diff --git a/config.tgz b/config.tgz index 4f55b2e..89c20a6 100644 Binary files a/config.tgz and b/config.tgz differ diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index d6a30a1..493d4a2 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -2436,3 +2436,10 @@ minissdpd = module # based on IntelligentPlatform Management Interface specification # freeipmi = module + +# Layer: contrib +# Module: freeipmi +# +# ipa policy module contain SELinux policies for IPA services +# +ipa = module diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0dea9cd..85fde71 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -71,6 +71,24 @@ index 881a292..80110a4 100644 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts +new file mode 100644 +index 0000000..b8fda95 +--- /dev/null ++++ b/config/appconfig-mcs/sysadm_u_default_contexts +@@ -0,0 +1,12 @@ ++system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 ++system_r:crond_t:s0 sysadm_r:sysadm_t:s0 ++system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++ diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts new file mode 100644 index 0000000..ff32acc 
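Review bot: The header comment added above the new `ipa = module` line still says `# Module: freeipmi`, so the block documents the wrong module; it should read `# Module: ipa`. The description sentence also has a grammar slip: `# ipa policy module contain SELinux policies for IPA services` should be `# ipa policy module contains SELinux policies for IPA services`. The Layer/Module header is what readers and tooling use to locate a module's entry in this file, so a copy-paste leftover here is worth fixing before it propagates.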
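Review bot: The new `sysadm_u_default_contexts` file added in this hunk (the nested `+@@ -0,0 +1,12 @@` block) lists `sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0` and `sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0` twice, and its twelfth line is empty. The duplicates do not change the lookup result but make the file look like an unfinished merge, and the identical 12-line content (blob b8fda95) is added again for appconfig-standard in the next hunk. Dropping the repeated pair and the trailing blank line in both copies keeps the mapping readable.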
@@ -144,6 +162,24 @@ index c2a5ea8..f63999e 100644 system_r:xdm_t staff_r:staff_t staff_r:staff_su_t staff_r:staff_t staff_r:staff_sudo_t staff_r:staff_t +diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts +new file mode 100644 +index 0000000..b8fda95 +--- /dev/null ++++ b/config/appconfig-standard/sysadm_u_default_contexts +@@ -0,0 +1,12 @@ ++system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 ++system_r:crond_t:s0 sysadm_r:sysadm_t:s0 ++system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++ diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts new file mode 100644 index 0000000..ff32acc @@ -5363,7 +5399,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..a5e72c3 100644 +index b191055..4dec289 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) 
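Review bot: The `config/appconfig-standard/sysadm_u_default_contexts` file added in this hunk carries `:s0` levels on every context (it is byte-identical to the appconfig-mcs copy, blob b8fda95), while the surrounding appconfig-standard context lines in the same hunk, such as `system_r:xdm_t staff_r:staff_t`, carry none. If appconfig-standard is what gets installed for builds without MLS/MCS support, the level-suffixed contexts would presumably be invalid there and the sysadm_u default-context lookup would silently fall through — worth confirming against the build. The standard copy should most likely use the level-less form, e.g. `system_r:local_login_t sysadm_r:sysadm_t`.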
@@ -5474,7 +5510,7 @@ index b191055..a5e72c3 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -119,20 +143,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,20 +143,28 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5491,6 +5527,7 @@ index b191055..a5e72c3 100644 -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) ++network_port(freeipmi, tcp,9225,s0, udp,9225,s0) +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) @@ -5504,7 +5541,7 @@ index b191055..a5e72c3 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +171,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +172,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) 
@@ -5571,7 +5608,7 @@ index b191055..a5e72c3 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,26 +224,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,26 +225,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5610,7 +5647,7 @@ index b191055..a5e72c3 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,39 +261,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -215,39 +262,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5663,7 +5700,7 @@ index b191055..a5e72c3 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -259,8 +311,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -259,8 +312,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5674,7 +5711,7 @@ index b191055..a5e72c3 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0) -@@ -271,10 +324,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -271,10 +325,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) 
@@ -5687,7 +5724,7 @@ index b191055..a5e72c3 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +341,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +342,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5714,7 +5751,7 @@ index b191055..a5e72c3 100644 ######################################## # -@@ -333,6 +390,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +391,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5723,7 +5760,7 @@ index b191055..a5e72c3 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +404,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +405,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -5779,7 +5816,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..e4d61f5 100644 +index b31c054..53df7ae 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ 
@@ -5846,7 +5883,16 @@ index b31c054..e4d61f5 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -198,12 +208,22 @@ ifdef(`distro_debian',` +@@ -172,6 +182,8 @@ ifdef(`distro_suse', ` + /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) + ++/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0) ++ + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) +@@ -198,12 +210,22 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -5872,7 +5918,7 @@ index b31c054..e4d61f5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..2b2f4b0 100644 +index 76f285e..9f56be1 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7400,7 +7446,7 @@ index 76f285e..2b2f4b0 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5641,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5641,945 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -7551,6 +7597,7 @@ index 76f285e..2b2f4b0 100644 +gen_require(` + type device_t; + type usb_device_t; ++ type uhid_device_t; + type sound_device_t; + type apm_bios_t; + type mouse_device_t; 
@@ -8277,6 +8324,7 @@ index 76f285e..2b2f4b0 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") ++ filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid") + dev_filetrans_xserver_named_dev($1) +') + @@ -8345,7 +8393,7 @@ index 76f285e..2b2f4b0 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..e6b93c4 100644 +index 0b1a871..a3a5f7f 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -8411,17 +8459,23 @@ index 0b1a871..e6b93c4 100644 # # Type for /dev/tpm # -@@ -266,6 +275,9 @@ dev_node(usbmon_device_t) +@@ -266,6 +275,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) ++# ++# uhid_device_t is the type for /dev/uhid ++# ++type uhid_device_t; ++dev_node(uhid_device_t) ++ +type vfio_device_t; +dev_node(vfio_device_t) + type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +286,7 @@ dev_node(v4l_device_t) +@@ -274,6 +292,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -8429,7 +8483,7 @@ index 0b1a871..e6b93c4 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +332,5 @@ files_associate_tmp(device_node) +@@ -319,5 +338,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -9347,7 +9401,7 @@ index b876c48..bd5b58c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..7d12144 100644 +index f962f76..70fb827 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
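Review bot: The `type uhid_device_t; dev_node(uhid_device_t)` declaration added in the devices.te hunk has no accompanying access interface in this diff; the only other uses visible are the `gen_require` entry and the `filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")` rule in devices.if. If no `dev_rw_uhid`-style interface exists elsewhere in the patch, the new label effectively denies /dev/uhid to every confined domain until one is written, which may well be intended for a device that can inject virtual HID input but should be stated in the commit or a comment. The comment style also differs from its neighbours, `# uhid_device_t is the type for /dev/uhid` versus the existing `# Type for /dev/tpm`; `# Type for /dev/uhid` would match.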
@@ -11142,7 +11196,33 @@ index f962f76..7d12144 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5596,6 +6637,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5527,6 +6568,25 @@ interface(`files_rw_var_lib_dirs',` + + ######################################## + ## ++## Create directories in /var/lib ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ ++ allow $1 var_lib_t:dir { create rw_dir_perms }; ++') ++ ++ ++######################################## ++## + ## Create objects in the /var/lib directory + ## + ## +@@ -5596,6 +6656,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11168,7 +11248,7 @@ index f962f76..7d12144 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6701,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6720,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11177,7 +11257,7 @@ index f962f76..7d12144 100644 ## ## ## -@@ -5649,12 +6709,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6728,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11193,7 +11273,7 @@ index f962f76..7d12144 100644 ') ######################################## -@@ -5672,6 +6733,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6752,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11201,7 +11281,7 @@ index f962f76..7d12144 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6760,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6779,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## 
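Review bot: The new `files_create_var_lib_dirs` interface grants `allow $1 var_lib_t:dir { create rw_dir_perms };`, which is wider than its name and summary (`Create directories in /var/lib`) state: as I recall, rw_dir_perms includes `write`, `add_name` and `remove_name`, so a caller can also unlink entries directly under /var/lib. If only creation is meant, `create_dirs_pattern($1, var_lib_t, var_lib_t)` is the idiomatic and narrower form; if the wider set is intended, the summary should say so. There is also a double blank line before the following `####` banner where the rest of the file uses one.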
@@ -11229,7 +11309,7 @@ index f962f76..7d12144 100644 ## ## ## -@@ -5706,13 +6787,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +6806,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11246,7 +11326,7 @@ index f962f76..7d12144 100644 ') ######################################## -@@ -5731,7 +6811,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +6830,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11255,7 +11335,7 @@ index f962f76..7d12144 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +6844,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +6863,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11263,7 +11343,7 @@ index f962f76..7d12144 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +6858,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +6877,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11272,7 +11352,7 @@ index f962f76..7d12144 100644 ## ## ## -@@ -5787,13 +6866,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +6885,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11307,7 +11387,7 @@ index f962f76..7d12144 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +6908,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +6927,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11325,7 +11405,7 @@ index f962f76..7d12144 100644 ') ######################################## -@@ -5834,9 +6932,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +6951,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') 
@@ -11336,7 +11416,7 @@ index f962f76..7d12144 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +6974,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +6993,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11346,7 +11426,7 @@ index f962f76..7d12144 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +6996,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7015,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11356,7 +11436,7 @@ index f962f76..7d12144 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7033,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7052,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11366,7 +11446,7 @@ index f962f76..7d12144 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7072,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7091,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11375,7 +11455,7 @@ index f962f76..7d12144 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7092,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7111,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -11424,42 +11504,64 @@ index f962f76..7d12144 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,6 +7156,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,28 +7175,47 @@ interface(`files_dontaudit_search_pids',` ######################################## ## +-## List the contents of the runtime process +-## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_dontaudit_search_all_pids',` + gen_require(` +- type var_t, var_run_t; ++ attribute pidfile; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; + ') + + ######################################## + ## +-## Read generic process ID files. +-## ++## List the contents of the runtime process ++## ID directories (/var/run). +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_search_all_pids',` ++interface(`files_list_pids',` + gen_require(` -+ attribute pidfile; ++ type var_t, var_run_t; + ') + -+ dontaudit $1 pidfile:dir search_dir_perms; ++ files_search_pids($1) ++ list_dirs_pattern($1, var_t, var_run_t) +') + +######################################## +## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -6039,7 +7189,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - ') - -@@ -6058,7 +7208,7 @@ interface(`files_read_generic_pids',` ++## Read generic process ID files. ++## + ## + ## + ## Domain allowed access. +@@ -6058,7 +7227,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') 
@@ -11468,7 +11570,7 @@ index f962f76..7d12144 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7228,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7247,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11477,7 +11579,7 @@ index f962f76..7d12144 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7290,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7309,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11485,36 +11587,11 @@ index f962f76..7d12144 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,7 +7318,7 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7337,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## --## Read and write generic process ID files. +## rw generic pid files inherited from another process - ## - ## - ## -@@ -6177,19 +7326,37 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` -+interface(`files_rw_inherited_generic_pid_files',` - gen_require(` -- type var_t, var_run_t; -+ type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) -+ allow $1 var_run_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of -+## Read and write generic process ID files. +## +## +## 
@@ -11522,252 +11599,359 @@ index f962f76..7d12144 100644 +## +## +# -+interface(`files_rw_generic_pids',` ++interface(`files_rw_inherited_generic_pid_files',` + gen_require(` -+ type var_t, var_run_t; ++ type var_run_t; + ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ rw_files_pattern($1, var_run_t, var_run_t) ++ allow $1 var_run_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to get the attributes of - ## daemon runtime data files. + ## Read and write generic process ID files. ## ## -@@ -6249,6 +7416,116 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6182,7 +7368,7 @@ interface(`files_rw_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6249,55 +7435,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## +-## Read all process ID files. +## Relable all pid directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_read_all_pids',` +interface(`files_relabel_all_pid_dirs',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) + relabel_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process IDs. +## Delete all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_delete_all_pids',` +interface(`files_delete_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 pidfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete all process ID directories. +## Create all pid sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6305,42 +7479,35 @@ interface(`files_delete_all_pids',` + ## + ## + # +-interface(`files_delete_all_pid_dirs',` +interface(`files_create_all_pid_sockets',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; +- type var_t, var_run_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) + allow $1 pidfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Create all pid named pipes -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. 
-+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_create_all_pid_pipes',` -+ gen_require(` -+ attribute pidfile; -+ ') -+ + gen_require(` + attribute pidfile; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 pidfile:fifo_file create_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Delete all pid named pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6348,18 +7515,18 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_pid_pipes',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute pidfile; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 pidfile:fifo_file delete_fifo_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). +## manage all pidfile directories +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6367,37 +7534,40 @@ interface(`files_mounton_all_poly_members',` + ## + ## + # +-interface(`files_search_spool',` +interface(`files_manage_all_pid_dirs',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- search_dirs_pattern($1, var_t, var_spool_t) + manage_dirs_pattern($1,pidfile,pidfile) -+') -+ + ') + + -+######################################## -+## - ## Read all process ID files. + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## Read all process ID files. 
## ## -@@ -6261,12 +7538,86 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_read_all_pids',` gen_require(` - attribute pidfile; -- type var_t, var_run_t; +- type var_spool_t; ++ attribute pidfile; + type var_t; ') -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. +## Relable all pid files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6405,18 +7575,17 @@ interface(`files_dontaudit_search_spool',` + ## + ## + # +-interface(`files_list_spool',` +interface(`files_relabel_all_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) + relabel_files_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). +## Execute generic programs in /var/run in the caller domain. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6424,18 +7593,18 @@ interface(`files_list_spool',` + ## + ## + # +-interface(`files_manage_generic_spool_dirs',` +interface(`files_exec_generic_pid_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type var_run_t; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) + exec_files_pattern($1, var_run_t, var_run_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read generic spool files. +## manage all pidfiles +## in the /var/run directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6443,19 +7612,18 @@ interface(`files_manage_generic_spool_dirs',` + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_manage_all_pids',` + gen_require(` +- type var_t, var_spool_t; ++ attribute pidfile; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) ++ manage_files_pattern($1,pidfile,pidfile) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. ++## Mount filesystems on all polyinstantiation ++## member directories. + ## + ## + ## +@@ -6463,55 +7631,130 @@ interface(`files_read_generic_spool',` + ## + ## + # +-interface(`files_manage_generic_spool',` ++interface(`files_mounton_all_poly_members',` + gen_require(` +- type var_t, var_spool_t; ++ attribute polymember; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) ++ allow $1 polymember:dir mounton; + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. ++## Delete all process IDs. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## ++## ++# ++interface(`files_delete_all_pids',` + gen_require(` + attribute pidfile; ++ type var_t, var_run_t; + ') + -+ manage_files_pattern($1,pidfile,pidfile) ++ files_search_pids($1) ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) +') + +######################################## +## -+## Mount filesystems on all polyinstantiation -+## member directories. ++## Delete all process ID directories. +## +## -+## + ## +-## Type to which the created node will be transitioned. +## Domain allowed access. -+## -+## + ## + ## +-## +# -+interface(`files_mounton_all_poly_members',` ++interface(`files_delete_all_pid_dirs',` + gen_require(` -+ attribute polymember; ++ attribute pidfile; ++ type var_t, var_run_t; + ') + -+ allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -6286,8 +7637,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; - ') - + files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6311,36 +7662,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; - ') - -+ files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## +## Make the specified type a file +## used for spool files. +## 
@@ -11798,11 +11982,14 @@ index f962f76..7d12144 100644 +##

+## +## -+## + ## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +## Type of the file to be used as a +## spool file. -+## -+## + ## + ## +-## +## +# +interface(`files_spool_file',` @@ -11817,76 +12004,334 @@ index f962f76..7d12144 100644 +######################################## +## +## Create all spool sockets - ## - ## ++##
++## ## --## Domain alloed access. +-## The name of the object being created. +## Domain allowed access. ## ## # --interface(`files_manage_all_pids',` +-interface(`files_spool_filetrans',` +interface(`files_create_all_spool_sockets',` gen_require(` -- attribute pidfile; +- type var_t, var_spool_t; + attribute spoolfile; ') -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) + allow $1 spoolfile:sock_file create_sock_file_perms; ') ######################################## ## --## Mount filesystems on all polyinstantiation --## member directories. +-## Allow access to manage all polyinstantiated +-## directories on the system. +## Delete all spool sockets ## ## ## -@@ -6348,12 +7743,33 @@ interface(`files_manage_all_pids',` +@@ -6519,64 +7762,749 @@ interface(`files_spool_filetrans',` ## ## # --interface(`files_mounton_all_poly_members',` +-interface(`files_polyinstantiate_all',` +interface(`files_delete_all_spool_sockets',` gen_require(` -- attribute polymember; +- attribute polydir, polymember, polyparent; +- type poly_t; + attribute spoolfile; ') -- allow $1 polymember:dir mounton; +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 
self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') + allow $1 spoolfile:sock_file delete_sock_file_perms; + ') + + ######################################## + ## +-## Unconfined access to files. ++## Relabel to and from all spool ++## directory types. + ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_unconfined',` ++interface(`files_relabel_all_spool_dirs',` + gen_require(` +- attribute files_unconfined_type; ++ attribute spoolfile; ++ type var_t; + ') + +- typeattribute $1 files_unconfined_type; ++ relabel_dirs_pattern($1, spoolfile, spoolfile) +') + +######################################## +## -+## Relabel to and from all spool -+## directory types. ++## Search the contents of generic spool ++## directories (/var/spool). +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`files_relabel_all_spool_dirs',` ++interface(`files_search_spool',` + gen_require(` -+ attribute spoolfile; -+ type var_t; ++ type var_t, var_spool_t; + ') + -+ relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6580,3 +7996,492 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`files_dontaudit_search_spool',` ++ gen_require(` ++ type var_spool_t; ++ ') ++ ++ dontaudit $1 var_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## List the contents of generic spool ++## (/var/spool) directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool_dirs',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Read generic spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) ++') ++ ++######################################## ++## ++## Create objects in the spool directory ++## with a private type with a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. 
++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_spool_filetrans',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Allow access to manage all polyinstantiated ++## directories on the system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_polyinstantiate_all',` ++ gen_require(` ++ attribute polydir, polymember, polyparent; ++ type poly_t; ++ ') ++ ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') ++') ++ ++######################################## ++## ++## Unconfined access to files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_unconfined',` ++ gen_require(` ++ attribute files_unconfined_type; ++ ') ++ ++ typeattribute $1 files_unconfined_type; ++') + +######################################## +## @@ -12210,6 +12655,7 @@ index f962f76..7d12144 100644 + type tmp_t; + type var_t; + type var_run_t; ++ type var_lock_t; + type tmp_t; + ') + @@ -12224,6 +12670,8 @@ index f962f76..7d12144 100644 + files_root_filetrans($1, usr_t, dir, "emul") + files_root_filetrans($1, var_t, dir, "srv") + files_root_filetrans($1, var_run_t, dir, "run") ++ files_root_filetrans($1, var_run_t, lnk_file, "run") ++ files_root_filetrans($1, var_lock_t, lnk_file, "lock") + files_root_filetrans($1, tmp_t, dir, "sandbox") + files_root_filetrans($1, tmp_t, dir, "tmp") + files_root_filetrans($1, var_t, dir, "nsr") @@ -12247,6 +12695,7 @@ index f962f76..7d12144 100644 + files_tmp_filetrans($1, tmp_t, dir, "hsperfdata_root") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") ++ files_var_filetrans($1, var_run_t, dir, "run") +') + +######################################## @@ -12375,7 +12824,7 @@ index f962f76..7d12144 100644 + ') + + allow $1 etc_t:service status; -+') + ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abd..92d1a8f 100644 --- a/policy/modules/kernel/files.te @@ -14183,7 +14632,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..e7d9f85 100644 +index e100d88..2b0a5b3 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` 
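Review bot: `files_relabel_all_spool_dirs` lists `type var_t;` in its gen_require but never uses it, so the interface grants relabelfrom/relabelto on spoolfile directories without the search on /var that reaching them needs; its siblings in this hunk (`files_manage_generic_spool_dirs`, `files_manage_generic_spool`, `files_spool_filetrans`) pair the same require with `allow $1 var_t:dir search_dir_perms;`. Either add that line after the require block or drop the unused `type var_t;`, whichever matches the intent, so the require list and the rules agree. The rest of the hunk is a relocation of existing interfaces and looks unchanged in substance.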
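Review bot: `files_root_filetrans($1, var_lock_t, lnk_file, "lock")` labels a symlink named `lock` created directly under `/`, which does not fit the neighbouring root entries (`run`, `srv`, `tmp`, `sandbox`); if the intent is the lock-directory symlink under /var, this line belongs with the `files_var_filetrans($1, var_run_t, dir, "run")` added in the next hunk, i.e. `files_var_filetrans($1, var_lock_t, lnk_file, "lock")`. If a root-level `/lock` symlink really is expected, a short comment naming the tool that creates it would stop the next reader asking the same question. The enclosing interface starts outside this hunk, so the surrounding rules could not be checked.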
@@ -14271,7 +14720,33 @@ index e100d88..e7d9f85 100644 ') ######################################## -@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on generic proc entries. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_access_check_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ dontaudit $1 proc_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to + ## read system state information in proc. + ## +@@ -1477,6 +1529,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -14296,7 +14771,7 @@ index e100d88..e7d9f85 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2155,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -14305,7 +14780,7 @@ index e100d88..e7d9f85 100644 ') ######################################## -@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2352,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## @@ -14331,7 +14806,7 @@ index e100d88..e7d9f85 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2395,7 @@ interface(`kernel_read_unlabeled_state',` ## ## ## @@ -14340,7 +14815,7 @@ index e100d88..e7d9f85 100644 ## ## # -@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2577,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## 
@@ -14365,7 +14840,7 @@ index e100d88..e7d9f85 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2632,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -14390,7 +14865,7 @@ index e100d88..e7d9f85 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2667,6 +2773,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2667,6 +2792,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -14415,7 +14890,7 @@ index e100d88..e7d9f85 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2694,6 +2818,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2694,6 +2837,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -14441,7 +14916,7 @@ index e100d88..e7d9f85 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2803,6 +2946,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2803,6 +2965,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') @@ -14475,7 +14950,7 @@ index e100d88..e7d9f85 100644 ######################################## ## -@@ -2958,6 +3128,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2958,6 +3147,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -14500,7 +14975,7 @@ index e100d88..e7d9f85 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2972,5 +3160,300 @@ interface(`kernel_unconfined',` +@@ -2972,5 +3179,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -25519,7 +25994,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') 
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..88c3a2d 100644 +index 09b791d..7345117 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -25830,7 +26305,7 @@ index 09b791d..88c3a2d 100644 ') optional_policy(` -@@ -463,3 +507,133 @@ optional_policy(` +@@ -463,3 +507,134 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -25858,7 +26333,7 @@ index 09b791d..88c3a2d 100644 +manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) -+files_var_filetrans(login_pgm, auth_cache_t, dir) ++files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey") + +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) +manage_files_pattern(login_pgm, auth_home_t, auth_home_t) @@ -25906,6 +26381,7 @@ index 09b791d..88c3a2d 100644 +logging_set_tty_audit(login_pgm) + +miscfiles_dontaudit_write_generic_cert_files(login_pgm) ++miscfiles_filetrans_named_content(login_pgm) + +seutil_read_config(login_pgm) +seutil_read_login_config(login_pgm) @@ -27928,7 +28404,7 @@ index 79a45f6..edf52ea 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..641bae3 100644 +index 17eda24..3ac9985 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -28971,12 +29447,14 @@ index 17eda24..641bae3 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,12 +1327,33 @@ optional_policy(` +@@ -857,12 +1327,35 @@ optional_policy(` ') optional_policy(` + virt_read_config(init_t) + virt_stream_connect(init_t) ++ virt_noatsecure(init_t) ++ virt_rlimitinh(init_t) +') + +optional_policy(` 
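Review bot: `virt_noatsecure(init_t)` makes the transition from init_t into the virt domains skip AT_SECURE, so the dynamic loader in the started process honours inherited `LD_*`-style environment instead of sanitizing it, and nothing in the hunk records which virt executable needs that; `virt_rlimitinh(init_t)` is likewise unexplained. Because init_t builds the environment itself the exposure looks bounded, but both grants should carry a why-comment, e.g. `# noatsecure/rlimitinh: <virt daemon> started by init keeps its environment and rlimits (AVC: …)`. The enclosing optional_policy block continues outside the hunk.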
@@ -29006,7 +29484,7 @@ index 17eda24..641bae3 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -872,6 +1363,18 @@ optional_policy(` +@@ -872,6 +1365,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -29025,7 +29503,7 @@ index 17eda24..641bae3 100644 ') optional_policy(` -@@ -887,6 +1390,10 @@ optional_policy(` +@@ -887,6 +1392,10 @@ optional_policy(` ') optional_policy(` @@ -29036,7 +29514,7 @@ index 17eda24..641bae3 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1404,218 @@ optional_policy(` +@@ -897,3 +1406,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -30692,7 +31170,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 446fa99..d4b6b3b 100644 +index 446fa99..050a2ac 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) @@ -30816,7 +31294,16 @@ index 446fa99..d4b6b3b 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,37 +211,57 @@ allow sulogin_t self:sem create_sem_perms; +@@ -202,7 +198,7 @@ optional_policy(` + # Sulogin local policy + # + +-allow sulogin_t self:capability dac_override; ++allow sulogin_t self:capability { dac_override sys_admin }; + allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow sulogin_t self:fd use; + allow sulogin_t self:fifo_file rw_fifo_file_perms; +@@ -215,18 +211,27 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; 
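Review bot: `allow sulogin_t self:capability { dac_override sys_admin };` widens the emergency-login domain by CAP_SYS_ADMIN with no comment on which operation sulogin performs that needs it; sys_admin covers mounts, namespaces and a large set of privileged ioctls, far beyond what a login prompt does, so the triggering AVC should be checked for a narrower permission before the grant is kept. If it must stay, annotate it so it does not read as an accidental broadening on the next audit, e.g. `# sys_admin: needed for <operation> (see AVC in bug …)`. The other sulogin self: rules in this hunk are unchanged context.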
@@ -30840,12 +31327,11 @@ index 446fa99..d4b6b3b 100644 init_getpgid_script(sulogin_t) +init_getpgid(sulogin_t) ++init_getattr_initctl(sulogin_t) logging_send_syslog_msg(sulogin_t) -+ - seutil_read_config(sulogin_t) - seutil_read_default_contexts(sulogin_t) +@@ -235,17 +240,28 @@ seutil_read_default_contexts(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) @@ -30976,7 +31462,7 @@ index b50c5fe..2faaaf2 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..bb6086e 100644 +index 4e94884..ae63d78 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` @@ -31066,24 +31552,17 @@ index 4e94884..bb6086e 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',` +@@ -530,22 +592,104 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` - type syslogd_t, devlog_t; + attribute syslog_client_type; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + typeattribute $1 syslog_client_type; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Connect to the syslog control unix stream socket. 
@@ -31118,17 +31597,13 @@ index 4e94884..bb6086e 100644 + gen_require(` + type devlog_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 devlog_t:sock_file relabel_sock_file_perms; +') + +######################################## +## -+## Relabel the syslog pid sock_file. ++## Allow domain to read the syslog pid files. +## +## +## @@ -31136,16 +31611,42 @@ index 4e94884..bb6086e 100644 +## +## +# -+interface(`logging_relabel_syslog_pid_socket',` ++interface(`logging_read_syslog_pid',` + gen_require(` + type syslogd_var_run_t; + ') + -+ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; ++ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) ++ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) +') + +######################################## +## ++## Relabel the syslog pid sock_file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_relabel_syslog_pid_socket',` ++ gen_require(` ++ type syslogd_var_run_t; + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; ++ allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; ++') + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; ++######################################## ++## +## Connect to the syslog control unix stream socket. +## +## 
@@ -31158,13 +31659,17 @@ index 4e94884..bb6086e 100644 + gen_require(` + type syslogd_t, syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + files_search_pids($1) + stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t) ') ######################################## -@@ -722,6 +847,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +866,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -31190,7 +31695,7 @@ index 4e94884..bb6086e 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +920,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +939,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -31217,7 +31722,7 @@ index 4e94884..bb6086e 100644 ') ######################################## -@@ -859,7 +1021,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1040,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -31226,7 +31731,7 @@ index 4e94884..bb6086e 100644 ') ######################################## -@@ -885,6 +1047,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1066,44 @@ interface(`logging_read_generic_logs',` ######################################## ## @@ -31271,7 +31776,7 @@ index 4e94884..bb6086e 100644 ## Write generic log files. ## ## -@@ -905,6 +1105,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1124,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -31296,7 +31801,7 @@ index 4e94884..bb6086e 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1202,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1221,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; 
@@ -31314,7 +31819,7 @@ index 4e94884..bb6086e 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1227,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1246,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -31348,7 +31853,7 @@ index 4e94884..bb6086e 100644 ') ######################################## -@@ -1032,10 +1282,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1301,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -31366,7 +31871,7 @@ index 4e94884..bb6086e 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1312,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1331,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -31375,7 +31880,7 @@ index 4e94884..bb6086e 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1342,35 @@ interface(`logging_admin',` +@@ -1085,3 +1361,35 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -39643,10 +40148,10 @@ index 5fe902d..61f19e9 100644 -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..65191bd 100644 +index db75976..e4eb903 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,21 @@ +@@ -1,4 +1,24 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) 
@@ -39667,10 +40172,13 @@ index db75976..65191bd 100644 +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs/.* <> +HOME_DIR/\.debug(/.*)? <> ++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) ++HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) ++HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..a964b08 100644 +index 9dc60c6..0deded7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -42518,7 +43026,7 @@ index 9dc60c6..a964b08 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4327,1646 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4327,1673 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -43232,6 +43740,33 @@ index 9dc60c6..a964b08 100644 + read_lnk_files_pattern($1, audio_home_t, audio_home_t) +') + ++###################################### ++## ++## Manage texlive content in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_manage_home_texlive',` ++ gen_require(` ++ type texlive_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ ++ userdom_user_home_dir_filetrans($1, texlive_cert_t, dir, ".texlive2012") ++ userdom_user_home_dir_filetrans($1, texlive_cert_t, dir, ".texlive2013") ++ userdom_user_home_dir_filetrans($1, texlive_cert_t, dir, ".texlive2014") ++ manage_dirs_pattern($1, texlive_home_t, texlive_home_t) ++ manage_files_pattern($1, texlive_home_t, texlive_home_t) ++ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t) ++') ++ ++ +######################################## +## +## Do not audit attempts to write all user home content files. 
@@ -44166,7 +44701,7 @@ index 9dc60c6..a964b08 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f4ac38d..ce05b4f 100644 +index f4ac38d..cf1296e 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1) @@ -44255,7 +44790,7 @@ index f4ac38d..ce05b4f 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -44296,6 +44831,10 @@ index f4ac38d..ce05b4f 100644 +userdom_user_home_content(audio_home_t) +ubac_constrained(audio_home_t) + ++type texlive_home_t; ++userdom_user_home_content(texlive_home_t) ++ubac_constrained(texlive_home_t) ++ +type home_bin_t; +userdom_user_home_content(home_bin_t) +ubac_constrained(home_bin_t) @@ -44409,6 +44948,9 @@ index f4ac38d..ce05b4f 100644 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014") + +optional_policy(` + gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3a8e03d..6e51ffc 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -509,7 +509,7 @@ index 058d908..9d57403 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..9ef43d3 100644 +index eb50f07..021ddae 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -701,7 +701,7 @@ index eb50f07..9ef43d3 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -176,29 +187,38 @@ files_getattr_all_files(abrt_t) +@@ -176,29 +187,39 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -729,6 +729,7 @@ index eb50f07..9ef43d3 100644 +logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) +logging_stream_connect_syslog(abrt_t) ++logging_read_syslog_pid(abrt_t) + auth_use_nsswitch(abrt_t) @@ -743,7 +744,7 @@ index eb50f07..9ef43d3 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -206,15 +226,11 @@ tunable_policy(`abrt_anon_write',` +@@ -206,15 +227,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -760,7 +761,7 @@ index eb50f07..9ef43d3 100644 ') optional_policy(` -@@ -222,6 +238,20 @@ optional_policy(` +@@ -222,6 +239,20 @@ optional_policy(` ') optional_policy(` @@ -781,7 +782,7 @@ index eb50f07..9ef43d3 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -233,6 +263,7 @@ optional_policy(` +@@ -233,6 +264,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -789,7 +790,7 @@ index eb50f07..9ef43d3 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -243,6 +274,7 @@ optional_policy(` +@@ -243,6 +275,7 @@ optional_policy(` rpm_signull(abrt_t) ') 
@@ -797,7 +798,7 @@ index eb50f07..9ef43d3 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -253,9 +285,17 @@ optional_policy(` +@@ -253,9 +286,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -816,7 +817,7 @@ index eb50f07..9ef43d3 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -266,9 +306,13 @@ tunable_policy(`abrt_handle_event',` +@@ -266,9 +307,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -831,7 +832,7 @@ index eb50f07..9ef43d3 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -281,6 +325,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -281,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -839,7 +840,7 @@ index eb50f07..9ef43d3 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -289,15 +334,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -289,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -860,7 +861,7 @@ index eb50f07..9ef43d3 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -305,11 +355,25 @@ ifdef(`hide_broken_symptoms',` +@@ -305,11 +356,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
@@ -887,7 +888,7 @@ index eb50f07..9ef43d3 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -327,10 +391,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -327,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -901,7 +902,7 @@ index eb50f07..9ef43d3 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -343,10 +409,11 @@ optional_policy(` +@@ -343,10 +410,11 @@ optional_policy(` ####################################### # @@ -915,7 +916,7 @@ index eb50f07..9ef43d3 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -365,38 +432,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -365,38 +433,48 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -967,7 +968,7 @@ index eb50f07..9ef43d3 100644 ####################################### # -@@ -404,7 +481,7 @@ logging_read_generic_logs(abrt_dump_oops_t) +@@ -404,7 +482,7 @@ logging_read_generic_logs(abrt_dump_oops_t) # allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; @@ -976,7 +977,7 @@ index eb50f07..9ef43d3 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -413,16 +490,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -413,16 +491,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1020,7 +1021,7 @@ index eb50f07..9ef43d3 100644 ') ####################################### -@@ -430,10 +533,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` +@@ -430,10 +534,7 @@ tunable_policy(`abrt_upload_watch_anon_write',` # Global local policy # @@ -9708,10 +9709,10 @@ index 0000000..23a4f86 +') 
diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..a774878 +index 0000000..8d91220 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,44 @@ +@@ -0,0 +1,47 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -9746,6 +9747,7 @@ index 0000000..a774878 +files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file }) + +kernel_read_system_state(bumblebee_t) ++kernel_dontaudit_access_check_proc(bumblebee_t) + +dev_read_sysfs(bumblebee_t) + @@ -9755,6 +9757,8 @@ index 0000000..a774878 + +logging_send_syslog_msg(bumblebee_t) + ++modutils_domtrans_insmod(bumblebee_t) ++ +miscfiles_read_localization(bumblebee_t) diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 @@ -22507,10 +22511,10 @@ index 0000000..d856375 +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..1229d66 +index 0000000..85e2ddb --- /dev/null +++ b/docker.te -@@ -0,0 +1,133 @@ +@@ -0,0 +1,145 @@ +policy_module(docker, 1.0.0) + +######################################## 
@@ -22607,18 +22611,25 @@ index 0000000..1229d66 +# + +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; -+allow docker_t self:process { setsched signal_perms }; ++allow docker_t self:process { setpgid setsched signal_perms }; +allow docker_t self:netlink_route_socket nlmsg_write; ++allow docker_t self:netlink_audit_socket create_netlink_perms; +allow docker_t self:unix_dgram_socket create_socket_perms; ++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto } + +allow docker_t docker_var_lib_t:dir mounton; ++allow docker_t docker_var_lib_t:chr_file mounton; ++can_exec(docker_t, docker_var_lib_t) + +kernel_setsched(docker_t) ++kernel_get_sysvipc_info(docker_t) + +dev_getattr_all_blk_files(docker_t) ++dev_getattr_sysfs_fs(docker_t) +dev_read_urand(docker_t) +dev_read_lvm_control(docker_t) +dev_read_sysfs(docker_t) ++dev_rw_lvm_control(docker_t) + +files_manage_isid_type_dirs(docker_t) +files_manage_isid_type_files(docker_t) @@ -22641,9 +22652,14 @@ index 0000000..1229d66 +modutils_domtrans_insmod(docker_t) + +optional_policy(` ++ udev_read_db(docker_t) ++') ++ ++optional_policy(` + virt_read_config(docker_t) + virt_exec(docker_t) +') ++ diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 --- a/dovecot.fc @@ -25447,10 +25463,10 @@ index 0000000..dc94853 + diff --git a/freeipmi.te b/freeipmi.te new file mode 100644 -index 0000000..1408208 +index 0000000..43a12cb --- /dev/null +++ b/freeipmi.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,70 @@ +policy_module(freeipmi, 1.0.0) + +######################################## @@ -25509,6 +25525,8 @@ index 0000000..1408208 + +files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid") + ++corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t) ++ +####################################### +# +# ipmiseld local policy 
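Review bot: The new `allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }` line in the docker.te hunk has no terminating semicolon, so the rebuilt docker.te will not compile; it should read `allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };`. A few lines down, `dev_rw_lvm_control(docker_t)` makes the earlier `dev_read_lvm_control(docker_t)` redundant and one of the two can go. `can_exec(docker_t, docker_var_lib_t)` lets the daemon execute files out of a tree it also mounts on and presumably manages, which is the kind of grant a later reviewer will want justified; a one-line comment above it, e.g. `# TODO(review): state why docker_t must execute docker_var_lib_t content`, would make that explicit. The docker_t local policy section continues past the end of this hunk.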
@@ -31053,10 +31071,10 @@ index 6517fad..17c3627 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..d2ad022 100644 +index 4eb7041..ddc67b0 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,55 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,57 @@ policy_module(hypervkvp, 1.0.0) # Declarations # @@ -31091,7 +31109,7 @@ index 4eb7041..d2ad022 100644 # -# Local policy +# hyperv domain local policy -+# + # + +allow hyperv_domain self:capability net_admin; +allow hyperv_domain self:netlink_socket create_socket_perms; @@ -31099,17 +31117,19 @@ index 4eb7041..d2ad022 100644 +allow hyperv_domain self:fifo_file rw_fifo_file_perms; +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; + ++dev_read_sysfs(hyperv_domain) ++ +######################################## # +# hypervkvp local policy - # - --allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; --allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; ++# ++ +manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) -+ + +-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms; +-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms; +logging_send_syslog_msg(hypervkvp_t) -logging_send_syslog_msg(hypervkvpd_t) 
@@ -31548,6 +31568,82 @@ index d443fee..475b7f4 100644 logging_send_syslog_msg(iodined_t) +diff --git a/ipa.fc b/ipa.fc +new file mode 100644 +index 0000000..9278f85 +--- /dev/null ++++ b/ipa.fc +@@ -0,0 +1,4 @@ ++/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) ++ ++/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) ++ +diff --git a/ipa.if b/ipa.if +new file mode 100644 +index 0000000..c6cf456 +--- /dev/null ++++ b/ipa.if +@@ -0,0 +1,21 @@ ++## Policy for IPA services. ++ ++######################################## ++## ++## Execute rtas_errd in the rtas_errd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipa_domtrans_otpd',` ++ gen_require(` ++ type ipa_otpd_t, ipa_otpd_t_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t) ++') ++ +diff --git a/ipa.te b/ipa.te +new file mode 100644 +index 0000000..02f7cfa +--- /dev/null ++++ b/ipa.te +@@ -0,0 +1,33 @@ ++policy_module(ipa, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute ipa_domain; ++ ++type ipa_otpd_t, ipa_domain; ++type ipa_otpd_exec_t; ++init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) ++ ++type ipa_otpd_unit_file_t; ++systemd_unit_file(ipa_otpd_unit_file_t) ++ ++######################################## ++# ++# ipa_otpd local policy ++# ++ ++allow ipa_otpd_t self:fifo_file rw_fifo_file_perms; ++allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms; ++ ++corenet_tcp_connect_radius_port(ipa_otpd_t) ++ ++optional_policy(` ++ dirsrv_stream_connect(ipa_otpd_t) ++') ++ ++optional_policy(` ++ kerberos_use(ipa_otpd_t) ++') diff --git a/irc.fc b/irc.fc index 48e7739..c3285c2 100644 --- a/irc.fc @@ -36037,7 +36133,7 @@ index b7e5679..c93db33 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) 
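Review bot: `ipa_domtrans_otpd` in the new ipa.if requires `ipa_otpd_t_exec_t`, a type that is declared nowhere on this page — ipa.te declares `ipa_otpd_exec_t`, which is also what the `domtrans_pattern` call in the same interface uses — so the require block cannot resolve and, depending on how the caller wraps it, either breaks the build or silently disables the caller's optional block, leaving no transition into ipa_otpd_t; the line should be `type ipa_otpd_t, ipa_otpd_exec_t;`. The interface summary is copied from another module (`Execute rtas_errd in the rtas_errd domin.`) and should describe this one, e.g. `## Execute ipa-otpd in the ipa_otpd domain.`. In ipa.te the `ipa_domain` attribute is declared and assigned but carries no rules of its own; if more IPA domains are expected a short comment saying so would explain why it exists.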
diff --git a/ldap.if b/ldap.if -index 3602712..585c416 100644 +index 3602712..fc7b071 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ @@ -36145,7 +36241,7 @@ index 3602712..585c416 100644 ## ## ## -@@ -41,22 +119,28 @@ interface(`ldap_read_config',` +@@ -41,22 +119,29 @@ interface(`ldap_read_config',` ######################################## ## @@ -36169,6 +36265,7 @@ index 3602712..585c416 100644 + files_search_etc($1) + allow $1 slapd_cert_t:dir list_dir_perms; + read_files_pattern($1, slapd_cert_t, slapd_cert_t) ++ read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t) ') ######################################## @@ -36179,7 +36276,7 @@ index 3602712..585c416 100644 ## ## ## -@@ -64,18 +148,13 @@ interface(`ldap_use',` +@@ -64,18 +149,13 @@ interface(`ldap_use',` ## ## # @@ -36201,7 +36298,7 @@ index 3602712..585c416 100644 ## ## ## -@@ -83,21 +162,19 @@ interface(`ldap_stream_connect',` +@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',` ## ## # @@ -36229,7 +36326,7 @@ index 3602712..585c416 100644 ## ## ## -@@ -106,7 +183,7 @@ interface(`ldap_tcp_connect',` +@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',` ## ## ## @@ -36238,7 +36335,7 @@ index 3602712..585c416 100644 ## ## ## -@@ -117,11 +194,16 @@ interface(`ldap_admin',` +@@ -117,11 +195,16 @@ interface(`ldap_admin',` type slapd_lock_t, slapd_etc_t, slapd_var_run_t; type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t; type slapd_db_t, slapd_keytab_t; @@ -36256,7 +36353,7 @@ index 3602712..585c416 100644 init_labeled_script_domtrans($1, slapd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 slapd_initrc_exec_t system_r; -@@ -130,13 +212,9 @@ interface(`ldap_admin',` +@@ -130,13 +213,9 @@ interface(`ldap_admin',` files_list_etc($1) admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t }) 
@@ -36271,7 +36368,7 @@ index 3602712..585c416 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -144,4 +222,8 @@ interface(`ldap_admin',` +@@ -144,4 +223,8 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -40943,10 +41040,10 @@ index 0000000..b694afc +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..a4d75bf 100644 +index 6ffaba2..cb1e8b0 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,69 @@ +@@ -1,38 +1,67 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -40988,8 +41085,6 @@ index 6ffaba2..a4d75bf 100644 +HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -41050,7 +41145,7 @@ index 6ffaba2..a4d75bf 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..ada96f0 100644 +index 6194b80..7fbb9e7 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -41741,7 +41836,7 @@ index 6194b80..ada96f0 100644 ## ## ## -@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +499,56 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # 
@@ -41810,8 +41905,6 @@ index 6194b80..ada96f0 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") -+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012") -+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks") @@ -41825,7 +41918,7 @@ index 6194b80..ada96f0 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..0e84537 100644 +index 11ac8e4..1be2a97 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) @@ -42082,7 +42175,7 @@ index 11ac8e4..0e84537 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +196,74 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -42190,10 +42283,11 @@ index 11ac8e4..0e84537 100644 + userdom_dontaudit_read_user_tmp_files(mozilla_t) + userdom_dontaudit_list_user_home_dirs(mozilla_t) + userdom_dontaudit_read_user_home_content_files(mozilla_t) ++ userdom_manage_home_texlive(mozilla_t) ') optional_policy(` -@@ -244,19 +276,12 @@ optional_policy(` +@@ -244,19 +277,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -42215,7 +42309,7 @@ index 11ac8e4..0e84537 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +290,32 @@ optional_policy(` +@@ -265,33 +291,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) 
@@ -42263,7 +42357,7 @@ index 11ac8e4..0e84537 100644 ') optional_policy(` -@@ -300,259 +324,240 @@ optional_policy(` +@@ -300,259 +325,241 @@ optional_policy(` ######################################## # @@ -42342,6 +42436,7 @@ index 11ac8e4..0e84537 100644 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) ++userdom_manage_home_texlive(mozilla_plugin_t) allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; @@ -42653,7 +42748,7 @@ index 11ac8e4..0e84537 100644 ') optional_policy(` -@@ -560,7 +565,7 @@ optional_policy(` +@@ -560,7 +567,7 @@ optional_policy(` ') optional_policy(` @@ -42662,7 +42757,7 @@ index 11ac8e4..0e84537 100644 ') optional_policy(` -@@ -568,108 +573,130 @@ optional_policy(` +@@ -568,108 +575,130 @@ optional_policy(` ') optional_policy(` @@ -45312,10 +45407,10 @@ index b708708..cead88c 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index 06f8666..7ef9c78 100644 +index 06f8666..4a315d5 100644 --- a/mysql.fc +++ b/mysql.fc -@@ -1,12 +1,24 @@ +@@ -1,12 +1,25 @@ -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) @@ -45334,6 +45429,7 @@ index 06f8666..7ef9c78 100644 +/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) + +/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) ++/usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) + +# +# /etc 
@@ -45349,7 +45445,7 @@ index 06f8666..7ef9c78 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -14,14 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +@@ -14,14 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) @@ -47290,10 +47386,10 @@ index fe1068b..98166ee 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index 94b9734..485f368 100644 +index 94b9734..bb9c83e 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,44 +1,44 @@ +@@ -1,44 +1,46 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -47322,7 +47418,7 @@ index 94b9734..485f368 100644 -/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) 
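Review bot: The new `/usr/libexec/nm-dispatcher.action` entry in the networkmanager.fc hunk leaves its dot unescaped, while the neighbouring entries in the same file escape theirs (`/etc/rc\.d/init\.d/wicd`); the pattern should be `/usr/libexec/nm-dispatcher\.action`, and the `/var/run/nm-xl2tpd.conf.*` entry in the following networkmanager.fc hunk has the same issue. Since an unescaped dot also matches any character, the stricter form keeps the label from being applied to a file it was not meant for. A short comment next to the new `/usr/bin/teamd` entry in that following hunk, noting that teamd is intentionally given `NetworkManager_exec_t` and therefore runs in the NetworkManager_t domain, would stop the next reader from reading it as a copy-paste mistake.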
@@ -47336,6 +47432,7 @@ index 94b9734..485f368 100644 /usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) + +/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0) @@ -47356,6 +47453,7 @@ index 94b9734..485f368 100644 /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) @@ -47766,7 +47864,7 @@ index 86dc29d..5b73942 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..c7fd930 100644 +index 55f2009..076a73e 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -47791,7 +47889,7 @@ index 55f2009..c7fd930 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,25 +42,47 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,50 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # 
@@ -47840,15 +47938,18 @@ index 55f2009..c7fd930 100644 +#wicd +can_exec(NetworkManager_t, wpa_cli_exec_t) + ++list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) ++read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) + +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) - ++ +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,6 +93,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +96,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) @@ -47856,7 +47957,7 @@ index 55f2009..c7fd930 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,17 +107,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +110,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) 
@@ -47875,7 +47976,7 @@ index 55f2009..c7fd930 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +125,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +128,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -47901,7 +48002,7 @@ index 55f2009..c7fd930 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +141,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +144,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -47915,7 +48016,7 @@ index 55f2009..c7fd930 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +149,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,6 +152,17 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) @@ -47933,7 +48034,7 @@ index 55f2009..c7fd930 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +168,11 @@ init_domtrans_script(NetworkManager_t) +@@ -148,10 +171,11 @@ init_domtrans_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -47946,7 +48047,7 @@ index 55f2009..c7fd930 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +187,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +190,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) 
@@ -47983,7 +48084,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -196,10 +228,6 @@ optional_policy(` +@@ -196,10 +231,6 @@ optional_policy(` ') optional_policy(` @@ -47994,7 +48095,7 @@ index 55f2009..c7fd930 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +238,11 @@ optional_policy(` +@@ -210,16 +241,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -48013,7 +48114,7 @@ index 55f2009..c7fd930 100644 ') ') -@@ -231,18 +254,19 @@ optional_policy(` +@@ -231,18 +257,19 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) @@ -48036,7 +48137,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -250,6 +274,10 @@ optional_policy(` +@@ -250,6 +277,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -48047,7 +48148,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -257,11 +285,10 @@ optional_policy(` +@@ -257,11 +288,10 @@ optional_policy(` ') optional_policy(` @@ -48063,7 +48164,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -274,10 +301,17 @@ optional_policy(` +@@ -274,10 +304,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -48081,7 +48182,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -289,6 +323,7 @@ optional_policy(` +@@ -289,6 +326,7 @@ optional_policy(` ') optional_policy(` @@ -48089,7 +48190,7 @@ index 55f2009..c7fd930 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +331,7 @@ optional_policy(` +@@ -296,7 +334,7 @@ optional_policy(` ') optional_policy(` 
@@ -48098,7 +48199,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -307,6 +342,7 @@ optional_policy(` +@@ -307,6 +345,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -48106,7 +48207,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -320,14 +356,20 @@ optional_policy(` +@@ -320,14 +359,20 @@ optional_policy(` ') optional_policy(` @@ -48132,7 +48233,7 @@ index 55f2009..c7fd930 100644 ') optional_policy(` -@@ -357,6 +399,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +402,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -56097,10 +56198,10 @@ index 1fb1964..f92c71a 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..6b5b74b 100644 +index dfd46e4..4694942 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,25 @@ +@@ -1,15 +1,29 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) 
@@ -56109,29 +56210,33 @@ index dfd46e4..6b5b74b 100644 -/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0) +/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) +/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) ++ ++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0) -/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0) -+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) ++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0) -+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) ++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0) -+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) ++/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) -/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0) -+/var/lib/openlmi-storage(/.*)? 
gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) ++ ++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++ +/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + ++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if @@ -59856,7 +59961,7 @@ index 5ad5291..7f1ae2a 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) diff --git a/portreserve.te b/portreserve.te -index 00b01e2..ffbfcee 100644 +index 00b01e2..47ab4d9 100644 --- a/portreserve.te +++ b/portreserve.te @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } 
@@ -59867,13 +59972,17 @@ index 00b01e2..ffbfcee 100644 corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_sendrecv_generic_if(portreserve_t) corenet_udp_sendrecv_generic_if(portreserve_t) -@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t) +@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t) corenet_tcp_bind_all_ports(portreserve_t) corenet_udp_bind_all_ports(portreserve_t) -files_read_etc_files(portreserve_t) - +- userdom_dontaudit_search_user_home_content(portreserve_t) ++ ++optional_policy(` ++ sssd_search_lib(portreserve_t) ++') diff --git a/portslave.te b/portslave.te index cbe36c1..8ebeb87 100644 --- a/portslave.te @@ -75894,7 +76003,7 @@ index ebe91fc..576ca21 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..0c8576e 100644 +index ef3b225..064712b 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -76171,7 +76280,7 @@ index ef3b225..0c8576e 100644 + type rpm_log_t; + ') + logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") -+ logging_log_named_filetrans($1, rpm_log_t, file, "upd2date") ++ logging_log_named_filetrans($1, rpm_log_t, file, "up2date") +') + +######################################## @@ -85152,7 +85261,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..f7ba057 100644 +index f2f507d..de22c9c 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; @@ -85313,7 +85422,7 @@ index f2f507d..f7ba057 100644 ') optional_policy(` -@@ -151,9 +198,17 @@ optional_policy(` +@@ -151,9 +198,21 @@ optional_policy(` ') optional_policy(` @@ -85331,6 +85440,10 @@ index f2f507d..f7ba057 100644 + +optional_policy(` + setroubleshoot_signull(sosreport_t) ++') ++ ++optional_policy(` ++ unconfined_signull(sosreport_t) ') optional_policy(` 
@@ -90367,11 +90480,10 @@ index 0000000..39d17b7 +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) diff --git a/thumb.fc b/thumb.fc new file mode 100644 -index 0000000..92b6843 +index 0000000..115bf6c --- /dev/null +++ b/thumb.fc -@@ -0,0 +1,18 @@ -+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +@@ -0,0 +1,17 @@ +HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0) @@ -90388,7 +90500,7 @@ index 0000000..92b6843 +/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) +/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0) + -+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/lib/tumbler-?[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 index 0000000..c1fd8b4 @@ -90530,10 +90642,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..b57cc3c +index 0000000..2ddef5c --- /dev/null +++ b/thumb.te -@@ -0,0 +1,149 @@ +@@ -0,0 +1,150 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -90583,6 +90695,7 @@ index 0000000..b57cc3c +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") +userdom_dontaudit_access_check_user_content(thumb_t) +userdom_rw_inherited_user_tmpfs_files(thumb_t) ++userdom_manage_home_texlive(thumb_t) + +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) @@ -91431,7 +91544,7 @@ index 61c2e07..5e1df41 100644 + ') ') diff --git a/tor.te b/tor.te -index 5ceacde..5fde651 100644 +index 5ceacde..40e9303 100644 --- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.9.0) 
@@ -91466,7 +91579,15 @@ index 5ceacde..5fde651 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -98,19 +107,22 @@ dev_read_urand(tor_t) +@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t) + corenet_sendrecv_tor_server_packets(tor_t) + corenet_tcp_bind_tor_port(tor_t) + corenet_tcp_sendrecv_tor_port(tor_t) ++corenet_tcp_bind_hplip_port(tor_t) + + corenet_sendrecv_all_client_packets(tor_t) + corenet_tcp_connect_all_ports(tor_t) +@@ -98,19 +108,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -91583,7 +91704,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 393a330..90924a4 100644 +index 393a330..3e41bff 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -91644,7 +91765,7 @@ index 393a330..90924a4 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +76,57 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -91669,6 +91790,8 @@ index 393a330..90924a4 100644 -miscfiles_read_localization(tuned_t) +mount_read_pid_files(tuned_t) ++ ++modutils_domtrans_insmod(tuned_t) udev_read_pid_files(tuned_t) @@ -93350,7 +93473,7 @@ index a4f20bc..9bad8b9 100644 +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index facdee8..73549fd 100644 +index facdee8..43128c6 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -94365,7 +94488,7 @@ index facdee8..73549fd 100644 ## ## ## -@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',` +@@ -860,74 +658,189 @@ interface(`virt_read_lib_files',` ## ## # 
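Review bot: `corenet_tcp_bind_hplip_port(tor_t)` in the new inner hunk `@@ -85,6 +94,7 @@` lets tor_t bind every TCP port labeled hplip_port_t, a port type owned by the HP printing service, and nothing records why a Tor daemon needs it. If the motivation is an ORPort or DirPort configured on a port that happens to carry that label (the changelog says only `Allow tor to bind to hplip port`), a comment next to the rule should say so, e.g. `# ORPort/DirPort configured on a port labeled hplip_port_t (see bug <PLACEHOLDER-BZ-ID>)`, because the grant is wider than its purpose and will be hard to remove later. Guarding the bind with a tunable would be the cleaner shape if this tree's tor policy already uses one for optional port grants. The tor.te body continues outside the hunk.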
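Review bot: `modutils_domtrans_insmod(tuned_t)` in hunk `@@ -91669,6 +91790,8 @@` gives the tuned daemon a transition into the module-loading domain, which amounts to kernel code execution, and tuned_t already runs arbitrary binaries and shell from its profiles (`corecmd_exec_bin(tuned_t)` and `corecmd_exec_shell(tuned_t)` are visible as context above). Which profile plugin needs to load modules is not stated; a comment such as `# profile plugins run modprobe for tuning-related modules — TODO name the plugin` would document the trust being extended, and if only a known set of modules is involved a narrower rule would be preferable. The tuned.te body continues outside the hunk.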
@@ -94556,93 +94679,110 @@ index facdee8..73549fd 100644 ## -## Append virt log files. +## Do not audit attempts to write virt daemon unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`virt_dontaudit_write_pipes',` ++ gen_require(` ++ type virtd_t; ++ ') ++ ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -935,19 +848,17 @@ interface(`virt_read_log',` ## ## # -interface(`virt_append_log',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_kill_svirt',` gen_require(` - type virt_log_t; -+ type virtd_t; ++ attribute virt_domain; ') - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virt_domain:process sigkill; ') ######################################## ## -## Create, read, write, and delete -## virt log files. -+## Send a sigkill to virtual machines ++## Send a sigkill to virtd daemon. ## ## ## -@@ -955,20 +848,17 @@ interface(`virt_append_log',` +@@ -955,20 +866,17 @@ interface(`virt_append_log',` ## ## # -interface(`virt_manage_log',` -+interface(`virt_kill_svirt',` ++interface(`virt_kill',` gen_require(` - type virt_log_t; -+ attribute virt_domain; ++ type virtd_t; ') - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process sigkill; ') ######################################## ## -## Search virt image directories. -+## Send a sigkill to virtd daemon. 
++## Send a signal to virtual machines ## ## ## -@@ -976,18 +866,17 @@ interface(`virt_manage_log',` +@@ -976,18 +884,17 @@ interface(`virt_manage_log',` ## ## # -interface(`virt_search_images',` -+interface(`virt_kill',` ++interface(`virt_signal_svirt',` gen_require(` - attribute virt_image_type; -+ type virtd_t; ++ attribute virt_domain; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virtd_t:process sigkill; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Read virt image files. -+## Send a signal to virtual machines ++## Manage virt home files. ## ## ## -@@ -995,73 +884,75 @@ interface(`virt_search_images',` +@@ -995,36 +902,57 @@ interface(`virt_search_images',` ## ## # -interface(`virt_read_images',` -+interface(`virt_signal_svirt',` ++interface(`virt_manage_home_files',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute virt_domain; ++ type virt_home_t; ') - virt_search_lib($1) @@ -94651,7 +94791,8 @@ index facdee8..73549fd 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virt_domain:process signal; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) +') - tunable_policy(`virt_use_nfs',` 
@@ -94660,105 +94801,70 @@ index facdee8..73549fd 100644 - fs_read_nfs_symlinks($1) +######################################## +## -+## Manage virt home files. ++## allow domain to read ++## virt tmpfs files +## +## +## -+## Domain allowed access. ++## Domain allowed access +## +## +# -+interface(`virt_manage_home_files',` ++interface(`virt_read_tmpfs_files',` + gen_require(` -+ type virt_home_t; ++ attribute virt_tmpfs_type; ') - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -- ') -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) - ') - - ######################################## - ## --## Read and write all virt image --## character files. -+## allow domain to read -+## virt tmpfs files - ## - ## - ## --## Domain allowed access. -+## Domain allowed access - ## - ## - # --interface(`virt_rw_all_image_chr_files',` -+interface(`virt_read_tmpfs_files',` - gen_require(` -- attribute virt_image_type; -+ attribute virt_tmpfs_type; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- rw_chr_files_pattern($1, virt_image_type, virt_image_type) + allow $1 virt_tmpfs_type:file read_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## svirt cache files. ++') ++ ++######################################## ++## +## allow domain to manage +## virt tmpfs files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed access - ## - ## - # --interface(`virt_manage_svirt_cache',` -- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') -- virt_manage_virt_cache($1) ++## ++## ++# +interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; -+ ') + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; ') ######################################## ## --## Create, read, write, and delete --## virt cache content. 
+-## Read and write all virt image +-## character files. +## Create .virt directory in the user home directory +## with an correct label. ## ## ## -@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',` +@@ -1032,20 +960,28 @@ interface(`virt_read_images',` ## ## # --interface(`virt_manage_virt_cache',` +-interface(`virt_rw_all_image_chr_files',` +interface(`virt_filetrans_home_content',` gen_require(` -- type virt_cache_t; +- attribute virt_image_type; + type virt_home_t; + type svirt_home_t; ') -- files_search_var($1) -- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) -- manage_files_pattern($1, virt_cache_t, virt_cache_t) -- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- rw_chr_files_pattern($1, virt_image_type, virt_image_type) + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") 
@@ -94775,42 +94881,36 @@ index facdee8..73549fd 100644 ######################################## ## -## Create, read, write, and delete --## virt image files. +-## svirt cache files. +## Dontaudit attempts to Read virt_image_type devices. ## ## ## -@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',` +@@ -1053,37 +989,129 @@ interface(`virt_rw_all_image_chr_files',` ## ## # --interface(`virt_manage_images',` +-interface(`virt_manage_svirt_cache',` +- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') +- virt_manage_virt_cache($1) +interface(`virt_dontaudit_read_chr_dev',` - gen_require(` -- type virt_var_lib_t; - attribute virt_image_type; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- manage_dirs_pattern($1, virt_image_type, virt_image_type) -- manage_files_pattern($1, virt_image_type, virt_image_type) -- read_lnk_files_pattern($1, virt_image_type, virt_image_type) -- rw_blk_files_pattern($1, virt_image_type, virt_image_type) ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; -+') + ') -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_read_nfs_symlinks($1) -+######################################## -+## + ######################################## + ## +-## Create, read, write, and delete +-## virt cache content. +## Creates types and rules for a basic +## virt_lxc process domain. -+## + ## +-## +## -+## + ## +## Prefix for the domain. +## +## @@ -94818,12 +94918,8 @@ index facdee8..73549fd 100644 +template(`virt_sandbox_domain_template',` + gen_require(` + attribute svirt_sandbox_domain; - ') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files($1) -- fs_manage_cifs_files($1) -- fs_read_cifs_symlinks($1) ++ ') ++ + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) 
@@ -94858,7 +94954,7 @@ index facdee8..73549fd 100644 +## +## +## -+## Domain allowed access. + ## Domain allowed access. +## +## +# @@ -94877,22 +94973,30 @@ index facdee8..73549fd 100644 +## +## +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`virt_manage_virt_cache',` +interface(`virt_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type virt_cache_t; + type virt_lxc_var_run_t; + type virt_var_run_t; -+ ') -+ + ') + +- files_search_var($1) +- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) +- manage_files_pattern($1, virt_cache_t, virt_cache_t) +- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt image files. +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## 
@@ -94923,6 +95027,37 @@ index facdee8..73549fd 100644 +######################################## +## +## Read and write to svirt_image devices. + ## + ## + ## +@@ -1091,36 +1119,54 @@ interface(`virt_manage_virt_cache',` + ## + ## + # +-interface(`virt_manage_images',` ++interface(`virt_rw_svirt_dev',` + gen_require(` +- type virt_var_lib_t; +- attribute virt_image_type; ++ type svirt_image_t; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- manage_dirs_pattern($1, virt_image_type, virt_image_type) +- manage_files_pattern($1, virt_image_type, virt_image_type) +- read_lnk_files_pattern($1, virt_image_type, virt_image_type) +- rw_blk_files_pattern($1, virt_image_type, virt_image_type) ++ allow $1 svirt_image_t:chr_file rw_file_perms; ++') + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_read_nfs_symlinks($1) ++######################################## ++## ++## Read and write to svirt_image devices. +## +## +## @@ -94930,12 +95065,34 @@ index facdee8..73549fd 100644 +## +## +# -+interface(`virt_rw_svirt_dev',` ++interface(`virt_rlimitinh',` + gen_require(` -+ type svirt_image_t; ++ type virtd_t; ') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) ++ allow $1 virtd_t:process { rlimitinh }; ++') + -+ allow $1 svirt_image_t:chr_file rw_file_perms; ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_noatsecure',` ++ gen_require(` ++ type virtd_t; + ') ++ ++ allow $1 virtd_t:process { noatsecure rlimitinh }; ') ######################################## @@ -94947,7 +95104,7 @@ index facdee8..73549fd 100644 ## ## ## -@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1182,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` 
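Review bot: Both `virt_rlimitinh` and `virt_noatsecure` in hunk `@@ -94923,6 +95027,37 @@` carry the description `Read and write to svirt_image devices.` copied from `virt_rw_svirt_dev`, which is wrong for interfaces that grant `rlimitinh`/`noatsecure` on virtd_t. They should read along the lines of `Allow the caller's resource limits to be inherited across a transition to virtd.` and `Allow a transition to virtd without AT_SECURE cleansing (the caller's environment, e.g. LD_PRELOAD, is honoured by the new image) and with inherited rlimits.`; `noatsecure` is a deliberate weakening of exec-time sanitisation and deserves a sentence naming why the calling domain needs it. `virt_noatsecure` also grants `rlimitinh`, so the doc should say so rather than leaving callers to discover the overlap with `virt_rlimitinh`. Style: the braces in `allow $1 virtd_t:process { rlimitinh };` are unnecessary for a single permission.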
@@ -97064,6 +97221,132 @@ index 6b72968..de409cc 100644 userdom_dontaudit_search_user_home_dirs(vlock_t) -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) +diff --git a/vmtools.fc b/vmtools.fc +new file mode 100644 +index 0000000..5726cdb +--- /dev/null ++++ b/vmtools.fc +@@ -0,0 +1,3 @@ ++/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0) ++ ++/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0) +diff --git a/vmtools.if b/vmtools.if +new file mode 100644 +index 0000000..044be2f +--- /dev/null ++++ b/vmtools.if +@@ -0,0 +1,78 @@ ++## VMware Tools daemon ++ ++######################################## ++## ++## Execute vmtools in the vmtools domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_domtrans',` ++ gen_require(` ++ type vmtools_t, vmtools_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, vmtools_exec_t, vmtools_t) ++') ++######################################## ++## ++## Execute vmtools server in the vmtools domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_systemctl',` ++ gen_require(` ++ type vmtools_t; ++ type vmtools_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 vmtools_unit_file_t:file read_file_perms; ++ allow $1 vmtools_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, vmtools_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an vmtools environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`vmtools_admin',` ++ gen_require(` ++ type vmtools_t; ++ type vmtools_unit_file_t; ++ ') ++ ++ allow $1 vmtools_t:process { signal_perms }; ++ ps_process_pattern($1, vmtools_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ninfod_t:process ptrace; ++ ') ++ ++ vmtools_systemctl($1) ++ admin_pattern($1, vmtools_unit_file_t) ++ allow $1 vmtools_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/vmtools.te b/vmtools.te +new file mode 100644 +index 0000000..7918651 +--- /dev/null ++++ b/vmtools.te +@@ -0,0 +1,27 @@ ++policy_module(vmtools, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type vmtools_t; ++type vmtools_exec_t; ++init_daemon_domain(vmtools_t, vmtools_exec_t) ++ ++type vmtools_unit_file_t; ++systemd_unit_file(vmtools_unit_file_t) ++ ++######################################## ++# ++# vmtools local policy ++# ++allow vmtools_t self:fifo_file rw_fifo_file_perms; ++allow vmtools_t self:unix_stream_socket create_stream_socket_perms; ++allow vmtools_t self:unix_dgram_socket create_socket_perms; ++ ++auth_use_nsswitch(vmtools_t) ++ ++dev_read_urand(vmtools_t) ++ ++logging_send_syslog_msg(vmtools_t) diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 --- a/vmware.if @@ -99998,7 +100281,7 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 7f496c6..1498539 100644 +index 7f496c6..922b7e0 100644 --- a/zabbix.te +++ b/zabbix.te @@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0) @@ -100189,7 +100472,7 @@ index 7f496c6..1498539 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t) +@@ -190,8 +181,14 @@ init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) 
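Review bot: `allow $1 ninfod_t:process ptrace;` inside `vmtools_admin` (hunk `@@ -97064,6 +97221,132 @@`) names ninfod_t instead of vmtools_t, and ninfod_t is not in the interface's gen_require, so any module calling vmtools_admin fails to build — or, if the caller happens to declare ninfod_t, the admin domain gains ptrace over an unrelated daemon rather than over vmtoolsd. It should read `allow $1 vmtools_t:process ptrace;`. The description of `vmtools_domtrans` has `domin` for `domain`, and `vmtools_systemctl` is missing the blank line and separator that the other interfaces in the file use before their `########` header. The new vmtools.te grants vmtoolsd only self socket/fifo access, nsswitch, urandom and syslog; that is a fine minimal start, but a `# TODO` noting which guest-agent features remain unconfined would help the next person reading the denials.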
@@ -100200,9 +100483,12 @@ index 7f496c6..1498539 100644 zabbix_tcp_connect(zabbix_agent_t) + +optional_policy(` -+ hostname_exec(zabbix_agent_t) ++ dmidecode_domtrans(zabbix_agent_t) +') + ++optional_policy(` ++ hostname_exec(zabbix_agent_t) ++') diff --git a/zarafa.fc b/zarafa.fc index faf99ed..44e94fa 100644 --- a/zarafa.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 2fec2d9..302876e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -252,7 +252,8 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/sysadm_u %define relabel() \ . %{_sysconfdir}/selinux/config; \ 
@@ -575,6 +576,27 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Dec 13 2013 Miroslav Grepl 3.13.1-10
+- Allow freeipmi_ipmidetectd_t to use freeipmi port
+- Update freeipmi_domain_template()
+- Allow journalctl running as ABRT to read /run/log/journal
+- Allow NM to read dispatcher.d directory
+- Update freeipmi policy
+- Type transitions with a filename not allowed inside conditionals
+- Allow tor to bind to hplip port
+- Make new type to texlive files in homedir
+- Allow zabbix_agent to transition to dmidecode
+- Add rules for docker
+- Allow sosreport to send signull to unconfined_t
+- Add virt_noatsecure and virt_rlimitinh interfaces
+- Fix labeling in thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port
+- Add sysadm_u_default_contexts
+- Add logging_read_syslog_pid()
+- Fix userdom_manage_home_texlive() interface
+- Make new type to texlive files in homedir
+- Add filename transitions for /run and /lock links
+- Allow virtd to inherit rlimit information
+
 * Mon Dec 9 2013 Miroslav Grepl 3.13.1-9
 - DRM master and input event devices are used by the TakeDevice API
 - Clean up bumblebee policy