diff --git a/policy-F16.patch b/policy-F16.patch index f4b4dfe..94909b5 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -3875,7 +3875,7 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..c9f63b0 100644 +index f5afe78..bf930fc 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,623 @@ @@ -4642,7 +4642,7 @@ index f5afe78..c9f63b0 100644 ## ## ## -@@ -140,51 +719,335 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +719,378 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -4992,6 +4992,49 @@ index f5afe78..c9f63b0 100644 + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-10) + userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-12) +') ++###################################### ++## ++## Execute gnome-keyring executable ++## in the specified domain. ++## ++## ++##

++## Execute a telepathy executable ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## the ssh-agent policy. ++##

++##
++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`gnome_command_domtrans_gkeyringd', ` ++ gen_require(` ++ type gkeyringd_exec_t; ++ ') ++ ++ allow $2 gkeyringd_exec_t:file entrypoint; ++ domain_transition_pattern($1, gkeyringd_exec_t, $2) ++ type_transition $1 gkeyringd_exec_t:process $2; ++') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 2505654..93e68ff 100644 --- a/policy/modules/apps/gnome.te @@ -7364,10 +7407,10 @@ index 0000000..37449c0 +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..6cc919e +index 0000000..d3500a4 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,323 @@ +@@ -0,0 +1,324 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -7605,6 +7648,7 @@ index 0000000..6cc919e +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + ++dev_search_sysfs(nsplugin_config_t) +dev_read_urand(nsplugin_config_t) +dev_dontaudit_read_rand(nsplugin_config_t) +dev_dontaudit_rw_dri(nsplugin_config_t) @@ -8740,10 +8784,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..fc0e3f7 +index 0000000..c06a38c --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,483 @@ +@@ -0,0 +1,484 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8804,6 +8848,7 @@ index 0000000..fc0e3f7 +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + +kernel_dontaudit_request_load_module(sandbox_xserver_t) ++kernel_read_system_state(sandbox_xserver_t) + +corecmd_exec_bin(sandbox_xserver_t) +corecmd_exec_shell(sandbox_xserver_t) 
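Review bot: The header comment on the new `gnome_command_domtrans_gkeyringd` interface is copied from another interface: it talks about "a telepathy executable", "any file on these filesystems" and "the ssh-agent policy", none of which describes a transition through `gkeyringd_exec_t`. I would replace the description with something like `## Transition to the specified domain when the first domain executes the gnome-keyring daemon (gkeyringd_exec_t).` and drop the ssh-agent paragraph. The `telepathy_command_domtrans` interface added in the later telepathy.if hunk carries the same ssh-agent text and needs the same correction. Because `$2` is chosen by the caller and receives `entrypoint` on the keyring daemon binary, the parameter text should also say that the caller decides how confined the daemon ends up.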
@@ -8821,7 +8866,9 @@ index 0000000..fc0e3f7 +corenet_sendrecv_xserver_server_packets(sandbox_xserver_t) +corenet_sendrecv_all_client_packets(sandbox_xserver_t) + ++dev_search_sysfs(sandbox_xserver_t) +dev_rwx_zero(sandbox_xserver_t) ++dev_read_urand(sandbox_xserver_t) + +files_read_config_files(sandbox_xserver_t) +files_read_usr_files(sandbox_xserver_t) @@ -8833,8 +8880,6 @@ index 0000000..fc0e3f7 +miscfiles_read_fonts(sandbox_xserver_t) +miscfiles_read_localization(sandbox_xserver_t) + -+kernel_read_system_state(sandbox_xserver_t) -+ +selinux_validate_context(sandbox_xserver_t) +selinux_compute_access_vector(sandbox_xserver_t) +selinux_compute_create_context(sandbox_xserver_t) @@ -8888,6 +8933,10 @@ index 0000000..fc0e3f7 + attribute exec_type, configfile; +') + ++kernel_dontaudit_read_system_state(sandbox_domain) ++ ++corecmd_exec_all_executables(sandbox_domain) ++ +files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t ) +files_entrypoint_all_files(sandbox_domain) + @@ -8898,9 +8947,6 @@ index 0000000..fc0e3f7 + +miscfiles_read_localization(sandbox_domain) + -+kernel_dontaudit_read_system_state(sandbox_domain) -+corecmd_exec_all_executables(sandbox_domain) -+ +userdom_dontaudit_use_user_terminals(sandbox_domain) + +mta_dontaudit_read_spool_symlinks(sandbox_domain) 
@@ -8940,21 +8986,20 @@ index 0000000..fc0e3f7 +manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t); +dontaudit sandbox_x_domain sandbox_file_t:dir mounton; + -+domain_dontaudit_read_all_domains_state(sandbox_x_domain) -+ -+files_search_home(sandbox_x_domain) -+files_dontaudit_list_all_mountpoints(sandbox_x_domain) -+ +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) +kernel_read_system_state(sandbox_x_domain) + ++domain_dontaudit_read_all_domains_state(sandbox_x_domain) ++ +corecmd_exec_all_executables(sandbox_x_domain) + +dev_read_urand(sandbox_x_domain) +dev_dontaudit_read_rand(sandbox_x_domain) +dev_read_sysfs(sandbox_x_domain) + ++files_search_home(sandbox_x_domain) ++files_dontaudit_list_all_mountpoints(sandbox_x_domain) +files_entrypoint_all_files(sandbox_x_domain) +files_read_config_files(sandbox_x_domain) +files_read_usr_files(sandbox_x_domain) @@ -9466,10 +9511,10 @@ index 0000000..8a7ed4f +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if new file mode 100644 -index 0000000..f6acf24 +index 0000000..6d94c9b --- /dev/null +++ b/policy/modules/apps/telepathy.if -@@ -0,0 +1,191 @@ +@@ -0,0 +1,266 @@ + +## Telepathy framework. + 
@@ -9521,6 +9566,22 @@ index 0000000..f6acf24 +template(`telepathy_dbus_session_role', ` + gen_require(` + attribute telepathy_domain; ++ type telepathy_gabble_t; ++ type telepathy_sofiasip_t; ++ type telepathy_idle_t; ++ type telepathy_mission_control_t; ++ type telepathy_salut_t; ++ type telepathy_sunshine_t; ++ type telepathy_stream_engine_t; ++ type telepathy_msn_t; ++ type telepathy_gabble_exec_t; ++ type telepathy_sofiasip_exec_t; ++ type telepathy_idle_exec_t; ++ type telepathy_mission_control_exec_t; ++ type telepathy_salut_exec_t; ++ type telepathy_sunshine_exec_t; ++ type telepathy_stream_engine_exec_t; ++ type telepathy_msn_exec_t; + ') + + role $1 types telepathy_domain; @@ -9535,6 +9596,16 @@ index 0000000..f6acf24 + telepathy_gabble_stream_connect($2) + telepathy_msn_stream_connect($2) + telepathy_salut_stream_connect($2) ++ ++ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t) ++ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t) ++ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t) ++ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t) ++ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t) ++ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) ++ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) ++ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) ++ +') + +######################################## @@ -9661,12 +9732,61 @@ index 0000000..f6acf24 + ps_process_pattern($1, telepathy_mission_control_t) +') + ++####################################### ++## ++## Execute telepathy executable ++## in the specified domain. ++## ++## ++##
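Review bot: `telepathy_dbus_session_role` now expands `$3` in the eight added `dbus_session_domain($3, …)` calls, but every call site visible in this diff (staff.te, xguest.te, and the one removed from unconfineduser.te) passes only a role and a domain. With two arguments m4 expands `$3` to an empty string, so a caller that is not updated would hand `dbus_session_domain` an empty first argument; what that produces depends on a macro not shown here. The template's parameter documentation lies outside this hunk and should gain an entry stating what the third argument must be. A short comment above the new calls, e.g. `# $3: third template argument, passed through to dbus_session_domain`, would make the new requirement visible at the point of use.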

++## Execute a telepathy executable ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

++##

++## This interface was added to handle ++## the ssh-agent policy. ++##

++##
++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`telepathy_command_domtrans', ` ++ gen_require(` ++ attribute telepathy_executable; ++ ') ++ ++ allow $2 telepathy_executable:file entrypoint; ++ domain_transition_pattern($1, telepathy_executable, $2) ++ type_transition $1 telepathy_executable:process $2; ++ ++ # needs to dbus chat with unconfined_t and unconfined_dbusd_t ++ optional_policy(` ++ telepathy_dbus_chat($1) ++ telepathy_dbus_chat($2) ++ ') ++') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..a6cb11d +index 0000000..6b89128 --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,336 @@ +@@ -0,0 +1,346 @@ + +policy_module(telepathy, 1.0.0) + @@ -10003,6 +10123,16 @@ index 0000000..a6cb11d +optional_policy(` + xserver_rw_xdm_pipes(telepathy_domain) +') ++ ++ ++# Just for F15 ++optional_policy(` ++ gen_require(` ++ role unconfined_r; ++ ') ++ ++ role unconfined_r types telepathy_domain; ++') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 11fe4f2..98bfbf3 100644 --- a/policy/modules/apps/tvtime.te @@ -11144,7 +11274,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..ddb84e0 100644 +index e9313fb..1d51170 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -11680,7 +11810,7 @@ index e9313fb..ddb84e0 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +5034,752 @@ interface(`dev_unconfined',` +@@ -4748,3 +5034,772 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
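Review bot: The comment `# Just for F15` above the added `role unconfined_r types telepathy_domain;` block does not say what about F15 requires the rule, and it sits in policy-F16.patch. The rule authorises `unconfined_r` for every type carrying `telepathy_domain`, so a reader cannot tell from the hunk whether this is a temporary compatibility rule or intended policy. I would expand the comment to give the reason and the removal condition, e.g. `# Keep unconfined_r authorised for telepathy domains because <reason>; remove once <condition>`, with the real reason and condition filled in.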
@@ -11915,6 +12045,16 @@ index e9313fb..ddb84e0 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, fw7) + filetrans_pattern($1, device_t, usb_device_t, chr_file, fw8) + filetrans_pattern($1, device_t, usb_device_t, chr_file, fw9) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 000) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 001) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 002) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 003) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 004) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 005) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 006) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 007) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 008) ++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 009) + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, gfx) + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, graphics) + filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc0) 
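Review bot: The added `filetrans_pattern($1, device_t, usb_device_t, chr_file, 000)` through `009` lines label nodes from a fixed list of names, so a node named `010` or higher created by the same domain does not match and takes whatever default label applies. Later hunks repeat the pattern for `mouse0`–`mouse9`, `sda`–`sdc9`, `ram10`–`ram15` and `ttyS0`–`ttyS9`. The disk list matters most, because a disk node beyond `sdc` would not start out as `fixed_disk_device_t`; `sda0`, `sdb0` and `sdc0` also look like names that are never created. A comment above each list should say that the set is best-effort, e.g. `# named transitions cover common node names only; other nodes presumably rely on relabeling after creation`. The enclosing interface starts and ends outside this hunk.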
@@ -11984,6 +12124,16 @@ index e9313fb..ddb84e0 100644 + filetrans_pattern($1, device_t, mouse_device_t, chr_file, js7) + filetrans_pattern($1, device_t, mouse_device_t, chr_file, js8) + filetrans_pattern($1, device_t, mouse_device_t, chr_file, js9) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse0) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse1) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse2) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse3) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse4) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse5) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse6) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse7) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse8) ++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse9) + filetrans_pattern($1, device_t, memory_device_t, chr_file, kmem) + filetrans_pattern($1, device_t, kmsg_device_t, chr_file, kmsg) + filetrans_pattern($1, device_t, qemu_device_t, chr_file, kqemu) @@ -12586,7 +12736,7 @@ index aad8c52..53b0624 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index bc534c1..b70ea07 100644 +index bc534c1..6190297 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.9.0) @@ -12599,7 +12749,7 @@ index bc534c1..b70ea07 100644 +##

+## +# -+gen_tunable(allow_domain_fd_use, true) ++gen_tunable(allow_domain_fd_use, false) + +## +##
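Review bot: Flipping the default to `gen_tunable(allow_domain_fd_use, false)` changes behaviour for every domain covered by the rules this boolean guards, and nothing in the hunk records why. The guarded rules are outside the hunk, so the exact impact cannot be judged from here, but presumably domains that relied on descriptors inherited from other domains will start producing `fd use` denials after the update. The tunable's description should state the new default and its effect. The change also deserves a changelog line, so administrators know which AVCs to watch for and which boolean to enable if a service breaks.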

@@ -15666,7 +15816,7 @@ index a9b8982..57c4a6a 100644 +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 3723150..097a2cc 100644 +index 3723150..8320396 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` @@ -15756,7 +15906,7 @@ index 3723150..097a2cc 100644 ## Set attributes of the device nodes ## for the SCSI generic inerface. ## -@@ -807,3 +865,265 @@ interface(`storage_unconfined',` +@@ -807,3 +865,304 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -15857,6 +16007,39 @@ index 3723150..097a2cc 100644 + dev_filetrans($1, removable_device_t, blk_file, cm207) + dev_filetrans($1, removable_device_t, blk_file, cm208) + dev_filetrans($1, removable_device_t, blk_file, cm209) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda0) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda1) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda2) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda3) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda4) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda5) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda6) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda7) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda8) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda9) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb0) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb1) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb2) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb3) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb4) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb5) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb6) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb7) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb8) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb9) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc0) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc1) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc2) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc3) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc4) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc5) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc6) ++ dev_filetrans($1, 
fixed_disk_device_t, blk_file, sdc7) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc8) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc9) + dev_filetrans($1, fixed_disk_device_t, blk_file, dm-0) + dev_filetrans($1, fixed_disk_device_t, blk_file, dm-1) + dev_filetrans($1, fixed_disk_device_t, blk_file, dm-2) @@ -15965,6 +16148,12 @@ index 3723150..097a2cc 100644 + dev_filetrans($1, fixed_disk_device_t, blk_file, ram7) + dev_filetrans($1, fixed_disk_device_t, blk_file, ram8) + dev_filetrans($1, fixed_disk_device_t, blk_file, ram9) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram10) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram11) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram12) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram13) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram14) ++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram15) + dev_filetrans($1, fixed_disk_device_t, blk_file, rd0) + dev_filetrans($1, fixed_disk_device_t, blk_file, rd1) + dev_filetrans($1, fixed_disk_device_t, blk_file, rd2) @@ -16049,7 +16238,7 @@ index 3994e57..a1923fe 100644 + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f3acfee..5260651 100644 +index f3acfee..7691aff 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` @@ -16307,7 +16496,7 @@ index f3acfee..5260651 100644 ## ## # -@@ -1475,3 +1578,382 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1475,3 +1578,392 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') 
@@ -16658,6 +16847,16 @@ index f3acfee..5260651 100644 + dev_filetrans($1, tty_device_t, chr_file, slamr7) + dev_filetrans($1, tty_device_t, chr_file, slamr8) + dev_filetrans($1, tty_device_t, chr_file, slamr9) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS0) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS1) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS2) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS3) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS4) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS5) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS6) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS7) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS8) ++ dev_filetrans($1, tty_device_t, chr_file, ttyS9) + dev_filetrans($1, tty_device_t, chr_file, ttySG0) + dev_filetrans($1, tty_device_t, chr_file, ttySG1) + dev_filetrans($1, tty_device_t, chr_file, ttySG2) @@ -16816,7 +17015,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..1663532 100644 +index 2be17d2..7f56ac0 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) @@ -16986,9 +17185,9 @@ index 2be17d2..1663532 100644 + sudo_role_template(staff, staff_r, staff_t) +') + -+optional_policy(` -+ telepathy_dbus_session_role(staff_r, staff_t) -+') ++#optional_policy(` ++# telepathy_dbus_session_role(staff_r, staff_t) ++#') + +optional_policy(` + userhelper_console_role_template(staff, staff_r, staff_usertype) @@ -18123,10 +18322,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..4cf791b +index 0000000..b3b2479 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,525 @@ +@@ -0,0 +1,526 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
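Review bot: The `telepathy_dbus_session_role(staff_r, staff_t)` block in staff.te is disabled by prefixing each line with `#` rather than being removed, and no comment says why; the xguest.te hunk does the same for `xguest_r`. The template contains `role $1 types telepathy_domain;`, so with the call disabled these confined roles presumably lose authorisation for the telepathy domains, which is a functional change worth stating. Either delete the block or put the reason above it, e.g. `# disabled: telepathy_dbus_session_role now needs a third argument; re-enable once callers are updated`, if that is indeed the cause.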
@@ -18429,6 +18628,7 @@ index 0000000..4cf791b + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) + gnome_filetrans_admin_home_content(unconfined_usertype) ++ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t) + ') + + optional_policy(` @@ -18440,6 +18640,10 @@ index 0000000..4cf791b + ') + + optional_policy(` ++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t) ++ ') ++ ++ optional_policy(` + oddjob_dbus_chat(unconfined_usertype) + ') + @@ -18565,10 +18769,6 @@ index 0000000..4cf791b +') + +optional_policy(` -+ telepathy_dbus_session_role(unconfined_r, unconfined_t) -+') -+ -+optional_policy(` + vbetool_run(unconfined_t, unconfined_r) +') + @@ -18773,7 +18973,7 @@ index 0ecc786..dbf2710 100644 userdom_dontaudit_search_user_home_dirs(webadm_t) diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te -index e88b95f..9d37855 100644 +index e88b95f..4b5f106 100644 --- a/policy/modules/roles/xguest.te +++ b/policy/modules/roles/xguest.te @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true) @@ -18862,9 +19062,10 @@ index e88b95f..9d37855 100644 + +optional_policy(` + gnome_role(xguest_r, xguest_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- mozilla_role(xguest_r, xguest_t) + gnomeclock_dontaudit_dbus_chat(xguest_t) +') + @@ -18874,10 +19075,9 @@ index e88b95f..9d37855 100644 + +optional_policy(` + mono_role_template(xguest, xguest_r, xguest_t) - ') - - optional_policy(` -- mozilla_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` + mozilla_run_plugin(xguest_t, xguest_r) +') + @@ -18932,9 +19132,9 @@ index e88b95f..9d37855 100644 + corenet_tcp_connect_transproxy_port(xguest_usertype) ') + -+ optional_policy(` -+ telepathy_dbus_session_role(xguest_r, xguest_t) -+ ') ++ #optional_policy(` ++ # telepathy_dbus_session_role(xguest_r, xguest_t) ++ #') +') + +optional_policy(` 
@@ -20786,7 +20986,7 @@ index 6480167..1440827 100644 + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web) ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..26669be 100644 +index 3136c6a..5bbc3c3 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -21166,18 +21366,20 @@ index 3136c6a..26669be 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,6 +492,10 @@ files_read_etc_files(httpd_t) +@@ -402,6 +492,12 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) ++manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t) +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file }) libs_read_lib_files(httpd_t) -@@ -416,34 +510,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +512,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -21254,7 +21456,7 @@ index 3136c6a..26669be 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +590,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +592,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
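Review bot: The added `manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)` and `manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)` lines are not covered by the comment above them, which justifies access only for uploaded files that PHP hands to executed programs. Letting CGI scripts create and replace symlinks and sockets under `httpd_tmp_t` likely widens what a compromised script can influence, assuming the web server itself also works with that type. If the access is required, extend the comment, e.g. `# scripts also create sockets and symlinks under httpd_tmp_t because <reason>`; otherwise I would leave the two lines out or place them behind a tunable.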
@@ -21265,7 +21467,7 @@ index 3136c6a..26669be 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +604,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +606,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -21295,7 +21497,7 @@ index 3136c6a..26669be 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +634,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +636,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -21312,7 +21514,7 @@ index 3136c6a..26669be 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +658,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +660,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -21333,7 +21535,7 @@ index 3136c6a..26669be 100644 ') optional_policy(` -@@ -513,7 +682,13 @@ optional_policy(` +@@ -513,7 +684,13 @@ optional_policy(` ') optional_policy(` @@ -21348,7 +21550,7 @@ index 3136c6a..26669be 100644 ') optional_policy(` -@@ -528,7 +703,18 @@ optional_policy(` +@@ -528,7 +705,18 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -21368,7 +21570,7 @@ index 3136c6a..26669be 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +723,13 @@ optional_policy(` +@@ -537,8 +725,13 @@ optional_policy(` ') optional_policy(` @@ -21383,7 +21585,7 @@ index 3136c6a..26669be 100644 ') ') -@@ -556,7 +747,13 @@ optional_policy(` +@@ -556,7 +749,13 @@ optional_policy(` ') optional_policy(` 
@@ -21397,7 +21599,7 @@ index 3136c6a..26669be 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +764,7 @@ optional_policy(` +@@ -567,6 +766,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -21405,7 +21607,7 @@ index 3136c6a..26669be 100644 ') optional_policy(` -@@ -577,6 +775,16 @@ optional_policy(` +@@ -577,6 +777,16 @@ optional_policy(` ') optional_policy(` @@ -21422,7 +21624,7 @@ index 3136c6a..26669be 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +799,11 @@ optional_policy(` +@@ -591,6 +801,11 @@ optional_policy(` ') optional_policy(` @@ -21434,7 +21636,7 @@ index 3136c6a..26669be 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +816,11 @@ optional_policy(` +@@ -603,6 +818,11 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -21446,7 +21648,7 @@ index 3136c6a..26669be 100644 ######################################## # # Apache helper local policy -@@ -616,7 +834,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +836,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -21459,7 +21661,7 @@ index 3136c6a..26669be 100644 ######################################## # -@@ -654,28 +876,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +878,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -21503,7 +21705,7 @@ index 3136c6a..26669be 100644 ') ######################################## -@@ -699,17 +923,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +925,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -21529,7 +21731,7 @@ index 3136c6a..26669be 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +969,27 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +971,27 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -21558,7 +21760,7 @@ index 3136c6a..26669be 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1012,25 @@ optional_policy(` +@@ -769,6 +1014,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -21584,7 +21786,7 @@ index 3136c6a..26669be 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1051,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1053,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -21602,7 +21804,7 @@ index 3136c6a..26669be 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1070,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1072,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -21659,7 +21861,7 @@ index 3136c6a..26669be 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1121,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1123,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -21690,7 +21892,7 @@ index 3136c6a..26669be 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1156,20 @@ optional_policy(` +@@ -842,10 +1158,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -21711,7 +21913,7 @@ index 3136c6a..26669be 100644 ') ######################################## -@@ -891,11 +1215,21 @@ optional_policy(` +@@ -891,11 +1217,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -24806,10 +25008,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..d8c9b6e +index 0000000..c0e81e5 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,106 @@ +@@ -0,0 +1,107 @@ +policy_module(colord,1.0.0) + +######################################## @@ -24834,6 +25036,7 @@ index 0000000..d8c9b6e +# +# colord local policy +# ++allow colord_t self:capability { dac_read_search dac_override }; +allow colord_t self:process signal; +allow colord_t self:fifo_file rw_fifo_file_perms; +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -26517,7 +26720,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) 
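Review bot: In the colord.te hunk, `allow colord_t self:capability { dac_read_search dac_override };` lets colord bypass file permission checks for both reading and writing, and the hunk gives no reason. `dac_override` is the broader of the two; if the denial that prompted this was a read or a directory search, `allow colord_t self:capability dac_read_search;` alone would cover it. If write override really is needed, a comment naming the files involved would let a later reviewer check whether correcting their ownership or mode is the better fix.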
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..a0c951e 100644 +index 0d5711c..1564a13 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -26697,7 +26900,7 @@ index 0d5711c..a0c951e 100644 ') ######################################## -@@ -431,14 +473,28 @@ interface(`dbus_system_domain',` +@@ -431,14 +473,29 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -26708,7 +26911,8 @@ index 0d5711c..a0c951e 100644 + init_stream_connect($1) + init_dgram_send($1) -+ ++ init_use_fds($1) ++ ps_process_pattern(system_dbusd_t, $1) + userdom_dontaudit_search_admin_dir($1) @@ -26727,7 +26931,7 @@ index 0d5711c..a0c951e 100644 dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') ') -@@ -497,3 +553,23 @@ interface(`dbus_unconfined',` +@@ -497,3 +554,23 @@ interface(`dbus_unconfined',` typeattribute $1 dbusd_unconfined; ') @@ -27065,10 +27269,17 @@ index 8ba9425..b10da2c 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc -index 418a5a0..28d9e41 100644 +index 418a5a0..c25fbdc 100644 --- a/policy/modules/services/devicekit.fc 
+++ b/policy/modules/services/devicekit.fc -@@ -8,7 +8,12 @@ +@@ -2,13 +2,19 @@ + /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) + /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) ++/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0) + /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0) + + /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) /var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0) @@ -27082,7 +27293,7 @@ index 418a5a0..28d9e41 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..30954ba 100644 +index f706b99..f0c629f 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -27097,7 +27308,32 @@ index f706b99..30954ba 100644 ## # interface(`devicekit_domtrans',` -@@ -81,6 +81,27 @@ interface(`devicekit_dbus_chat_disk',` +@@ -20,6 +20,24 @@ interface(`devicekit_domtrans',` + + ######################################## + ##

++## Execute a domain transition to run devicekit_disk. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`devicekit_domtrans_disk',` ++ gen_require(` ++ type devicekit_disk_t, devicekit_disk_exec_t; ++ ') ++ ++ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t) ++') ++ ++######################################## ++## + ## Send to devicekit over a unix domain + ## datagram socket. + ## +@@ -81,6 +99,27 @@ interface(`devicekit_dbus_chat_disk',` ######################################## ## @@ -27125,7 +27361,7 @@ index f706b99..30954ba 100644 ## Send signal devicekit power ## ## -@@ -118,6 +139,44 @@ interface(`devicekit_dbus_chat_power',` +@@ -118,6 +157,44 @@ interface(`devicekit_dbus_chat_power',` allow devicekit_power_t $1:dbus send_msg; ') @@ -27170,7 +27406,7 @@ index f706b99..30954ba 100644 ######################################## ## ## Read devicekit PID files. -@@ -139,22 +198,52 @@ interface(`devicekit_read_pid_files',` +@@ -139,22 +216,52 @@ interface(`devicekit_read_pid_files',` ######################################## ## @@ -27230,7 +27466,7 @@ index f706b99..30954ba 100644 ## ## ## -@@ -165,21 +254,21 @@ interface(`devicekit_admin',` +@@ -165,21 +272,21 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') @@ -30381,7 +30617,7 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..6ee7b93 100644 +index 4fde46b..4417f4e 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te @@ -9,24 +9,31 @@ type gnomeclock_t; 
@@ -30419,7 +30655,7 @@ index 4fde46b..6ee7b93 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +42,50 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +42,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -30464,6 +30700,7 @@ index 4fde46b..6ee7b93 100644 +# needed by systemctl +init_stream_connect(gnomeclock_systemctl_t) +init_read_state(gnomeclock_systemctl_t) ++init_list_pid_dirs(gnomeclock_systemctl_t) + +systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t) + @@ -31267,6 +31504,22 @@ index 9fab1dc..dc7dd01 100644 mta_send_mail(innd_t) +diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te +index 9aeeaf9..28fdfc5 100644 +--- a/policy/modules/services/irqbalance.te ++++ b/policy/modules/services/irqbalance.te +@@ -19,6 +19,11 @@ files_pid_file(irqbalance_var_run_t) + + allow irqbalance_t self:capability { setpcap net_admin }; + dontaudit irqbalance_t self:capability sys_tty_config; ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit irqbalance_t self:capability sys_module; ++') ++ + allow irqbalance_t self:process { getcap setcap signal_perms }; + allow irqbalance_t self:udp_socket create_socket_perms; + diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc index 4c9acec..deef4c7 100644 --- a/policy/modules/services/jabber.fc @@ -41482,10 +41735,31 @@ index 852840b..4427b21 100644 + ') ') diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te -index 0a76027..7083808 100644 +index 0a76027..adc198d 100644 --- a/policy/modules/services/remotelogin.te 
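Review bot: The `dontaudit irqbalance_t self:capability sys_module;` rule added to irqbalance.te is justified only by `# caused by some bogus kernel code`, with no bug reference and no condition for removing it. A dontaudit on sys_module silences the denial record for any module-load request from this domain, so it also removes a signal that would be useful if the daemon ever requested the capability for a different reason. The same rule and comment are added for ifconfig_t in the sysnetwork.te hunk further down. I would extend the comment in both places, e.g. `# kernel asks for sys_module during <operation>; drop once fixed, see bug <BUG-ID>`. Both rules sit under `hide_broken_symptoms`, so the denials are audited again when that is not defined.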
+++ b/policy/modules/services/remotelogin.te -@@ -49,6 +49,8 @@ fs_getattr_xattr_fs(remote_login_t) +@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t) + auth_login_pgm_domain(remote_login_t) + auth_login_entry_type(remote_login_t) + +-type remote_login_tmp_t; +-files_tmp_file(remote_login_tmp_t) +- + ######################################## + # + # Remote login remote policy +@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms; + allow remote_login_t self:msg { send receive }; + allow remote_login_t self:key write; + +-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) +-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t) +-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir }) +- + kernel_read_system_state(remote_login_t) + kernel_read_kernel_sysctls(remote_login_t) + +@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t) fs_search_auto_mountpoints(remote_login_t) term_relabel_all_ptys(remote_login_t) @@ -41494,7 +41768,7 @@ index 0a76027..7083808 100644 auth_rw_login_records(remote_login_t) auth_rw_faillog(remote_login_t) -@@ -77,7 +79,7 @@ files_list_mnt(remote_login_t) +@@ -77,7 +72,7 @@ files_list_mnt(remote_login_t) # for when /var/mail is a sym-link files_read_var_symlinks(remote_login_t) 
@@ -41503,19 +41777,21 @@ index 0a76027..7083808 100644 miscfiles_read_localization(remote_login_t) -@@ -87,9 +89,8 @@ userdom_search_user_home_content(remote_login_t) +@@ -87,9 +82,11 @@ userdom_search_user_home_content(remote_login_t) # since very weak authentication is used. userdom_signal_unpriv_users(remote_login_t) userdom_spec_domtrans_unpriv_users(remote_login_t) -- ++userdom_use_user_ptys(remote_login_t) + -# Search for mail spool file. -mta_getattr_spool(remote_login_t) -+userdom_use_user_ptys(remote_login_t) -+userdom_rw_user_tmp_files(remote_login_t) ++userdom_manage_user_tmp_dirs(remote_login_t) ++userdom_manage_user_tmp_files(remote_login_t) ++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir }) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(remote_login_t) -@@ -106,15 +107,15 @@ optional_policy(` +@@ -106,15 +103,15 @@ optional_policy(` ') optional_policy(` @@ -42674,7 +42950,7 @@ index 63e78c6..ffa4f37 100644 ## # diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te -index 779fa44..13556c1 100644 +index 779fa44..4bcaacc 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) @@ -42714,7 +42990,7 @@ index 779fa44..13556c1 100644 files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,9 +88,9 @@ seutil_read_config(rlogind_t) +@@ -88,9 +88,10 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -42724,10 +43000,11 @@ index 779fa44..13556c1 100644 +userdom_search_admin_dir(rlogind_t) +userdom_manage_user_tmp_files(rlogind_t) +userdom_tmp_filetrans_user_tmp(rlogind_t, file) ++userdom_use_user_terminals(rlogind_t) rlogin_read_home_content(rlogind_t) -@@ -112,5 +112,10 @@ optional_policy(` +@@ -112,5 +113,10 @@ optional_policy(` ') optional_policy(` 
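Review bot: remote_login_t goes from `userdom_rw_user_tmp_files` to `userdom_manage_user_tmp_dirs`, `userdom_manage_user_tmp_files` and `userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })`, directly under the existing comment that this domain uses very weak authentication, and nothing in the hunk says why the wider access is needed. Together with the removal of the private remote_login_tmp_t type in the earlier remotelogin.te hunk, temporary files created by the login program would now carry the shared user tmp label instead of a type reserved for remote_login_t (assuming the filetrans interface assigns user_tmp_t, as its name suggests). I would add a comment above the three calls such as `# login creates session files in /tmp that the user domain must own; see bug <BUG-ID>`, or keep the access at read/write if create and delete are not actually required.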
@@ -44361,16 +44638,17 @@ index 740994a..a92ba26 100644 allow smokeping_t self:udp_socket create_socket_perms; allow smokeping_t self:unix_stream_socket create_stream_socket_perms; diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc -index 623c8fa..ac10740 100644 +index 623c8fa..0a802f7 100644 --- a/policy/modules/services/snmp.fc +++ b/policy/modules/services/snmp.fc -@@ -18,7 +18,7 @@ +@@ -18,7 +18,8 @@ /var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0) -/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) ++/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if @@ -52540,7 +52818,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..e4f13ca 100644 +index cc83689..48662f1 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -52886,7 +53164,7 @@ index cc83689..e4f13ca 100644 ') ') -@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +962,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -52909,11 +53187,11 @@ index cc83689..e4f13ca 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## 
@@ -52926,12 +53204,16 @@ index cc83689..e4f13ca 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## @@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` @@ -53074,7 +53356,7 @@ index cc83689..e4f13ca 100644 ') ######################################## -@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1975,92 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -53093,6 +53375,24 @@ index cc83689..e4f13ca 100644 + type init_var_run_t; + ') + ++ allow $1 init_var_run_t:dir search_dir_perms; ++') ++ ++###################################### ++## ++## Allow listing of the /run/systemd directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_list_pid_dirs',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ + allow $1 init_var_run_t:dir list_dir_perms; +') + @@ -53149,7 +53449,7 @@ index cc83689..e4f13ca 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2095,139 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -56516,10 +56816,10 @@ index a0eef20..7a8241b 100644 ifdef(`distro_gentoo',` diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index 72c746e..9f9124f 100644 +index 72c746e..704d2d7 100644 --- a/policy/modules/system/mount.fc 
+++ b/policy/modules/system/mount.fc -@@ -1,4 +1,15 @@ +@@ -1,4 +1,16 @@ +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -56536,6 +56836,7 @@ index 72c746e..9f9124f 100644 + +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 8b5c196..f66d272 100644 --- a/policy/modules/system/mount.if @@ -58543,7 +58844,7 @@ index ff80d0a..95e705c 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index df32316..e372b51 100644 +index df32316..0c5f46e 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1) @@ -58735,7 +59036,7 @@ index df32316..e372b51 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,6 +361,10 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +361,15 @@ ifdef(`distro_ubuntu',` ') ') @@ -58744,9 +59045,14 @@ index df32316..e372b51 100644 +') + ifdef(`hide_broken_symptoms',` ++ ++ # caused by some bogus kernel code ++ dontaudit ifconfig_t self:capability sys_module; ++ optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) -@@ -325,12 +376,31 @@ ifdef(`hide_broken_symptoms',` + ') +@@ -325,12 +380,31 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -58778,7 +59084,7 @@ index df32316..e372b51 100644 ') optional_policy(` -@@ -355,3 +425,9 @@ optional_policy(` +@@ -355,3 +429,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -59454,7 +59760,7 @@ index 025348a..4e2ca03 100644 +') + 
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..7f59b32 100644 +index d88f7c3..a90decc 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -59528,7 +59834,7 @@ index d88f7c3..7f59b32 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -95,8 +101,17 @@ kernel_read_software_raid_state(udev_t) +@@ -95,8 +101,19 @@ kernel_read_software_raid_state(udev_t) corecmd_exec_all_executables(udev_t) @@ -59544,10 +59850,12 @@ index d88f7c3..7f59b32 100644 +dev_create_all_chr_dev_nodes(udev_t) +dev_setattr_all_chr_dev_nodes(udev_t) +dev_setattr_all_blk_dev_nodes(udev_t) ++dev_rw_generic_usb_dev(udev_t) ++ dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +120,27 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +122,27 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -59576,7 +59884,7 @@ index d88f7c3..7f59b32 100644 mcs_ptrace_all(udev_t) -@@ -136,6 +157,13 @@ selinux_compute_create_context(udev_t) +@@ -136,6 +159,13 @@ selinux_compute_create_context(udev_t) selinux_compute_relabel_context(udev_t) selinux_compute_user_contexts(udev_t) @@ -59590,7 +59898,7 @@ index d88f7c3..7f59b32 100644 auth_read_pam_console_data(udev_t) auth_domtrans_pam_console(udev_t) auth_use_nsswitch(udev_t) -@@ -143,6 +171,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +173,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) 
@@ -59598,7 +59906,7 @@ index d88f7c3..7f59b32 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,15 +215,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +217,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -59619,7 +59927,7 @@ index d88f7c3..7f59b32 100644 ') optional_policy(` -@@ -216,11 +246,16 @@ optional_policy(` +@@ -216,11 +248,16 @@ optional_policy(` ') optional_policy(` @@ -59636,22 +59944,23 @@ index d88f7c3..7f59b32 100644 ') optional_policy(` -@@ -233,6 +268,14 @@ optional_policy(` - ') - +@@ -230,6 +267,15 @@ optional_policy(` optional_policy(` -+ gnome_read_home_config(udev_t) + devicekit_read_pid_files(udev_t) + devicekit_dgram_send(udev_t) ++ devicekit_domtrans_disk(udev_t) +') + +optional_policy(` -+ gpsd_domtrans(udev_t) ++ gnome_read_home_config(udev_t) +') + +optional_policy(` - lvm_domtrans(udev_t) ++ gpsd_domtrans(udev_t) ') -@@ -259,6 +302,10 @@ optional_policy(` + optional_policy(` +@@ -259,6 +305,10 @@ optional_policy(` ') optional_policy(` @@ -59662,7 +59971,7 @@ index d88f7c3..7f59b32 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +320,11 @@ optional_policy(` +@@ -273,6 +323,11 @@ optional_policy(` ') optional_policy(` @@ -60446,7 +60755,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..d933851 100644 +index 28b88de..73fd082 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
@@ -60460,7 +60769,7 @@ index 28b88de..d933851 100644 domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,101 @@ template(`userdom_base_user_template',` +@@ -43,69 +44,103 @@ template(`userdom_base_user_template',` term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -60591,8 +60900,7 @@ index 28b88de..d933851 100644 + storage_rw_fuse($1_usertype) + + auth_use_nsswitch($1_usertype) - -- libs_exec_ld_so($1_t) ++ + init_stream_connect($1_usertype) + # The library functions always try to open read-write first, + # then fall back to read-only if it fails. @@ -60600,6 +60908,9 @@ index 28b88de..d933851 100644 + + libs_exec_ld_so($1_usertype) +- libs_exec_ld_so($1_t) ++ logging_send_audit_msgs($1_t) + miscfiles_read_localization($1_t) miscfiles_read_generic_certs($1_t) @@ -60611,7 +60922,7 @@ index 28b88de..d933851 100644 tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +149,16 @@ template(`userdom_base_user_template',` +@@ -116,6 +151,16 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -60628,7 +60939,7 @@ index 28b88de..d933851 100644 ') ####################################### -@@ -149,6 +192,8 @@ interface(`userdom_ro_home_role',` +@@ -149,6 +194,8 @@ interface(`userdom_ro_home_role',` type user_home_t, user_home_dir_t; ') @@ -60637,7 +60948,7 @@ index 28b88de..d933851 100644 ############################## # # Domain access to home dir -@@ -166,27 +211,6 @@ interface(`userdom_ro_home_role',` +@@ -166,27 +213,6 @@ interface(`userdom_ro_home_role',` read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) 
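Review bot: `logging_send_audit_msgs($1_t)` is added to userdom_base_user_template without a comment, so every user domain built from the template receives it. If the interface grants what it does in the upstream reference policy (audit_write plus the relay permission on the netlink audit socket), each user domain is permitted at the policy level to submit user-space audit records, which affects how far the audit trail can be trusted during an investigation. I would either move the call to the templates that actually need it or document the requirement in place, e.g. `# required by <program> to log <event>; see bug <BUG-ID>`. The template body starts and ends outside this hunk.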
@@ -60665,7 +60976,7 @@ index 28b88de..d933851 100644 ') ####################################### -@@ -218,8 +242,11 @@ interface(`userdom_ro_home_role',` +@@ -218,8 +244,11 @@ interface(`userdom_ro_home_role',` interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -60677,7 +60988,7 @@ index 28b88de..d933851 100644 ############################## # # Domain access to home dir -@@ -228,17 +255,21 @@ interface(`userdom_manage_home_role',` +@@ -228,17 +257,21 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -60709,7 +61020,7 @@ index 28b88de..d933851 100644 filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +277,23 @@ interface(`userdom_manage_home_role',` +@@ -246,25 +279,23 @@ interface(`userdom_manage_home_role',` allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -60739,7 +61050,7 @@ index 28b88de..d933851 100644 ') ') -@@ -289,6 +318,8 @@ interface(`userdom_manage_tmp_role',` +@@ -289,6 +320,8 @@ interface(`userdom_manage_tmp_role',` type user_tmp_t; ') @@ -60748,7 +61059,7 @@ index 28b88de..d933851 100644 files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +328,45 @@ interface(`userdom_manage_tmp_role',` +@@ -297,6 +330,45 @@ interface(`userdom_manage_tmp_role',` manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -60794,7 +61105,7 @@ index 28b88de..d933851 100644 ') ####################################### -@@ -316,6 +386,7 @@ interface(`userdom_exec_user_tmp_files',` +@@ -316,6 +388,7 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) 
@@ -60802,7 +61113,7 @@ index 28b88de..d933851 100644 files_search_tmp($1) ') -@@ -350,6 +421,8 @@ interface(`userdom_manage_tmpfs_role',` +@@ -350,6 +423,8 @@ interface(`userdom_manage_tmpfs_role',` type user_tmpfs_t; ') @@ -60811,7 +61122,7 @@ index 28b88de..d933851 100644 manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +433,41 @@ interface(`userdom_manage_tmpfs_role',` +@@ -360,46 +435,41 @@ interface(`userdom_manage_tmpfs_role',` ####################################### ## @@ -60880,7 +61191,7 @@ index 28b88de..d933851 100644 ') ####################################### -@@ -430,6 +498,7 @@ template(`userdom_xwindows_client_template',` +@@ -430,6 +500,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -60888,7 +61199,7 @@ index 28b88de..d933851 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +559,7 @@ template(`userdom_common_user_template',` +@@ -490,7 +561,7 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -60897,7 +61208,7 @@ index 28b88de..d933851 100644 ############################## # -@@ -500,73 +569,81 @@ template(`userdom_common_user_template',` +@@ -500,73 +571,81 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
@@ -61018,7 +61329,7 @@ index 28b88de..d933851 100644 ') tunable_policy(`user_ttyfile_stat',` -@@ -574,67 +651,123 @@ template(`userdom_common_user_template',` +@@ -574,67 +653,123 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -61036,19 +61347,19 @@ index 28b88de..d933851 100644 + + optional_policy(` + canna_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ chrome_role($1_r, $1_usertype) ') optional_policy(` - canna_stream_connect($1_t) -+ colord_read_lib_files($1_usertype) ++ chrome_role($1_r, $1_usertype) ') optional_policy(` - dbus_system_bus_client($1_t) ++ colord_read_lib_files($1_usertype) ++ ') ++ ++ optional_policy(` + dbus_system_bus_client($1_usertype) + + allow $1_usertype $1_usertype:dbus send_msg; @@ -61080,40 +61391,42 @@ index 28b88de..d933851 100644 + evolution_dbus_chat($1_usertype) + evolution_alarm_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ gnome_dbus_chat_gconfdefault($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ hal_dbus_chat($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ kde_dbus_chat_backlighthelper($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ modemmanager_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) - ') -+ -+ optional_policy(` + vpn_dbus_chat($1_usertype) -+ ') -+ ') -+ -+ optional_policy(` + ') + ') + + optional_policy(` +- inetd_use_fds($1_t) +- inetd_rw_tcp_sockets($1_t) + git_session_role($1_r, $1_usertype) + ') + 
@@ -61123,22 +61436,20 @@ index 28b88de..d933851 100644 ') optional_policy(` -- inetd_use_fds($1_t) -- inetd_rw_tcp_sockets($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) - ') - - optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ lircd_stream_connect($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) ++ lircd_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -61160,7 +61471,7 @@ index 28b88de..d933851 100644 ') optional_policy(` -@@ -650,41 +783,50 @@ template(`userdom_common_user_template',` +@@ -650,41 +785,50 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -61222,7 +61533,7 @@ index 28b88de..d933851 100644 ') ####################################### -@@ -712,13 +854,26 @@ template(`userdom_login_user_template', ` +@@ -712,13 +856,26 @@ template(`userdom_login_user_template', ` userdom_base_user_template($1) @@ -61236,9 +61547,7 @@ index 28b88de..d933851 100644 - userdom_manage_tmpfs_role($1_r, $1_t) + ifelse(`$1',`unconfined',`',` + gen_tunable(allow_$1_exec_content, true) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -61246,7 +61555,9 @@ index 28b88de..d933851 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') 
@@ -61254,7 +61565,7 @@ index 28b88de..d933851 100644 userdom_change_password_template($1) -@@ -736,72 +891,71 @@ template(`userdom_login_user_template', ` +@@ -736,72 +893,71 @@ template(`userdom_login_user_template', ` allow $1_t self:context contains; @@ -61363,7 +61674,7 @@ index 28b88de..d933851 100644 ') ') -@@ -833,6 +987,9 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +989,9 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -61373,7 +61684,7 @@ index 28b88de..d933851 100644 ############################## # # Local policy -@@ -874,45 +1031,113 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -874,45 +1033,116 @@ template(`userdom_restricted_xwindows_user_template',` # auth_role($1_r, $1_t) @@ -61431,6 +61742,9 @@ index 28b88de..d933851 100644 + # bug: #682499 + optional_policy(` + gnome_read_usr_config($1_usertype) ++ gnome_role_gkeyringd($1, $1_r, $1_t) ++ # cjp: telepathy F15 bugs ++ telepathy_dbus_session_role($1_r, $1_t, $1) ') optional_policy(` 
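Review bot: `telepathy_dbus_session_role($1_r, $1_t, $1)` is added inside the same optional_policy block as `gnome_read_usr_config($1_usertype)` and `gnome_role_gkeyringd($1, $1_r, $1_t)`. An optional block is dropped as a whole when any symbol it requires is missing, so a build without the telepathy module would also lose the gnome rules, and the `# bug: #682499` comment above the block no longer describes everything in it. I would move the call into its own optional_policy block that holds only `telepathy_dbus_session_role($1_r, $1_t, $1)`, keeping the `# cjp: telepathy F15 bugs` comment with it. The enclosing userdom_restricted_xwindows_user_template continues outside the hunk.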
@@ -61449,39 +61763,39 @@ index 28b88de..d933851 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` + + optional_policy(` +- consolekit_dbus_chat($1_t) + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) -+ ') + ') optional_policy(` -- consolekit_dbus_chat($1_t) +- cups_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ') - - optional_policy(` -- cups_dbus_chat($1_t) ++ ++ optional_policy(` + fprintd_dbus_chat($1_t) - ') - ') - - optional_policy(` -- java_role($1_r, $1_t) -+ openoffice_role_template($1, $1_r, $1_usertype) ++ ') + ') + + optional_policy(` -+ policykit_role($1_r, $1_usertype) ++ openoffice_role_template($1, $1_r, $1_usertype) + ') + + optional_policy(` -+ pulseaudio_role($1_r, $1_usertype) ++ policykit_role($1_r, $1_usertype) + ') + + optional_policy(` ++ pulseaudio_role($1_r, $1_usertype) + ') + + optional_policy(` +- java_role($1_r, $1_t) + rtkit_scheduled($1_usertype) ') @@ -61498,7 +61812,7 @@ index 28b88de..d933851 100644 ') ') -@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1177,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -61507,7 +61821,7 @@ index 28b88de..d933851 100644 userdom_common_user_template($1) ############################## -@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', ` +@@ -956,54 +1186,83 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here 
@@ -61597,31 +61911,31 @@ index 28b88de..d933851 100644 + + optional_policy(` + mono_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ postfix_run_postdrop($1_t, $1_r) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) ') -+ # Run pppd in pppd_t by default for user optional_policy(` - setroubleshoot_stream_connect($1_t) ++ wine_role_template($1, $1_r, $1_t) ++ ') ++ ++ optional_policy(` ++ postfix_run_postdrop($1_t, $1_r) ++ ') ++ ++ # Run pppd in pppd_t by default for user ++ optional_policy(` + ppp_run_cond($1_t, $1_r) ') ') -@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1298,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -61630,7 +61944,7 @@ index 28b88de..d933851 100644 ') ############################## -@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1325,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -61638,7 +61952,7 @@ index 28b88de..d933851 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1334,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -61648,7 +61962,7 @@ index 28b88de..d933851 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1351,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -61656,7 +61970,7 @@ index 28b88de..d933851 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1369,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -61670,7 +61984,7 @@ index 28b88de..d933851 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,17 +1381,21 @@ template(`userdom_admin_user_template',` +@@ -1119,17 +1386,21 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -61693,7 +62007,7 @@ index 28b88de..d933851 100644 auth_getattr_shadow($1_t) # Manage almost all files -@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',` +@@ -1141,7 +1412,10 @@ template(`userdom_admin_user_template',` logging_send_syslog_msg($1_t) @@ -61705,7 +62019,7 @@ index 28b88de..d933851 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1484,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -61714,7 +62028,7 @@ index 28b88de..d933851 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',` +@@ -1222,6 +1498,7 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -61722,7 +62036,7 @@ index 28b88de..d933851 100644 auth_relabel_all_files_except_shadow($1) auth_relabel_shadow($1) -@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',` +@@ -1237,6 +1514,7 @@ template(`userdom_security_admin_template',` seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -61730,7 +62044,7 @@ index 28b88de..d933851 100644 seutil_run_setfiles($1, $2) optional_policy(` -@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',` +@@ -1279,11 +1557,37 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -61768,7 +62082,7 @@ index 28b88de..d933851 100644 ubac_constrained($1) ') -@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1699,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -61776,7 +62090,7 @@ index 28b88de..d933851 100644 files_search_home($1) ') -@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1746,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -61791,7 +62105,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1769,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -61803,7 +62117,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,10 +1830,10 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -61816,7 +62130,7 @@ index 28b88de..d933851 100644 ## ## ## -@@ -1526,22 +1836,58 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1526,19 +1841,55 @@ interface(`userdom_relabelto_user_home_dirs',` ## ## # @@ -61837,9 +62151,7 @@ index 28b88de..d933851 100644 -## domain when executing a program in the -## user home directory. +## Relabel user home files. - ## --## --##

++##

+## +## +## Domain allowed access. @@ -61878,13 +62190,10 @@ index 28b88de..d933851 100644 +## Do a domain transition to the specified +## domain when executing a program in the +## user home directory. -+## -+## -+##

- ## Do a domain transition to the specified - ## domain when executing a program in the - ## user home directory. -@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',` + ##

+ ## + ##

+@@ -1589,6 +1940,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -61893,7 +62202,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +1956,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -61908,7 +62217,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2004,25 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ##

@@ -61934,7 +62243,7 @@ index 28b88de..d933851 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2074,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -61967,7 +62276,7 @@ index 28b88de..d933851 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2110,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -61985,7 +62294,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2176,24 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -62010,7 +62319,7 @@ index 28b88de..d933851 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2225,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -62020,7 +62329,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -1827,21 +2236,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2241,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -62034,19 +62343,18 @@ index 28b88de..d933851 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2416,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -62055,7 +62363,7 @@ index 28b88de..d933851 100644 files_search_home($1) ') -@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2590,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -62064,7 +62372,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +2843,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -62080,7 +62388,7 @@ index 28b88de..d933851 100644 ## ## ## -@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +2871,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -62107,7 +62415,7 @@ index 28b88de..d933851 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,6 +2956,24 @@ interface(`userdom_use_user_ttys',` +@@ -2572,6 +2961,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -62132,7 +62440,7 @@ index 28b88de..d933851 100644 ## Read and write a user domain pty. ## ## -@@ -2590,22 +2992,34 @@ interface(`userdom_use_user_ptys',` +@@ -2590,22 +2997,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## 
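Review bot: In the `@@ -62034,19 +62343,18 @@` hunk, `dontaudit $1 user_home_type:sock_file execute;` has no comment, and since a dontaudit rule keeps the matching denials out of the audit log, the reason for silencing them should sit next to it, e.g. `# dontaudit: <which caller triggers this and why the denial is harmless>`. The same inner hunk removes the `use_nfs_home_dirs` and `use_samba_home_dirs` blocks (`fs_exec_nfs_files`, `fs_exec_cifs_files`) from `userdom_exec_user_home_content_files`, and the replacement `exec_files_pattern` names only `user_home_dir_t` and `user_home_type`. Nothing visible here shows where execute access on NFS or CIFS home directories is granted instead, so that should be confirmed against the rest of the policy. Both rules are carried over from the previous revision of the patch and are only realigned here; the interface begins in the preceding hunk.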
@@ -62175,7 +62483,7 @@ index 28b88de..d933851 100644 ## ## ## -@@ -2614,14 +3028,33 @@ interface(`userdom_use_user_ptys',` +@@ -2614,14 +3033,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -62213,7 +62521,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -2815,7 +3248,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2815,7 +3253,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -62222,7 +62530,7 @@ index 28b88de..d933851 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2831,11 +3264,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2831,11 +3269,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -62238,7 +62546,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -2917,7 +3352,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2917,7 +3357,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -62247,7 +62555,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -2972,7 +3407,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -2972,7 +3412,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -62294,7 +62602,7 @@ index 28b88de..d933851 100644 ') ######################################## -@@ -3009,6 +3482,7 @@ interface(`userdom_read_all_users_state',` +@@ -3009,6 +3487,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -62302,7 +62610,7 @@ index 28b88de..d933851 100644 kernel_search_proc($1) ') -@@ -3087,6 +3561,24 @@ interface(`userdom_signal_all_users',` +@@ -3087,6 +3566,24 @@ interface(`userdom_signal_all_users',` ######################################## ## 
@@ -62327,7 +62635,7 @@ index 28b88de..d933851 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3139,3 +3631,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3139,3 +3636,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 1921a1e..147db60 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,12 @@ exit 0 %endif %changelog +* Mon May 9 2011 Miroslav Grepl 3.9.16-21 +- Dontaudit sys_module for ifconfig +- Make telepathy and gkeyringd daemon working with confined users +- colord wants to read files in users homedir +- Remote login should be creating user_tmp_t not its own tmp files + * Thu May 5 2011 Miroslav Grepl 3.9.16-20 - Fix label for /usr/share/munin/plugins/munin_* plugins - Add support for zarafa-indexer