-@@ -161,18 +164,22 @@ interface(`tftp_filetrans_tftpdir',`
+@@ -161,18 +202,22 @@ interface(`tftp_filetrans_tftpdir',`
interface(`tftp_admin',`
gen_require(`
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
@@ -95177,10 +95207,10 @@ index facdee8..43128c6 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..d58e3de 100644
+index f03dcf5..6771aec 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,150 +1,176 @@
+@@ -1,150 +1,190 @@
-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
@@ -95318,17 +95348,29 @@ index f03dcf5..d58e3de 100644
-attribute virt_image_type;
-attribute virt_tmp_type;
-attribute virt_tmpfs_type;
--
++##
++##
++## Allow confined virtual guests to use usb devices
++##
++##
++gen_tunable(virt_use_usb, true)
+
-attribute svirt_lxc_domain;
--
++##
++##
++## Allow sandbox containers to use netlink system calls
++##
++##
++gen_tunable(virt_sandbox_use_netlink, false)
+
-attribute_role virt_domain_roles;
-roleattribute system_r virt_domain_roles;
+##
+##
-+## Allow confined virtual guests to use usb devices
++## Allow sandbox containers to send audit messages
+##
+##
-+gen_tunable(virt_use_usb, true)
++gen_tunable(virt_sandbox_use_audit, false)
-attribute_role virt_bridgehelper_roles;
-roleattribute system_r virt_bridgehelper_roles;
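Review bot: The description added for virt_sandbox_use_netlink, `Allow sandbox containers to use netlink system calls`, does not say what the boolean actually gates. In the later hunks of this patch it controls creation of three socket classes (netlink_socket, netlink_tcpdiag_socket and netlink_kobject_uevent_socket), and netlink is a socket family rather than a system call. Wording such as `Allow sandbox containers to create generic, tcpdiag and kobject_uevent netlink sockets` would tell an administrator what they are enabling. Both new booleans default to false while the rules they now guard were unconditional before, so the description or the changelog should also say that existing containers lose these permissions until the boolean is set.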
@@ -95430,7 +95472,7 @@ index f03dcf5..d58e3de 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -153,299 +179,144 @@ ifdef(`enable_mls',`
+@@ -153,299 +193,144 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -95731,13 +95773,13 @@ index f03dcf5..d58e3de 100644
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_sendrecv_all_server_packets(svirt_t)
-corenet_udp_bind_all_ports(svirt_t)
-corenet_tcp_bind_all_ports(svirt_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-corenet_sendrecv_all_client_packets(svirt_t)
-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -95816,7 +95858,7 @@ index f03dcf5..d58e3de 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -455,42 +326,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +340,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -95863,29 +95905,29 @@ index f03dcf5..d58e3de 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -503,16 +361,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,16 +375,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -520,6 +374,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -520,6 +388,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -95893,7 +95935,7 @@ index f03dcf5..d58e3de 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -527,24 +382,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +396,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -95921,7 +95963,7 @@ index f03dcf5..d58e3de 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -555,22 +402,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +416,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -95954,7 +95996,7 @@ index f03dcf5..d58e3de 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -601,15 +453,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +467,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -95974,7 +96016,7 @@ index f03dcf5..d58e3de 100644
selinux_validate_context(virtd_t)
-@@ -620,18 +475,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +489,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -96011,7 +96053,7 @@ index f03dcf5..d58e3de 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -640,7 +503,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +517,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -96020,7 +96062,7 @@ index f03dcf5..d58e3de 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -665,20 +528,12 @@ optional_policy(`
+@@ -665,20 +542,12 @@ optional_policy(`
')
optional_policy(`
@@ -96041,7 +96083,7 @@ index f03dcf5..d58e3de 100644
')
optional_policy(`
-@@ -691,20 +546,26 @@ optional_policy(`
+@@ -691,20 +560,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -96072,7 +96114,7 @@ index f03dcf5..d58e3de 100644
')
optional_policy(`
-@@ -712,11 +573,13 @@ optional_policy(`
+@@ -712,11 +587,13 @@ optional_policy(`
')
optional_policy(`
@@ -96086,7 +96128,7 @@ index f03dcf5..d58e3de 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -727,10 +590,18 @@ optional_policy(`
+@@ -727,10 +604,18 @@ optional_policy(`
')
optional_policy(`
@@ -96105,7 +96147,7 @@ index f03dcf5..d58e3de 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -746,44 +617,264 @@ optional_policy(`
+@@ -746,44 +631,264 @@ optional_policy(`
udev_read_pid_files(virtd_t)
')
@@ -96205,7 +96247,7 @@ index f03dcf5..d58e3de 100644
-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-+
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
@@ -96217,7 +96259,7 @@ index f03dcf5..d58e3de 100644
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
-
++
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_dontaudit_getattr_all(virt_domain)
@@ -96392,7 +96434,7 @@ index f03dcf5..d58e3de 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -794,25 +885,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +899,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -96419,7 +96461,7 @@ index f03dcf5..d58e3de 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -821,23 +905,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +919,23 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -96452,7 +96494,7 @@ index f03dcf5..d58e3de 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -856,14 +940,20 @@ optional_policy(`
+@@ -856,14 +954,20 @@ optional_policy(`
')
optional_policy(`
@@ -96474,7 +96516,7 @@ index f03dcf5..d58e3de 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -888,49 +978,65 @@ optional_policy(`
+@@ -888,49 +992,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -96558,7 +96600,7 @@ index f03dcf5..d58e3de 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -942,17 +1048,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1062,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -96578,7 +96620,7 @@ index f03dcf5..d58e3de 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -964,8 +1069,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1083,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -96602,7 +96644,7 @@ index f03dcf5..d58e3de 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1094,246 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1108,256 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -96729,11 +96771,6 @@ index f03dcf5..d58e3de 100644
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
-+
-+optional_policy(`
-+ apache_exec_modules(svirt_sandbox_domain)
-+ apache_read_sys_content(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -96818,17 +96855,22 @@ index f03dcf5..d58e3de 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
++ apache_exec_modules(svirt_sandbox_domain)
++ apache_read_sys_content(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ ssh_use_ptys(svirt_sandbox_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
+
@@ -96853,15 +96895,14 @@ index f03dcf5..d58e3de 100644
-allow svirt_lxc_net_t self:packet_socket create_socket_perms;
-allow svirt_lxc_net_t self:socket create_socket_perms;
-allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
-+allow svirt_lxc_net_t self:process { execstack execmem };
- allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
+-allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
-+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
- allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
-
+-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
+-
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
--
++allow svirt_lxc_net_t self:process { execstack execmem };
+
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
@@ -96872,13 +96913,18 @@ index f03dcf5..d58e3de 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
++ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
--
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
+kernel_read_irq_sysctls(svirt_lxc_net_t)
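Review bot: The virt_sandbox_use_netlink block added here for svirt_lxc_net_t is repeated rule for rule for svirt_qemu_net_t and svirt_kvm_net_t in later hunks, so one boolean is consulted in three hand-maintained copies. If all three types carry the sandbox_net_domain attribute that this patch already uses for the svirt_home_t rules (the attribute assignments are not visible in these hunks, so please confirm), a single conditional block with rules of the form `allow sandbox_net_domain self:netlink_socket create_socket_perms;` would keep the domains from drifting apart when a class is added or dropped. Either way, a comment above the block should state that the boolean is global: `# virt_sandbox_use_netlink applies to every sandbox net type, not to a single container`. Without that, an administrator enabling it for one LXC workload may not realise the qemu and kvm sandbox types receive the same sockets.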
@@ -96896,22 +96942,25 @@ index f03dcf5..d58e3de 100644
fs_manage_cgroup_dirs(svirt_lxc_net_t)
-fs_rw_cgroup_files(svirt_lxc_net_t)
+fs_manage_cgroup_files(svirt_lxc_net_t)
-+
+
+-auth_use_nsswitch(svirt_lxc_net_t)
+term_pty(svirt_sandbox_file_t)
- auth_use_nsswitch(svirt_lxc_net_t)
+-logging_send_audit_msgs(svirt_lxc_net_t)
++auth_use_nsswitch(svirt_lxc_net_t)
+-userdom_use_user_ptys(svirt_lxc_net_t)
+rpm_read_db(svirt_lxc_net_t)
-+
- logging_send_audit_msgs(svirt_lxc_net_t)
-
- userdom_use_user_ptys(svirt_lxc_net_t)
-optional_policy(`
- rpm_read_db(svirt_lxc_net_t)
--')
--
++tunable_policy(`virt_sandbox_use_audit',`
++ logging_send_audit_msgs(svirt_lxc_net_t)
+ ')
+
-#######################################
++userdom_use_user_ptys(svirt_lxc_net_t)
++
+########################################
#
-# Prot exec local policy
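Review bot: Wrapping `logging_send_audit_msgs(svirt_lxc_net_t)` in virt_sandbox_use_audit comes with no comment explaining why it is off by default, and the same gate appears without one for svirt_qemu_net_t and svirt_kvm_net_t in later hunks. A line such as `# Off by default: a sandbox allowed to send audit messages can add records to the host audit trail` above the block would tell the next maintainer that the default is deliberate, assuming that is the intent. Since the call was unconditional before this change, programs inside a container that emit audit records will be denied until the boolean is set. That is worth stating in the changelog so the resulting AVC denials are not mistaken for a policy bug.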
@@ -96923,9 +96972,12 @@ index f03dcf5..d58e3de 100644
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execstack execmem };
-+allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
-+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+
+manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
+manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t)
@@ -96947,13 +96999,13 @@ index f03dcf5..d58e3de 100644
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
+
+kernel_read_irq_sysctls(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+dev_read_sysfs(svirt_qemu_net_t)
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+files_read_kernel_modules(svirt_qemu_net_t)
+
+fs_noxattr_type(svirt_sandbox_file_t)
@@ -96967,7 +97019,9 @@ index f03dcf5..d58e3de 100644
+
+rpm_read_db(svirt_qemu_net_t)
+
-+logging_send_audit_msgs(svirt_qemu_net_t)
++tunable_policy(`virt_sandbox_use_audit',`
++ logging_send_audit_msgs(svirt_qemu_net_t)
++')
+
+userdom_use_user_ptys(svirt_qemu_net_t)
@@ -96985,7 +97039,7 @@ index f03dcf5..d58e3de 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1174,12 +1346,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1370,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -97000,7 +97054,7 @@ index f03dcf5..d58e3de 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1192,9 +1364,8 @@ optional_policy(`
+@@ -1192,9 +1388,8 @@ optional_policy(`
########################################
#
@@ -97011,7 +97065,7 @@ index f03dcf5..d58e3de 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1378,193 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1402,198 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -97148,9 +97202,12 @@ index f03dcf5..d58e3de 100644
+
+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
-+allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
-+allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
-+allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++tunable_policy(`virt_sandbox_use_netlink',`
++ allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
++ allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
++ allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
++')
+
+term_use_generic_ptys(svirt_kvm_net_t)
+term_use_ptmx(svirt_kvm_net_t)
@@ -97185,7 +97242,9 @@ index f03dcf5..d58e3de 100644
+
+rpm_read_db(svirt_kvm_net_t)
+
-+logging_send_audit_msgs(svirt_kvm_net_t)
++tunable_policy(`virt_sandbox_use_audit',`
++ logging_send_audit_msgs(svirt_kvm_net_t)
++')
+
+userdom_use_user_ptys(svirt_kvm_net_t)
+