,33 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,18 +155,33 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -50797,7 +51334,7 @@ index 55f2009..ed9adbc 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +193,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +196,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -50834,7 +51371,7 @@ index 55f2009..ed9adbc 100644
')
optional_policy(`
-@@ -196,10 +234,6 @@ optional_policy(`
+@@ -196,10 +237,6 @@ optional_policy(`
')
optional_policy(`
@@ -50845,7 +51382,7 @@ index 55f2009..ed9adbc 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +244,11 @@ optional_policy(`
+@@ -210,16 +247,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -50864,7 +51401,7 @@ index 55f2009..ed9adbc 100644
')
')
-@@ -231,18 +260,27 @@ optional_policy(`
+@@ -231,10 +263,11 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -50873,16 +51410,14 @@ index 55f2009..ed9adbc 100644
optional_policy(`
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
-+ hal_write_log(NetworkManager_t)
++ fcoe_dgram_send_fcoemon(NetworkManager_t)
')
optional_policy(`
-- hal_write_log(NetworkManager_t)
-+ howl_signal(NetworkManager_t)
+@@ -246,10 +279,26 @@ optional_policy(`
')
optional_policy(`
-- howl_signal(NetworkManager_t)
+ gnome_dontaudit_search_config(NetworkManager_t)
+')
+
@@ -50892,10 +51427,10 @@ index 55f2009..ed9adbc 100644
+
+optional_policy(`
+ iodined_domtrans(NetworkManager_t)
- ')
-
- optional_policy(`
-@@ -250,6 +288,10 @@ optional_policy(`
++')
++
++optional_policy(`
+ ipsec_domtrans_mgmt(NetworkManager_t)
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
@@ -50906,7 +51441,7 @@ index 55f2009..ed9adbc 100644
')
optional_policy(`
-@@ -257,15 +299,19 @@ optional_policy(`
+@@ -257,15 +306,19 @@ optional_policy(`
')
optional_policy(`
@@ -50928,7 +51463,7 @@ index 55f2009..ed9adbc 100644
')
optional_policy(`
-@@ -274,10 +320,17 @@ optional_policy(`
+@@ -274,10 +327,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -50946,7 +51481,7 @@ index 55f2009..ed9adbc 100644
')
optional_policy(`
-@@ -289,6 +342,7 @@ optional_policy(`
+@@ -289,6 +349,7 @@ optional_policy(`
')
optional_policy(`
@@ -50954,7 +51489,7 @@ index 55f2009..ed9adbc 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +350,7 @@ optional_policy(`
+@@ -296,7 +357,7 @@ optional_policy(`
')
optional_policy(`
@@ -50963,7 +51498,7 @@ index 55f2009..ed9adbc 100644
')
optional_policy(`
-@@ -307,6 +361,7 @@ optional_policy(`
+@@ -307,6 +368,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -50971,7 +51506,7 @@ index 55f2009..ed9adbc 100644
')
optional_policy(`
-@@ -320,14 +375,20 @@ optional_policy(`
+@@ -320,14 +382,20 @@ optional_policy(`
')
optional_policy(`
@@ -50997,7 +51532,7 @@ index 55f2009..ed9adbc 100644
')
optional_policy(`
-@@ -357,6 +418,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +425,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -53101,7 +53636,7 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index 421bf1a..b80dbe5 100644
+index 421bf1a..e3f91f6 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
@@ -53115,7 +53650,7 @@ index 421bf1a..b80dbe5 100644
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
-+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
++allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
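Review bot: `chown` is added to nslcd_t's capability set with no comment on which operation needs it; capability grants accumulate silently, so a short note such as `# chown: <operation — TODO confirm>` beside the rule keeps the set auditable. The surrounding self rules continue outside the hunk.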
@@ -54023,7 +54558,7 @@ index af3c91e..6882a3f 100644
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/ntp.if b/ntp.if
-index e96a309..c6d1b01 100644
+index e96a309..2bacc3f 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
@@ -54190,7 +54725,7 @@ index e96a309..c6d1b01 100644
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
-@@ -186,5 +270,28 @@ interface(`ntp_admin',`
+@@ -186,5 +270,30 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
@@ -54215,13 +54750,15 @@ index e96a309..c6d1b01 100644
+interface(`ntp_filetrans_named_content',`
+ gen_require(`
+ type ntp_conf_t;
++ type ntp_drift_t;
+ ')
+
+ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
++ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
')
diff --git a/ntp.te b/ntp.te
-index f81b113..8d889d8 100644
+index f81b113..5c71385 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
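Review bot: `files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")` in ntp_filetrans_named_content uses object class `file`, while the ntp.te hunk further down adds `files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")` with class `dir`, and the ntp.fc context `/var/lib/sntp-kod(/.*)?` is written as a directory pattern; for the same path one of the two classes is wrong, and whichever is right the interface and the daemon rule should agree (or use `{ dir file }` if sntp may create either).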
@@ -54234,7 +54771,15 @@ index f81b113..8d889d8 100644
type ntp_conf_t;
files_config_file(ntp_conf_t)
-@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
+@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen };
+
+ manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
+ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")
+
+ allow ntpd_t ntp_conf_t:file read_file_perms;
+
+@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
@@ -54245,7 +54790,7 @@ index f81b113..8d889d8 100644
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
-@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t)
+@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
kernel_request_load_module(ntpd_t)
@@ -54269,7 +54814,7 @@ index f81b113..8d889d8 100644
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
-@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t)
+@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t)
domain_dontaudit_list_all_domains_state(ntpd_t)
files_read_etc_runtime_files(ntpd_t)
@@ -54286,7 +54831,7 @@ index f81b113..8d889d8 100644
auth_use_nsswitch(ntpd_t)
-@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
@@ -59037,7 +59582,7 @@ index bf59ef7..0ec51d4 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
-index 08ec33b..12f6357 100644
+index 08ec33b..24ce7e8 100644
--- a/passenger.te
+++ b/passenger.te
@@ -14,6 +14,9 @@ role system_r types passenger_t;
@@ -59129,7 +59674,7 @@ index 08ec33b..12f6357 100644
+')
+
+optional_policy(`
-+ puppet_domtrans(passenger_t)
++ puppet_domtrans_master(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
- puppet_append_log_files(passenger_t)
@@ -59838,7 +60383,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 608f454..aa814c8 100644
+index 608f454..6054e92 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -59857,7 +60402,7 @@ index 608f454..aa814c8 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,319 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,324 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -60035,6 +60580,8 @@ index 608f454..aa814c8 100644
+# pegasus openlmi service local policy
+#
+
++fs_getattr_all_fs(pegasus_openlmi_admin_t)
++
+init_manage_transient_unit(pegasus_openlmi_admin_t)
+init_disable_services(pegasus_openlmi_admin_t)
+init_enable_services(pegasus_openlmi_admin_t)
@@ -60049,6 +60596,9 @@ index 608f454..aa814c8 100644
+
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
+
++logging_read_syslog_pid(pegasus_openlmi_admin_t)
++logging_read_generic_logs(pegasus_openlmi_admin_t)
++
+optional_policy(`
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
+
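Review bot: the two new `logging_read_syslog_pid(pegasus_openlmi_admin_t)` and `logging_read_generic_logs(pegasus_openlmi_admin_t)` lines are inserted after a pegasus_openlmi_service_t rule rather than with the other pegasus_openlmi_admin_t rules above; moving them up keeps each domain's rules in one place. logging_read_generic_logs also grants read on every generic log file, which the hunk does not justify — a comment naming the log the admin provider actually needs would help.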
@@ -60182,7 +60732,7 @@ index 608f454..aa814c8 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +357,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -60213,7 +60763,7 @@ index 608f454..aa814c8 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +383,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -60246,7 +60796,7 @@ index 608f454..aa814c8 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +411,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -60258,7 +60808,7 @@ index 608f454..aa814c8 100644
files_list_var_lib(pegasus_t)
files_read_var_lib_files(pegasus_t)
-@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +427,29 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -60294,7 +60844,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
-@@ -151,16 +456,24 @@ optional_policy(`
+@@ -151,16 +461,24 @@ optional_policy(`
')
optional_policy(`
@@ -60323,7 +60873,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
-@@ -168,7 +481,7 @@ optional_policy(`
+@@ -168,7 +486,7 @@ optional_policy(`
')
optional_policy(`
@@ -60332,7 +60882,7 @@ index 608f454..aa814c8 100644
')
optional_policy(`
-@@ -180,6 +493,7 @@ optional_policy(`
+@@ -180,6 +498,7 @@ optional_policy(`
')
optional_policy(`
@@ -61473,10 +62023,10 @@ index 0000000..798efb6
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..22f672d
+index 0000000..90c6736
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,274 @@
+@@ -0,0 +1,278 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -61624,6 +62174,10 @@ index 0000000..22f672d
+ hostname_exec(pki_tomcat_t)
+')
+
++optional_policy(`
++ ipa_read_lib(pki_tomcat_t)
++')
++
+#######################################
+#
+# tps local policy
@@ -68847,31 +69401,37 @@ index 6643b49..1d2470f 100644
optional_policy(`
diff --git a/puppet.fc b/puppet.fc
-index d68e26d..98ad443 100644
+index d68e26d..cad91e2 100644
--- a/puppet.fc
+++ b/puppet.fc
-@@ -1,18 +1,13 @@
+@@ -1,18 +1,20 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
++/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-+/usr/lib/systemd/system/puppet.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0)
-+/usr/lib/systemd/system/puppetmaster.* -- gen_context(system_u:object_r:puppet_unit_file_t,s0)
++/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppetagent_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
- /usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+-/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-+/usr/bin/puppet -- gen_context(system_u:object_r:puppet_exec_t,s0)
-+/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppet_exec_t,s0)
-+/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppet_exec_t,s0)
++#helper scripts
++/usr/bin/start-puppet-agent -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/start-puppet-master -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
--
++/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/bin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/bin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
--
++/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
++/usr/sbin/puppetd -- gen_context(system_u:object_r:puppetagent_exec_t,s0)
++/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
-
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
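Review bot: The rewritten context list keeps `/usr/bin/start-puppet-agent` and `/usr/bin/start-puppet-master` but no longer carries an entry for `/usr/bin/puppet`, which the previous version of this patch labeled `puppet_exec_t`; with that line gone the unified `puppet` binary keeps the generic bin label, so a unit file or an administrator that runs `puppet agent` directly rather than through the helper scripts gets no transition into `puppetagent_t`. If every supported start path goes through the `start-puppet-*` wrappers this is fine, but state that next to the new `#helper scripts` line, e.g. `# daemons are started through these wrappers; /usr/bin/puppet itself is intentionally left unlabeled`. Dropping the `/usr/lib/systemd/system/puppet.*` and `puppetmaster.*` entries looks deliberate since `puppet_unit_file_t` is also removed from puppet.te later in this patch, but confirm nothing else still references that type.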
@@ -68879,10 +69439,10 @@ index d68e26d..98ad443 100644
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
diff --git a/puppet.if b/puppet.if
-index 7cb8b1f..6357588 100644
+index 7cb8b1f..9422c90 100644
--- a/puppet.if
+++ b/puppet.if
-@@ -1,4 +1,50 @@
+@@ -1,4 +1,32 @@
-## Configuration management system.
+## Puppet client daemon
+##
@@ -68894,47 +69454,29 @@ index 7cb8b1f..6357588 100644
+##
+##
+
-+#######################################
-+##
-+## Execute puppet_master in the puppet_master
-+## domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`puppet_domtrans_master',`
-+ gen_require(`
-+ type puppetmaster_t, puppetmaster_exec_t;
-+ ')
-+ refpolicywarn(`$0($*) has been deprecated.')
-+')
-+
+########################################
+##
-+## Execute puppet in the puppet
-+## domain.
++## Execute puppet_master in the puppet_master
++## domain.
+##
+##
+##
-+## Domain allowed to transition.
++## Domain allowed to transition.
+##
+##
+#
-+interface(`puppet_domtrans',`
-+ gen_require(`
-+ type puppet_t, puppet_exec_t;
-+ ')
++interface(`puppet_domtrans_master',`
++ gen_require(`
++ type puppetmaster_t, puppetmaster_exec_t;
++ ')
+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, puppet_exec_t, puppet_t)
++ corecmd_search_bin($1)
++ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
+')
########################################
##
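Review bot: `interface(`puppet_domtrans',...)` for the agent domain is removed outright while `puppet_domtrans_master` is turned from a deprecation stub into a real transition, so any module that still calls `puppet_domtrans()` will now fail at policy build time. The earlier version of this same hunk shows the file's own convention for retiring an interface — keep the name and emit `refpolicywarn(`$0($*) has been deprecated.')` — so either keep `puppet_domtrans` as such a stub or, since `puppetagent_t` and `puppetagent_exec_t` exist, keep it working as `domtrans_pattern($1, puppetagent_exec_t, puppetagent_t)`. Whether any caller exists is not visible from this patch.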
-@@ -40,16 +86,19 @@ interface(`puppet_domtrans_puppetca',`
+@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
#
interface(`puppet_run_puppetca',`
gen_require(`
@@ -68958,7 +69500,7 @@ index 7cb8b1f..6357588 100644
##
##
##
-@@ -57,15 +106,13 @@ interface(`puppet_run_puppetca',`
+@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
##
##
#
@@ -68978,7 +69520,7 @@ index 7cb8b1f..6357588 100644
')
################################################
-@@ -78,158 +125,164 @@ interface(`puppet_read_config',`
+@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
##
##
#
@@ -69152,15 +69694,15 @@ index 7cb8b1f..6357588 100644
-##
-## Domain allowed access.
-##
--##
--##
--##
--## Role allowed access.
--##
+##
+## Domain allowed access.
+##
##
+-##
+-##
+-## Role allowed access.
+-##
+-##
-##
#
-interface(`puppet_admin',`
@@ -69170,14 +69712,14 @@ index 7cb8b1f..6357588 100644
- type puppet_var_run_t, puppetmaster_tmp_t;
- type puppet_t, puppetca_t, puppetmaster_t;
- ')
+-
+- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
+interface(`puppet_manage_log',`
+ gen_require(`
+ type puppet_log_t;
+ ')
-- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
--
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
- domain_system_change_exemption($1)
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
@@ -69238,10 +69780,10 @@ index 7cb8b1f..6357588 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index 618dcfe..ca66457 100644
+index 618dcfe..0903e67 100644
--- a/puppet.te
+++ b/puppet.te
-@@ -6,25 +6,31 @@ policy_module(puppet, 1.4.0)
+@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
#
##
@@ -69254,7 +69796,8 @@ index 618dcfe..ca66457 100644
+## types.
+##
##
- gen_tunable(puppet_manage_all_files, false)
+-gen_tunable(puppet_manage_all_files, false)
++gen_tunable(puppetagent_manage_all_files, false)
-attribute_role puppetca_roles;
-roleattribute system_r puppetca_roles;
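Review bot: Renaming the boolean from `puppet_manage_all_files` to `puppetagent_manage_all_files` silently drops any existing `setsebool`/`semanage boolean` setting stored under the old name unless the old name is aliased to the new one in booleans.subs_dist; this hunk alone does not show that alias, so confirm it is part of the same change. Without it, hosts that had the boolean enabled come back after the update with it at its default `false`.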
@@ -69263,25 +69806,29 @@ index 618dcfe..ca66457 100644
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
+##
+##
-+gen_tunable(puppet_use_db, false)
++gen_tunable(puppetmaster_use_db, false)
- type puppet_t;
- type puppet_exec_t;
- init_daemon_domain(puppet_t, puppet_exec_t)
+-type puppet_t;
+-type puppet_exec_t;
+-init_daemon_domain(puppet_t, puppet_exec_t)
++type puppetagent_t;
++type puppetagent_exec_t;
++typealias puppetagent_exec_t alias puppet_exec_t;
++typealias puppetagent_t alias puppet_t;
++init_daemon_domain(puppetagent_t, puppetagent_exec_t)
-+typealias puppet_t alias puppetmaster_t;
-+
type puppet_etc_t;
files_config_file(puppet_etc_t)
-type puppet_initrc_exec_t;
-init_script_file(puppet_initrc_exec_t)
-+type puppet_unit_file_t;
-+systemd_unit_file(puppet_unit_file_t)
++type puppetagent_initrc_exec_t;
++typealias puppetagent_initrc_exec_t alias puppet_initrc_exec_t;
++init_script_file(puppetagent_initrc_exec_t)
type puppet_log_t;
logging_log_file(puppet_log_t)
-@@ -37,52 +43,37 @@ files_type(puppet_var_lib_t)
+@@ -37,12 +44,11 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
@@ -69291,18 +69838,12 @@ index 618dcfe..ca66457 100644
type puppetca_exec_t;
application_domain(puppetca_t, puppetca_exec_t)
-role puppetca_roles types puppetca_t;
--
--type puppetmaster_t;
--type puppetmaster_exec_t;
--init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)
--
--type puppetmaster_initrc_exec_t;
--init_script_file(puppetmaster_initrc_exec_t)
--
--type puppetmaster_tmp_t;
--files_tmp_file(puppetmaster_tmp_t)
+role system_r types puppetca_t;
+ type puppetmaster_t;
+ type puppetmaster_exec_t;
+@@ -56,161 +62,156 @@ files_tmp_file(puppetmaster_tmp_t)
+
########################################
#
-# Local policy
@@ -69310,146 +69851,254 @@ index 618dcfe..ca66457 100644
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
-+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
- allow puppet_t self:process { signal signull getsched setsched };
- allow puppet_t self:fifo_file rw_fifo_file_perms;
- allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
+-allow puppet_t self:process { signal signull getsched setsched };
+-allow puppet_t self:fifo_file rw_fifo_file_perms;
+-allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
-allow puppet_t self:tcp_socket { accept listen };
-+allow puppet_t self:tcp_socket create_stream_socket_perms;
- allow puppet_t self:udp_socket create_socket_perms;
-
+-allow puppet_t self:udp_socket create_socket_perms;
+-
-allow puppet_t puppet_etc_t:dir list_dir_perms;
-allow puppet_t puppet_etc_t:file read_file_perms;
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
-+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
-
- manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
- manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-
+-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-+files_search_var_lib(puppet_t)
-
+-
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
-+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
- files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
-
+-manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
+-files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
+-
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
- create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+-create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
-+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
- logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
-
- manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-@@ -91,43 +82,38 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
-
- kernel_dontaudit_search_sysctl(puppet_t)
- kernel_dontaudit_search_kernel_sysctl(puppet_t)
-+kernel_read_system_state(puppet_t)
- kernel_read_crypto_sysctls(puppet_t)
- kernel_read_kernel_sysctls(puppet_t)
+-logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
+-
+-manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-manage_files_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
+-files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+-
+-kernel_dontaudit_search_sysctl(puppet_t)
+-kernel_dontaudit_search_kernel_sysctl(puppet_t)
+-kernel_read_crypto_sysctls(puppet_t)
+-kernel_read_kernel_sysctls(puppet_t)
-kernel_read_net_sysctls(puppet_t)
-kernel_read_network_state(puppet_t)
-
-+corecmd_read_all_executables(puppet_t)
-+corecmd_dontaudit_access_all_executables(puppet_t)
- corecmd_exec_bin(puppet_t)
- corecmd_exec_shell(puppet_t)
+-
+-corecmd_exec_bin(puppet_t)
+-corecmd_exec_shell(puppet_t)
-corecmd_read_all_executables(puppet_t)
-
- corenet_all_recvfrom_netlabel(puppet_t)
+-
+-corenet_all_recvfrom_netlabel(puppet_t)
-corenet_all_recvfrom_unlabeled(puppet_t)
- corenet_tcp_sendrecv_generic_if(puppet_t)
- corenet_tcp_sendrecv_generic_node(puppet_t)
+-corenet_tcp_sendrecv_generic_if(puppet_t)
+-corenet_tcp_sendrecv_generic_node(puppet_t)
-
-corenet_sendrecv_puppet_client_packets(puppet_t)
-+corenet_tcp_bind_generic_node(puppet_t)
- corenet_tcp_connect_puppet_port(puppet_t)
+-corenet_tcp_connect_puppet_port(puppet_t)
-corenet_tcp_sendrecv_puppet_port(puppet_t)
-+corenet_sendrecv_puppet_client_packets(puppet_t)
-
- dev_read_rand(puppet_t)
- dev_read_sysfs(puppet_t)
- dev_read_urand(puppet_t)
-
+-
+-dev_read_rand(puppet_t)
+-dev_read_sysfs(puppet_t)
+-dev_read_urand(puppet_t)
+-
-domain_interactive_fd(puppet_t)
- domain_read_all_domains_state(puppet_t)
-+domain_interactive_fd(puppet_t)
-+domain_named_filetrans(puppet_t)
-
- files_manage_config_files(puppet_t)
- files_manage_config_dirs(puppet_t)
- files_manage_etc_dirs(puppet_t)
- files_manage_etc_files(puppet_t)
+-domain_read_all_domains_state(puppet_t)
+-
+-files_manage_config_files(puppet_t)
+-files_manage_config_dirs(puppet_t)
+-files_manage_etc_dirs(puppet_t)
+-files_manage_etc_files(puppet_t)
-files_read_usr_files(puppet_t)
- files_read_usr_symlinks(puppet_t)
- files_relabel_config_dirs(puppet_t)
- files_relabel_config_files(puppet_t)
+-files_read_usr_symlinks(puppet_t)
+-files_relabel_config_dirs(puppet_t)
+-files_relabel_config_files(puppet_t)
-files_search_var_lib(puppet_t)
-
+-
-selinux_get_fs_mount(puppet_t)
-selinux_search_fs(puppet_t)
- selinux_set_all_booleans(puppet_t)
- selinux_set_generic_booleans(puppet_t)
- selinux_validate_context(puppet_t)
-@@ -135,6 +121,8 @@ selinux_validate_context(puppet_t)
- term_dontaudit_getattr_unallocated_ttys(puppet_t)
- term_dontaudit_getattr_all_ttys(puppet_t)
-
-+auth_use_nsswitch(puppet_t)
-+
- init_all_labeled_script_domtrans(puppet_t)
- init_domtrans_script(puppet_t)
- init_read_utmp(puppet_t)
-@@ -143,18 +131,31 @@ init_signull_script(puppet_t)
- logging_send_syslog_msg(puppet_t)
-
- miscfiles_read_hwdata(puppet_t)
+-selinux_set_all_booleans(puppet_t)
+-selinux_set_generic_booleans(puppet_t)
+-selinux_validate_context(puppet_t)
+-
+-term_dontaudit_getattr_unallocated_ttys(puppet_t)
+-term_dontaudit_getattr_all_ttys(puppet_t)
+-
+-init_all_labeled_script_domtrans(puppet_t)
+-init_domtrans_script(puppet_t)
+-init_read_utmp(puppet_t)
+-init_signull_script(puppet_t)
+-
+-logging_send_syslog_msg(puppet_t)
+-
+-miscfiles_read_hwdata(puppet_t)
-miscfiles_read_localization(puppet_t)
-
-mount_domtrans(puppet_t)
-
- seutil_domtrans_setfiles(puppet_t)
- seutil_domtrans_semanage(puppet_t)
-+seutil_read_file_contexts(puppet_t)
-
- sysnet_run_ifconfig(puppet_t, system_r)
+-
+-seutil_domtrans_setfiles(puppet_t)
+-seutil_domtrans_semanage(puppet_t)
+-
+-sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
-+
-+usermanage_access_check_groupadd(puppet_t)
-+usermanage_access_check_passwd(puppet_t)
-+usermanage_access_check_useradd(puppet_t)
-
- tunable_policy(`puppet_manage_all_files',`
+-
+-tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
-+ files_manage_non_security_files(puppet_t)
-+')
++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
++allow puppetagent_t self:process { signal signull getsched setsched };
++allow puppetagent_t self:fifo_file rw_fifo_file_perms;
++allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
++allow puppetagent_t self:tcp_socket create_stream_socket_perms;
++allow puppetagent_t self:udp_socket create_socket_perms;
+
-+optional_policy(`
-+ tunable_policy(`puppet_use_db',`
-+ mysql_stream_connect(puppet_t)
-+ ')
-+')
++read_files_pattern(puppetagent_t, puppet_etc_t, puppet_etc_t)
++
++manage_dirs_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_files_pattern(puppetagent_t, puppet_var_lib_t, puppet_var_lib_t)
++files_search_var_lib(puppetagent_t)
++
++manage_dirs_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++manage_files_pattern(puppetagent_t, puppet_var_run_t, puppet_var_run_t)
++files_pid_filetrans(puppetagent_t, puppet_var_run_t, { file dir })
++
++create_dirs_pattern(puppetagent_t, var_log_t, puppet_log_t)
++create_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++append_files_pattern(puppetagent_t, puppet_log_t, puppet_log_t)
++logging_log_filetrans(puppetagent_t, puppet_log_t, { file dir })
++
++manage_dirs_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++manage_files_pattern(puppetagent_t, puppet_tmp_t, puppet_tmp_t)
++files_tmp_filetrans(puppetagent_t, puppet_tmp_t, { file dir })
++
++kernel_dontaudit_search_sysctl(puppetagent_t)
++kernel_dontaudit_search_kernel_sysctl(puppetagent_t)
++kernel_read_system_state(puppetagent_t)
++kernel_read_crypto_sysctls(puppetagent_t)
++kernel_read_kernel_sysctls(puppetagent_t)
++
++corecmd_read_all_executables(puppetagent_t)
++corecmd_dontaudit_access_all_executables(puppetagent_t)
++corecmd_exec_bin(puppetagent_t)
++corecmd_exec_shell(puppetagent_t)
++
++corenet_all_recvfrom_netlabel(puppetagent_t)
++corenet_tcp_sendrecv_generic_if(puppetagent_t)
++corenet_tcp_sendrecv_generic_node(puppetagent_t)
++corenet_tcp_bind_generic_node(puppetagent_t)
++corenet_tcp_connect_puppet_port(puppetagent_t)
++corenet_sendrecv_puppet_client_packets(puppetagent_t)
++
++dev_read_rand(puppetagent_t)
++dev_read_sysfs(puppetagent_t)
++dev_read_urand(puppetagent_t)
++
++domain_read_all_domains_state(puppetagent_t)
++domain_interactive_fd(puppetagent_t)
++domain_named_filetrans(puppetagent_t)
++
++files_manage_config_files(puppetagent_t)
++files_manage_config_dirs(puppetagent_t)
++files_manage_etc_dirs(puppetagent_t)
++files_manage_etc_files(puppetagent_t)
++files_read_usr_symlinks(puppetagent_t)
++files_relabel_config_dirs(puppetagent_t)
++files_relabel_config_files(puppetagent_t)
+
++selinux_set_all_booleans(puppetagent_t)
++selinux_set_generic_booleans(puppetagent_t)
++selinux_validate_context(puppetagent_t)
++
++term_dontaudit_getattr_unallocated_ttys(puppetagent_t)
++term_dontaudit_getattr_all_ttys(puppetagent_t)
++
++auth_use_nsswitch(puppetagent_t)
++
++init_all_labeled_script_domtrans(puppetagent_t)
++init_domtrans_script(puppetagent_t)
++init_read_utmp(puppetagent_t)
++init_signull_script(puppetagent_t)
++
++logging_send_syslog_msg(puppetagent_t)
++
++miscfiles_read_hwdata(puppetagent_t)
++
++seutil_domtrans_setfiles(puppetagent_t)
++seutil_domtrans_semanage(puppetagent_t)
++seutil_read_file_contexts(puppetagent_t)
++
++sysnet_run_ifconfig(puppetagent_t, system_r)
++
++usermanage_access_check_groupadd(puppetagent_t)
++usermanage_access_check_passwd(puppetagent_t)
++usermanage_access_check_useradd(puppetagent_t)
++
++tunable_policy(`puppetagent_manage_all_files',`
++ files_manage_non_security_files(puppetagent_t)
+ ')
+
+ optional_policy(`
+- cfengine_read_lib_files(puppet_t)
++ mysql_stream_connect(puppetagent_t)
+ ')
+
+ optional_policy(`
+- consoletype_exec(puppet_t)
++ postgresql_stream_connect(puppetagent_t)
+ ')
+
+ optional_policy(`
+- hostname_exec(puppet_t)
++ cfengine_read_lib_files(puppetagent_t)
+ ')
+
+ optional_policy(`
+- mount_domtrans(puppet_t)
++ consoletype_exec(puppetagent_t)
+ ')
+
+ optional_policy(`
+- mta_send_mail(puppet_t)
++ hostname_exec(puppetagent_t)
+ ')
+
+ optional_policy(`
+- portage_domtrans(puppet_t)
+- portage_domtrans_fetch(puppet_t)
+- portage_domtrans_gcc_config(puppet_t)
++ mount_domtrans(puppetagent_t)
+ ')
+
+ optional_policy(`
+- files_rw_var_files(puppet_t)
++ mta_send_mail(puppetagent_t)
++')
+
+- rpm_domtrans(puppet_t)
+- rpm_manage_db(puppet_t)
+- rpm_manage_log(puppet_t)
+optional_policy(`
-+ tunable_policy(`puppet_use_db',`
-+ postgresql_stream_connect(puppet_t)
-+ ')
++ portage_domtrans(puppetagent_t)
++ portage_domtrans_fetch(puppetagent_t)
++ portage_domtrans_gcc_config(puppetagent_t)
')
optional_policy(`
-@@ -196,21 +197,19 @@ optional_policy(`
+- unconfined_domain(puppet_t)
++ files_rw_var_files(puppetagent_t)
++
++ rpm_domtrans(puppetagent_t)
++ rpm_manage_db(puppetagent_t)
++ rpm_manage_log(puppetagent_t)
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
-+ openshift_initrc_domtrans(puppet_t)
++ unconfined_domain_noaudit(puppetagent_t)
')
-+
########################################
#
-# Ca local policy
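Review bot: The agent's database rules `mysql_stream_connect(puppetagent_t)` and `postgresql_stream_connect(puppetagent_t)` are now granted unconditionally inside their `optional_policy` blocks, whereas the previous version of this hunk gated them behind the `puppet_use_db` tunable and the master's equivalents later in this patch are still wrapped in `tunable_policy(`puppetmaster_use_db',...)`; an agent that never talks to a local database gets socket access to both servers by default. Either wrap them in a tunable as the master does (reusing `puppetmaster_use_db` or declaring an agent-specific boolean in the Declarations section) or add a comment explaining why the agent always needs this access. Separately, `unconfined_domain_noaudit(puppetagent_t)` at the end of the hunk makes most of the preceding fine-grained rules and the `puppetagent_manage_all_files` tunable moot whenever the unconfined module is loaded, and if the interface name means what it suggests the `_noaudit` variant also drops the audit records that plain `unconfined_domain` keeps for a few sensitive operations; a comment above it stating why the agent must be unconfined and why the reduced audit trail is acceptable would help the next reviewer.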
@@ -69466,7 +70115,7 @@ index 618dcfe..ca66457 100644
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +220,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +222,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
@@ -69474,7 +70123,7 @@ index 618dcfe..ca66457 100644
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
-@@ -229,15 +229,12 @@ corecmd_exec_shell(puppetca_t)
+@@ -229,15 +231,12 @@ corecmd_exec_shell(puppetca_t)
dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
@@ -69490,107 +70139,148 @@ index 618dcfe..ca66457 100644
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
-@@ -246,99 +243,7 @@ optional_policy(`
+@@ -246,38 +245,47 @@ optional_policy(`
hostname_exec(puppetca_t)
')
--########################################
--#
++optional_policy(`
++ mta_sendmail_access_check(puppetca_t)
++')
++
++
+ ########################################
+ #
-# Master local policy
--#
--
--allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
--allow puppetmaster_t self:process { signal_perms getsched setsched };
--allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
++# Pupper master personal policy
+ #
+
+ allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+ allow puppetmaster_t self:process { signal_perms getsched setsched };
+ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
--allow puppetmaster_t self:socket create;
++allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
+ allow puppetmaster_t self:socket create;
-allow puppetmaster_t self:tcp_socket { accept listen };
--
++allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
++allow puppetmaster_t self:udp_socket create_socket_perms;
+
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
--
++list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
++read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
+
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
--logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
--
++allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
++allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
+ logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
++allow puppetmaster_t puppet_log_t:file relabel_file_perms;
+
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
--
++manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
++manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
++allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
+
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
--files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
--
++setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
++manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
+ files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
++allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
+
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
--files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
--
--kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
--kernel_read_network_state(puppetmaster_t)
--kernel_read_system_state(puppetmaster_t)
--kernel_read_crypto_sysctls(puppetmaster_t)
--kernel_read_kernel_sysctls(puppetmaster_t)
--
--corecmd_exec_bin(puppetmaster_t)
--corecmd_exec_shell(puppetmaster_t)
--
--corenet_all_recvfrom_netlabel(puppetmaster_t)
++manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
++manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
+ files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
++allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
+
+ kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
+ kernel_read_network_state(puppetmaster_t)
+@@ -289,23 +297,24 @@ corecmd_exec_bin(puppetmaster_t)
+ corecmd_exec_shell(puppetmaster_t)
+
+ corenet_all_recvfrom_netlabel(puppetmaster_t)
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
--corenet_tcp_sendrecv_generic_if(puppetmaster_t)
--corenet_tcp_sendrecv_generic_node(puppetmaster_t)
--corenet_tcp_bind_generic_node(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_if(puppetmaster_t)
+ corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+ corenet_tcp_bind_generic_node(puppetmaster_t)
-
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
--corenet_tcp_bind_puppet_port(puppetmaster_t)
+ corenet_tcp_bind_puppet_port(puppetmaster_t)
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
--
--dev_read_rand(puppetmaster_t)
--dev_read_urand(puppetmaster_t)
--dev_search_sysfs(puppetmaster_t)
--
++corenet_sendrecv_puppet_server_packets(puppetmaster_t)
++corenet_tcp_connect_ntop_port(puppetmaster_t)
++
++# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
++corenet_udp_bind_generic_node(puppetmaster_t)
++corenet_udp_bind_generic_port(puppetmaster_t)
+
+ dev_read_rand(puppetmaster_t)
+ dev_read_urand(puppetmaster_t)
+ dev_search_sysfs(puppetmaster_t)
+
-domain_obj_id_change_exemption(puppetmaster_t)
--domain_read_all_domains_state(puppetmaster_t)
--
+ domain_read_all_domains_state(puppetmaster_t)
++domain_obj_id_change_exemption(puppetmaster_t)
+
-files_read_usr_files(puppetmaster_t)
--
--selinux_validate_context(puppetmaster_t)
--
--auth_use_nsswitch(puppetmaster_t)
--
--logging_send_syslog_msg(puppetmaster_t)
--
--miscfiles_read_generic_certs(puppetmaster_t)
+
+ selinux_validate_context(puppetmaster_t)
+
+@@ -314,26 +323,31 @@ auth_use_nsswitch(puppetmaster_t)
+ logging_send_syslog_msg(puppetmaster_t)
+
+ miscfiles_read_generic_certs(puppetmaster_t)
-miscfiles_read_localization(puppetmaster_t)
--
--seutil_read_file_contexts(puppetmaster_t)
--
--sysnet_run_ifconfig(puppetmaster_t, system_r)
--
--optional_policy(`
+
+ seutil_read_file_contexts(puppetmaster_t)
+
+ sysnet_run_ifconfig(puppetmaster_t, system_r)
+
++mta_send_mail(puppetmaster_t)
++
+ optional_policy(`
- hostname_exec(puppetmaster_t)
--')
--
++ tunable_policy(`puppetmaster_use_db',`
++ mysql_stream_connect(puppetmaster_t)
++ ')
+ ')
+
optional_policy(`
- mta_send_mail(puppetmaster_t)
-+ mta_sendmail_access_check(puppetca_t)
++ tunable_policy(`puppetmaster_use_db',`
++ postgresql_stream_connect(puppetmaster_t)
++ ')
')
--optional_policy(`
+ optional_policy(`
- mysql_stream_connect(puppetmaster_t)
--')
--
--optional_policy(`
++ systemd_dbus_chat_timedated(puppetmaster_t)
+ ')
+
+ optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
--')
--
--optional_policy(`
-- files_read_usr_symlinks(puppetmaster_t)
--
-- rpm_exec(puppetmaster_t)
-- rpm_read_db(puppetmaster_t)
--')
++ hostname_exec(puppetmaster_t)
+ ')
+
+ optional_policy(`
+@@ -342,3 +356,9 @@ optional_policy(`
+ rpm_exec(puppetmaster_t)
+ rpm_read_db(puppetmaster_t)
+ ')
++
++optional_policy(`
++ usermanage_access_check_groupadd(puppetmaster_t)
++ usermanage_access_check_passwd(puppetmaster_t)
++ usermanage_access_check_useradd(puppetmaster_t)
++')
diff --git a/pwauth.fc b/pwauth.fc
index 7e7b444..e2f8687 100644
--- a/pwauth.fc
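Review bot: `mta_send_mail(puppetmaster_t)` is added as a bare rule between `sysnet_run_ifconfig(puppetmaster_t, system_r)` and the first `optional_policy` block, whereas the previous version kept it inside `optional_policy(`...')` and the agent's `mta_send_mail(puppetagent_t)` earlier in this patch is still wrapped; unless mta is part of the base policy in this build, the unwrapped call fails when the mta module is absent, so it should read `optional_policy(` mta_send_mail(puppetmaster_t) ')` for consistency. `allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;` sits in the `puppetmaster_tmp_t` block and is the only rule there naming the agent's tmp type — presumably a slip for `puppetmaster_tmp_t`; confirm which is intended. The new section header reads `# Pupper master personal policy` while the file's other headers use the `# <name> local policy` form, so `# Puppet master local policy` would match, and `Puppermasterd` in the comment above `corenet_udp_bind_generic_node` carries the same typo. That comment already flags the generic UDP port binding as needing investigation; recording the observed port range there would make it possible to narrow the rule later.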
@@ -72141,10 +72831,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b..c93b852 100644
+index 8644d8b..2ba5770 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -5,92 +5,121 @@ policy_module(quantum, 1.1.0)
+@@ -5,92 +5,127 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@@ -72189,7 +72879,7 @@ index 8644d8b..c93b852 100644
-allow quantum_t self:key manage_key_perms;
-allow quantum_t self:tcp_socket { accept listen };
-allow quantum_t self:unix_stream_socket { accept listen };
-+allow neutron_t self:capability { setgid setuid sys_resource net_admin sys_admin };
++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin };
+allow neutron_t self:process { setsched setrlimit };
+allow neutron_t self:fifo_file rw_fifo_file_perms;
+allow neutron_t self:key manage_key_perms;
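Review bot: The capability set for `neutron_t` grows by `sys_ptrace` and `kill` with no comment saying which operation needed them; `sys_ptrace` lets the domain inspect other processes' state and is normally the last capability a network service should hold. From the hunk alone I cannot tell whether the need is reading `/proc` entries of its own helpers or signalling daemons it spawns, in which case narrower process rules against the specific target domain may suffice. Otherwise add a comment above the `allow neutron_t self:capability` line naming the triggering denial, e.g. `# sys_ptrace/kill: <neutron operation that requires them>`.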
@@ -72202,37 +72892,39 @@ index 8644d8b..c93b852 100644
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
-+
-+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
-+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
-+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
-+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
-+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
++manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
++files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
-+can_exec(neutron_t, neutron_tmp_t)
++manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
++files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
++can_exec(neutron_t, neutron_tmp_t)
+
+-can_exec(quantum_t, quantum_tmp_t)
+kernel_read_kernel_sysctls(neutron_t)
+kernel_read_system_state(neutron_t)
+kernel_read_network_state(neutron_t)
+kernel_request_load_module(neutron_t)
--can_exec(quantum_t, quantum_tmp_t)
+-kernel_read_kernel_sysctls(quantum_t)
+-kernel_read_system_state(quantum_t)
+corecmd_exec_shell(neutron_t)
+corecmd_exec_bin(neutron_t)
--kernel_read_kernel_sysctls(quantum_t)
--kernel_read_system_state(quantum_t)
+-corecmd_exec_shell(quantum_t)
+-corecmd_exec_bin(quantum_t)
+corenet_all_recvfrom_unlabeled(neutron_t)
+corenet_all_recvfrom_netlabel(neutron_t)
+corenet_tcp_sendrecv_generic_if(neutron_t)
@@ -72240,82 +72932,86 @@ index 8644d8b..c93b852 100644
+corenet_tcp_sendrecv_all_ports(neutron_t)
+corenet_tcp_bind_generic_node(neutron_t)
--corecmd_exec_shell(quantum_t)
--corecmd_exec_bin(quantum_t)
-+corenet_tcp_bind_neutron_port(neutron_t)
-+corenet_tcp_connect_keystone_port(neutron_t)
-+corenet_tcp_connect_amqp_port(neutron_t)
-+corenet_tcp_connect_mysqld_port(neutron_t)
-
-corenet_all_recvfrom_unlabeled(quantum_t)
-corenet_all_recvfrom_netlabel(quantum_t)
-corenet_tcp_sendrecv_generic_if(quantum_t)
-corenet_tcp_sendrecv_generic_node(quantum_t)
-corenet_tcp_sendrecv_all_ports(quantum_t)
-corenet_tcp_bind_generic_node(quantum_t)
-+domain_named_filetrans(neutron_t)
++corenet_tcp_bind_neutron_port(neutron_t)
++corenet_tcp_connect_keystone_port(neutron_t)
++corenet_tcp_connect_amqp_port(neutron_t)
++corenet_tcp_connect_mysqld_port(neutron_t)
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
++domain_named_filetrans(neutron_t)
+
+-files_read_usr_files(quantum_t)
+dev_read_sysfs(neutron_t)
+dev_read_urand(neutron_t)
+dev_mounton_sysfs(neutron_t)
+dev_mount_sysfs_fs(neutron_t)
-
--files_read_usr_files(quantum_t)
-+auth_use_nsswitch(neutron_t)
++dev_unmount_sysfs_fs(neutron_t)
-auth_use_nsswitch(quantum_t)
-+libs_exec_ldconfig(neutron_t)
++files_mounton_non_security(neutron_t)
-libs_exec_ldconfig(quantum_t)
-+logging_send_audit_msgs(neutron_t)
-+logging_send_syslog_msg(neutron_t)
++auth_use_nsswitch(neutron_t)
-logging_send_audit_msgs(quantum_t)
-logging_send_syslog_msg(quantum_t)
-+sysnet_exec_ifconfig(neutron_t)
-+sysnet_filetrans_named_content_ifconfig(neutron_t)
++libs_exec_ldconfig(neutron_t)
-miscfiles_read_localization(quantum_t)
-+optional_policy(`
-+ brctl_domtrans(neutron_t)
-+')
++logging_send_audit_msgs(neutron_t)
++logging_send_syslog_msg(neutron_t)
-sysnet_domtrans_ifconfig(quantum_t)
-+optional_policy(`
-+ dnsmasq_domtrans(neutron_t)
-+')
++sysnet_exec_ifconfig(neutron_t)
++sysnet_manage_ifconfig_run(neutron_t)
++sysnet_filetrans_named_content_ifconfig(neutron_t)
optional_policy(`
- brctl_domtrans(quantum_t)
-+ iptables_domtrans(neutron_t)
++ brctl_domtrans(neutron_t)
')
optional_policy(`
- mysql_stream_connect(quantum_t)
- mysql_read_config(quantum_t)
-+ mysql_stream_connect(neutron_t)
-+ mysql_read_config(neutron_t)
++ dnsmasq_domtrans(neutron_t)
++ dnsmasq_signal(neutron_t)
++ dnsmasq_read_state(neutron_t)
++')
- mysql_tcp_connect(quantum_t)
-+ mysql_tcp_connect(neutron_t)
++optional_policy(`
++ iptables_domtrans(neutron_t)
')
optional_policy(`
- postgresql_stream_connect(quantum_t)
- postgresql_unpriv_client(quantum_t)
++ mysql_stream_connect(neutron_t)
++ mysql_read_config(neutron_t)
+
+- postgresql_tcp_connect(quantum_t)
++ mysql_tcp_connect(neutron_t)
+ ')
++
++optional_policy(`
+ postgresql_stream_connect(neutron_t)
+ postgresql_unpriv_client(neutron_t)
+
+ postgresql_tcp_connect(neutron_t)
+')
-
-- postgresql_tcp_connect(quantum_t)
++
+optional_policy(`
+ openvswitch_domtrans(neutron_t)
+ openvswitch_stream_connect(neutron_t)
- ')
++')
+
+optional_policy(`
+ sudo_exec(neutron_t)
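Review bot: `files_mounton_non_security(neutron_t)` (one of the `++` additions in the middle of the hunk) grants mounton over every non-security file type, which is far broader than the sysfs-specific `dev_mounton_sysfs(neutron_t)` and `dev_mount_sysfs_fs(neutron_t)` the same block already carries; if the denial behind it was for one particular mount point, a targeted interface or a dedicated type would keep the domain much tighter. At minimum a comment naming the mount target, e.g. `# mounton needed for <mount point from the original denial — confirm>`, would let the next reviewer judge whether the wide grant is still required. The neutron_t local policy block starts and ends outside this hunk.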
@@ -75089,7 +75785,7 @@ index 327baf0..d8691bd 100644
+
# Remote login currently has no file contexts.
diff --git a/remotelogin.if b/remotelogin.if
-index a9ce68e..31be971 100644
+index a9ce68e..92520aa 100644
--- a/remotelogin.if
+++ b/remotelogin.if
@@ -1,4 +1,4 @@
@@ -75113,24 +75809,23 @@ index a9ce68e..31be971 100644
##
##
##
-@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
+@@ -39,8 +38,7 @@ interface(`remotelogin_signal',`
- allow $1 remote_login_t:process signal;
- ')
--
--########################################
--##
+ ########################################
+ ##
-## Create, read, write, and delete
-## remote login temporary content.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
++## allow Domain to signal remote login domain.
+ ##
+ ##
+ ##
+@@ -48,32 +46,10 @@ interface(`remotelogin_signal',`
+ ##
+ ##
+ #
-interface(`remotelogin_manage_tmp_content',`
-- gen_require(`
++interface(`remotelogin_signull',`
+ gen_require(`
- type remote_login_tmp_t;
- ')
-
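Review bot: The summary added for the new interface, `++## allow Domain to signal remote login domain.`, describes what `remotelogin_signal` already does, but the interface it documents is `remotelogin_signull`, which (in the following hunk) allows only `remote_login_t:process signull`; the summary should read `## Send a null signal to the remote login domain.` so callers do not pick it expecting signal rights. Refpolicy summaries also open with a verb and do not capitalise "Domain". The interface body continues into the next hunk.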
@@ -75152,12 +75847,14 @@ index a9ce68e..31be971 100644
-interface(`remotelogin_relabel_tmp_content',`
- gen_require(`
- type remote_login_tmp_t;
-- ')
--
++ type remote_login_t;
+ ')
+
- files_search_tmp($1)
- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
- allow $1 remote_login_tmp_t:file relabel_file_perms;
--')
++ allow $1 remote_login_t:process signull;
+ ')
diff --git a/remotelogin.te b/remotelogin.te
index ae30871..43fd6e8 100644
--- a/remotelogin.te
@@ -84333,10 +85030,10 @@ index 0000000..89bc443
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
-index 0000000..b12aada
+index 0000000..62a9666
--- /dev/null
+++ b/sandbox.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,63 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
@@ -84382,6 +85079,7 @@ index 0000000..b12aada
+')
+
+kernel_dontaudit_read_system_state(sandbox_domain)
++kernel_dontaudit_getattr_core_if(sandbox_domain)
+
+corecmd_exec_all_executables(sandbox_domain)
+
@@ -97562,7 +98260,7 @@ index 1c35171..2cba4df 100644
domain_system_change_exemption($1)
role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..f50c3ff 100644
+index 9d4d8cb..a58e2dd 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -97574,7 +98272,7 @@ index 9d4d8cb..f50c3ff 100644
type varnishd_tmp_t;
files_tmp_file(varnishd_tmp_t)
-@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
+@@ -43,16 +43,16 @@ type varnishlog_var_run_t;
files_pid_file(varnishlog_var_run_t)
type varnishlog_log_t;
@@ -97583,9 +98281,11 @@ index 9d4d8cb..f50c3ff 100644
########################################
#
-@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
+ # Local policy
+ #
- allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
+-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };
dontaudit varnishd_t self:capability sys_tty_config;
-allow varnishd_t self:process signal;
+allow varnishd_t self:process { execmem signal };
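Review bot: The new `chown` in `++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown };` lands without any comment on why the daemon needs to change file ownership; with `dac_override` already in the set, the effective reach of chown is bounded only by the file types varnishd_t may setattr, which are not visible in this hunk. The reason should be recorded next to the rule, e.g. `# chown: needed when varnishd re-owns <files from the original denial — confirm> after dropping privileges`, since the changelog only says "varnishd wants chown capability" and does not tell a later reviewer whether a narrower fix (correct ownership at install time) was considered.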
@@ -97727,7 +98427,7 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 87da8a2..9148a0d 100644
+index 87da8a2..13f2f44 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -97738,7 +98438,7 @@ index 87da8a2..9148a0d 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
-@@ -39,20 +40,21 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,23 +40,26 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
@@ -97764,6 +98464,11 @@ index 87da8a2..9148a0d 100644
userdom_read_all_users_state(vdagent_t)
++xserver_read_xdm_state(vdagent_t)
++
+ optional_policy(`
+ dbus_system_bus_client(vdagent_t)
+
diff --git a/vhostmd.if b/vhostmd.if
index 22edd58..c3a5364 100644
--- a/vhostmd.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 57bb4e8..0872a60 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,14 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 40%{?dist}
+Release: 45%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
patch: policy-rawhide-base.patch
patch1: policy-rawhide-contrib.patch
+patch2: policy-rawhide-base-user_tmp.patch
+patch3: policy-rawhide-contrib-user_tmp.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
Source2: booleans-targeted.conf
@@ -319,9 +321,11 @@ Based off of reference policy: Checked out revision 2.20091117
%prep
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
+%patch3 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch -p1
+%patch2 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
@@ -584,6 +588,46 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 8 2014 Miroslav Grepl 3.13.1-45
+Rename puppet_t to puppetagent_t and used it only for puppet agent which can be started by init. Also make it as unconfined_noaudit because there is no reason to confine it but we wantto avoid init_t.
+
+* Tue Apr 8 2014 Miroslav Grepl 3.13.1-44
+- Change hsperfdata_root to have as user_tmp_t
+- Allow rsyslog low-level network access
+- Fix use_nfs_home_dirs/use_samba_home_dirs for xdm_t to allow append .xsession-errors by lightdm
+- Allow conman to resolve DNS and use user ptys
+- update pegasus_openlmi_admin_t policy
+- nslcd wants chown capability
+- Dontaudit exec insmod in boinc policy
+
+* Fri Apr 4 2014 Miroslav Grepl 3.13.1-43
+- Add labels for /var/named/chroot_sdb/dev devices
+- Add support for strongimcv
+- Add additional fixes for yubikeys based on william@firstyear.id.au
+- Allow init_t run /sbin/augenrules
+- Remove dup decl for dev_unmount_sysfs_fs
+- Allow unpriv SELinux user to use sandbox
+- Fix ntp_filetrans_named_content for sntp-kod file
+- Add httpd_dbus_sssd boolean
+- Dontaudit exec insmod in boinc policy
+- Add dbus_filetrans_named_content_system()
+- We want to label only /usr/bin/start-puppet-master to avoid puppet agent running in puppet_t
+- varnishd wants chown capability
+- update ntp_filetrans_named_content() interface
+- Add additional fixes for neutron_t. #1083335
+- Dontaudit sandbox_t getattr on proc_kcore_t
+- Allow pki_tomcat_t to read ipa lib files
+
+* Tue Apr 1 2014 Miroslav Grepl 3.13.1-42
+- Merge user_tmp_t and user_tmpfs_t together to have only user_tmp_t
+
+* Thu Mar 27 2014 Miroslav Grepl 3.13.1-41
+- Turn on gear_port_t
+- Add gear policy and remove permissive domains.
+- Add labels for ostree
+- Add SELinux awareness for NM
+- Label /usr/sbin/pwhistory_helper as updpwd_exec_t
+
* Wed Mar 26 2014 Miroslav Grepl 3.13.1-40
- update storage_filetrans_all_named_dev for sg* devices
- Allow auditctl_t to getattr on all removeable devices