diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 3795792..02bfac3 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 0813676..b5bc472 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17882,7 +17882,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..99002ca 100644 +index 8416beb..531dfef 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18034,7 +18034,33 @@ index 8416beb..99002ca 100644 dev_search_sysfs($1) ') -@@ -920,6 +990,24 @@ interface(`fs_getattr_cifs',` +@@ -826,6 +896,25 @@ interface(`fs_mounton_cgroup', ` + + ######################################## + ## ++## Read and write ceph files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_cephfs_files',` ++ gen_require(` ++ type cephfs_t; ++ ++ ') ++ ++ rw_files_pattern($1, cephfs_t, cephfs_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to read + ## dirs on a CIFS or SMB filesystem. + ## +@@ -920,6 +1009,24 @@ interface(`fs_getattr_cifs',` ######################################## ## @@ -18059,7 +18085,7 @@ index 8416beb..99002ca 100644 ## Search directories on a CIFS or SMB filesystem. ## ## -@@ -1107,6 +1195,24 @@ interface(`fs_read_noxattr_fs_files',` +@@ -1107,6 +1214,24 @@ interface(`fs_read_noxattr_fs_files',` ######################################## ## @@ -18084,7 +18110,7 @@ index 8416beb..99002ca 100644 ## Do not audit attempts to read all ## noxattrfs files. ## -@@ -1245,7 +1351,7 @@ interface(`fs_append_cifs_files',` +@@ -1245,7 +1370,7 @@ interface(`fs_append_cifs_files',` ######################################## ## 
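Review bot: The new `fs_rw_cephfs_files` interface (hunk `@@ -18034,7 +18034,33 @@`) has a stray empty line inside its `gen_require` block between `type cephfs_t;` and `')`, which no other interface in this file has (compare `fs_getattr_fusefs` and `fs_hugetlbfs_filetrans` further down), so drop that blank line. Its summary `## Read and write ceph files.` also understates the grant: `cephfs_t` is assigned by `genfscon ceph /` in the filesystem.te hunk later on this page, so every inode on every mounted ceph filesystem carries that single type and the interface gives `$1` read/write on all of them; suggest `## Read and write all files on a ceph filesystem.` with a short note that the label is filesystem-wide. The filesystem.te hunk that introduces `type cephfs_t` would benefit from the same one-line comment, since it is what makes the label coarse.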
@@ -18093,7 +18119,7 @@ index 8416beb..99002ca 100644 ## on a CIFS filesystem. ## ## -@@ -1265,6 +1371,42 @@ interface(`fs_dontaudit_append_cifs_files',` +@@ -1265,6 +1390,42 @@ interface(`fs_dontaudit_append_cifs_files',` ######################################## ## @@ -18136,7 +18162,7 @@ index 8416beb..99002ca 100644 ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## -@@ -1279,7 +1421,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1279,7 +1440,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -18145,7 +18171,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -1542,6 +1684,63 @@ interface(`fs_cifs_domtrans',` +@@ -1542,6 +1703,63 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -18209,7 +18235,7 @@ index 8416beb..99002ca 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1582,6 +1781,24 @@ interface(`fs_manage_configfs_files',` +@@ -1582,6 +1800,24 @@ interface(`fs_manage_configfs_files',` ######################################## ## @@ -18234,7 +18260,7 @@ index 8416beb..99002ca 100644 ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## -@@ -1793,63 +2010,70 @@ interface(`fs_read_eventpollfs',` +@@ -1793,63 +2029,70 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -18330,7 +18356,7 @@ index 8416beb..99002ca 100644 ## on a FUSEFS filesystem. ## ## -@@ -1859,18 +2083,19 @@ interface(`fs_mounton_fusefs',` +@@ -1859,18 +2102,19 @@ interface(`fs_mounton_fusefs',` ## ## # @@ -18355,7 +18381,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -1878,135 +2103,740 @@ interface(`fs_search_fusefs',` +@@ -1878,135 +2122,740 @@ interface(`fs_search_fusefs',` ## ## # 
@@ -18452,6 +18478,15 @@ index 8416beb..99002ca 100644 +## Execute a file on a FUSE filesystem +## in the specified domain. ## +-## +-## +-## Domain allowed access. +-## +-## +-## +-# +-interface(`fs_exec_fusefs_files',` +- gen_require(` +## +##

+## Execute a file on a FUSE filesystem @@ -18471,17 +18506,11 @@ index 8416beb..99002ca 100644 +## in particular used by the ssh-agent policy. +##

+##
- ## - ## --## Domain allowed access. ++## ++## +## Domain allowed to transition. - ## - ## --## --# --interface(`fs_exec_fusefs_files',` -- gen_require(` -- type fusefs_t; ++## ++## +## +## +## The type of the new process. @@ -18840,9 +18869,10 @@ index 8416beb..99002ca 100644 +# +interface(`fs_getattr_fusefs',` + gen_require(` -+ type fusefs_t; -+ ') -+ + type fusefs_t; + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:filesystem getattr; +') + @@ -19076,9 +19106,8 @@ index 8416beb..99002ca 100644 +interface(`fs_hugetlbfs_filetrans',` + gen_require(` + type hugetlbfs_t; - ') - -- exec_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ') @@ -19143,7 +19172,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2014,37 +2844,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` +@@ -2014,37 +2863,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` ## ## # @@ -19192,7 +19221,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2052,17 +2883,19 @@ interface(`fs_getattr_hugetlbfs',` +@@ -2052,17 +2902,19 @@ interface(`fs_getattr_hugetlbfs',` ## ## # @@ -19216,7 +19245,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2070,17 +2903,20 @@ interface(`fs_list_hugetlbfs',` +@@ -2070,17 +2922,20 @@ interface(`fs_list_hugetlbfs',` ## ## # @@ -19241,7 +19270,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2088,35 +2924,35 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2088,35 +2943,35 @@ interface(`fs_manage_hugetlbfs_dirs',` ## ## # @@ -19287,7 +19316,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2124,17 +2960,17 @@ interface(`fs_associate_hugetlbfs',` +@@ -2124,17 +2979,17 @@ interface(`fs_associate_hugetlbfs',` ## ## # @@ -19309,7 +19338,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2142,71 +2978,136 @@ interface(`fs_search_inotifyfs',` +@@ -2142,71 +2997,136 @@ interface(`fs_search_inotifyfs',` ## ## # 
@@ -19469,7 +19498,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2214,19 +3115,21 @@ interface(`fs_hugetlbfs_filetrans',` +@@ -2214,19 +3134,21 @@ interface(`fs_hugetlbfs_filetrans',` ## ## # @@ -19497,7 +19526,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2234,18 +3137,19 @@ interface(`fs_mount_iso9660_fs',` +@@ -2234,18 +3156,19 @@ interface(`fs_mount_iso9660_fs',` ## ## # @@ -19522,7 +19551,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2253,38 +3157,41 @@ interface(`fs_remount_iso9660_fs',` +@@ -2253,38 +3176,41 @@ interface(`fs_remount_iso9660_fs',` ## ## # @@ -19576,7 +19605,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2292,19 +3199,21 @@ interface(`fs_getattr_iso9660_fs',` +@@ -2292,19 +3218,21 @@ interface(`fs_getattr_iso9660_fs',` ## ## # @@ -19604,7 +19633,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2312,16 +3221,15 @@ interface(`fs_getattr_iso9660_files',` +@@ -2312,16 +3240,15 @@ interface(`fs_getattr_iso9660_files',` ## ## # @@ -19625,7 +19654,7 @@ index 8416beb..99002ca 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2356,44 +3264,62 @@ interface(`fs_remount_nfs',` +@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',` type nfs_t; ') @@ -19696,7 +19725,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -2485,6 +3411,7 @@ interface(`fs_read_nfs_files',` +@@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -19704,7 +19733,7 @@ index 8416beb..99002ca 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2523,6 +3450,7 @@ interface(`fs_write_nfs_files',` +@@ -2523,6 +3469,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -19712,7 +19741,7 @@ index 8416beb..99002ca 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2549,6 +3477,44 @@ interface(`fs_exec_nfs_files',` +@@ -2549,6 +3496,44 @@ interface(`fs_exec_nfs_files',` ######################################## ## 
@@ -19757,7 +19786,7 @@ index 8416beb..99002ca 100644 ## Append files ## on a NFS filesystem. ## -@@ -2569,7 +3535,7 @@ interface(`fs_append_nfs_files',` +@@ -2569,7 +3554,7 @@ interface(`fs_append_nfs_files',` ######################################## ## @@ -19766,7 +19795,7 @@ index 8416beb..99002ca 100644 ## on a NFS filesystem. ## ## -@@ -2589,6 +3555,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2589,6 +3574,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -19809,7 +19838,7 @@ index 8416beb..99002ca 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2603,7 +3605,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2603,7 +3624,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19818,7 +19847,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -2627,7 +3629,7 @@ interface(`fs_read_nfs_symlinks',` +@@ -2627,7 +3648,7 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## @@ -19827,7 +19856,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -2719,6 +3721,65 @@ interface(`fs_search_rpc',` +@@ -2719,6 +3740,65 @@ interface(`fs_search_rpc',` ######################################## ## @@ -19893,7 +19922,7 @@ index 8416beb..99002ca 100644 ## Search removable storage directories. ## ## -@@ -2741,7 +3802,7 @@ interface(`fs_search_removable',` +@@ -2741,7 +3821,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19902,7 +19931,7 @@ index 8416beb..99002ca 100644 ## ## # -@@ -2777,7 +3838,7 @@ interface(`fs_read_removable_files',` +@@ -2777,7 +3857,7 @@ interface(`fs_read_removable_files',` ## ## ## @@ -19911,7 +19940,7 @@ index 8416beb..99002ca 100644 ## ## # -@@ -2970,6 +4031,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4050,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') 
@@ -19919,7 +19948,7 @@ index 8416beb..99002ca 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,6 +4072,7 @@ interface(`fs_manage_nfs_files',` +@@ -3010,6 +4091,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -19927,7 +19956,7 @@ index 8416beb..99002ca 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3050,6 +4113,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4132,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -19935,7 +19964,7 @@ index 8416beb..99002ca 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4201,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4220,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -19960,7 +19989,7 @@ index 8416beb..99002ca 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,7 +4345,25 @@ interface(`fs_getattr_nfsd_files',` +@@ -3263,7 +4364,25 @@ interface(`fs_getattr_nfsd_files',` getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') @@ -19987,7 +20016,7 @@ index 8416beb..99002ca 100644 ## ## Read and write NFS server files. ## -@@ -3283,6 +4383,59 @@ interface(`fs_rw_nfsd_fs',` +@@ -3283,6 +4402,59 @@ interface(`fs_rw_nfsd_fs',` ######################################## ## @@ -20047,7 +20076,7 @@ index 8416beb..99002ca 100644 ## Allow the type to associate to ramfs filesystems. ## ## -@@ -3392,7 +4545,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4564,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20056,7 +20085,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3429,7 +4582,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +4601,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20065,7 +20094,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3447,7 +4600,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +4619,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## 
@@ -20074,7 +20103,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3779,6 +4932,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +4951,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## @@ -20099,7 +20128,7 @@ index 8416beb..99002ca 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +4986,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5005,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20124,7 +20153,7 @@ index 8416beb..99002ca 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +5028,76 @@ interface(`fs_getattr_tmpfs',` +@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',` ## ## ## @@ -20210,7 +20239,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3879,36 +5105,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3879,36 +5124,35 @@ interface(`fs_relabelfrom_tmpfs',` ## ## # @@ -20254,7 +20283,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3916,35 +5141,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,35 +5160,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20298,7 +20327,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3952,17 +5178,17 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5197,17 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20319,7 +20348,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -3970,31 +5196,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5215,30 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20357,7 +20386,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -4105,7 +5330,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4105,7 +5349,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` type tmpfs_t; ') @@ -20366,7 +20395,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -4165,6 +5390,24 @@ interface(`fs_rw_tmpfs_files',` +@@ -4165,6 +5409,24 @@ interface(`fs_rw_tmpfs_files',` ######################################## ## 
@@ -20391,7 +20420,7 @@ index 8416beb..99002ca 100644 ## Read tmpfs link files. ## ## -@@ -4202,7 +5445,7 @@ interface(`fs_rw_tmpfs_chr_files',` +@@ -4202,7 +5464,7 @@ interface(`fs_rw_tmpfs_chr_files',` ######################################## ## @@ -20400,7 +20429,7 @@ index 8416beb..99002ca 100644 ## ## ## -@@ -4221,6 +5464,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4221,6 +5483,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -20461,7 +20490,7 @@ index 8416beb..99002ca 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4278,6 +5575,44 @@ interface(`fs_relabel_tmpfs_blk_file',` +@@ -4278,6 +5594,44 @@ interface(`fs_relabel_tmpfs_blk_file',` ######################################## ## @@ -20506,7 +20535,7 @@ index 8416beb..99002ca 100644 ## Read and write, create and delete generic ## files on tmpfs filesystems. ## -@@ -4297,6 +5632,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4297,6 +5651,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -20532,7 +20561,7 @@ index 8416beb..99002ca 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4407,6 +5761,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +5780,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20558,7 +20587,7 @@ index 8416beb..99002ca 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +5876,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +5895,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -20567,7 +20596,7 @@ index 8416beb..99002ca 100644 ') ######################################## -@@ -4549,7 +5924,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +5943,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -20576,7 +20605,7 @@ index 8416beb..99002ca 100644 ## Example attributes: ##

##
    -@@ -4596,6 +5971,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +5990,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -20603,7 +20632,7 @@ index 8416beb..99002ca 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6066,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6085,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -20629,7 +20658,7 @@ index 8416beb..99002ca 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6326,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20694,7 +20723,7 @@ index 8416beb..99002ca 100644 + read_files_pattern($1, efivarfs_t, efivarfs_t) +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..7e37941 100644 +index e7d1738..fc52817 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -20725,7 +20754,7 @@ index e7d1738..7e37941 100644 type bdev_t; fs_type(bdev_t) -@@ -63,16 +69,23 @@ fs_type(binfmt_misc_fs_t) +@@ -63,16 +69,28 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) @@ -20741,6 +20770,11 @@ index e7d1738..7e37941 100644 genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) -type cgroup_t; ++type cephfs_t; ++fs_type(cephfs_t) ++files_mountpoint(cephfs_t) ++genfscon ceph / gen_context(system_u:object_r:cephfs_t,s0) ++ +type cgroup_t alias cgroupfs_t; fs_type(cgroup_t) files_mountpoint(cgroup_t) 
@@ -20750,7 +20784,7 @@ index e7d1738..7e37941 100644 type configfs_t; fs_type(configfs_t) -@@ -88,6 +101,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -88,6 +106,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) @@ -20762,7 +20796,7 @@ index e7d1738..7e37941 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -96,6 +114,7 @@ type hugetlbfs_t; +@@ -96,6 +119,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -20770,7 +20804,7 @@ index e7d1738..7e37941 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -111,6 +130,12 @@ type inotifyfs_t; +@@ -111,6 +135,12 @@ type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) @@ -20783,7 +20817,7 @@ index e7d1738..7e37941 100644 type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; -@@ -118,13 +143,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -20803,7 +20837,7 @@ index e7d1738..7e37941 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,17 +180,16 @@ fs_type(spufs_t) +@@ -150,17 +185,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -20825,7 +20859,7 @@ index e7d1738..7e37941 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -172,6 +201,8 @@ type vxfs_t; +@@ -172,6 +206,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) 
@@ -20834,7 +20868,7 @@ index e7d1738..7e37941 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +213,8 @@ fs_type(tmpfs_t) +@@ -182,6 +218,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -20843,7 +20877,7 @@ index e7d1738..7e37941 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +294,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -20852,7 +20886,7 @@ index e7d1738..7e37941 100644 files_mountpoint(removable_t) # -@@ -280,6 +315,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -20860,7 +20894,7 @@ index e7d1738..7e37941 100644 ######################################## # -@@ -301,9 +337,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # @@ -36664,7 +36698,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..09abd53 100644 +index 17eda24..f09c5ae 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36962,7 +36996,7 @@ index 17eda24..09abd53 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +325,252 @@ ifdef(`distro_gentoo',` +@@ -186,29 +325,256 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` 
@@ -37016,17 +37050,20 @@ index 17eda24..09abd53 100644 +') + +optional_policy(` ++ ipa_delete_tmp(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) + iscsi_manage_lock(init_t) - ') - - optional_policy(` -- auth_rw_login_records(init_t) ++') ++ ++optional_policy(` + modutils_domtrans_insmod(init_t) + modutils_list_module_config(init_t) - ') - - optional_policy(` ++') ++ ++optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) + mta_read_config(init_t) @@ -37183,13 +37220,14 @@ index 17eda24..09abd53 100644 +optional_policy(` + lvm_rw_pipes(init_t) + lvm_read_config(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- auth_rw_login_records(init_t) + consolekit_manage_log(init_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -37197,18 +37235,18 @@ index 17eda24..09abd53 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. + # The master process of dovecot will manage this file. + dovecot_dontaudit_unlink_lib_files(initrc_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + networkmanager_stream_connect(init_t) + networkmanager_stream_connect(initrc_t) +') @@ -37224,7 +37262,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -216,7 +578,30 @@ optional_policy(` +@@ -216,7 +582,30 @@ optional_policy(` ') optional_policy(` @@ -37256,7 +37294,7 @@ index 17eda24..09abd53 100644 ') ######################################## -@@ -225,9 +610,9 @@ optional_policy(` +@@ -225,9 +614,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
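Review bot: `ipa_delete_tmp(init_t)` is the only line in this hunk that changes the resulting init.te (the remaining `+`/`-` churn re-bases which optional_policy blocks the inner patch adds versus keeps as context), and it widens PID 1's domain with no comment saying what triggers the deletion. A grant that lets init remove another service's tmp files should carry its motivation inline, e.g. `# init removes ipa tmp files on service stop — TODO confirm against the denial that motivated this`. The final optional_policy block (postfix) is cut by the hunk boundary.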
@@ -37268,7 +37306,7 @@ index 17eda24..09abd53 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +643,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +647,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37285,7 +37323,7 @@ index 17eda24..09abd53 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +668,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +672,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37328,7 +37366,7 @@ index 17eda24..09abd53 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +705,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +709,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37340,7 +37378,7 @@ index 17eda24..09abd53 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +717,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +721,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37351,7 +37389,7 @@ index 17eda24..09abd53 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +728,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +732,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -37361,7 +37399,7 @@ index 17eda24..09abd53 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +737,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +741,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37369,7 +37407,7 @@ index 17eda24..09abd53 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +744,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +748,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37377,7 +37415,7 @@ index 17eda24..09abd53 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +752,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +756,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37395,7 +37433,7 @@ index 17eda24..09abd53 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +770,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +774,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37409,7 +37447,7 @@ index 17eda24..09abd53 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +785,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +789,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -37423,7 +37461,7 @@ index 17eda24..09abd53 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +798,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +802,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37434,7 +37472,7 @@ index 17eda24..09abd53 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +811,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +815,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37442,7 +37480,7 @@ index 17eda24..09abd53 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +830,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +834,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37466,7 +37504,7 @@ index 17eda24..09abd53 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +863,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +867,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37474,7 +37512,7 @@ index 17eda24..09abd53 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +897,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +901,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37485,7 +37523,7 @@ index 17eda24..09abd53 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +921,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +925,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -37494,7 +37532,7 @@ index 17eda24..09abd53 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +936,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +940,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37502,7 +37540,7 @@ index 17eda24..09abd53 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +957,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +961,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37510,7 +37548,7 @@ index 17eda24..09abd53 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +967,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +971,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37555,7 +37593,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -559,14 +1012,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1016,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37587,7 +37625,7 @@ index 17eda24..09abd53 100644 ') ') -@@ -577,6 +1047,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1051,39 @@ ifdef(`distro_suse',` ') ') @@ -37627,7 +37665,7 @@ index 17eda24..09abd53 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1092,8 @@ optional_policy(` +@@ -589,6 +1096,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37636,7 +37674,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -610,6 +1115,7 @@ optional_policy(` +@@ -610,6 +1119,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37644,7 +37682,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -626,6 +1132,17 @@ optional_policy(` +@@ -626,6 +1136,17 @@ optional_policy(` ') optional_policy(` 
@@ -37662,7 +37700,7 @@ index 17eda24..09abd53 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1159,13 @@ optional_policy(` +@@ -642,9 +1163,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37676,7 +37714,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -657,15 +1178,11 @@ optional_policy(` +@@ -657,15 +1182,11 @@ optional_policy(` ') optional_policy(` @@ -37694,7 +37732,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -686,6 +1203,15 @@ optional_policy(` +@@ -686,6 +1207,15 @@ optional_policy(` ') optional_policy(` @@ -37710,7 +37748,7 @@ index 17eda24..09abd53 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1252,7 @@ optional_policy(` +@@ -726,6 +1256,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37718,7 +37756,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -743,7 +1270,13 @@ optional_policy(` +@@ -743,7 +1274,13 @@ optional_policy(` ') optional_policy(` @@ -37733,7 +37771,7 @@ index 17eda24..09abd53 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1299,10 @@ optional_policy(` +@@ -766,6 +1303,10 @@ optional_policy(` ') optional_policy(` @@ -37744,7 +37782,7 @@ index 17eda24..09abd53 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1312,20 @@ optional_policy(` +@@ -775,10 +1316,20 @@ optional_policy(` ') optional_policy(` @@ -37765,7 +37803,7 @@ index 17eda24..09abd53 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1334,10 @@ optional_policy(` +@@ -787,6 +1338,10 @@ optional_policy(` ') optional_policy(` @@ -37776,7 +37814,7 @@ index 17eda24..09abd53 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1359,6 @@ optional_policy(` +@@ -808,8 +1363,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -37785,7 +37823,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -818,6 +1367,10 @@ optional_policy(` +@@ -818,6 +1371,10 @@ optional_policy(` ') optional_policy(` @@ -37796,7 +37834,7 @@ index 17eda24..09abd53 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1380,12 @@ optional_policy(` +@@ -827,10 +1384,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37809,7 +37847,7 @@ index 17eda24..09abd53 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1412,62 @@ optional_policy(` +@@ -857,21 +1416,62 @@ optional_policy(` ') optional_policy(` @@ -37873,7 +37911,7 @@ index 17eda24..09abd53 100644 ') optional_policy(` -@@ -887,6 +1483,10 @@ optional_policy(` +@@ -887,6 +1487,10 @@ optional_policy(` ') optional_policy(` @@ -37884,7 +37922,7 @@ index 17eda24..09abd53 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1497,218 @@ optional_policy(` +@@ -897,3 +1501,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48133,10 +48171,10 @@ index 0000000..ebd6cc8 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f799c5b +index 0000000..0be65c0 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,929 @@ +@@ -0,0 +1,930 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -48809,6 +48847,7 @@ index 0000000..f799c5b + +kernel_dgram_send(systemd_hostnamed_t) +kernel_read_xen_state(systemd_hostnamed_t) ++kernel_read_sysctl(systemd_hostnamed_t) + +dev_write_kmsg(systemd_hostnamed_t) +dev_read_sysfs(systemd_hostnamed_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 8a3b713..596ccb2 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -12236,7 +12236,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') 
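Review bot: The added `kernel_read_sysctl(systemd_hostnamed_t)` in the systemd.te hunk (`@@ -48133,10 +48171,10 @@`) carries no comment, and nothing in the hunk says why hostnamed needs sysctl_t read access; only the spec changelog at the end of this commit explains it as "/proc/sysinfo labeled as sysctl_t". That reasoning belongs next to the rule, since `kernel_read_sysctl` covers the generic sysctl_t directory rather than one file and a later reader may assume a wider need. I would add `# /proc/sysinfo is labeled sysctl_t; hostnamed reads it for the chassis/virtualization probe — TODO confirm` above the call, hedged because the hunk does not show what hostnamed actually reads. The systemd_hostnamed_t block continues outside this hunk.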
diff --git a/certmonger.te b/certmonger.te -index 550b287..943af3b 100644 +index 550b287..ea704c2 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -12273,7 +12273,7 @@ index 550b287..943af3b 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,17 +55,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) @@ -12297,10 +12297,11 @@ index 550b287..943af3b 100644 -files_read_usr_files(certmonger_t) files_list_tmp(certmonger_t) +files_list_home(certmonger_t) ++files_dontaudit_write_etc_runtime_files(certmonger_t) fs_search_cgroup_dirs(certmonger_t) -@@ -68,18 +82,21 @@ auth_rw_cache(certmonger_t) +@@ -68,18 +83,21 @@ auth_rw_cache(certmonger_t) init_getattr_all_script_files(certmonger_t) @@ -12325,7 +12326,7 @@ index 550b287..943af3b 100644 ') optional_policy(` -@@ -92,11 +109,58 @@ optional_policy(` +@@ -92,11 +110,58 @@ optional_policy(` ') optional_policy(` @@ -25086,10 +25087,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..73d1b46 +index 0000000..aa290b1 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,196 @@ +@@ -0,0 +1,200 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25243,6 +25244,10 @@ index 0000000..73d1b46 + uuidd_stream_connect_manager(dirsrv_t) +') + ++optional_policy(` ++ systemd_manage_passwd_run(dirsrv_t) ++') ++ +######################################## +# +# dirsrv-snmp local policy @@ -29623,7 +29628,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..2812a63 100644 +index 36838c2..0a8b621 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -29669,10 +29674,12 @@ index 36838c2..2812a63 100644 ## ##
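Review bot: The new `files_dontaudit_write_etc_runtime_files(certmonger_t)` in the certmonger.te hunk silences the AVC but leaves the write denied, so if certmonger ever genuinely needs to update an etc_runtime_t file the failure disappears from audit.log instead of being fixed. Nothing in the hunk records which path certmonger tries to write or why the write is safe to drop, and the changelog entry ("Dontaudit certmonger to write to etc_runtime_t") does not either. I would add a one-line comment above it, e.g. `# certmonger attempts to write an etc_runtime_t file on startup; denial is harmless, silence the noise (record path/BZ here)`, so the dontaudit can be revisited if certmonger's behaviour changes. The certmonger_t policy block continues outside this hunk.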

    -@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false) +@@ -64,49 +71,6 @@ gen_tunable(ftpd_use_passive_mode, false) + ## + gen_tunable(ftpd_connect_all_unreserved, false) - ## - ##

    +-## +-##

    -## Determine whether ftpd can read and write -## files in user home directories. -##

    @@ -29681,10 +29688,43 @@ index 36838c2..2812a63 100644 - -## -##

    - ## Determine whether sftpd can modify - ## public files used for public file - ## transfer services. Directories/Files must -@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t) +-## Determine whether sftpd can modify +-## public files used for public file +-## transfer services. Directories/Files must +-## be labeled public_content_rw_t. +-##

    +-##
    +-gen_tunable(sftpd_anon_write, false) +- +-## +-##

    +-## Determine whether sftpd-can read and write +-## files in user home directories. +-##

    +-##
    +-gen_tunable(sftpd_enable_homedirs, false) +- +-## +-##

    +-## Determine whether sftpd-can login to +-## local users and read and write all +-## files on the system, governed by DAC. +-##

    +-##
    +-gen_tunable(sftpd_full_access, false) +- +-## +-##

    +-## Determine whether sftpd can read and write +-## files in user ssh home directories. +-##

    +-##
    +-gen_tunable(sftpd_write_ssh_home, false) +- + attribute_role ftpdctl_roles; + + type anon_sftpd_t; +@@ -124,6 +88,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -29694,7 +29734,7 @@ index 36838c2..2812a63 100644 type ftpd_keytab_t; files_type(ftpd_keytab_t) -@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; +@@ -184,6 +151,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -29704,7 +29744,7 @@ index 36838c2..2812a63 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) +@@ -198,22 +168,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; @@ -29731,7 +29771,7 @@ index 36838c2..2812a63 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -229,9 +196,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -29745,7 +29785,7 @@ index 36838c2..2812a63 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -250,7 +220,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -29753,7 +29793,7 @@ index 36838c2..2812a63 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t) +@@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
@@ -29811,7 +29851,7 @@ index 36838c2..2812a63 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',` +@@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -29861,7 +29901,7 @@ index 36838c2..2812a63 100644 corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) -@@ -363,9 +365,8 @@ optional_policy(` +@@ -363,9 +330,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -29872,7 +29912,7 @@ index 36838c2..2812a63 100644 kerberos_use(ftpd_t) ') -@@ -416,21 +417,20 @@ optional_policy(` +@@ -416,86 +382,39 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -29893,10 +29933,15 @@ index 36838c2..2812a63 100644 # -files_read_etc_files(anon_sftpd_t) - +- miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',` +-tunable_policy(`sftpd_anon_write',` +- miscfiles_manage_public_files(anon_sftpd_t) +-') +- + ######################################## + # # Sftpd local policy # 
@@ -29905,26 +29950,12 @@ index 36838c2..2812a63 100644 userdom_read_user_home_content_files(sftpd_t) userdom_read_user_home_content_symlinks(sftpd_t) +userdom_dontaudit_list_admin_dir(sftpd_t) -+ -+tunable_policy(`sftpd_full_access',` -+ allow sftpd_t self:capability { dac_override dac_read_search }; -+ fs_read_noxattr_fs_files(sftpd_t) -+ files_manage_non_security_dirs(sftpd_t) -+ files_manage_non_security_files(sftpd_t) -+') -+ -+optional_policy(` -+ tunable_policy(`sftpd_write_ssh_home',` -+ ssh_manage_home_files(sftpd_t) -+ ') -+') -+ + +-tunable_policy(`sftpd_enable_homedirs',` +- allow sftpd_t self:capability { dac_override dac_read_search }; +userdom_filetrans_home_content(sftpd_t) +userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - tunable_policy(`sftpd_enable_homedirs',` - allow sftpd_t self:capability { dac_override dac_read_search }; - userdom_manage_user_home_content_dirs(sftpd_t) userdom_manage_user_home_content_files(sftpd_t) - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) 
@@ -29934,22 +29965,35 @@ index 36838c2..2812a63 100644 -',` - userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file }) - ') +-') +- +-tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` +- fs_manage_nfs_dirs(sftpd_t) +- fs_manage_nfs_files(sftpd_t) +- fs_manage_nfs_symlinks(sftpd_t) +-') - tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',` - tunable_policy(`sftpd_full_access',` - allow sftpd_t self:capability { dac_override dac_read_search }; - fs_read_noxattr_fs_files(sftpd_t) -- files_manage_non_auth_files(sftpd_t) -+ files_manage_non_security_files(sftpd_t) - ') +-tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` +- fs_manage_cifs_dirs(sftpd_t) +- fs_manage_cifs_files(sftpd_t) +- fs_manage_cifs_symlinks(sftpd_t) +-') ++userdom_home_reader(sftpd_t) +-tunable_policy(`sftpd_anon_write',` +- miscfiles_manage_public_files(sftpd_t) +-') +- +-tunable_policy(`sftpd_full_access',` +- allow sftpd_t self:capability { dac_override dac_read_search }; +- fs_read_noxattr_fs_files(sftpd_t) +- files_manage_non_auth_files(sftpd_t) +-') +- -tunable_policy(`sftpd_write_ssh_home',` - ssh_manage_home_files(sftpd_t) -') -+userdom_home_reader(sftpd_t) - +- -tunable_policy(`use_samba_home_dirs',` - fs_list_cifs(sftpd_t) - fs_read_cifs_files(sftpd_t) @@ -36215,10 +36259,10 @@ index 0000000..2277038 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..bbd5979 +index 0000000..dc1385d --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,70 @@ +policy_module(gssproxy, 1.0.0) + +######################################## @@ -36266,6 +36310,8 @@ index 0000000..bbd5979 + +files_read_etc_files(gssproxy_t) + ++fs_getattr_all_fs(gssproxy_t) ++ +auth_use_nsswitch(gssproxy_t) + +dev_read_urand(gssproxy_t) @@ -38026,10 +38072,10 @@ index 0000000..e1ddda0 + 
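Review bot: In the ftp.te hunks `@@ -29905,26 +29950,12 @@` and `@@ -29934,22 +29965,35 @@` the `tunable_policy(`sftpd_enable_homedirs',` wrapper (and its nfs/samba variants, plus the `sftpd_full_access`, `sftpd_write_ssh_home` and `sftpd_anon_write` blocks and their `gen_tunable` declarations earlier in the file) is removed, while `userdom_manage_user_home_content_dirs(sftpd_t)` / `userdom_manage_user_home_content_files(sftpd_t)` stay in place and `userdom_home_reader(sftpd_t)` is added unconditionally. As far as the collapsed nested diff can be read, sftpd_t therefore gets write access to user home content by default rather than behind an administrator-set boolean, which is a widening of the default policy (even though dropping `sftpd_full_access` narrows it elsewhere) and is not mentioned in the spec changelog of this commit. If the intent is that sftpd always manages home directories, state it in a comment in the sftpd block, e.g. `# sftpd manages user home content unconditionally; the sftpd_* booleans were dropped`, and add a changelog line; otherwise keep `tunable_policy(`sftpd_enable_homedirs',` around the two manage calls. The sftpd_t policy block continues outside these hunks.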
diff --git a/ipa.if b/ipa.if new file mode 100644 -index 0000000..904782d +index 0000000..ee3a606 --- /dev/null +++ b/ipa.if -@@ -0,0 +1,178 @@ +@@ -0,0 +1,197 @@ +## Policy for IPA services. + +######################################## @@ -38208,12 +38254,31 @@ index 0000000..904782d + + files_pid_filetrans($1, ipa_var_run_t, file, $2) +') ++ ++######################################## ++## ++## Allow domain to manage ipa tmp files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_delete_tmp',` ++ gen_require(` ++ type ipa_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ allow $1 ipa_tmp_t:file unlink; ++') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..5fad85e +index 0000000..3ca42f7 --- /dev/null +++ b/ipa.te -@@ -0,0 +1,195 @@ +@@ -0,0 +1,199 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38393,6 +38458,10 @@ index 0000000..5fad85e +sysnet_read_config(ipa_dnskey_t) + +optional_policy(` ++ apache_search_config(ipa_dnskey_t) ++') ++ ++optional_policy(` + bind_domtrans_ndc(ipa_dnskey_t) + bind_read_dnssec_keys(ipa_dnskey_t) + bind_manage_zone(ipa_dnskey_t) @@ -63471,10 +63540,10 @@ index 0000000..08d0e79 +/var/opendnssec(/.*)? gen_context(system_u:object_r:opendnssec_var_t,s0) diff --git a/opendnssec.if b/opendnssec.if new file mode 100644 -index 0000000..fb0141d +index 0000000..eac3932 --- /dev/null +++ b/opendnssec.if -@@ -0,0 +1,206 @@ +@@ -0,0 +1,208 @@ + +## policy for opendnssec + @@ -63533,6 +63602,7 @@ index 0000000..fb0141d + ') + + files_search_etc($1) ++ allow $1 opendnssec_conf_t:dir list_dir_perms; + allow $1 opendnssec_conf_t:file read_file_perms; +') + @@ -63553,6 +63623,7 @@ index 0000000..fb0141d + ') + + files_search_etc($1) ++ allow $1 opendnssec_conf_t:dir manage_dir_perms; + allow $1 opendnssec_conf_t:file manage_file_perms; +') + @@ -96494,7 +96565,7 @@ index cd6c213..372c7bb 100644 + ') ') 
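Review bot: The new `ipa_delete_tmp` interface in the ipa.if hunk `@@ -38208,12 +38254,31 @@` is documented as "Allow domain to manage ipa tmp files" but only grants `allow $1 ipa_tmp_t:file unlink;` after `files_search_tmp($1)`, so the summary overstates the access and a caller reading only the description will expect read/write. Change the summary line to match the rule, e.g. `## Allow domain to delete ipa tmp files`. If ipa places its tmp files under an ipa_tmp_t subdirectory rather than directly in /tmp, the caller will also need search on `ipa_tmp_t:dir`, which this interface does not grant; the hunk does not show how ipa_tmp_t is used, so confirm before adding it. The interface itself is complete within the hunk.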
diff --git a/sanlock.te b/sanlock.te -index 0045465..7afb413 100644 +index 0045465..5080a66 100644 --- a/sanlock.te +++ b/sanlock.te @@ -6,25 +6,37 @@ policy_module(sanlock, 1.1.0) @@ -96581,7 +96652,7 @@ index 0045465..7afb413 100644 logging_log_filetrans(sanlock_t, sanlock_log_t, file) manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) -@@ -65,13 +84,16 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) +@@ -65,13 +84,18 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) kernel_read_system_state(sanlock_t) kernel_read_kernel_sysctls(sanlock_t) @@ -96592,6 +96663,8 @@ index 0045465..7afb413 100644 +files_read_mnt_symlinks(sanlock_t) + ++fs_rw_cephfs_files(sanlock_t) ++ storage_raw_rw_fixed_disk(sanlock_t) +dev_read_rand(sanlock_t) @@ -96601,7 +96674,7 @@ index 0045465..7afb413 100644 auth_use_nsswitch(sanlock_t) init_read_utmp(sanlock_t) -@@ -79,20 +101,29 @@ init_dontaudit_write_utmp(sanlock_t) +@@ -79,20 +103,29 @@ init_dontaudit_write_utmp(sanlock_t) logging_send_syslog_msg(sanlock_t) @@ -96640,7 +96713,7 @@ index 0045465..7afb413 100644 ') optional_policy(` -@@ -100,7 +131,34 @@ optional_policy(` +@@ -100,7 +133,34 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ab37315..f12dbb0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 192%{?dist} +Release: 193%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -647,6 +647,17 @@ exit 0 %endif %changelog +* Mon May 30 2016 Lukas Vrabec 3.13.1-193 +- Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te +- Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs +- Allow gssproxy to get attributes on all filesystem object types. BZ(1333778) +- Allow ipa_dnskey_t search httpd config files. +- Dontaudit certmonger to write to etc_runtime_t +- Update opendnssec_read_conf() interface to allow caller domain also read opendnssec_conf_t dirs. +- Add interface ipa_delete_tmp() +- Allow systemd_hostanmed_t to read /proc/sysinfo labeled as sysctl_t. +- Allow systemd to remove ipa temp files during uinstalling ipa. BZ(1333106) + * Wed May 25 2016 Lukas Vrabec 3.13.1-192 - Create new SELinux type for /usr/libexec/ipa/ipa-dnskeysyncd BZ(1333106) - Add SELinux policy for opendnssec service. BZ(1333106)