diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 8195c81..53707e1 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -205762,7 +205762,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..b8419c0 100644 +index 644d4d7..4d8e35b 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -206036,7 +206036,7 @@ index 644d4d7..b8419c0 100644 /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -332,9 +396,11 @@ ifdef(`distro_redhat', ` +@@ -332,9 +396,12 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -206045,10 +206045,11 @@ index 644d4d7..b8419c0 100644 /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/kde4/apps/kajongg/kajongg.py -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/munin/plugins/plugin\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +449,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +450,15 @@ ifdef(`distro_suse', ` # # /var # 
@@ -206065,7 +206066,7 @@ index 644d4d7..b8419c0 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +467,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +468,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -210224,7 +210225,7 @@ index 6529bd9..cfec99c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..70c5c72 100644 +index 6a1e4d1..258c7cc 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` @@ -210333,16 +210334,11 @@ index 6a1e4d1..70c5c72 100644 ## Relabel to and from all entry point ## file types. ## -@@ -1530,4 +1543,30 @@ interface(`domain_unconfined',` +@@ -1530,4 +1543,25 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; + -+ mcs_file_read_all($1) -+ mcs_file_write_all($1) -+ mcs_killall($1) -+ mcs_ptrace_all($1) -+ mcs_socket_write_all_levels($1) + mcs_process_set_categories($1) +') + @@ -211009,7 +211005,7 @@ index c2c6e05..d0e6d1c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..eaf2611 100644 +index 64ff4d7..8a9355a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ 
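Review bot: In the `domain_unconfined` tail the new patch keeps only `mcs_process_set_categories($1)` and drops the five MCS override calls the previous version granted (`mcs_file_read_all`, `mcs_file_write_all`, `mcs_killall`, `mcs_ptrace_all`, `mcs_socket_write_all_levels`). That narrows what every caller of `domain_unconfined` receives: unconfined domains become subject to MCS category checks on file access, kill, ptrace and socket writes unless those interfaces are granted elsewhere, which this hunk does not show (the domain.if index changes `6a1e4d1..258c7cc`, so another hunk in the file may do it). If the intent is that MCS bypass is now opted into per domain, a one-line comment above the remaining call, `# MCS overrides are granted per domain, not by domain_unconfined`, would keep the next reader from re-adding them. The body of `domain_unconfined` begins outside the hunk.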
@@ -211276,7 +211272,32 @@ index 64ff4d7..eaf2611 100644 ') ############################################# -@@ -1673,6 +1816,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1583,6 +1726,24 @@ interface(`files_getattr_all_mountpoints',` + + ######################################## + ## ++## List the directory of all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir list_dir_perms; ++') ++ ++######################################## ++## + ## Set the attributes of all mount points. + ## + ## +@@ -1673,6 +1834,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -211301,7 +211322,7 @@ index 64ff4d7..eaf2611 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +1852,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +1870,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -211326,7 +211347,7 @@ index 64ff4d7..eaf2611 100644 ## List the contents of the root directory. ## ## -@@ -1874,25 +2053,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2071,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -211358,7 +211379,7 @@ index 64ff4d7..eaf2611 100644 ## ## ## -@@ -1905,7 +2084,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2102,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -211367,7 +211388,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -1928,6 +2107,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2125,24 @@ interface(`files_unmount_rootfs',` ######################################## ## 
@@ -211392,7 +211413,7 @@ index 64ff4d7..eaf2611 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2824,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +2842,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -211417,7 +211438,7 @@ index 64ff4d7..eaf2611 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +2913,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +2931,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -211425,7 +211446,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -2706,7 +2922,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +2940,7 @@ interface(`files_read_etc_files',` ## ## ## 
@@ -211434,37 +211455,123 @@ index 64ff4d7..eaf2611 100644 ## ## # -@@ -2762,6 +2978,25 @@ interface(`files_manage_etc_files',` +@@ -2762,25 +2996,26 @@ interface(`files_manage_etc_files',` ######################################## ## +-## Delete system configuration files in /etc. +## Do not audit attempts to check the +## access on etc files + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_delete_etc_files',` ++interface(`files_dontaudit_access_check_etc',` + gen_require(` + type etc_t; + ') + +- delete_files_pattern($1, etc_t, etc_t) ++ dontaudit $1 etc_t:dir_file_class_set audit_access; + ') + + ######################################## + ## +-## Execute generic files in /etc. ++## Delete system configuration files in /etc. + ## + ## + ## +@@ -2788,19 +3023,17 @@ interface(`files_delete_etc_files',` + ## + ## + # +-interface(`files_exec_etc_files',` ++interface(`files_delete_etc_files',` + gen_require(` + type etc_t; + ') + +- allow $1 etc_t:dir list_dir_perms; +- read_lnk_files_pattern($1, etc_t, etc_t) +- exec_files_pattern($1, etc_t, etc_t) ++ delete_files_pattern($1, etc_t, etc_t) + ') + +-####################################### ++######################################## + ## +-## Relabel from and to generic files in /etc. ++## Remove entries from the etc directory. + ## + ## + ## +@@ -2808,18 +3041,17 @@ interface(`files_exec_etc_files',` + ## + ## + # +-interface(`files_relabel_etc_files',` ++interface(`files_delete_etc_dir_entry',` + gen_require(` + type etc_t; + ') + +- allow $1 etc_t:dir list_dir_perms; +- relabel_files_pattern($1, etc_t, etc_t) ++ allow $1 etc_t:dir del_entry_dir_perms; + ') + + ######################################## + ## +-## Read symbolic links in /etc. ++## Execute generic files in /etc. 
+ ## + ## + ## +@@ -2827,17 +3059,56 @@ interface(`files_relabel_etc_files',` + ## + ## + # +-interface(`files_read_etc_symlinks',` ++interface(`files_exec_etc_files',` + gen_require(` + type etc_t; + ') + ++ allow $1 etc_t:dir list_dir_perms; + read_lnk_files_pattern($1, etc_t, etc_t) ++ exec_files_pattern($1, etc_t, etc_t) + ') + +-######################################## ++####################################### + ## +-## Create, read, write, and delete symbolic links in /etc. ++## Relabel from and to generic files in /etc. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_access_check_etc',` ++interface(`files_relabel_etc_files',` + gen_require(` + type etc_t; + ') + -+ dontaudit $1 etc_t:dir_file_class_set audit_access; ++ allow $1 etc_t:dir list_dir_perms; ++ relabel_files_pattern($1, etc_t, etc_t) +') + +######################################## +## - ## Delete system configuration files in /etc. - ## - ## -@@ -2780,6 +3015,24 @@ interface(`files_delete_etc_files',` - - ######################################## - ## -+## Remove entries from the etc directory. ++## Read symbolic links in /etc. +## +## +## @@ -211472,20 +211579,21 @@ index 64ff4d7..eaf2611 100644 +## +## +# -+interface(`files_delete_etc_dir_entry',` ++interface(`files_read_etc_symlinks',` + gen_require(` + type etc_t; + ') + -+ allow $1 etc_t:dir del_entry_dir_perms; ++ read_lnk_files_pattern($1, etc_t, etc_t) +') + +######################################## +## - ## Execute generic files in /etc. ++## Create, read, write, and delete symbolic links in /etc. ## ## -@@ -2945,26 +3198,8 @@ interface(`files_delete_boot_flag',` + ## +@@ -2945,24 +3216,6 @@ interface(`files_delete_boot_flag',` ######################################## ## 
@@ -211507,14 +211615,10 @@ index 64ff4d7..eaf2611 100644 - -######################################## -## --## Read files in /etc that are dynamically --## created on boot, such as mtab. -+## Read files in /etc that are dynamically -+## created on boot, such as mtab. + ## Read files in /etc that are dynamically + ## created on boot, such as mtab. ## - ## - ##

-@@ -3003,9 +3238,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3256,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -211525,7 +211629,7 @@ index 64ff4d7..eaf2611 100644 ## ## ## -@@ -3013,18 +3246,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3264,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -211547,7 +211651,7 @@ index 64ff4d7..eaf2611 100644 ##
## ## -@@ -3042,6 +3274,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3292,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -211574,7 +211678,7 @@ index 64ff4d7..eaf2611 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3311,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3329,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -211582,7 +211686,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -3080,6 +3333,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3351,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -211590,7 +211694,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -3132,6 +3386,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3404,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -211616,7 +211720,7 @@ index 64ff4d7..eaf2611 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3481,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3499,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -211642,7 +211746,7 @@ index 64ff4d7..eaf2611 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3747,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3765,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## 
@@ -211668,7 +211772,7 @@ index 64ff4d7..eaf2611 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4107,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4125,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -211712,7 +211816,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -4199,6 +4528,133 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4546,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -211846,7 +211950,7 @@ index 64ff4d7..eaf2611 100644 ######################################## ## ## Allow the specified type to associate -@@ -4221,6 +4677,26 @@ interface(`files_associate_tmp',` +@@ -4221,6 +4695,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -211873,7 +211977,7 @@ index 64ff4d7..eaf2611 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +4710,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4234,17 +4728,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -211912,7 +212016,7 @@ index 64ff4d7..eaf2611 100644 ## ## # -@@ -4271,6 +4767,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +4785,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -211920,7 +212024,7 @@ index 64ff4d7..eaf2611 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +4804,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +4822,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -211928,7 +212032,7 @@ index 64ff4d7..eaf2611 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +4814,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +4832,7 @@ interface(`files_list_tmp',` ## ## ## 
@@ -211937,7 +212041,7 @@ index 64ff4d7..eaf2611 100644 ## ## # -@@ -4328,6 +4826,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +4844,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -211963,7 +212067,7 @@ index 64ff4d7..eaf2611 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +4860,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +4878,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -211971,12 +212075,18 @@ index 64ff4d7..eaf2611 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +4902,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,13 +4920,39 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. -+## + ## +-## +-## +-## Domain allowed access. +-## +-## +## +##

+## Allow shared library text relocations in tmp files. @@ -212001,149 +212111,39 @@ index 64ff4d7..eaf2611 100644 + +######################################## +##

- ## Manage temporary files and directories in /tmp. - ## - ## -@@ -4438,7 +4982,7 @@ interface(`files_rw_generic_tmp_sockets',` - - ######################################## - ## --## Set the attributes of all tmp directories. -+## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -4446,17 +4990,17 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` -+interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## List all tmp directories. -+## Relabel a file from the type used in /tmp. - ## - ## - ## -@@ -4464,59 +5008,53 @@ interface(`files_setattr_all_tmp_dirs',` - ## - ## - # --interface(`files_list_all_tmp',` -+interface(`files_relabelfrom_tmp_files',` - gen_require(` -- attribute tmpfile; -+ type tmp_t; - ') - -- allow $1 tmpfile:dir list_dir_perms; -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Relabel to and from all temporary --## directory types. -+## Set the attributes of all tmp directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_relabel_all_tmp_dirs',` -+interface(`files_setattr_all_tmp_dirs',` - gen_require(` - attribute tmpfile; -- type var_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) -+ allow $1 tmpfile:dir { search_dir_perms setattr }; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of all tmp files. -+## Allow caller to read inherited tmp files. - ## - ## - ## --## Domain not to audit. ++## Manage temporary files and directories in /tmp. ++## ++## ++## +## Domain allowed access. 
- ## - ## - # --interface(`files_dontaudit_getattr_all_tmp_files',` -+interface(`files_read_inherited_tmp_files',` - gen_require(` - attribute tmpfile; - ') - -- dontaudit $1 tmpfile:file getattr; -+ allow $1 tmpfile:file { append read_inherited_file_perms }; - ') - - ######################################## - ## --## Allow attempts to get the attributes --## of all tmp files. -+## Allow caller to append inherited tmp files. - ## - ## - ## -@@ -4524,25 +5062,121 @@ interface(`files_dontaudit_getattr_all_tmp_files',` - ## - ## ++##
++## # --interface(`files_getattr_all_tmp_files',` -+interface(`files_append_inherited_tmp_files',` + interface(`files_manage_generic_tmp_files',` gen_require(` - attribute tmpfile; - ') - -- allow $1 tmpfile:file getattr; -+ allow $1 tmpfile:file append_inherited_file_perms; - ') +@@ -4438,6 +5000,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Relabel to and from all temporary --## file types. -+## Allow caller to read and write inherited tmp files. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## Relabel a dir from the type used in /tmp. ++##
++## ++## ++## Domain allowed access. ++## ++## +# -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` -+ attribute tmpfile; ++ type tmp_t; + ') + -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) +') + +######################################## +## -+## List all tmp directories. ++## Relabel a file from the type used in /tmp. +## +## +## 
@@ -212151,59 +212151,60 @@ index 64ff4d7..eaf2611 100644 +## +## +# -+interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` -+ attribute tmpfile; ++ type tmp_t; + ') + -+ allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## -+## Relabel to and from all temporary -+## directory types. + ## Set the attributes of all tmp directories. + ## + ## +@@ -4456,6 +5054,60 @@ interface(`files_setattr_all_tmp_dirs',` + + ######################################## + ## ++## Allow caller to read inherited tmp files. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`files_relabel_all_tmp_dirs',` ++interface(`files_read_inherited_tmp_files',` + gen_require(` + attribute tmpfile; -+ type var_t; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:file { append read_inherited_file_perms }; +') + +######################################## +## -+## Do not audit attempts to get the attributes -+## of all tmp files. ++## Allow caller to append inherited tmp files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + -+ dontaudit $1 tmpfile:file getattr; ++ allow $1 tmpfile:file append_inherited_file_perms; +') + +######################################## +## -+## Allow attempts to get the attributes -+## of all tmp files. ++## Allow caller to read and write inherited tmp files. +## +## +## 
@@ -212211,29 +212212,29 @@ index 64ff4d7..eaf2611 100644 +## +## +# -+interface(`files_getattr_all_tmp_files',` ++interface(`files_rw_inherited_tmp_file',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file getattr; ++ allow $1 tmpfile:file rw_inherited_file_perms; +') + +######################################## +## -+## Relabel to and from all temporary -+## file types. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## + ## List all tmp directories. + ##
+ ## +@@ -4501,7 +5153,7 @@ interface(`files_relabel_all_tmp_dirs',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## # - interface(`files_relabel_all_tmp_files',` - gen_require(` -@@ -4561,7 +5195,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4561,7 +5213,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -212242,7 +212243,7 @@ index 64ff4d7..eaf2611 100644 ## ## # -@@ -4593,6 +5227,44 @@ interface(`files_read_all_tmp_files',` +@@ -4593,6 +5245,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -212287,7 +212288,7 @@ index 64ff4d7..eaf2611 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4646,6 +5318,16 @@ interface(`files_purge_tmp',` +@@ -4646,6 +5336,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -212304,7 +212305,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -5223,6 +5905,24 @@ interface(`files_list_var',` +@@ -5223,6 +5923,24 @@ interface(`files_list_var',` ######################################## ## @@ -212329,7 +212330,7 @@ index 64ff4d7..eaf2611 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5578,6 +6278,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5578,6 +6296,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -212355,7 +212356,7 @@ index 64ff4d7..eaf2611 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6342,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6360,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
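Review bot: `files_rw_inherited_tmp_file` is the only one of the three inherited-tmp interfaces in this hunk with a singular name; its siblings are `files_read_inherited_tmp_files` and `files_append_inherited_tmp_files`, and the `files_*_all_tmp_files` interfaces that follow are plural as well. Other modules in the patch may already call it (not visible here), so renaming needs a sweep of callers; if the name has to stay, the summary should state that it covers every tmpfile type like the siblings, e.g. `Allow caller to read and write inherited files of all tmp types.` The hunk ends inside the `gen_require` of `files_relabel_all_tmp_files`.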
@@ -212364,7 +212365,7 @@ index 64ff4d7..eaf2611 100644 ## ## ## -@@ -5631,12 +6350,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6368,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -212380,7 +212381,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -5654,6 +6374,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6392,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -212388,7 +212389,7 @@ index 64ff4d7..eaf2611 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6401,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6419,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -212416,7 +212417,7 @@ index 64ff4d7..eaf2611 100644 ## ## ## -@@ -5688,13 +6428,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6446,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -212433,7 +212434,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -5713,7 +6452,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6470,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -212442,7 +212443,7 @@ index 64ff4d7..eaf2611 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6485,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6503,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -212450,7 +212451,7 @@ index 64ff4d7..eaf2611 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5774,8 +6512,7 @@ interface(`files_getattr_generic_locks',` +@@ -5774,8 +6530,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') 
@@ -212460,7 +212461,7 @@ index 64ff4d7..eaf2611 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6528,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6546,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -212478,7 +212479,7 @@ index 64ff4d7..eaf2611 100644 ') ######################################## -@@ -5816,9 +6552,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6570,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -212489,7 +212490,7 @@ index 64ff4d7..eaf2611 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6594,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6612,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -212499,7 +212500,7 @@ index 64ff4d7..eaf2611 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6616,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6634,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -212509,7 +212510,7 @@ index 64ff4d7..eaf2611 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6653,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6671,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -212519,7 +212520,7 @@ index 64ff4d7..eaf2611 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5985,6 +6716,43 @@ interface(`files_search_pids',` +@@ -5985,6 +6734,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') 
@@ -212563,7 +212564,7 @@ index 64ff4d7..eaf2611 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6775,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6793,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -212589,7 +212590,7 @@ index 64ff4d7..eaf2611 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6122,7 +6909,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +6927,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -212597,7 +212598,7 @@ index 64ff4d7..eaf2611 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6231,55 +7017,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,46 +7035,230 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## 
@@ -212646,34 +212647,24 @@ index 64ff4d7..eaf2611 100644 - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) + allow $1 pidfile:sock_file delete_sock_file_perms; - ') - - ######################################## - ## --## Delete all process ID directories. ++') ++ ++######################################## ++## +## Create all pid sockets - ## - ## - ## -@@ -6287,25 +7061,136 @@ interface(`files_delete_all_pids',` - ## - ## - # --interface(`files_delete_all_pid_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_create_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:sock_file create_sock_file_perms; +') + 
@@ -212789,72 +212780,58 @@ index 64ff4d7..eaf2611 100644 + ') + + exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # -@@ -6314,9 +7199,7 @@ interface(`files_manage_all_pids',` - attribute pidfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++## ++## ++# ++interface(`files_manage_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ + manage_files_pattern($1,pidfile,pidfile) - ') - - ######################################## -@@ -6340,6 +7223,158 @@ interface(`files_mounton_all_poly_members',` - - ######################################## - ## -+## Delete all process IDs. ++') ++ ++######################################## ++## ++## Mount filesystems on all polyinstantiation ++## member directories. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`files_delete_all_pids',` ++interface(`files_mounton_all_poly_members',` + gen_require(` -+ attribute pidfile; -+ type var_t, var_run_t; ++ attribute polymember; + ') + -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 polymember:dir mounton; +') + +######################################## +## -+## Delete all process ID directories. ++## Delete all process IDs. +## +## +## +## Domain allowed access. 
+## +## ++## +# -+interface(`files_delete_all_pid_dirs',` ++interface(`files_delete_all_pids',` + gen_require(` + attribute pidfile; + type var_t, var_run_t; @@ -212862,11 +212839,16 @@ index 64ff4d7..eaf2611 100644 + + allow $1 var_t:dir search_dir_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## ++ allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) +@@ -6300,29 +7288,73 @@ interface(`files_delete_all_pid_dirs',` + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Make the specified type a file +## used for spool files. +## 
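Review bot: `manage_files_pattern($1,pidfile,pidfile)` in the rewritten `files_manage_all_pids` is the only pattern call in this hunk without spaces after the commas; the surrounding interfaces write `manage_files_pattern($1, pidfile, pidfile)`, and `files_delete_all_pids` just above follows that form. Its summary, `manage all pidfiles in the /var/run directory`, also reads wider than what the body grants, which is file-class management only with no dir, lnk_file or sock_file rules, so either the summary should say `Manage all pid files (file class only) under /var/run.` or the body should add the classes callers expect. The hunk ends in the middle of the summary of the interface that follows `files_delete_all_pid_dirs`.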
@@ -212916,36 +212898,47 @@ index 64ff4d7..eaf2611 100644 +######################################## +## +## Create all spool sockets -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_create_all_spool_sockets',` -+ gen_require(` + gen_require(` +- attribute pidfile; + attribute spoolfile; -+ ') -+ + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 spoolfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Delete all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6330,12 +7362,33 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_spool_sockets',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute spoolfile; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + @@ -212968,14 +212961,10 @@ index 64ff4d7..eaf2611 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+## - ## Search the contents of generic spool - ## directories (/var/spool). - ## -@@ -6562,3 +7597,459 @@ interface(`files_unconfined',` + ') + + ######################################## +@@ -6562,3 +7615,459 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -216349,10 +216338,17 @@ index 522ab32..cb9c3a2 100644 ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 54f1827..a2d5eaa 100644 +index 54f1827..409df4f 100644 --- a/policy/modules/kernel/storage.fc 
+++ b/policy/modules/kernel/storage.fc -@@ -28,7 +28,8 @@ +@@ -23,12 +23,15 @@ + /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) + /dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/infiniband/.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/infiniband/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) @@ -216362,7 +216358,7 @@ index 54f1827..a2d5eaa 100644 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -51,7 +52,7 @@ ifdef(`distro_redhat', ` +@@ -51,7 +54,7 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) @@ -216371,7 +216367,7 @@ index 54f1827..a2d5eaa 100644 /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -81,3 +82,6 @@ ifdef(`distro_redhat', ` +@@ -81,3 +84,6 @@ ifdef(`distro_redhat', ` /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) 
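Review bot: Labelling `/dev/infiniband/.*` as fixed_disk_device_t at mls_systemhigh means every domain that already holds raw fixed-disk access (for example lvm_t via `storage_manage_fixed_disk(lvm_t)` later in this patch) silently gains these nodes, and any RDMA consumer must be handed disk privileges to open them. If these are the user-verbs/umad character devices rather than storage (not confirmable from this hunk), a dedicated device type with its own interface would be the least-privilege choice; at minimum the second `-b` entry looks unneeded unless a block node is known to appear under /dev/infiniband. A comment above the two lines explaining why a disk label was chosen, e.g. `# InfiniBand nodes: no dedicated type yet, treated as raw storage for now`, would keep the next reviewer from assuming it is intentional hardening.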
@@ -217736,10 +217732,10 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..d98e924 100644 +index 5da7870..b66bc2a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1) +@@ -8,12 +8,67 @@ policy_module(staff, 2.3.1) role staff_r; userdom_unpriv_user_template(staff) @@ -217801,14 +217797,13 @@ index 5da7870..d98e924 100644 +') + +optional_policy(` -+ accountsd_dbus_chat(staff_t) + accountsd_read_lib_files(staff_t) +') + optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +79,102 @@ optional_policy(` +@@ -23,11 +78,102 @@ optional_policy(` ') optional_policy(` @@ -217912,7 +217907,7 @@ index 5da7870..d98e924 100644 ') optional_policy(` -@@ -35,15 +182,31 @@ optional_policy(` +@@ -35,15 +181,31 @@ optional_policy(` ') optional_policy(` @@ -217946,7 +217941,7 @@ index 5da7870..d98e924 100644 ') optional_policy(` -@@ -52,10 +215,55 @@ optional_policy(` +@@ -52,10 +214,55 @@ optional_policy(` ') optional_policy(` @@ -218002,7 +217997,7 @@ index 5da7870..d98e924 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +273,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +272,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -218013,7 +218008,7 @@ index 5da7870..d98e924 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +282,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +281,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -218024,7 +218019,7 @@ index 5da7870..d98e924 100644 ') optional_policy(` -@@ -101,10 +301,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +300,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -218035,7 +218030,7 @@ index 5da7870..d98e924 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +321,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +320,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -218046,7 +218041,7 @@ index 5da7870..d98e924 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +333,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +332,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -218057,7 +218052,7 @@ index 5da7870..d98e924 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +364,20 @@ ifndef(`distro_redhat',` +@@ -176,3 +363,20 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -219324,10 +219319,10 @@ index 0000000..bac0dc0 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..1c11aac +index 0000000..699d0dd --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,369 @@ +@@ -0,0 +1,336 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -219472,10 +219467,6 @@ index 0000000..1c11aac + ') + + optional_policy(` -+ policykit_role(unconfined_r, unconfined_t) -+ ') -+ -+ optional_policy(` + rtkit_scheduled(unconfined_t) + ') + @@ -219498,16 +219489,11 @@ index 0000000..1c11aac + ') + + optional_policy(` -+ shutdown_run(unconfined_t, unconfined_r) -+ ') -+ -+ optional_policy(` + gen_require(` + type user_tmpfs_t; + ') + + xserver_rw_session(unconfined_t, user_tmpfs_t) -+ xserver_run_xauth(unconfined_t, unconfined_r) + xserver_dbus_chat_xdm(unconfined_t) + ') +') @@ -219522,14 +219508,6 @@ index 0000000..1c11aac +') + +optional_policy(` -+ apache_run_helper(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` -+ bind_run_ndc(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + chrome_role_notrans(unconfined_r, unconfined_t) + + tunable_policy(`unconfined_chrome_sandbox_transition',` @@ -219613,10 +219591,6 @@ index 0000000..1c11aac +') + +optional_policy(` -+ ftp_run_ftpdctl(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + gpsd_run(unconfined_t, unconfined_r) +') + 
@@ -219628,19 +219602,11 @@ index 0000000..1c11aac + livecd_run(unconfined_t, unconfined_r) +') + -+optional_policy(` -+ lpd_run_checkpc(unconfined_t, unconfined_r) -+') -+ +#optional_policy(` +# mock_role(unconfined_r, unconfined_t) +#') + +optional_policy(` -+ modutils_run_update_mods(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + mozilla_role_plugin(unconfined_r) + + tunable_policy(`unconfined_mozilla_plugin_transition', ` @@ -219653,10 +219619,6 @@ index 0000000..1c11aac +') + +optional_policy(` -+ portmap_run_helper(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) @@ -230816,7 +230778,7 @@ index 39ea221..4dd92d4 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..c11d48b 100644 +index 879bb1e..e2a9f15 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,28 +23,34 @@ ifdef(`distro_gentoo',` @@ -230927,10 +230889,11 @@ index 879bb1e..c11d48b 100644 # # /var -@@ -97,5 +164,7 @@ ifdef(`distro_gentoo',` +@@ -97,5 +164,8 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) ++/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) @@ -231035,7 +230998,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') 
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..7622d77 100644 +index e8c59a5..ea56d23 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -231113,7 +231076,7 @@ index e8c59a5..7622d77 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -191,6 +200,7 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) +@@ -191,10 +200,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t) can_exec(lvm_t, lvm_exec_t) # Creating lock files @@ -231121,7 +231084,12 @@ index e8c59a5..7622d77 100644 manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t) create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t) files_lock_filetrans(lvm_t, lvm_lock_t, file) -@@ -202,8 +212,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) + files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm") ++files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid") + + manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) + manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) +@@ -202,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) @@ -231132,7 +231100,7 @@ index e8c59a5..7622d77 100644 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +231,7 @@ kernel_read_kernel_sysctls(lvm_t) +@@ -220,6 +232,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) 
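Review bot: The new `files_lock_filetrans(lvm_t, lvm_lock_t, dir, "dmraid")` only takes effect if dmraid actually executes in lvm_t, which this hunk cannot confirm (the labelling of the dmraid binary is outside it); if it runs under another domain, a `/var/lock/dmraid` created at runtime keeps the generic lock type and only the matching `/var/lock/dmraid(/.*)?` entry added to lvm.fc in this commit repairs it on relabel. A one-line comment tying the two together would help, e.g. `# dmraid lock directory; matched by the /var/lock/dmraid entry in lvm.fc`. The surrounding lvm_t block extends beyond the hunk.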
@@ -231140,7 +231108,7 @@ index e8c59a5..7622d77 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +242,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -231155,7 +231123,7 @@ index e8c59a5..7622d77 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +260,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -231163,7 +231131,7 @@ index e8c59a5..7622d77 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +270,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -231186,7 +231154,7 @@ index e8c59a5..7622d77 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +304,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -231195,7 +231163,7 @@ index e8c59a5..7622d77 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +312,20 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -231217,7 +231185,7 @@ index e8c59a5..7622d77 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +337,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +338,11 @@ ifdef(`distro_redhat',` ') optional_policy(` 
@@ -231229,7 +231197,7 @@ index e8c59a5..7622d77 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +362,26 @@ optional_policy(` +@@ -333,14 +363,26 @@ optional_policy(` ') optional_policy(` @@ -235870,10 +235838,10 @@ index 0000000..a4b0917 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..c0a85ab +index 0000000..6c712b8 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,624 @@ +@@ -0,0 +1,618 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -235885,11 +235853,11 @@ index 0000000..c0a85ab +attribute systemd_domain; +attribute systemctl_domain; + -+type systemd_logger_t; ++type systemd_logger_t, systemd_domain; +type systemd_logger_exec_t; +init_daemon_domain(systemd_logger_t, systemd_logger_exec_t) + -+type systemd_logind_t; ++type systemd_logind_t, systemd_domain; +type systemd_logind_exec_t; +init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) + @@ -235913,7 +235881,7 @@ index 0000000..c0a85ab +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components + -+type systemd_passwd_agent_t; ++type systemd_passwd_agent_t, systemd_domain; +type systemd_passwd_agent_exec_t; +init_daemon_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) + @@ -235921,11 +235889,11 @@ index 0000000..c0a85ab +files_pid_file(systemd_passwd_var_run_t) + +# domain for systemd-tmpfiles component -+type systemd_tmpfiles_t; ++type systemd_tmpfiles_t, systemd_domain; +type systemd_tmpfiles_exec_t; +init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t) + -+type systemd_notify_t; ++type systemd_notify_t, systemd_domain; +type systemd_notify_exec_t; +init_daemon_domain(systemd_notify_t, systemd_notify_exec_t) + 
@@ -235940,19 +235908,21 @@ index 0000000..c0a85ab +type systemd_systemctl_exec_t; +corecmd_executable_file(systemd_systemctl_exec_t) + -+type systemd_localed_t; ++type systemd_localed_t, systemd_domain; +type systemd_localed_exec_t; +init_daemon_domain(systemd_localed_t, systemd_localed_exec_t) + -+type systemd_hostnamed_t; ++type systemd_hostnamed_t, systemd_domain; +type systemd_hostnamed_exec_t; +init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t) + -+type systemd_timedated_t alias gnomeclock_t; ++type systemd_timedated_t, systemd_domain; +type systemd_timedated_exec_t; +init_daemon_domain(systemd_timedated_t, systemd_timedated_exec_t) ++typeattribute systemd_timedated_t systemd_domain; ++typealias systemd_timedated_t alias gnomeclock_t; + -+type systemd_sysctl_t; ++type systemd_sysctl_t, systemd_domain; +type systemd_sysctl_exec_t; +init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t) + @@ -235963,7 +235933,7 @@ index 0000000..c0a85ab + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config }; -+allow systemd_logind_t self:process { getcap }; ++allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; + @@ -236008,7 +235978,6 @@ index 0000000..c0a85ab + +# /etc/udev/udev.conf should probably have a private type if only for confined administration +# /etc/nsswitch.conf -+files_read_etc_files(systemd_logind_t) + +# /sys/fs/cgroup/systemd/user +fs_manage_cgroup_dirs(systemd_logind_t) @@ -236049,7 +236018,6 @@ index 0000000..c0a85ab +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) -+logging_stream_connect_syslog(systemd_logind_t) + +udev_read_db(systemd_logind_t) +udev_manage_rules_files(systemd_logind_t) 
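Review bot: In the `systemd_timedated_t` declaration the added `typeattribute systemd_timedated_t systemd_domain;` is redundant with the `, systemd_domain` already present on `type systemd_timedated_t, systemd_domain;` two lines above, and it makes this the only domain in the file that joins the attribute twice; drop the `typeattribute` line and keep `typealias systemd_timedated_t alias gnomeclock_t;`. A comment on the alias, e.g. `# gnomeclock_t kept as an alias for policy still referencing the old name`, would also explain why this declaration differs from its neighbours. The enclosing file continues outside the hunk.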
@@ -236115,8 +236083,6 @@ index 0000000..c0a85ab + +kernel_stream_connect(systemd_passwd_agent_t) + -+files_read_etc_files(systemd_passwd_agent_t) -+ +dev_create_generic_dirs(systemd_passwd_agent_t) +dev_read_generic_files(systemd_passwd_agent_t) +dev_write_generic_sock_files(systemd_passwd_agent_t) @@ -236131,7 +236097,6 @@ index 0000000..c0a85ab +init_stream_connect(systemd_passwd_agent_t) + +logging_send_syslog_msg(systemd_passwd_agent_t) -+logging_stream_connect_syslog(systemd_passwd_agent_t) + +userdom_use_user_ptys(systemd_passwd_agent_t) +userdom_use_inherited_user_ttys(systemd_passwd_agent_t) @@ -236172,7 +236137,6 @@ index 0000000..c0a85ab +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t) +fs_list_all(systemd_tmpfiles_t) + -+files_read_etc_files(systemd_tmpfiles_t) +files_getattr_all_dirs(systemd_tmpfiles_t) +files_getattr_all_files(systemd_tmpfiles_t) +files_getattr_all_sockets(systemd_tmpfiles_t) @@ -236217,7 +236181,6 @@ index 0000000..c0a85ab + +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) -+logging_stream_connect_syslog(systemd_tmpfiles_t) + +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) @@ -236287,9 +236250,6 @@ index 0000000..c0a85ab + +domain_use_interactive_fds(systemd_notify_t) + -+files_read_etc_files(systemd_notify_t) -+files_read_usr_files(systemd_notify_t) -+ +fs_getattr_cgroup_files(systemd_notify_t) + +auth_use_nsswitch(systemd_notify_t) @@ -236317,9 +236277,6 @@ index 0000000..c0a85ab + +domain_use_interactive_fds(systemd_logger_t) + -+files_read_etc_files(systemd_logger_t) -+files_read_usr_files(systemd_logger_t) -+ +# only needs write +term_use_generic_ptys(systemd_logger_t) + @@ -236329,7 +236286,6 @@ index 0000000..c0a85ab +init_write_pid_socket(systemd_logger_t) + +logging_send_syslog_msg(systemd_logger_t) -+logging_stream_connect_syslog(systemd_logger_t) + +######################################## +# 
@@ -236355,6 +236311,9 @@ index 0000000..c0a85ab +allow systemd_localed_t self:process setfscreate; +allow systemd_localed_t self:fifo_file rw_fifo_file_perms; +allow systemd_localed_t self:unix_stream_socket create_stream_socket_perms; ++allow systemd_localed_t self:unix_dgram_socket create_socket_perms; ++ ++dev_write_kmsg(systemd_localed_t) + +seutil_read_config(systemd_localed_t) +seutil_read_file_contexts(systemd_localed_t) @@ -236386,8 +236345,6 @@ index 0000000..c0a85ab +init_read_state(systemd_hostnamed_t) +init_stream_connect(systemd_hostnamed_t) + -+logging_stream_connect_syslog(systemd_hostnamed_t) -+ +optional_policy(` + dbus_system_bus_client(systemd_hostnamed_t) + dbus_connect_system_bus(systemd_hostnamed_t) @@ -236416,8 +236373,6 @@ index 0000000..c0a85ab +dev_write_kmsg(systemd_timedated_t) +dev_read_sysfs(systemd_timedated_t) + -+files_read_etc_runtime_files(systemd_timedated_t) -+ +fs_getattr_xattr_fs(systemd_timedated_t) + +auth_use_nsswitch(systemd_timedated_t) @@ -236425,7 +236380,6 @@ index 0000000..c0a85ab +init_dbus_chat(systemd_timedated_t) +init_status(systemd_timedated_t) + -+logging_stream_connect_syslog(systemd_timedated_t) +logging_send_syslog_msg(systemd_timedated_t) + +miscfiles_manage_localization(systemd_timedated_t) @@ -236493,11 +236447,19 @@ index 0000000..c0a85ab + +domain_use_interactive_fds(systemd_sysctl_t) + -+files_read_etc_files(systemd_sysctl_t) -+ +init_stream_connect(systemd_sysctl_t) + -+logging_stream_connect_syslog(systemd_sysctl_t) ++######################################## ++# ++# Common rules for systemd domains ++# ++ ++files_read_etc_files(systemd_domain) ++files_read_etc_runtime_files(systemd_domain) ++files_read_usr_files(systemd_domain) ++ ++logging_stream_connect_syslog(systemd_domain) ++ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc 
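Review bot: The new `Common rules for systemd domains` block grants `files_read_etc_runtime_files(systemd_domain)` and `files_read_usr_files(systemd_domain)` to every attribute member, but the per-domain lines it replaces show that logind, passwd_agent, tmpfiles, sysctl had only `files_read_etc_files`, only timedated had the etc-runtime read and only notify/logger had the /usr read, so this is a net widening rather than a pure consolidation. Reading /etc runtime files and /usr is low risk, but it should be deliberate: either keep the two extra calls only on the domains that need them, or record the intent above the block, e.g. `# consolidated: every systemd_domain may read /etc, /etc runtime files and /usr (wider than the former per-domain grants)`. The block is complete within the hunk.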
@@ -237869,7 +237831,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..a598a86 100644 +index 3c5dba7..4efa151 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -238950,7 +238912,7 @@ index 3c5dba7..a598a86 100644 ############################## # # Local policy -@@ -908,41 +1120,91 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1120,97 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -238973,6 +238935,8 @@ index 3c5dba7..a598a86 100644 + + libs_dontaudit_setattr_lib_files($1_usertype) + ++ init_read_state($1_usertype) ++ + tunable_policy(`selinuxuser_rw_noexattrfile',` + dev_rw_usbfs($1_t) + dev_rw_generic_usb_dev($1_usertype) @@ -239028,6 +238992,10 @@ index 3c5dba7..a598a86 100644 + ') + + optional_policy(` ++ accountsd_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') @@ -239055,7 +239023,7 @@ index 3c5dba7..a598a86 100644 ') optional_policy(` -@@ -951,12 +1213,30 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1219,30 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -239087,7 +239055,7 @@ index 3c5dba7..a598a86 100644 ') ####################################### -@@ -990,27 +1270,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1276,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -239125,7 +239093,7 @@ index 3c5dba7..a598a86 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1307,57 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1313,57 @@ template(`userdom_unpriv_user_template', ` ') ') 
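Review bot: `accountsd_dbus_chat($1_usertype)` is added inside `userdom_restricted_xwindows_user_template`, so it is granted to every user type built on that template rather than only to staff_t, where the same call is removed earlier in this patch (staff.te); if guest-style restricted X logins are also built from this template (not visible here), they can now talk to accounts-daemon over the system bus. accounts-daemon performs its own polkit authorisation, so the exposure is the D-Bus API surface rather than direct account changes, but the widening should be intentional and documented, e.g. `# all X users may chat with accountsd (greeter/user-accounts integration); authorisation is enforced by accountsd via polkit`. The template body continues outside the hunk.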
@@ -239170,11 +239138,9 @@ index 3c5dba7..a598a86 100644 + optional_policy(` + systemd_dbus_chat_timedated($1_t) + systemd_dbus_chat_hostnamed($1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + gpm_stream_connect($1_usertype) + ') + @@ -239185,15 +239151,17 @@ index 3c5dba7..a598a86 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1366,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -239204,7 +239172,7 @@ index 3c5dba7..a598a86 100644 ') ') -@@ -1082,7 +1404,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -239213,7 +239181,7 @@ index 3c5dba7..a598a86 100644 ') ############################## -@@ -1109,6 +1431,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -239221,7 +239189,7 @@ index 3c5dba7..a598a86 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1440,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -239231,7 +239199,7 @@ index 3c5dba7..a598a86 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1457,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -239239,7 +239207,7 @@ index 3c5dba7..a598a86 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1475,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -239254,7 +239222,7 @@ index 3c5dba7..a598a86 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1493,38 @@ template(`userdom_admin_user_template',` +@@ -1162,30 +1499,39 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -239290,14 +239258,16 @@ index 3c5dba7..a598a86 100644 logging_send_syslog_msg($1_t) - modutils_domtrans_insmod($1_t) +- + optional_policy(` + modutils_domtrans_insmod($1_t) + modutils_domtrans_depmod($1_t) + ') - ++ # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1534,8 @@ template(`userdom_admin_user_template',` + # cannot directly manipulate policy files with arbitrary programs. +@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) 
@@ -239306,7 +239276,7 @@ index 3c5dba7..a598a86 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1543,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -239325,7 +239295,7 @@ index 3c5dba7..a598a86 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1599,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -239334,7 +239304,7 @@ index 3c5dba7..a598a86 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1613,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -239346,7 +239316,7 @@ index 3c5dba7..a598a86 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1627,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -239389,7 +239359,7 @@ index 3c5dba7..a598a86 100644 ') optional_policy(` -@@ -1360,14 +1712,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -239408,7 +239378,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -1408,6 +1763,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## 
@@ -239460,7 +239430,7 @@ index 3c5dba7..a598a86 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1912,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -239492,7 +239462,7 @@ index 3c5dba7..a598a86 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1978,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -239507,7 +239477,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -1573,9 +2001,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -239519,7 +239489,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -1632,6 +2062,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -239562,7 +239532,7 @@ index 3c5dba7..a598a86 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2177,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -239571,7 +239541,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -1744,10 +2212,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -239586,7 +239556,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -1772,7 +2242,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2248,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -239595,7 +239565,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -1780,19 +2250,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1780,19 +2256,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -239619,7 +239589,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -1800,31 +2268,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1800,31 +2274,31 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -239659,7 +239629,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -1848,6 +2316,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2322,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -239685,7 +239655,7 @@ index 3c5dba7..a598a86 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2365,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2371,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -239723,7 +239693,7 @@ index 3c5dba7..a598a86 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2405,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2411,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -239741,7 +239711,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -1941,7 +2453,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2459,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -239768,7 +239738,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -1951,17 +2481,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2487,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -239789,7 +239759,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -1969,12 +2497,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2503,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -239840,7 +239810,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -2010,8 +2574,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2580,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -239850,7 +239820,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -2027,20 +2590,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2596,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -239875,7 +239845,7 @@ index 3c5dba7..a598a86 100644 ######################################## ## -@@ -2123,7 +2680,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2686,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
@@ -239884,7 +239854,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -2131,19 +2688,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2694,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -239908,7 +239878,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -2151,12 +2706,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2712,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -239924,7 +239894,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -2393,11 +2948,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2954,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -239939,7 +239909,7 @@ index 3c5dba7..a598a86 100644 files_search_tmp($1) ') -@@ -2417,7 +2972,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +2978,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -239948,7 +239918,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -2664,6 +3219,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3225,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -239974,7 +239944,7 @@ index 3c5dba7..a598a86 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3254,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3260,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -239990,7 +239960,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -2707,7 +3282,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3288,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -239999,7 +239969,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -2715,14 +3290,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,19 +3296,17 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -240013,28 +239983,61 @@ index 3c5dba7..a598a86 100644 - allow $1 user_tmpfs_t:dir list_dir_perms; - fs_search_tmpfs($1) + allow $1 user_tmpfs_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of a user domain tty. +## Execute user tmpfs files. -+## -+## -+## + ## + ## + ## +@@ -2735,21 +3314,39 @@ interface(`userdom_manage_user_tmpfs_files',` + ## + ## + # +-interface(`userdom_getattr_user_ttys',` ++interface(`userdom_execute_user_tmpfs_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmpfs_t; + ') + +- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; ++ allow $1 user_tmpfs_t:file execute; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of a user domain tty. ++## Get the attributes of a user domain tty. + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. +## +## +# -+interface(`userdom_execute_user_tmpfs_files',` ++interface(`userdom_getattr_user_ttys',` + gen_require(` -+ type user_tmpfs_t; ++ type user_tty_device_t; + ') + -+ allow $1 user_tmpfs_t:file execute; - ') - - ######################################## -@@ -2817,6 +3408,24 @@ interface(`userdom_use_user_ttys',` ++ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes of a user domain tty. ++## ++## ++## ++## Domain to not audit. + ## + ## + # +@@ -2817,6 +3414,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
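Review bot: The re-added `userdom_execute_user_tmpfs_files` body grants only `allow $1 user_tmpfs_t:file execute;`, which covers mapping an already-opened user tmpfs file with PROT_EXEC but not execve (that additionally needs `execute_no_trans` or a domain transition), so the summary `Execute user tmpfs files.` promises more than callers receive. Callers of this interface will usually also hold write access to `user_tmpfs_t` through the neighbouring rw/manage interfaces, so the pair amounts to a writable-and-executable memory-backed file, which is worth stating where the permission is defined. Suggested header: `## Allow mmap(PROT_EXEC) of user tmpfs files; a deliberate W^X exception that does not permit execve.`. The remaining lines of the hunk only move the tty getattr interfaces back into place and need nothing further.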
@@ -240059,7 +240062,7 @@ index 3c5dba7..a598a86 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3444,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3450,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -240102,7 +240105,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -2859,14 +3480,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3486,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -240140,7 +240143,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -2885,8 +3525,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3531,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -240170,7 +240173,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -2958,69 +3617,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3623,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -240271,7 +240274,7 @@ index 3c5dba7..a598a86 100644 ## ## ## -@@ -3028,12 +3686,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3692,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -240286,7 +240289,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -3097,7 +3755,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3761,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -240295,7 +240298,7 @@ index 3c5dba7..a598a86 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3771,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3777,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -240329,7 +240332,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -3217,7 +3859,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3865,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -240338,7 +240341,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -3272,7 +3914,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3920,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -240404,7 +240407,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -3290,7 +3989,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +3995,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -240413,7 +240416,7 @@ index 3c5dba7..a598a86 100644 ') ######################################## -@@ -3309,6 +4008,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4014,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -240421,7 +240424,7 @@ index 3c5dba7..a598a86 100644 kernel_search_proc($1) ') -@@ -3385,6 +4085,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4091,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -240464,7 +240467,7 @@ index 3c5dba7..a598a86 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4141,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4147,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -240489,7 +240492,7 @@ index 3c5dba7..a598a86 100644 ## Create keys for all user domains. ## ## -@@ -3439,3 +4193,1365 @@ interface(`userdom_dbus_send_all_users',` +@@ -3439,3 +4199,1365 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') 
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 1726b5d..0c8a316 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10067,7 +10067,7 @@ index 0000000..efebae7 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..11c8537 +index 0000000..45057f8 --- /dev/null +++ b/chrome.te @@ -0,0 +1,200 @@ @@ -10257,7 +10257,7 @@ index 0000000..11c8537 + +dev_read_urand(chrome_sandbox_nacl_t) +dev_read_sysfs(chrome_sandbox_nacl_t) -+ ++dev_rwx_zero(chrome_sandbox_nacl_t) + +init_read_state(chrome_sandbox_nacl_t) + @@ -12270,7 +12270,7 @@ index 3fe3cb8..684b700 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..a7aaf98 100644 +index 3f2b672..22ddc47 100644 --- a/condor.te +++ b/condor.te @@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) @@ -12309,18 +12309,18 @@ index 3f2b672..a7aaf98 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,10 +107,6 @@ dev_read_rand(condor_domain) +@@ -106,9 +107,7 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) -logging_send_syslog_msg(condor_domain) - -miscfiles_read_localization(condor_domain) -- ++auth_read_passwd(condor_domain) + tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) - corenet_tcp_connect_all_ports(condor_domain) -@@ -150,8 +147,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) +@@ -150,8 +149,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) domain_read_all_domains_state(condor_master_t) 
@@ -12329,7 +12329,7 @@ index 3f2b672..a7aaf98 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -178,6 +173,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +175,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -12338,7 +12338,7 @@ index 3f2b672..a7aaf98 100644 ###################################### # # Procd local policy -@@ -209,6 +206,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +208,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -12347,7 +12347,7 @@ index 3f2b672..a7aaf98 100644 ##################################### # # Startd local policy -@@ -233,11 +232,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +234,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -12360,7 +12360,7 @@ index 3f2b672..a7aaf98 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +247,7 @@ optional_policy(` +@@ -249,3 +249,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -20080,7 +20080,7 @@ index 19aa0b8..b303b37 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..12a8962 100644 +index ba14bcf..07bcb8e 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) 
@@ -20093,15 +20093,18 @@ index ba14bcf..12a8962 100644 ######################################## # # Local policy -@@ -56,7 +59,6 @@ kernel_read_network_state(dnsmasq_t) +@@ -56,7 +59,9 @@ kernel_read_network_state(dnsmasq_t) kernel_read_system_state(dnsmasq_t) kernel_request_load_module(dnsmasq_t) -corenet_all_recvfrom_unlabeled(dnsmasq_t) ++corecmd_exec_bin(dnsmasq_t) ++corecmd_exec_shell(dnsmasq_t) ++ corenet_all_recvfrom_netlabel(dnsmasq_t) corenet_tcp_sendrecv_generic_if(dnsmasq_t) corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -88,8 +90,6 @@ auth_use_nsswitch(dnsmasq_t) +@@ -88,8 +93,6 @@ auth_use_nsswitch(dnsmasq_t) logging_send_syslog_msg(dnsmasq_t) @@ -20110,7 +20113,7 @@ index ba14bcf..12a8962 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,11 +98,20 @@ optional_policy(` +@@ -98,12 +101,21 @@ optional_policy(` ') optional_policy(` @@ -20123,15 +20126,17 @@ index ba14bcf..12a8962 100644 ') optional_policy(` +- networkmanager_read_pid_files(dnsmasq_t) + dnsmasq_domtrans(dnsmasq_t) +') + +optional_policy(` + networkmanager_read_conf(dnsmasq_t) - networkmanager_read_pid_files(dnsmasq_t) ++ networkmanager_manage_pid_files(dnsmasq_t) ') -@@ -124,6 +133,7 @@ optional_policy(` + optional_policy(` +@@ -124,6 +136,7 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -23523,7 +23528,7 @@ index e0a4f46..70277e8 100644 +') diff --git a/glusterd.fc b/glusterd.fc new file mode 100644 -index 0000000..4bd6ade +index 0000000..9614520 --- /dev/null +++ b/glusterd.fc @@ -0,0 +1,16 @@ @@ -23537,7 +23542,7 @@ index 0000000..4bd6ade + +/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) + -+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) ++/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0) + +/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) + 
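Review bot: `corecmd_exec_bin(dnsmasq_t)` and `corecmd_exec_shell(dnsmasq_t)` are added unconditionally, giving a network-facing DNS/DHCP daemon the right to run any `bin_t` or shell binary at all times, although dnsmasq only needs this when a helper option such as `--dhcp-script` is configured. A boolean (name constructed, e.g. `dnsmasq_exec_scripts`) wrapping the two lines in `tunable_policy` would keep the default domain tight, and at minimum a comment naming the option that requires it should sit above them, e.g. `# needed only for --dhcp-script helpers`. The dnsmasq_t local policy block these lines sit in continues outside this hunk.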
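Review bot: Swapping `networkmanager_read_pid_files(dnsmasq_t)` for `networkmanager_manage_pid_files(dnsmasq_t)` lets dnsmasq create, write and unlink every `NetworkManager_var_run_t` file, not just its own; the file contexts on this page label `/var/run/wpa_supplicant(/.*)?` with that same type, so a compromised dnsmasq could also tamper with wpa_supplicant's runtime files. If dnsmasq only needs to write a pid or lease file under NetworkManager's run directory, a dedicated type with a name-based file transition (or a read/write-only interface) would bound the access to those files. A short comment on the new line stating which files dnsmasq writes there would make the intent reviewable either way.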
@@ -23701,10 +23706,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..8f595f8 +index 0000000..6704414 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,102 @@ +@@ -0,0 +1,104 @@ +policy_module(glusterfs, 1.0.1) + +######################################## @@ -23802,6 +23807,8 @@ index 0000000..8f595f8 + +auth_use_nsswitch(glusterd_t) + ++fs_getattr_all_fs(glusterd_t) ++ +logging_send_syslog_msg(glusterd_t) + +miscfiles_read_localization(glusterd_t) @@ -34906,10 +34913,10 @@ index 0000000..8d0e473 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/mock.if b/mock.if new file mode 100644 -index 0000000..7f6f2d6 +index 0000000..1446e6a --- /dev/null +++ b/mock.if -@@ -0,0 +1,307 @@ +@@ -0,0 +1,303 @@ +## policy for mock + +######################################## @@ -35125,10 +35132,6 @@ index 0000000..7f6f2d6 + mock_domtrans($1) + role $2 types mock_t; + role $2 types mock_build_t; -+ -+ optional_policy(` -+ mount_run(mock_t, $2) -+ ') +') + +######################################## @@ -35600,10 +35603,10 @@ index 4462c0e..84944d1 100644 userdom_dontaudit_use_unpriv_user_fds(monopd_t) diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..ce28024 100644 +index 6ffaba2..379066c 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,60 @@ +@@ -1,38 +1,61 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) 
@@ -35632,6 +35635,7 @@ index 6ffaba2..ce28024 100644 +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -35699,7 +35703,7 @@ index 6ffaba2..ce28024 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..60bb004 100644 +index 6194b80..97b8462 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -36320,7 +36324,7 @@ index 6194b80..60bb004 100644 ## ## ## -@@ -530,45 +430,47 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +430,48 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -36390,10 +36394,11 @@ index 6194b80..60bb004 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc") ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..046b1af 100644 +index 6a306ee..de62123 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -36826,7 +36831,7 @@ index 6a306ee..046b1af 100644 ') optional_policy(` -@@ -300,63 +316,54 @@ optional_policy(` +@@ -300,221 +316,171 @@ optional_policy(` ######################################## # 
@@ -36920,7 +36925,10 @@ index 6a306ee..046b1af 100644 kernel_read_all_sysctls(mozilla_plugin_t) kernel_read_system_state(mozilla_plugin_t) -@@ -366,155 +373,113 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t) + kernel_read_network_state(mozilla_plugin_t) + kernel_request_load_module(mozilla_plugin_t) + kernel_dontaudit_getattr_core_if(mozilla_plugin_t) ++files_dontaudit_read_root_files(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -37138,7 +37146,7 @@ index 6a306ee..046b1af 100644 ') optional_policy(` -@@ -523,36 +488,43 @@ optional_policy(` +@@ -523,36 +489,43 @@ optional_policy(` ') optional_policy(` @@ -37196,7 +37204,7 @@ index 6a306ee..046b1af 100644 ') optional_policy(` -@@ -560,7 +532,7 @@ optional_policy(` +@@ -560,7 +533,7 @@ optional_policy(` ') optional_policy(` @@ -37205,7 +37213,7 @@ index 6a306ee..046b1af 100644 ') optional_policy(` -@@ -568,108 +540,108 @@ optional_policy(` +@@ -568,108 +541,108 @@ optional_policy(` ') optional_policy(` @@ -41733,7 +41741,7 @@ index a1fb3c3..8fe1d63 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..163b870 100644 +index 0e8508c..b9c69d2 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ 
@@ -41896,39 +41904,52 @@ index 0e8508c..163b870 100644 ## ## ## -@@ -171,29 +218,28 @@ interface(`networkmanager_read_lib_files',` +@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',` read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ') --######################################## +####################################### - ## --## Append networkmanager log files. ++## +## Read NetworkManager conf files. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`networkmanager_append_log_files',` -- gen_require(` -- type NetworkManager_log_t; -- ') ++## ++# +interface(`networkmanager_read_conf',` + gen_require(` + type NetworkManager_etc_t; + ') ++ ++ allow $1 NetworkManager_etc_t:dir list_dir_perms; ++ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) ++') ++ + ######################################## + ## +-## Append networkmanager log files. ++## Read NetworkManager PID files. + ## + ## + ## +@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',` + ## + ## + # +-interface(`networkmanager_append_log_files',` ++interface(`networkmanager_read_pid_files',` + gen_require(` +- type NetworkManager_log_t; ++ type NetworkManager_var_run_t; + ') - logging_search_logs($1) - allow $1 NetworkManager_log_t:dir list_dir_perms; - append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) -+ allow $1 NetworkManager_etc_t:dir list_dir_perms; -+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) ++ files_search_pids($1) ++ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') ######################################## 
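Review bot: `networkmanager_read_conf` calls `read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)` with no spaces after the commas, unlike every other pattern call in the file including `read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)` in the same hunk, and its banner `#######################################` is one `#` short of the others. Functionally, the new interface has no `files_search_etc($1)` counterpart to the `files_search_pids($1)` that `networkmanager_read_pid_files` carries, so a caller that does not already hold search on `etc_t` cannot reach the directory it was just granted read on; add `files_search_etc($1)` before the `allow`.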
@@ -41938,12 +41959,19 @@ index 0e8508c..163b870 100644 ## ## ## -@@ -207,17 +253,17 @@ interface(`networkmanager_read_pid_files',` +@@ -201,23 +266,23 @@ interface(`networkmanager_append_log_files',` + ## + ## + # +-interface(`networkmanager_read_pid_files',` ++interface(`networkmanager_manage_pid_files',` + gen_require(` + type NetworkManager_var_run_t; ') files_search_pids($1) - allow $1 NetworkManager_var_run_t:file read_file_perms; -+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ++ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ') ######################################## @@ -41960,7 +41988,7 @@ index 0e8508c..163b870 100644 ## ## ## -@@ -227,33 +273,92 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +292,92 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -46332,14 +46360,16 @@ index cd29ea8..efbf8f8 100644 ') ') diff --git a/oddjob.fc b/oddjob.fc -index dd1d9ef..7e2287c 100644 +index dd1d9ef..fbbe3ff 100644 --- a/oddjob.fc +++ b/oddjob.fc -@@ -1,10 +1,7 @@ +@@ -1,10 +1,10 @@ -/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -- - /usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -- + +-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0) + ++/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) /usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) @@ -46350,7 +46380,7 @@ index dd1d9ef..7e2287c 100644 -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if -index c87bd2a..dec6bc7 100644 +index c87bd2a..7de054a 100644 
--- a/oddjob.if +++ b/oddjob.if @@ -1,4 +1,8 @@ @@ -46462,7 +46492,7 @@ index c87bd2a..dec6bc7 100644 ## ## ## -@@ -105,46 +141,47 @@ interface(`oddjob_domtrans_mkhomedir',` +@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',` # interface(`oddjob_run_mkhomedir',` gen_require(` @@ -46476,36 +46506,54 @@ index c87bd2a..dec6bc7 100644 ') -##################################### -+######################################## ++####################################### ## -## Do not audit attempts to read and write -## oddjob fifo files. -+## Create a domain which can be started by init, -+## with a range transition. ++## Execute oddjob in the oddjob domain. ## ## - ## +-## -## Domain to not audit. -+## Type to be used as a domain. - ## +-## ++## ++## Domain allowed to transition. ++## ## --# + # -interface(`oddjob_dontaudit_rw_fifo_files',` - gen_require(` - type oddjob_t; - ') -- ++interface(`oddjob_systemctl',` ++ gen_require(` ++ type oddjob_unit_file_t; ++ type oddjob_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 oddjob_unit_file_t:file read_file_perms; ++ allow $1 oddjob_unit_file_t:service manage_service_perms; + - dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; --') -- ++ ps_process_pattern($1, oddjob_t) + ') + -###################################### --## ++######################################## + ## -## Send child terminated signals to oddjob. --## --## -+## ++## Create a domain which can be started by init, ++## with a range transition. + ## + ## ## -## Domain allowed access. ++## Type to be used as a domain. ++## ++## ++## ++## +## Type of the program to be used as an entry point to this domain. +## +## @@ -46534,7 +46582,7 @@ index c87bd2a..dec6bc7 100644 + ') ') diff --git a/oddjob.te b/oddjob.te -index 296a1d3..467700e 100644 +index 296a1d3..edc3e32 100644 --- a/oddjob.te +++ b/oddjob.te @@ -1,12 +1,10 @@ 
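Review bot: The header of the new `oddjob_systemctl` interface reads `Execute oddjob in the oddjob domain.`, but the body performs no domain transition: it calls `systemd_exec_systemctl($1)`, grants `read_file_perms` and `manage_service_perms` on `oddjob_unit_file_t`, and adds `ps_process_pattern($1, oddjob_t)`. Callers therefore receive full start/stop control of the oddjob service plus the ability to read oddjob's process state, which the summary should say, e.g. `## Execute systemctl to manage the oddjob service and read oddjob process state.`. The banner above it, `#######################################`, is also one `#` shorter than the others in the file.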
@@ -46551,7 +46599,7 @@ index 296a1d3..467700e 100644 type oddjob_t; type oddjob_exec_t; domain_type(oddjob_t) -@@ -20,8 +18,9 @@ type oddjob_mkhomedir_exec_t; +@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t; domain_type(oddjob_mkhomedir_t) domain_obj_id_change_exemption(oddjob_mkhomedir_t) init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t) @@ -46562,7 +46610,12 @@ index 296a1d3..467700e 100644 type oddjob_var_run_t; files_pid_file(oddjob_var_run_t) -@@ -31,7 +30,7 @@ ifdef(`enable_mcs',` ++type oddjob_unit_file_t; ++systemd_unit_file(oddjob_unit_file_t) ++ + ifdef(`enable_mcs',` + init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh) + ') ######################################## # @@ -46571,7 +46624,7 @@ index 296a1d3..467700e 100644 # allow oddjob_t self:capability setgid; -@@ -43,8 +42,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) +@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t) files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file }) @@ -46580,7 +46633,7 @@ index 296a1d3..467700e 100644 kernel_read_system_state(oddjob_t) corecmd_exec_bin(oddjob_t) -@@ -54,9 +51,9 @@ mcs_process_set_categories(oddjob_t) +@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t) selinux_compute_create_context(oddjob_t) @@ -46591,7 +46644,7 @@ index 296a1d3..467700e 100644 locallogin_dontaudit_use_fds(oddjob_t) -@@ -71,13 +68,13 @@ optional_policy(` +@@ -71,13 +71,13 @@ optional_policy(` ######################################## # @@ -46607,7 +46660,7 @@ index 296a1d3..467700e 100644 kernel_read_system_state(oddjob_mkhomedir_t) -@@ -85,7 +82,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t) +@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t) logging_send_syslog_msg(oddjob_mkhomedir_t) 
@@ -46615,7 +46668,7 @@ index 296a1d3..467700e 100644 selinux_get_fs_mount(oddjob_mkhomedir_t) selinux_validate_context(oddjob_mkhomedir_t) -@@ -98,8 +94,11 @@ seutil_read_config(oddjob_mkhomedir_t) +@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t) seutil_read_file_contexts(oddjob_mkhomedir_t) seutil_read_default_contexts(oddjob_mkhomedir_t) @@ -46979,10 +47032,10 @@ index 0000000..e108d48 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..1a26cd5 +index 0000000..407386d --- /dev/null +++ b/openshift.if -@@ -0,0 +1,664 @@ +@@ -0,0 +1,646 @@ + +## policy for openshift + @@ -47063,24 +47116,6 @@ index 0000000..1a26cd5 + +######################################## +## -+## Send a signal to openshift init scripts. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`openshift_initrc_signl',` -+ gen_require(` -+ type openshift_initrc_t; -+ ') -+ -+ allow $1 openshift_initrc_t:process signal; -+') -+ -+######################################## -+## +## Search openshift cache directories. +## +## @@ -47649,10 +47684,10 @@ index 0000000..1a26cd5 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..30757e2 +index 0000000..a23c70a --- /dev/null +++ b/openshift.te -@@ -0,0 +1,467 @@ +@@ -0,0 +1,472 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -47905,6 +47940,7 @@ index 0000000..30757e2 + +term_dontaudit_search_ptys(openshift_domain) +term_use_generic_ptys(openshift_domain) ++term_dontaudit_getattr_generic_ptys(openshift_domain) +term_use_ptmx(openshift_domain) + +userdom_use_inherited_user_ptys(openshift_domain) 
@@ -48022,6 +48058,10 @@ index 0000000..30757e2 +allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms; +allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; + ++kernel_read_system_state(openshift_cgroup_read_t) ++ ++miscfiles_read_localization(openshift_cgroup_read_t) ++ +optional_policy(` + ssh_use_ptys(openshift_cgroup_read_t) +') @@ -62491,7 +62531,7 @@ index bff31df..e38693b 100644 ## ## diff --git a/realmd.te b/realmd.te -index 9a8f052..ecd8eaf 100644 +index 9a8f052..727d60a 100644 --- a/realmd.te +++ b/realmd.te @@ -1,4 +1,4 @@ @@ -62564,7 +62604,7 @@ index 9a8f052..ecd8eaf 100644 optional_policy(` dbus_system_domain(realmd_t, realmd_exec_t) -@@ -67,17 +76,21 @@ optional_policy(` +@@ -67,17 +76,25 @@ optional_policy(` optional_policy(` nis_exec_ypbind(realmd_t) @@ -62586,20 +62626,41 @@ index 9a8f052..ecd8eaf 100644 samba_manage_config(realmd_t) - samba_getattr_winbind_exec(realmd_t) + samba_getattr_winbind(realmd_t) ++') ++ ++optional_policy(` ++ rpm_dbus_chat(realmd_t) ') optional_policy(` -@@ -86,5 +99,9 @@ optional_policy(` +@@ -86,5 +103,26 @@ optional_policy(` sssd_manage_lib_files(realmd_t) sssd_manage_public_files(realmd_t) sssd_read_pid_files(realmd_t) - sssd_initrc_domtrans(realmd_t) + sssd_systemctl(realmd_t) -+') + ') + +optional_policy(` + xserver_read_state_xdm(realmd_t) - ') ++') ++ ++##################################### ++# ++# realmd consolehelper local policy ++# ++ ++ ++optional_policy(` ++ userhelper_console_role_template(realmd, system_r, realmd_t) ++ authconfig_manage_lib_files(realmd_consolehelper_t) ++ ++ oddjob_systemctl(realmd_consolehelper_t) ++ ++ unconfined_domain_noaudit(realmd_consolehelper_t) ++') ++ ++ diff --git a/remotelogin.fc b/remotelogin.fc index 327baf0..d8691bd 100644 --- a/remotelogin.fc @@ -69142,7 +69203,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') 
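Review bot: `unconfined_domain_noaudit(realmd_consolehelper_t)` at the end of the new `realmd consolehelper local policy` block appears to place the domain produced by `userhelper_console_role_template(realmd, system_r, realmd_t)` outside policy enforcement, which makes the `authconfig_manage_lib_files(realmd_consolehelper_t)` and `oddjob_systemctl(realmd_consolehelper_t)` lines beside it redundant and means a user who reaches realmd through consolehelper runs unrestricted. If that is intended as a stopgap, a comment stating the reason and the tracking reference (placeholder: `# TODO(<BUG-ID>): replace with the helper's real permission set`) belongs on that line; otherwise the two specific interfaces should be sufficient on their own. The block also carries a double blank line after its banner and two trailing blank lines at end of file.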
diff --git a/samba.te b/samba.te -index 57c034b..89b9b6a 100644 +index 57c034b..4d983f7 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -69675,7 +69736,7 @@ index 57c034b..89b9b6a 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +476,32 @@ optional_policy(` +@@ -493,9 +476,34 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -69687,6 +69748,7 @@ index 57c034b..89b9b6a 100644 +userdom_home_filetrans_user_home_dir(smbd_t) + +tunable_policy(`samba_export_all_ro',` ++ allow nmbd_t self:capability { dac_read_search dac_override }; + fs_read_noxattr_fs_files(smbd_t) + files_read_non_security_files(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) @@ -69694,6 +69756,7 @@ index 57c034b..89b9b6a 100644 +') + +tunable_policy(`samba_export_all_rw',` ++ allow nmbd_t self:capability { dac_read_search dac_override }; + fs_read_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) @@ -69709,7 +69772,7 @@ index 57c034b..89b9b6a 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +512,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +514,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -69724,7 +69787,7 @@ index 57c034b..89b9b6a 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +528,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +530,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) 
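Review bot: Inside `tunable_policy(`samba_export_all_ro', …)` the new `allow nmbd_t self:capability { dac_read_search dac_override };` grants more than a read-only export needs: `dac_override` bypasses DAC write and execute checks as well as read, whereas `dac_read_search` alone covers the `fs_read_noxattr_fs_files(nmbd_t)` and `files_read_non_security_files(nmbd_t)` it accompanies. Suggested change for the `_ro` block: `allow nmbd_t self:capability dac_read_search;`, keeping the pair only in the `_rw` block. It is also unclear why `nmbd_t`, the NetBIOS name service, needs either capability when `smbd_t` receives the same read rules within this hunk without one; a comment on the line naming the access that failed would let a reviewer judge that.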
@@ -69747,7 +69810,7 @@ index 57c034b..89b9b6a 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +544,39 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +546,40 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) @@ -69771,12 +69834,14 @@ index 57c034b..89b9b6a 100644 corenet_tcp_connect_smbd_port(nmbd_t) -corenet_tcp_sendrecv_smbd_port(nmbd_t) - dev_read_sysfs(nmbd_t) +-dev_read_sysfs(nmbd_t) dev_getattr_mtrr_dev(nmbd_t) - ++dev_read_sysfs(nmbd_t) ++dev_read_urand(nmbd_t) ++ +fs_getattr_all_fs(nmbd_t) +fs_search_auto_mountpoints(nmbd_t) -+ + domain_use_interactive_fds(nmbd_t) -files_read_usr_files(nmbd_t) @@ -69794,14 +69859,14 @@ index 57c034b..89b9b6a 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -69810,7 +69875,7 @@ index 57c034b..89b9b6a 100644 ') optional_policy(` -@@ -600,17 +589,24 @@ optional_policy(` +@@ -600,17 +592,24 @@ optional_policy(` ######################################## # @@ -69839,7 +69904,7 @@ index 57c034b..89b9b6a 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -620,16 +616,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +619,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -69857,7 +69922,7 @@ index 57c034b..89b9b6a 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +629,23 @@ optional_policy(` +@@ -637,22 +632,23 @@ optional_policy(` ######################################## # 
@@ -69889,7 +69954,7 @@ index 57c034b..89b9b6a 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +654,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +657,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -69925,7 +69990,7 @@ index 57c034b..89b9b6a 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +681,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +684,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -70017,7 +70082,7 @@ index 57c034b..89b9b6a 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +760,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +763,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -70041,7 +70106,7 @@ index 57c034b..89b9b6a 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +774,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +777,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -70084,7 +70149,7 @@ index 57c034b..89b9b6a 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +804,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +807,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -70098,7 +70163,7 @@ index 57c034b..89b9b6a 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -837,13 +831,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +@@ -837,13 +834,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; @@ -70118,7 +70183,7 @@ index 57c034b..89b9b6a 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +849,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +852,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -70129,7 +70194,7 @@ index 57c034b..89b9b6a 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +860,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +863,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -70159,7 +70224,7 @@ index 57c034b..89b9b6a 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +883,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +886,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
@@ -70180,7 +70245,7 @@ index 57c034b..89b9b6a 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +901,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +904,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -70191,7 +70256,7 @@ index 57c034b..89b9b6a 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,11 +909,17 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,11 +912,17 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -70210,7 +70275,7 @@ index 57c034b..89b9b6a 100644 userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) userdom_manage_user_home_content_files(winbind_t) -@@ -936,6 +934,10 @@ optional_policy(` +@@ -936,6 +937,10 @@ optional_policy(` ') optional_policy(` @@ -70221,7 +70286,7 @@ index 57c034b..89b9b6a 100644 kerberos_use(winbind_t) ') -@@ -952,31 +954,29 @@ optional_policy(` +@@ -952,31 +957,29 @@ optional_policy(` # Winbind helper local policy # @@ -70259,7 +70324,7 @@ index 57c034b..89b9b6a 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +990,38 @@ optional_policy(` +@@ -990,25 +993,38 @@ optional_policy(` ######################################## # @@ -81731,7 +81796,7 @@ index cf118fd..cd80e83 100644 + can_exec($1, consolehelper_exec_t) +') diff --git a/userhelper.te b/userhelper.te -index 274ed9c..4d8adf9 100644 +index 274ed9c..9294dd6 100644 --- a/userhelper.te +++ b/userhelper.te @@ -1,15 +1,12 @@ @@ -81752,7 +81817,7 @@ index 274ed9c..4d8adf9 100644 type userhelper_conf_t; files_config_file(userhelper_conf_t) -@@ -22,141 +19,67 @@ application_executable_file(consolehelper_exec_t) +@@ -22,141 +19,71 @@ application_executable_file(consolehelper_exec_t) ######################################## # 
@@ -81828,19 +81893,21 @@ index 274ed9c..4d8adf9 100644 -userdom_manage_user_tmp_dirs(consolehelper_type) -userdom_manage_user_tmp_files(consolehelper_type) -userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file }) -- --tunable_policy(`use_nfs_home_dirs',` -- fs_search_nfs(consolehelper_type) --') +userhelper_exec(consolehelper_domain) --tunable_policy(`use_samba_home_dirs',` -- fs_search_cifs(consolehelper_type) +-tunable_policy(`use_nfs_home_dirs',` +- fs_search_nfs(consolehelper_type) -') +userdom_use_user_ptys(consolehelper_domain) +userdom_use_user_ttys(consolehelper_domain) +userdom_read_user_home_content_files(consolehelper_domain) +-tunable_policy(`use_samba_home_dirs',` +- fs_search_cifs(consolehelper_type) ++optional_policy(` ++ dbus_session_bus_client(consolehelper_domain) + ') + optional_policy(` - shutdown_run(consolehelper_type, consolehelper_roles) - shutdown_signal(consolehelper_type) @@ -84144,7 +84211,7 @@ index 9dec06c..d8a2b54 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..64b70d6 100644 +index 1f22fba..d984f26 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -84440,7 +84507,9 @@ index 1f22fba..64b70d6 100644 -append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) - -kernel_read_system_state(virt_domain) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -fs_getattr_xattr_fs(virt_domain) - -corecmd_exec_bin(virt_domain) @@ -84558,9 +84627,7 @@ index 1f22fba..64b70d6 100644 - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) 
@@ -84611,7 +84678,9 @@ index 1f22fba..64b70d6 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- ++allow svirt_tcg_t self:process { execmem execstack }; ++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; + -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) @@ -84635,9 +84704,7 @@ index 1f22fba..64b70d6 100644 -corenet_sendrecv_all_server_packets(svirt_t) -corenet_udp_bind_all_ports(svirt_t) -corenet_tcp_bind_all_ports(svirt_t) -+allow svirt_tcg_t self:process { execmem execstack }; -+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - +- -corenet_sendrecv_all_client_packets(svirt_t) -corenet_tcp_connect_all_ports(svirt_t) +corenet_udp_sendrecv_generic_if(svirt_tcg_t) @@ -84650,7 +84717,7 @@ index 1f22fba..64b70d6 100644 ######################################## # -@@ -407,38 +248,41 @@ corenet_tcp_connect_all_ports(svirt_t) +@@ -407,38 +248,42 @@ corenet_tcp_connect_all_ports(svirt_t) # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; @@ -84698,6 +84765,7 @@ index 1f22fba..64b70d6 100644 +allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill }; +allow virt_domain virtd_t:fd use; +dontaudit virt_domain virtd_t:unix_stream_socket { read write }; ++allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms }; + +can_exec(virtd_t, qemu_exec_t) +can_exec(virt_domain, qemu_exec_t) 
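Review bot: `allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };` gives virtd_t create/bind/listen/accept on sockets labelled with the guest domains' types, which is only needed if virtd_t itself creates sockets labelled virt_domain, and no type transition to that effect is visible here; for connecting to a guest's socket, `connectto` plus the read/write perms is the usual grant. If only the client case is intended, `allow virtd_t virt_domain:unix_stream_socket { connectto rw_socket_perms };` is the narrower line. The same shape recurs later in this file in `allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;` and in the `svirt_socket_t` rule added at the end of virt.te, and the justification should be stated once for all of them.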
@@ -84711,7 +84779,7 @@ index 1f22fba..64b70d6 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +292,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +293,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -84757,7 +84825,7 @@ index 1f22fba..64b70d6 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +326,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +327,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -84767,18 +84835,18 @@ index 1f22fba..64b70d6 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --can_exec(virtd_t, virt_tmp_t) -- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +338,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +339,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
@@ -84786,7 +84854,7 @@ index 1f22fba..64b70d6 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,22 +346,12 @@ corecmd_exec_shell(virtd_t) +@@ -520,22 +347,12 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -84810,7 +84878,7 @@ index 1f22fba..64b70d6 100644 corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) -@@ -548,22 +364,22 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +365,22 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -84838,7 +84906,7 @@ index 1f22fba..64b70d6 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +410,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +411,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -84858,7 +84926,7 @@ index 1f22fba..64b70d6 100644 selinux_validate_context(virtd_t) -@@ -613,18 +432,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +433,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -84893,7 +84961,7 @@ index 1f22fba..64b70d6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +458,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +459,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -84902,7 +84970,7 @@ index 1f22fba..64b70d6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -646,107 +471,326 @@ optional_policy(` +@@ -646,107 +472,326 @@ optional_policy(` consoletype_exec(virtd_t) ') 
@@ -85287,7 +85355,7 @@ index 1f22fba..64b70d6 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +802,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +803,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -85317,7 +85385,7 @@ index 1f22fba..64b70d6 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +821,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +822,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -85344,7 +85412,7 @@ index 1f22fba..64b70d6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +841,21 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +842,21 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -85375,7 +85443,7 @@ index 1f22fba..64b70d6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,6 +873,10 @@ optional_policy(` +@@ -847,6 +874,10 @@ optional_policy(` ') optional_policy(` @@ -85386,7 +85454,7 @@ index 1f22fba..64b70d6 100644 rpm_exec(virsh_t) ') -@@ -854,7 +884,7 @@ optional_policy(` +@@ -854,7 +885,7 @@ optional_policy(` xen_manage_image_dirs(virsh_t) xen_append_log(virsh_t) xen_domtrans(virsh_t) @@ -85395,7 +85463,7 @@ index 1f22fba..64b70d6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +909,40 @@ optional_policy(` +@@ -879,34 +910,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -85413,20 +85481,23 @@ index 1f22fba..64b70d6 100644 -# Lxc local policy +# virt_lxc local policy # -- - allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; ++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid }; ++allow virtd_lxc_t self:process { transition setpgid signal_perms }; +allow virtd_lxc_t self:capability2 compromise_kernel; -+ + +-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource }; allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms }; allow virtd_lxc_t self:fifo_file rw_fifo_file_perms; -allow virtd_lxc_t self:netlink_route_socket nlmsg_write; -allow virtd_lxc_t self:unix_stream_socket { accept listen }; +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; -+allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms; ++allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow virtd_lxc_t self:packet_socket create_socket_perms; -- --allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; +ps_process_pattern(virtd_lxc_t, svirt_lxc_domain) ++allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; + +-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; ++files_entrypoint_all_files(virtd_lxc_t) allow virtd_lxc_t virt_image_type:dir mounton; manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) 
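Review bot: The rewritten `allow virtd_lxc_t self:capability { ... setuid sys_nice setgid };` line and the new `files_entrypoint_all_files(virtd_lxc_t)` together let the lxc helper be entered through a file of any type and then run with the new setuid/setgid on top of sys_admin and the `capability2 compromise_kernel` it already had, and nothing in the hunk says which sandbox operation needs each of these. Since this file wraps `unconfined_domain(virtd_lxc_t)` in `optional_policy()`, these explicit rules are the effective policy only when the unconfined module is absent, which is exactly when they should be minimal. A comment per grant, e.g. `# setuid/setgid: needed for <sandbox step> — TODO confirm`, would record the reasoning, and `files_entrypoint_all_files` should say why an entrypoint limited to the container content type `svirt_lxc_file_t`, which this section already manages, is not sufficient.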
@@ -85446,7 +85517,7 @@ index 1f22fba..64b70d6 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +952,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +957,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -85462,7 +85533,7 @@ index 1f22fba..64b70d6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +972,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +977,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -85473,7 +85544,7 @@ index 1f22fba..64b70d6 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +981,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +986,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -85481,7 +85552,7 @@ index 1f22fba..64b70d6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +993,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +998,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -85500,7 +85571,7 @@ index 1f22fba..64b70d6 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,20 +1007,38 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,20 +1012,44 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) 
@@ -85521,6 +85592,12 @@ index 1f22fba..64b70d6 100644 + +sysnet_exec_ifconfig(virtd_lxc_t) + ++userdom_read_admin_home_files(virtd_lxc_t) ++ ++optional_policy(` ++ gnome_read_generic_cache_files(virtd_lxc_t) ++') ++ +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -85545,7 +85622,7 @@ index 1f22fba..64b70d6 100644 allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; -@@ -995,19 +1047,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,19 +1058,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -85565,7 +85642,7 @@ index 1f22fba..64b70d6 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1054,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1065,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
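Review bot: `userdom_read_admin_home_files(virtd_lxc_t)` and the new `gnome_read_generic_cache_files(virtd_lxc_t)` block give the lxc helper read access to the admin home directory content and, presumably, to users' GNOME cache files, which is unusual for a daemon-side helper and is not explained in the hunk (the changelog only says "New access required for virt-sandbox"). A comment naming the virt-sandbox path that reads these files, e.g. `# virt-sandbox: reads <what> from the admin home — TODO confirm`, would let a later reviewer judge whether a narrower interface covers it. The enclosing virtd_lxc_t section continues outside this hunk.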
@@ -85584,7 +85661,7 @@ index 1f22fba..64b70d6 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1073,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1084,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -85611,7 +85688,7 @@ index 1f22fba..64b70d6 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,11 +1098,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,11 +1109,16 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -85630,7 +85707,7 @@ index 1f22fba..64b70d6 100644 optional_policy(` udev_read_pid_files(svirt_lxc_domain) -@@ -1078,81 +1118,67 @@ optional_policy(` +@@ -1078,81 +1129,67 @@ optional_policy(` apache_read_sys_content(svirt_lxc_domain) ') @@ -85738,7 +85815,7 @@ index 1f22fba..64b70d6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1191,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1202,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -85753,7 +85830,7 @@ index 1f22fba..64b70d6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1209,8 @@ optional_policy(` +@@ -1183,9 +1220,8 @@ optional_policy(` ######################################## # 
@@ -85764,7 +85841,7 @@ index 1f22fba..64b70d6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1223,65 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1234,70 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -85777,7 +85854,7 @@ index 1f22fba..64b70d6 100644 +# virt_qemu_ga local policy +# + -+allow virt_qemu_ga_t self:capability sys_tty_config; ++allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config }; + +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; @@ -85792,11 +85869,15 @@ index 1f22fba..64b70d6 100644 +corecmd_exec_shell(virt_qemu_ga_t) +corecmd_exec_bin(virt_qemu_ga_t) + -+ +dev_rw_sysfs(virt_qemu_ga_t) + ++files_list_all_mountpoints(virt_qemu_ga_t) ++files_write_all_mountpoints(virt_qemu_ga_t) ++fs_list_all(virt_qemu_ga_t) ++ +term_use_virtio_console(virt_qemu_ga_t) +term_use_all_ttys(virt_qemu_ga_t) ++term_use_unallocated_ttys(virt_qemu_ga_t) + +logging_send_syslog_msg(virt_qemu_ga_t) + @@ -85831,6 +85912,7 @@ index 1f22fba..64b70d6 100644 + +type svirt_socket_t; +role system_r types svirt_socket_t; ++allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; +allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms }; diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 @@ -87974,7 +88056,7 @@ index 0cea2cd..7668014 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index 2882821..32ace1c 100644 +index 2882821..521232e 100644 --- a/xguest.te +++ b/xguest.te @@ -1,4 +1,4 @@ 
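Review bot: `allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };` widens the guest agent from sys_tty_config to sys_admin, the broadest capability available, and the hunk carries no comment saying which agent command needs it (the filesystem freeze/thaw ioctls are the likely reason, but that is an inference). A comment such as `# sys_admin: needed for <guest-agent command> — TODO confirm` would keep it from reading as a blanket grant. `files_write_all_mountpoints(virt_qemu_ga_t)`, `fs_list_all(virt_qemu_ga_t)` and `term_use_unallocated_ttys(virt_qemu_ga_t)` in the following hunk are broad in the same way and would benefit from the same one-line justification each; if only specific mount points are touched, a dedicated type is the usual narrower choice.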
@@ -88103,7 +88185,7 @@ index 2882821..32ace1c 100644 ') optional_policy(` -@@ -97,75 +113,78 @@ optional_policy(` +@@ -97,75 +113,82 @@ optional_policy(` ') optional_policy(` @@ -88123,6 +88205,10 @@ index 2882821..32ace1c 100644 +') +optional_policy(` ++ mount_run_fusermount(xguest_t, xguest_r) ++') ++ ++optional_policy(` + pcscd_read_pid_files(xguest_t) + pcscd_stream_connect(xguest_t) +') diff --git a/selinux-policy.spec b/selinux-policy.spec index 064274e..9fe3c0b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 13%{?dist} +Release: 14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
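Review bot: `mount_run_fusermount(xguest_t, xguest_r)` lets the xguest login, which is meant to be the most restricted login in this policy, execute the setuid fusermount helper; the transition keeps fusermount in its own domain, but it is still a new privileged helper reachable from the guest session and the hunk gives no use case for it. A comment above the block, e.g. `# fusermount: needed so guest sessions can mount <what> — TODO confirm`, or gating the call behind a tunable, would make the trade-off explicit and reversible.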
@@ -522,6 +522,47 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Feb 20 2013 Miroslav Grepl 3.12.1-14 +- Allow gluster to get attrs on all fs +- New access required for virt-sandbox +- Allow dnsmasq to execute bin_t +- Allow dnsmasq to create content in /var/run/NetworkManager +- Fix openshift_initrc_signal() interface +- Dontaudit openshift domains doing getattr on other domains +- Allow consolehelper domain to communicate with session bus +- Mock should not be transitioning to any other domains, we should keep mock_t as mock_t +- Update virt_qemu_ga_t policy +- Allow authconfig running from realmd to restart oddjob service +- Add systemd support for oddjob +- Add initial policy for realmd_consolehelper_t which if for authconfig executed by realmd +- Add labeling for gnashpluginrc +- Allow chrome_nacl to execute /dev/zero +- Allow condor domains to read /proc +- mozilla_plugin_t will getattr on /core if firefox crashes +- Allow condor domains to read /etc/passwd +- Allow dnsmasq to execute shell scripts, openstack requires this access +- Fix glusterd labeling +- Allow virtd_t to interact with the socket type +- Allow nmbd_t to override dac if you turned on sharing all files +- Allow tuned to created kobject_uevent socket +- Allow guest user to run fusermount +- Allow openshift to read /proc and locale +- Allow realmd to dbus chat with rpm +- Add new interface for virt +- Remove depracated interfaces +- Allow systemd_domains read access on etc, etc_runtime and usr files, also allow them to connect stream to syslog socket +- /usr/share/munin/plugins/plugin.sh should be labeled as bin_t +- Remove some more unconfined_t process transitions, that I don't believe are necessary +- Stop transitioning uncofnined_t to checkpc +- dmraid creates /var/lock/dmraid +- Allow systemd_localed to creatre unix_dgram_sockets +- Allow systemd_localed to write kernel messages. +- Also cleanup systemd definition a little. 
+- Fix userdom_restricted_xwindows_user_template() interface +- Label any block devices or char devices under /dev/infiniband as fixed_disk_device_t +- User accounts need to dbus chat with accountsd daemon +- Gnome requires all users to be able to read /proc/1/ + * Thu Feb 14 2013 Miroslav Grepl 3.12.1-13 - virsh now does a setexeccon call - Additional rules required by openshift domains