diff --git a/modules-targeted.conf b/modules-targeted.conf index 770508a..e3b5d24 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -2437,3 +2437,10 @@ ctdbd = module # fcoemon # fcoemon = module + +# Layer: services +# Module: sblim +# +# sblim +# +sblim = module diff --git a/policy-F16.patch b/policy-F16.patch index 93056ad..f9db5f9 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -6147,7 +6147,7 @@ index 4f9dc90..8dc8a5f 100644 + relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te -index 66beb80..702a727 100644 +index 66beb80..b69a628 100644 --- a/policy/modules/apps/irc.te +++ b/policy/modules/apps/irc.te @@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t) @@ -6190,7 +6190,7 @@ index 66beb80..702a727 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(irc_t) -@@ -101,3 +125,73 @@ tunable_policy(`use_samba_home_dirs',` +@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` nis_use_ypbind(irc_t) ') @@ -6221,6 +6221,11 @@ index 66beb80..702a727 100644 +corenet_tcp_sendrecv_ircd_port(irssi_t) +corenet_sendrecv_ircd_client_packets(irssi_t) + ++# tcp:7000 is often used for SSL irc ++corenet_tcp_connect_gatekeeper_port(irssi_t) ++corenet_tcp_sendrecv_gatekeeper_port(irssi_t) ++corenet_sendrecv_gatekeeper_client_packets(irssi_t) ++ +# Privoxy +corenet_tcp_connect_http_cache_port(irssi_t) +corenet_tcp_sendrecv_http_cache_port(irssi_t) @@ -6491,10 +6496,19 @@ index 0000000..bb02f40 +') + diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te -index 2dde73a..12281bb 100644 +index 2dde73a..e4ccac2 100644 --- a/policy/modules/apps/kdumpgui.te 
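Review bot: The three `corenet_*_gatekeeper_*(irssi_t)` calls added under `# tcp:7000 is often used for SSL irc` grant irssi_t the whole gatekeeper port type rather than tcp/7000 alone. The `network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)` line elsewhere in this patch shows that the type also covers tcp/1721, so the client may connect there as well. I would say so in the comment, e.g. `# tcp:7000 is often used for SSL irc; gatekeeper_port_t also covers tcp:1721`, so that the wider grant is a recorded decision.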
+++ b/policy/modules/apps/kdumpgui.te -@@ -47,6 +47,12 @@ miscfiles_read_localization(kdumpgui_t) +@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t) + files_etc_filetrans_etc_runtime(kdumpgui_t, file) + files_read_usr_files(kdumpgui_t) + ++fs_read_dos_files(kdumpgui_t) ++ + storage_raw_read_fixed_disk(kdumpgui_t) + storage_raw_write_fixed_disk(kdumpgui_t) + +@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t) init_dontaudit_read_all_script_files(kdumpgui_t) @@ -11876,7 +11890,7 @@ index 4f3b542..5a41e58 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..7345e5f 100644 +index 99b71cb..fd75b96 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,14 @@ attribute netif_type; @@ -11921,7 +11935,19 @@ index 99b71cb..7345e5f 100644 type client_packet_t, packet_type, client_packet_type; # -@@ -65,22 +81,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; +@@ -50,6 +66,11 @@ type port_t, port_type; + sid port gen_context(system_u:object_r:port_t,s0) + + # ++# port_t is the default type of INET port numbers. ++# ++type unreserved_port_t, unreserved_port_type; ++ ++# + # reserved_port_t is the type of INET port numbers below 1024. + # + type reserved_port_t, port_type, reserved_port_type; +@@ -65,22 +86,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type; type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) 
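Review bot: The comment added above `type unreserved_port_t, unreserved_port_type;` reads `port_t is the default type of INET port numbers`, which describes port_t and not the type being declared. Something like `# unreserved_port_t is the type of INET port numbers from 1024 up.` would match the wording used for reserved_port_t just below. Also, reserved_port_t is declared with `port_type, reserved_port_type`, while the new type gets only `unreserved_port_type`. If leaving out `port_type` is intended it needs a comment, because as far as these lines show, rules written against `port_type` would no longer cover ports relabelled by the 1024-65535 portcon entries this patch adds.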
@@ -11949,7 +11975,7 @@ index 99b71cb..7345e5f 100644 type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict network_port(certmaster, tcp,51235,s0) network_port(chronyd, udp,323,s0) -@@ -88,7 +108,9 @@ network_port(clamd, tcp,3310,s0) +@@ -88,7 +113,9 @@ network_port(clamd, tcp,3310,s0) network_port(clockspeed, udp,4041,s0) network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0) network_port(cobbler, tcp,25151,s0) @@ -11959,7 +11985,7 @@ index 99b71cb..7345e5f 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -99,9 +121,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) +@@ -99,9 +126,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -11974,7 +12000,7 @@ index 99b71cb..7345e5f 100644 network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) -@@ -129,20 +156,25 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +161,25 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) 
@@ -12003,7 +12029,7 @@ index 99b71cb..7345e5f 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -155,13 +187,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +@@ -155,13 +192,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) @@ -12017,7 +12043,7 @@ index 99b71cb..7345e5f 100644 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pingd, tcp,9125,s0) +network_port(piranha, tcp,3636,s0) -+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) ++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0) +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) @@ -12026,7 +12052,12 @@ index 99b71cb..7345e5f 100644 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -183,25 +223,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -179,29 +224,34 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) + network_port(radius, udp,1645,s0, udp,1812,s0) + network_port(radsec, tcp,2083,s0) + network_port(razor, tcp,2703,s0) ++network_port(repository, tcp, 6363, s0) + network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) 
@@ -12059,7 +12090,7 @@ index 99b71cb..7345e5f 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -215,7 +259,7 @@ network_port(uucpd, tcp,540,s0) +@@ -215,7 +265,7 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -12068,7 +12099,7 @@ index 99b71cb..7345e5f 100644 network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -@@ -229,6 +273,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +279,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -12076,7 +12107,16 @@ index 99b71cb..7345e5f 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -282,9 +327,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -238,6 +289,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) + portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) + portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) + portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) ++portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) ++portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0) + + ######################################## + # +@@ -282,9 +335,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -13651,7 +13691,7 @@ index fae1ab1..da927bb 100644 +dontaudit can_change_object_identity can_change_object_identity:key link; + diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c19518a..ba08cfe 100644 +index c19518a..b630279c 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -13662,7 +13702,12 @@ index c19518a..ba08cfe 100644 ') ifdef(`distro_suse',` -@@ -57,6 +58,13 @@ ifdef(`distro_suse',` +@@ -53,10 +54,18 @@ ifdef(`distro_suse',` + /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) ++/etc/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -13676,7 +13721,7 @@ index c19518a..ba08cfe 100644 /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) -@@ -68,7 +76,10 @@ ifdef(`distro_suse',` +@@ -68,7 +77,10 @@ ifdef(`distro_suse',` /etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -13688,7 +13733,7 @@ index c19518a..ba08cfe 100644 ifdef(`distro_gentoo', ` /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0) -@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.* <> +@@ -102,10 +114,9 @@ HOME_ROOT/lost\+found/.* <> /initrd -d gen_context(system_u:object_r:root_t,s0) # 
@@ -13700,7 +13745,7 @@ index c19518a..ba08cfe 100644 # # /lost+found -@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.* <> +@@ -146,7 +157,7 @@ HOME_ROOT/lost\+found/.* <> /opt -d gen_context(system_u:object_r:usr_t,s0) /opt/.* gen_context(system_u:object_r:usr_t,s0) @@ -13709,7 +13754,7 @@ index c19518a..ba08cfe 100644 # # /proc -@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.* <> +@@ -154,6 +165,12 @@ HOME_ROOT/lost\+found/.* <> /proc -d <> /proc/.* <> @@ -13722,7 +13767,7 @@ index c19518a..ba08cfe 100644 # # /run # -@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.* <> +@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.* <> ifndef(`distro_redhat',` /usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0) @@ -13730,7 +13775,7 @@ index c19518a..ba08cfe 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -230,17 +245,20 @@ ifndef(`distro_redhat',` +@@ -230,17 +246,20 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -13752,14 +13797,14 @@ index c19518a..ba08cfe 100644 /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> -@@ -257,3 +275,5 @@ ifndef(`distro_redhat',` +@@ -257,3 +276,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..a049775 100644 +index ff006ea..367d234 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -14713,7 +14758,7 @@ index ff006ea..a049775 100644 ## Read all process ID files. ## ## -@@ -5832,6 +6344,44 @@ interface(`files_read_all_pids',` +@@ -5832,6 +6344,62 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -14740,6 +14785,24 @@ index ff006ea..a049775 100644 + +######################################## +## ++## Execute generic programs in /var/run in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_exec_generic_pid_files',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ exec_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. +## @@ -14758,7 +14821,7 @@ index ff006ea..a049775 100644 ') ######################################## -@@ -5900,6 +6450,90 @@ interface(`files_delete_all_pid_dirs',` +@@ -5900,6 +6468,90 @@ interface(`files_delete_all_pid_dirs',` ######################################## ## @@ -14849,7 +14912,7 @@ index ff006ea..a049775 100644 ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -6042,7 +6676,7 @@ interface(`files_spool_filetrans',` +@@ -6042,7 +6694,7 @@ interface(`files_spool_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -14858,7 +14921,7 @@ index ff006ea..a049775 100644 ') ######################################## -@@ -6117,3 +6751,284 @@ interface(`files_unconfined',` +@@ -6117,3 +6769,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -15941,7 +16004,7 @@ index 6346378..edbe041 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index d91c62f..2860a62 100644 +index d91c62f..9740613 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -15981,7 +16044,7 @@ index d91c62f..2860a62 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -269,19 +276,40 @@ files_list_root(kernel_t) +@@ -269,25 +276,47 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) 
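Review bot: The doc block of the new `files_exec_generic_pid_files` says only `Execute generic programs in /var/run in the caller domain`, which undersells what `exec_files_pattern($1, var_run_t, var_run_t)` hands out. var_run_t is the generic label for content under /var/run, so the caller runs, without a domain transition, any file that carries it. I would extend the summary to say that, and that the interface is meant for callers where running such content in their own domain is acceptable. The callers are not visible in this hunk.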
@@ -16022,7 +16085,14 @@ index d91c62f..2860a62 100644 optional_policy(` hotplug_search_config(kernel_t) ') -@@ -297,6 +325,19 @@ optional_policy(` + + optional_policy(` + init_sigchld(kernel_t) ++ init_dyntrans(kernel_t) + ') + + optional_policy(` +@@ -297,6 +326,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -16042,7 +16112,7 @@ index d91c62f..2860a62 100644 ') optional_policy(` -@@ -334,9 +375,7 @@ optional_policy(` +@@ -334,9 +376,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16053,7 +16123,7 @@ index d91c62f..2860a62 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -345,7 +384,7 @@ optional_policy(` +@@ -345,7 +385,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16062,7 +16132,7 @@ index d91c62f..2860a62 100644 ') ') -@@ -358,6 +397,15 @@ optional_policy(` +@@ -358,6 +398,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -16377,7 +16447,7 @@ index ca7e808..23a065c 100644 +') + diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..02ff02d7 100644 +index 1700ef2..6b7eabb 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` @@ -16397,7 +16467,7 @@ index 1700ef2..02ff02d7 100644 dev_add_entry_generic_dirs($1) ') -@@ -808,3 +811,358 @@ interface(`storage_unconfined',` +@@ -808,3 +811,368 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
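Review bot: `init_dyntrans(kernel_t)` is added to the `init_sigchld(kernel_t)` optional block with no comment, and it is the most sensitive line in this hunk. Going by the interface name, it lets kernel_t move into the init domain by dynamic transition, that is, without an exec boundary. The interface body is not shown here, so that reading should be confirmed. A one-line comment above the call naming the component and boot step that need it would let a later reader judge whether the grant can be dropped.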
@@ -16498,6 +16568,16 @@ index 1700ef2..02ff02d7 100644 + dev_filetrans($1, removable_device_t, blk_file, "cm207") + dev_filetrans($1, removable_device_t, blk_file, "cm208") + dev_filetrans($1, removable_device_t, blk_file, "cm209") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md3") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md4") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md5") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md6") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md7") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md8") ++ dev_filetrans($1, fixed_disk_device_t, blk_file, "md9") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0") + dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1") @@ -17771,7 +17851,7 @@ index 2be17d2..1a6d9d1 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..a9aeb68 100644 +index e14b961..9db59b0 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -17946,7 +18026,7 @@ index e14b961..a9aeb68 100644 ') optional_policy(` -@@ -225,12 +278,20 @@ optional_policy(` +@@ -225,17 +278,29 @@ optional_policy(` ') optional_policy(` @@ -17967,7 +18047,16 @@ index e14b961..a9aeb68 100644 ntp_stub() corenet_udp_bind_ntp_port(sysadm_t) ') -@@ -253,19 +314,19 @@ optional_policy(` + + optional_policy(` ++ nx_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` + oav_run_update(sysadm_t, sysadm_r) + ') + +@@ -253,19 +318,19 @@ optional_policy(` ') optional_policy(` 
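Review bot: The new `dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")` through `"md9"` lines label only those ten names. A named file transition matches the exact name, so an md node called anything else (a higher number, for instance) is not covered by this block and falls back to whatever the directory's default transition gives it. If that is a known limit, a comment above the md lines such as `# only md0-md9 are matched by name; other md nodes are not covered here` would record it. The interface's opening lines are outside this hunk.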
@@ -17991,7 +18080,7 @@ index e14b961..a9aeb68 100644 ') optional_policy(` -@@ -274,10 +335,7 @@ optional_policy(` +@@ -274,10 +339,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -18003,7 +18092,7 @@ index e14b961..a9aeb68 100644 ') optional_policy(` -@@ -302,12 +360,18 @@ optional_policy(` +@@ -302,12 +364,18 @@ optional_policy(` ') optional_policy(` @@ -18023,7 +18112,7 @@ index e14b961..a9aeb68 100644 ') optional_policy(` -@@ -332,7 +396,7 @@ optional_policy(` +@@ -332,7 +400,7 @@ optional_policy(` ') optional_policy(` @@ -18032,7 +18121,7 @@ index e14b961..a9aeb68 100644 ') optional_policy(` -@@ -343,19 +407,15 @@ optional_policy(` +@@ -343,19 +411,15 @@ optional_policy(` ') optional_policy(` @@ -18054,7 +18143,7 @@ index e14b961..a9aeb68 100644 ') optional_policy(` -@@ -367,45 +427,45 @@ optional_policy(` +@@ -367,45 +431,45 @@ optional_policy(` ') optional_policy(` @@ -18111,7 +18200,7 @@ index e14b961..a9aeb68 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,6 +499,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +503,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -18119,20 +18208,20 @@ index e14b961..a9aeb68 100644 ') optional_policy(` -@@ -446,11 +507,62 @@ ifndef(`distro_redhat',` +@@ -446,11 +511,62 @@ ifndef(`distro_redhat',` ') optional_policy(` - irc_role(sysadm_r, sysadm_t) + java_role(sysadm_r, sysadm_t) ++ ') ++ ++ optional_policy(` ++ lockdev_role(sysadm_r, sysadm_t) ') optional_policy(` - java_role(sysadm_r, sysadm_t) -+ lockdev_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` + mozilla_role(sysadm_r, sysadm_t) + ') + @@ -18894,10 +18983,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..f35e36b +index 0000000..fc2c9ec --- /dev/null 
+++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,549 @@ +@@ -0,0 +1,553 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19307,6 +19396,10 @@ index 0000000..f35e36b +') + +optional_policy(` ++ nx_filetrans_named_content(unconfined_t) ++') ++ ++optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) +') + @@ -19991,13 +20084,14 @@ index 0b827c5..e03a970 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..ced411a 100644 +index 30861ec..5f4db0c 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te -@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) +@@ -5,7 +5,17 @@ policy_module(abrt, 1.2.0) # Declarations # +-type abrt_t; +## +##

+## Allow ABRT to modify public files @@ -20006,14 +20100,17 @@ index 30861ec..ced411a 100644 +## +gen_tunable(abrt_anon_write, false) + - type abrt_t; ++attribute abrt_domain; ++ ++type abrt_t, abrt_domain; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t) + +@@ -32,9 +42,15 @@ files_type(abrt_var_cache_t) type abrt_var_run_t; files_pid_file(abrt_var_run_t) -+type abrt_dump_oops_t; ++type abrt_dump_oops_t, abrt_domain; +type abrt_dump_oops_exec_t; +init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) + @@ -20021,8 +20118,12 @@ index 30861ec..ced411a 100644 + # type needed to allow all domains # to handle /var/cache/abrt - type abrt_helper_t; -@@ -43,14 +57,37 @@ ifdef(`enable_mcs',` +-type abrt_helper_t; ++type abrt_helper_t, abrt_domain; + type abrt_helper_exec_t; + application_domain(abrt_helper_t, abrt_helper_exec_t) + role system_r types abrt_helper_t; +@@ -43,14 +59,37 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -20030,12 +20131,12 @@ index 30861ec..ced411a 100644 +# Support for ABRT retrace server +# + -+type abrt_retrace_worker_t; ++type abrt_retrace_worker_t, abrt_domain; +type abrt_retrace_worker_exec_t; +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) +role system_r types abrt_retrace_worker_t; + -+type abrt_retrace_coredump_t; ++type abrt_retrace_coredump_t, abrt_domain; +type abrt_retrace_coredump_exec_t; +application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) +role system_r types abrt_retrace_coredump_t; @@ -20062,7 +20163,7 @@ index 30861ec..ced411a 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +98,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files 
@@ -20070,7 +20171,7 @@ index 30861ec..ced411a 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +109,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -20078,7 +20179,7 @@ index 30861ec..ced411a 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +123,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -20086,8 +20187,11 @@ index 30861ec..ced411a 100644 +files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) kernel_read_ring_buffer(abrt_t) - kernel_read_system_state(abrt_t) -@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t) +-kernel_read_system_state(abrt_t) + kernel_rw_kernel_sysctl(abrt_t) + + corecmd_exec_bin(abrt_t) +@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -20095,7 +20199,7 @@ index 30861ec..ced411a 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
@@ -20105,7 +20209,7 @@ index 30861ec..ced411a 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -20114,7 +20218,7 @@ index 30861ec..ced411a 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t) +@@ -131,15 +175,23 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -20122,9 +20226,10 @@ index 30861ec..ced411a 100644 +sysnet_dns_name_resolve(abrt_t) logging_read_generic_logs(abrt_t) - logging_send_syslog_msg(abrt_t) -@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t) - miscfiles_read_localization(abrt_t) +-logging_send_syslog_msg(abrt_t) + + miscfiles_read_generic_certs(abrt_t) +-miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) @@ -20140,7 +20245,7 @@ index 30861ec..ced411a 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +203,11 @@ optional_policy(` +@@ -150,6 +202,11 @@ optional_policy(` ') optional_policy(` @@ -20152,7 +20257,7 @@ index 30861ec..ced411a 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +225,7 @@ optional_policy(` +@@ -167,6 +224,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -20160,7 +20265,7 @@ index 30861ec..ced411a 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +237,18 @@ optional_policy(` +@@ -178,12 +236,18 @@ optional_policy(` ') optional_policy(` 
@@ -20180,7 +20285,7 @@ index 30861ec..ced411a 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +264,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -20188,12 +20293,18 @@ index 30861ec..ced411a 100644 + domain_read_all_domains_state(abrt_helper_t) - files_read_etc_files(abrt_helper_t) +-files_read_etc_files(abrt_helper_t) +files_dontaudit_all_non_security_leaks(abrt_helper_t) fs_list_inotifyfs(abrt_helper_t) fs_getattr_all_fs(abrt_helper_t) -@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t) + + auth_use_nsswitch(abrt_helper_t) + +-logging_send_syslog_msg(abrt_helper_t) +- +-miscfiles_read_localization(abrt_helper_t) +- term_dontaudit_use_all_ttys(abrt_helper_t) term_dontaudit_use_all_ptys(abrt_helper_t) @@ -20203,7 +20314,7 @@ index 30861ec..ced411a 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +287,124 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -20211,7 +20322,7 @@ index 30861ec..ced411a 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') - ') ++') + +ifdef(`hide_broken_symptoms',` + gen_require(` @@ -20221,7 +20332,7 @@ index 30861ec..ced411a 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; -+') + ') + +####################################### +# 
@@ -20238,20 +20349,13 @@ index 30861ec..ced411a 100644 +read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) +read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t) + -+kernel_read_system_state(abrt_retrace_coredump_t) -+ +corecmd_exec_bin(abrt_retrace_coredump_t) +corecmd_exec_shell(abrt_retrace_coredump_t) + +dev_read_urand(abrt_retrace_coredump_t) + -+files_read_etc_files(abrt_retrace_coredump_t) +files_read_usr_files(abrt_retrace_coredump_t) + -+logging_send_syslog_msg(abrt_retrace_coredump_t) -+ -+miscfiles_read_localization(abrt_retrace_coredump_t) -+ +sysnet_dns_name_resolve(abrt_retrace_coredump_t) + +# to install debuginfo packages @@ -20285,20 +20389,13 @@ index 30861ec..ced411a 100644 + +can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) + -+kernel_read_system_state(abrt_retrace_worker_t) -+ +corecmd_exec_bin(abrt_retrace_worker_t) +corecmd_exec_shell(abrt_retrace_worker_t) + +dev_read_urand(abrt_retrace_worker_t) + -+files_read_etc_files(abrt_retrace_worker_t) +files_read_usr_files(abrt_retrace_worker_t) + -+logging_send_syslog_msg(abrt_retrace_worker_t) -+ -+miscfiles_read_localization(abrt_retrace_worker_t) -+ +sysnet_dns_name_resolve(abrt_retrace_worker_t) + +optional_policy(` @@ -20325,16 +20422,23 @@ index 30861ec..ced411a 100644 + +kernel_read_kernel_sysctls(abrt_dump_oops_t) +kernel_read_ring_buffer(abrt_dump_oops_t) -+kernel_read_system_state(abrt_dump_oops_t) + +domain_use_interactive_fds(abrt_dump_oops_t) + -+files_read_etc_files(abrt_dump_oops_t) -+ +logging_read_generic_logs(abrt_dump_oops_t) -+logging_send_syslog_msg(abrt_dump_oops_t) + -+miscfiles_read_localization(abrt_dump_oops_t) ++####################################### ++# ++# Local policy for all abrt domain ++# ++ ++kernel_read_system_state(abrt_domain) ++ ++files_read_etc_files(abrt_domain) ++ ++logging_send_syslog_msg(abrt_domain) ++ ++miscfiles_read_localization(abrt_domain) 
diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if index c0f858d..d639ae0 100644 --- a/policy/modules/services/accountsd.if @@ -23155,7 +23259,7 @@ index 0197980..f8bce2c 100644 +/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) +/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te -index f4e7ad3..68aebc4 100644 +index f4e7ad3..2faf42a 100644 --- a/policy/modules/services/bitlbee.te +++ b/policy/modules/services/bitlbee.te @@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t) @@ -23172,7 +23276,7 @@ index f4e7ad3..68aebc4 100644 -allow bitlbee_t self:capability { setgid setuid }; -allow bitlbee_t self:process signal; -+allow bitlbee_t self:capability { setgid setuid sys_nice }; ++allow bitlbee_t self:capability { dac_override setgid setuid sys_nice }; +allow bitlbee_t self:process { setsched signal }; + +allow bitlbee_t self:fifo_file rw_fifo_file_perms; @@ -23211,6 +23315,16 @@ index f4e7ad3..68aebc4 100644 # Allow bitlbee to connect to jabber servers corenet_tcp_connect_jabber_client_port(bitlbee_t) corenet_tcp_sendrecv_jabber_client_port(bitlbee_t) +@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t) + corenet_tcp_sendrecv_http_port(bitlbee_t) + corenet_tcp_connect_http_cache_port(bitlbee_t) + corenet_tcp_sendrecv_http_cache_port(bitlbee_t) ++corenet_tcp_bind_ircd_port(bitlbee_t) ++corenet_tcp_sendrecv_ircd_port(bitlbee_t) ++corenet_sendrecv_ircd_server_packets(bitlbee_t) + + dev_read_rand(bitlbee_t) + dev_read_urand(bitlbee_t) diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if index 3e45431..4aa8fb1 100644 --- a/policy/modules/services/bluetooth.if @@ -26353,7 +26467,7 @@ index 5220c9d..a2e6830 100644 ##
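Review bot: Moving `kernel_read_system_state`, `files_read_etc_files`, `logging_send_syslog_msg` and `miscfiles_read_localization` onto `abrt_domain` widens any member that lacked one of them. In the hunks visible here, abrt_helper_t loses the last three but no `kernel_read_system_state` line, so it appears to gain that access through the attribute. If that is intended, say so under the `# Local policy for all abrt domain` header, e.g. `# Rules here apply to every abrt_domain member, including abrt_helper_t`. If not, keep that call per domain.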
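Review bot: `dac_override` is added to `allow bitlbee_t self:capability` without a comment, and it lets the daemon bypass file permission checks for read, write and execute. If the denial behind it was a read or directory search on files owned by another user, `dac_read_search` is the narrower capability. Fixing the ownership of bitlbee's own directories would avoid the capability entirely. At minimum I would add `# dac_override: <path and operation that required it>` above the rule.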

## Allow the specified domain to read corosync's log files. diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te -index 04969e5..4e1d434 100644 +index 04969e5..f0f7e1a 100644 --- a/policy/modules/services/corosync.te +++ b/policy/modules/services/corosync.te @@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t) @@ -26396,7 +26510,7 @@ index 04969e5..4e1d434 100644 auth_use_nsswitch(corosync_t) -@@ -83,19 +89,37 @@ logging_send_syslog_msg(corosync_t) +@@ -83,19 +89,42 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) @@ -26417,13 +26531,17 @@ index 04969e5..4e1d434 100644 - rhcs_rw_dlm_controld_semaphores(corosync_t) + cmirrord_rw_shm(corosync_t) +') - -- rhcs_rw_fenced_semaphores(corosync_t) ++ +optional_policy(` -+ drbd_domtrans(corosync_t) ++ dbus_system_bus_client(corosync_t) +') + +optional_policy(` ++ drbd_domtrans(corosync_t) ++') + +- rhcs_rw_fenced_semaphores(corosync_t) ++optional_policy(` + lvm_rw_clvmd_tmpfs_files(corosync_t) + lvm_delete_clvmd_tmpfs_files(corosync_t) +') @@ -26435,6 +26553,7 @@ index 04969e5..4e1d434 100644 + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) + rhcs_read_cluster_lib_files(corosync_t) ++ rhcs_manage_cluster_lib_files(corosync_t) ') optional_policy(` @@ -27476,24 +27595,27 @@ index f7583ab..3c9cf5a 100644 diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc new file mode 100644 -index 0000000..e490a2a +index 0000000..2db6b61 --- /dev/null 
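Review bot: `rhcs_manage_cluster_lib_files(corosync_t)` is added directly after `rhcs_read_cluster_lib_files(corosync_t)`, which leaves two calls where one is enough if, as the names suggest, manage already includes read (the interface bodies are not shown). The change takes corosync_t from read-only to full management of the cluster lib files. I would drop the read call and put the reason on the remaining line, e.g. `# <what corosync writes under the cluster lib dir>`. The enclosing optional_policy block starts outside this hunk.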
+++ b/policy/modules/services/ctdbd.fc -@@ -0,0 +1,15 @@ +@@ -0,0 +1,18 @@ + +/etc/rc\.d/init\.d/ctdb -- gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0) + -+/var/log/log.ctdb gen_context(system_u:object_r:ctdbd_log_t,s0) ++/etc/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++ ++/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) ++ ++/var/log/log\.ctdb -- gen_context(system_u:object_r:ctdbd_log_t,s0) + +/var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) + +/var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + -+/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) + +/var/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) -+/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) ++/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) + diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if new file mode 100644 @@ -27758,7 +27880,7 @@ index 0000000..9146ef1 + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..5e2a4bd +index 0000000..579e420 --- /dev/null +++ b/policy/modules/services/ctdbd.te @@ -0,0 +1,114 @@ @@ -27835,11 +27957,13 @@ index 0000000..5e2a4bd +kernel_read_system_state(ctdbd_t) + +corenet_tcp_bind_generic_node(ctdbd_t) ++corenet_tcp_bind_ctdb_port(ctdbd_t) + +corecmd_exec_bin(ctdbd_t) +corecmd_exec_shell(ctdbd_t) + +dev_read_sysfs(ctdbd_t) ++dev_read_urand(ctdbd_t) + +domain_use_interactive_fds(ctdbd_t) +domain_dontaudit_read_all_domains_state(ctdbd_t) 
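Review bot: `/etc/ctdb(/.*)?` is labelled `ctdbd_var_lib_t`, the same type as the state directories `/var/ctdb`, `/var/ctdbd` and `/var/lib/ctdbd`. Whatever ctdbd_t is allowed to do to its state files it can then also do to its configuration under /etc. If that type is writable for the daemon, a misbehaving or compromised ctdbd could rewrite its own config (the ctdbd.te rules for the type are not in this hunk). If the daemon does need to write there, a comment in the .fc saying so would help. Otherwise a separate read-only config type is the tighter choice.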
@@ -27852,8 +27976,6 @@ index 0000000..5e2a4bd +miscfiles_read_localization(ctdbd_t) +miscfiles_read_public_files(ctdbd_t) + -+#corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t) -+#corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t) + +optional_policy(` + consoletype_exec(ctdbd_t) @@ -27870,7 +27992,7 @@ index 0000000..5e2a4bd +optional_policy(` + samba_initrc_domtrans(ctdbd_t) + samba_domtrans_net(ctdbd_t) -+ samba_read_var_files(ctdbd_t) ++ samba_rw_var_files(ctdbd_t) +') + +optional_policy(` @@ -36210,10 +36332,10 @@ index 0000000..e2cda9b + diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te new file mode 100644 -index 0000000..1c74e98 +index 0000000..b5ba929 --- /dev/null +++ b/policy/modules/services/lldpad.te -@@ -0,0 +1,68 @@ +@@ -0,0 +1,70 @@ +policy_module(lldpad, 1.0.0) + +######################################## @@ -36279,6 +36401,8 @@ index 0000000..1c74e98 + +miscfiles_read_localization(lldpad_t) + ++userdom_dgram_send(lldpad_t) ++ +optional_policy(` + fcoemon_dgram_send(lldpad_t) +') @@ -40365,7 +40489,7 @@ index ff962dd..c856c64 100644 dev_rw_generic_usb_dev(nut_upsdrvctl_t) diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if -index 79a225c..cbb2bce 100644 +index 79a225c..d82b231 100644 --- a/policy/modules/services/nx.if +++ b/policy/modules/services/nx.if @@ -33,8 +33,10 @@ interface(`nx_read_home_files',` 
@@ -40387,13 +40511,31 @@ index 79a225c..cbb2bce 100644 allow $1 nx_server_var_lib_t:dir search_dir_perms; ') -@@ -81,5 +84,6 @@ interface(`nx_var_lib_filetrans',` +@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',` type nx_server_var_lib_t; ') + files_search_var_lib($1) filetrans_pattern($1, nx_server_var_lib_t, $2, $3) ') ++ ++######################################## ++## ++## Transition to nx named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nx_filetrans_named_content',` ++ gen_require(` ++ type nx_server_home_ssh_t, nx_server_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh") ++') diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te index ebb9582..1c72c6e 100644 --- a/policy/modules/services/nx.te @@ -44224,7 +44366,7 @@ index 2855a44..c71fa1e 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..81cc685 100644 +index 64c5f95..313f77d 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0) @@ -44346,7 +44488,7 @@ index 64c5f95..81cc685 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +239,34 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +239,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; 
@@ -44365,6 +44507,7 @@ index 64c5f95..81cc685 100644 manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t) +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms; ++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms; setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) +create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t) @@ -44384,7 +44527,7 @@ index 64c5f95..81cc685 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +279,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -44434,7 +44577,7 @@ index 64c5f95..81cc685 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +329,9 @@ optional_policy(` +@@ -231,3 +330,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -45882,7 +46025,7 @@ index c2ba53b..853eeb5 100644 /var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0) /var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0) diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if -index de37806..229a3c7 100644 +index de37806..175c89b 100644 --- a/policy/modules/services/rhcs.if +++ b/policy/modules/services/rhcs.if @@ -13,7 +13,7 @@ @@ -46007,7 +46150,7 @@ index de37806..229a3c7 100644 ###################################### ## ## Execute a domain transition to run qdiskd. -@@ -353,3 +410,41 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -353,3 +410,60 @@ interface(`rhcs_domtrans_qdiskd',` corecmd_search_bin($1) domtrans_pattern($1, qdiskd_exec_t, qdiskd_t) ') 
@@ -46049,6 +46192,25 @@ index de37806..229a3c7 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') ++ ++##################################### ++## ++## Allow domain to manage cluster lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_manage_cluster_lib_files',` ++ gen_require(` ++ type cluster_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) ++') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te index 93c896a..2331615 100644 --- a/policy/modules/services/rhcs.te @@ -48313,7 +48475,7 @@ index 82cb169..9e72970 100644 + admin_pattern($1, samba_unconfined_script_exec_t) ') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te -index e30bb63..a23112b 100644 +index e30bb63..2977339 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t) @@ -48410,17 +48572,18 @@ index e30bb63..a23112b 100644 ') # Support Samba sharing of NFS mount points -@@ -410,6 +407,9 @@ tunable_policy(`samba_share_fusefs',` +@@ -410,6 +407,10 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') +optional_policy(` + ctdbd_stream_connect(smbd_t) ++ ctdbd_manage_lib_files(smbd_t) +') optional_policy(` cups_read_rw_config(smbd_t) -@@ -445,26 +445,25 @@ optional_policy(` +@@ -445,26 +446,25 @@ optional_policy(` tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) 
@@ -48454,7 +48617,7 @@ index e30bb63..a23112b 100644 ######################################## # # nmbd Local policy -@@ -484,8 +483,9 @@ allow nmbd_t self:udp_socket create_socket_perms; +@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms; allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -48465,7 +48628,7 @@ index e30bb63..a23112b 100644 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) -@@ -560,13 +560,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; +@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; allow smbcontrol_t nmbd_t:process { signal signull }; @@ -48483,7 +48646,7 @@ index e30bb63..a23112b 100644 samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -578,7 +578,7 @@ files_read_etc_files(smbcontrol_t) +@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t) miscfiles_read_localization(smbcontrol_t) @@ -48492,7 +48655,7 @@ index e30bb63..a23112b 100644 ######################################## # -@@ -644,19 +644,21 @@ auth_use_nsswitch(smbmount_t) +@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t) miscfiles_read_localization(smbmount_t) @@ -48517,7 +48680,7 @@ index e30bb63..a23112b 100644 ######################################## # # SWAT Local policy -@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t) +@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t) allow swat_t nmbd_t:process { signal signull }; allow nmbd_t swat_t:process signal; 
@@ -48526,7 +48689,7 @@ index e30bb63..a23112b 100644 allow swat_t smbd_port_t:tcp_socket name_bind; -@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) +@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t) manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t) manage_files_pattern(swat_t, samba_var_t, samba_var_t) @@ -48541,7 +48704,7 @@ index e30bb63..a23112b 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; +@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms; domtrans_pattern(swat_t, winbind_exec_t, winbind_t) allow swat_t winbind_t:process { signal signull }; @@ -48549,7 +48712,7 @@ index e30bb63..a23112b 100644 allow swat_t winbind_var_run_t:dir { write add_name remove_name }; allow swat_t winbind_var_run_t:sock_file { create unlink }; -@@ -754,6 +759,8 @@ logging_search_logs(swat_t) +@@ -754,6 +760,8 @@ logging_search_logs(swat_t) miscfiles_read_localization(swat_t) @@ -48558,7 +48721,7 @@ index e30bb63..a23112b 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) +@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) allow winbind_t winbind_log_t:file manage_file_perms; logging_log_filetrans(winbind_t, winbind_log_t, file) @@ -48580,7 +48743,7 @@ index e30bb63..a23112b 100644 kernel_read_kernel_sysctls(winbind_t) kernel_read_system_state(winbind_t) -@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) +@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t) corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) 
@@ -48588,7 +48751,7 @@ index e30bb63..a23112b 100644 corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -904,7 +913,7 @@ logging_send_syslog_msg(winbind_helper_t) +@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t) miscfiles_read_localization(winbind_helper_t) @@ -48597,7 +48760,7 @@ index e30bb63..a23112b 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -922,6 +931,18 @@ optional_policy(` +@@ -922,6 +932,18 @@ optional_policy(` # optional_policy(` @@ -48616,7 +48779,7 @@ index e30bb63..a23112b 100644 type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -932,9 +953,12 @@ optional_policy(` +@@ -932,9 +954,12 @@ optional_policy(` allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; @@ -48775,10 +48938,10 @@ index 0000000..486d53d +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..f050bc5 +index 0000000..dae577a --- /dev/null +++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,61 @@ +@@ -0,0 +1,65 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -48819,12 +48982,16 @@ index 0000000..f050bc5 +manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t) +files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file }) + ++kernel_read_system_state(sanlock_t) ++ +domain_use_interactive_fds(sanlock_t) + +files_read_etc_files(sanlock_t) + +storage_raw_rw_fixed_disk(sanlock_t) + ++dev_read_urand(sanlock_t) ++ +logging_send_syslog_msg(sanlock_t) + +init_read_utmp(sanlock_t) 
@@ -48914,6 +49081,205 @@ index cfc60dd..53a9d2d 100644 ') optional_policy(` +diff --git a/policy/modules/services/sblim.fc b/policy/modules/services/sblim.fc +new file mode 100644 +index 0000000..d5c3c3f +--- /dev/null ++++ b/policy/modules/services/sblim.fc +@@ -0,0 +1,6 @@ ++ ++/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0) ++ ++/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0) ++ ++/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) +diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if +new file mode 100644 +index 0000000..8aef188 +--- /dev/null ++++ b/policy/modules/services/sblim.if +@@ -0,0 +1,78 @@ ++ ++## policy for SBLIM Gatherer ++ ++######################################## ++## ++## Transition to gatherd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`sblim_gatherd_domtrans',` ++ gen_require(` ++ type sblim_gatherd_t, sblim_gatherd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t) ++') ++ ++ ++######################################## ++## ++## Read gatherd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sblim_read_pid_files',` ++ gen_require(` ++ type sblim_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 gatherd_var_run_t:file read_file_perms; ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gatherd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`sblim_admin',` ++ gen_require(` ++ type sblim_gatherd_t; ++ type sblim_reposd_t; ++ type sblim_var_run_t; ++ ') ++ ++ allow $1 sblim_gatherd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sblim_gatherd_t) ++ ++ allow $1 sblim_reposd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, sblim_reposd_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, sblim_var_run_t) ++ ++') ++ +diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te +new file mode 100644 +index 0000000..3ced316 +--- /dev/null ++++ b/policy/modules/services/sblim.te +@@ -0,0 +1,97 @@ ++policy_module(sblim, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute sblim_domain; ++ ++type sblim_gatherd_t, sblim_domain; ++type sblim_gatherd_exec_t; ++init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) ++ ++permissive sblim_gatherd_t; ++ ++type sblim_reposd_t, sblim_domain; ++type sblim_reposd_exec_t; ++init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) ++ ++permissive sblim_gatherd_t; ++ ++type sblim_var_run_t; ++files_pid_file(sblim_var_run_t) ++ ++######################################## ++# ++# sblim_gatherd local policy ++# ++ ++#needed by ps ++allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override }; ++ ++allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; ++allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_read_fs_sysctls(sblim_gatherd_t) ++kernel_read_kernel_sysctls(sblim_gatherd_t) ++ ++corecmd_exec_bin(sblim_gatherd_t) ++corecmd_exec_shell(sblim_gatherd_t) ++ ++corenet_tcp_connect_repository_port(sblim_gatherd_t) ++ ++domain_read_all_domains_state(sblim_gatherd_t) ++ ++fs_getattr_all_fs(sblim_gatherd_t) ++ ++term_getattr_pty_fs(sblim_gatherd_t) ++ ++init_read_utmp(sblim_gatherd_t) ++ ++userdom_signull_unpriv_users(sblim_gatherd_t) ++ ++optional_policy(` ++ sysnet_dns_name_resolve(sblim_gatherd_t) ++') ++ 
++optional_policy(` ++ virt_stream_connect(sblim_gatherd_t) ++') ++ ++optional_policy(` ++ xen_stream_connect(sblim_gatherd_t) ++ xen_stream_connect_xenstore(sblim_gatherd_t) ++') ++ ++####################################### ++# ++# sblim_reposd local policy ++# ++ ++domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t) ++ ++corenet_tcp_bind_all_nodes(sblim_reposd_t) ++corenet_tcp_bind_repository_port(sblim_reposd_t) ++ ++###################################### ++# ++# sblim_domain local policy ++# ++ ++allow sblim_domain self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) ++manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) ++manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) ++ ++kernel_read_network_state(sblim_domain) ++kernel_read_system_state(sblim_domain) ++ ++dev_read_sysfs(sblim_domain) ++ ++logging_send_syslog_msg(sblim_domain) ++ ++files_read_etc_files(sblim_domain) ++ ++miscfiles_read_localization(sblim_domain) diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc index a86ec50..ef4199b 100644 --- a/policy/modules/services/sendmail.fc 
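Review bot: In the new sblim.if, `sblim_read_pid_files` requires `sblim_var_run_t`, but its allow rule names `gatherd_var_run_t`, a type that sblim.te in this hunk never declares. A module calling the interface is therefore likely to fail at policy build instead of gaining read access. The rule should read `allow $1 sblim_var_run_t:file read_file_perms;`. In sblim.te, `permissive sblim_gatherd_t;` appears twice, the second time directly after the `sblim_reposd_t` declarations, which suggests `permissive sblim_reposd_t;` was intended. As written, reposd would be enforced with only its two bind rules plus the shared `sblim_domain` rules, while gatherd stays permissive and its denials are only logged.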
@@ -51987,6 +52353,270 @@ index d4349e9..f14d337 100644 - nscd_socket_use(uux_t) + postfix_rw_master_pipes(uux_t) ') +diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc +new file mode 100644 +index 0000000..c184667 +--- /dev/null ++++ b/policy/modules/services/uuidd.fc +@@ -0,0 +1,9 @@ ++ ++/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0) ++ ++ ++/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0) ++ ++/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0) ++ ++/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0) +diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if +new file mode 100644 +index 0000000..5a2fd4c +--- /dev/null ++++ b/policy/modules/services/uuidd.if +@@ -0,0 +1,193 @@ ++## policy for uuidd ++ ++######################################## ++## ++## Transition to uuidd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`uuidd_domtrans',` ++ gen_require(` ++ type uuidd_t, uuidd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, uuidd_exec_t, uuidd_t) ++') ++ ++######################################## ++## ++## Execute uuidd server in the uuidd domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_initrc_domtrans',` ++ gen_require(` ++ type uuidd_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, uuidd_initrc_exec_t) ++') ++ ++######################################## ++## ++## Search uuidd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_search_lib',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ allow $1 uuidd_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read uuidd lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`uuidd_read_lib_files',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage uuidd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_manage_lib_files',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ++') ++ ++######################################## ++## ++## Manage uuidd lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_manage_lib_dirs',` ++ gen_require(` ++ type uuidd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t) ++') ++ ++ ++######################################## ++## ++## Read uuidd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_read_pid_files',` ++ gen_require(` ++ type uuidd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 uuidd_var_run_t:file read_file_perms; ++') ++ ++######################################## ++## ++## Connect to uuidd over an unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`uuidd_stream_connect_manager',` ++ gen_require(` ++ type uuidd_t, uuidd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an uuidd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`uuidd_admin',` ++ gen_require(` ++ type uuidd_t; ++ type uuidd_initrc_exec_t; ++ type uuidd_var_lib_t; ++ type uuidd_var_run_t; ++ ') ++ ++ allow $1 uuidd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, uuidd_t) ++ ++ uuidd_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 uuidd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_var_lib($1) ++ admin_pattern($1, uuidd_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, uuidd_var_run_t) ++') +diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te +new file mode 100644 +index 0000000..1adb81a +--- /dev/null ++++ b/policy/modules/services/uuidd.te +@@ -0,0 +1,44 @@ ++policy_module(uuidd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type uuidd_t; ++type uuidd_exec_t; ++init_daemon_domain(uuidd_t, uuidd_exec_t) ++ ++permissive uuidd_t; ++ ++type uuidd_initrc_exec_t; ++init_script_file(uuidd_initrc_exec_t) ++ ++type uuidd_var_lib_t; ++files_type(uuidd_var_lib_t) ++ ++type uuidd_var_run_t; ++files_pid_file(uuidd_var_run_t) ++ ++######################################## ++# ++# uuidd local policy ++# ++allow uuidd_t self:capability { kill setuid }; ++allow uuidd_t self:process { signal }; ++ ++allow uuidd_t self:fifo_file rw_fifo_file_perms; ++allow uuidd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t) ++manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t) ++ ++manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) ++manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) ++manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t) ++ ++domain_use_interactive_fds(uuidd_t) ++ ++files_read_etc_files(uuidd_t) ++ ++miscfiles_read_localization(uuidd_t) 
diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te index f9310f3..064171e 100644 --- a/policy/modules/services/varnishd.te @@ -52801,7 +53431,7 @@ index 7c5d8d8..4feaf88 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..5a0c2ce 100644 +index 3eca020..e18ede2 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) @@ -52976,7 +53606,12 @@ index 3eca020..5a0c2ce 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -133,6 +170,8 @@ dev_list_sysfs(svirt_t) +@@ -130,9 +167,13 @@ corenet_tcp_connect_all_ports(svirt_t) + + dev_list_sysfs(svirt_t) + ++fs_getattr_xattr_fs(svirt_t) ++ userdom_search_user_home_content(svirt_t) userdom_read_user_home_content_symlinks(svirt_t) userdom_read_all_users_state(svirt_t) @@ -52985,7 +53620,7 @@ index 3eca020..5a0c2ce 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +186,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +188,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -53001,7 +53636,7 @@ index 3eca020..5a0c2ce 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +203,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +205,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -53024,7 +53659,7 @@ index 3eca020..5a0c2ce 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +228,35 @@ optional_policy(` +@@ -174,21 +230,35 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; 
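Review bot: In the new uuidd.te (the hunk adding uuidd.fc/.if/.te, ahead of the virt.te hunks above), `uuidd_t` gets manage rights on `uuidd_var_run_t` and `uuidd_var_lib_t` but no type transition for either. Anything the daemon creates directly under /var/run or /var/lib would then take the parent directory's label instead of the uuidd types. sanlock.te in this same patch pairs the same manage patterns with `files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })`. Adding `files_pid_filetrans(uuidd_t, uuidd_var_run_t, { file dir sock_file })` and `files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { file dir })` would cover this, unless the directories are always pre-created and relabelled, which the hunk does not show. The interface name `uuidd_stream_connect_manager` also looks like a copy-paste leftover; `uuidd_stream_connect` would match `ctdbd_stream_connect` used in the samba.te hunk.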
@@ -53065,7 +53700,7 @@ index 3eca020..5a0c2ce 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +268,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +270,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -53083,7 +53718,7 @@ index 3eca020..5a0c2ce 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +292,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +294,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -53099,7 +53734,7 @@ index 3eca020..5a0c2ce 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +320,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +322,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -53132,7 +53767,7 @@ index 3eca020..5a0c2ce 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +352,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +354,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) 
@@ -53151,14 +53786,14 @@ index 3eca020..5a0c2ce 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +387,29 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +389,29 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -53181,7 +53816,7 @@ index 3eca020..5a0c2ce 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +428,10 @@ optional_policy(` +@@ -313,6 +430,10 @@ optional_policy(` ') optional_policy(` @@ -53192,7 +53827,7 @@ index 3eca020..5a0c2ce 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,11 +448,17 @@ optional_policy(` +@@ -329,11 +450,17 @@ optional_policy(` ') optional_policy(` @@ -53210,7 +53845,7 @@ index 3eca020..5a0c2ce 100644 ') optional_policy(` -@@ -365,6 +490,12 @@ optional_policy(` +@@ -365,6 +492,12 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -53223,7 +53858,7 @@ index 3eca020..5a0c2ce 100644 ') optional_policy(` -@@ -385,23 +516,37 @@ optional_policy(` +@@ -385,29 +518,45 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -53266,7 +53901,15 @@ index 3eca020..5a0c2ce 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -418,10 +563,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) + + kernel_read_system_state(virt_domain) + ++fs_getattr_xattr_fs(virt_domain) ++ + corecmd_exec_bin(virt_domain) + corecmd_exec_shell(virt_domain) + +@@ -418,10 +567,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) 
@@ -53279,7 +53922,7 @@ index 3eca020..5a0c2ce 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +575,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +579,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -53292,7 +53935,7 @@ index 3eca020..5a0c2ce 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,14 +588,20 @@ files_search_all(virt_domain) +@@ -440,14 +592,20 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -53300,12 +53943,12 @@ index 3eca020..5a0c2ce 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) -+ + +-term_use_all_terms(virt_domain) +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - --term_use_all_terms(virt_domain) ++ +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -53316,7 +53959,7 @@ index 3eca020..5a0c2ce 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +611,176 @@ optional_policy(` +@@ -457,8 +615,176 @@ optional_policy(` ') optional_policy(` @@ -53913,7 +54556,7 @@ index 4966c94..cb2e1a3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..1772fa2 100644 +index 130ced9..b6fb17a 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ 
@@ -53998,11 +54641,12 @@ index 130ced9..1772fa2 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -106,12 +116,23 @@ interface(`xserver_restricted_role',` +@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',` xserver_create_xdm_tmp_sockets($2) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + xserver_read_xdm_etc_files($2) ++ xserver_xdm_append_log($2) + + modutils_run_insmod(xserver_t, $1) @@ -54022,7 +54666,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -143,13 +164,15 @@ interface(`xserver_role',` +@@ -143,13 +165,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -54040,7 +54684,7 @@ index 130ced9..1772fa2 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +185,6 @@ interface(`xserver_role',` +@@ -162,7 +186,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -54048,7 +54692,7 @@ index 130ced9..1772fa2 100644 ') ####################################### -@@ -197,7 +219,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +220,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -54057,7 +54701,7 @@ index 130ced9..1772fa2 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +249,7 @@ interface(`xserver_rw_session',` +@@ -227,7 +250,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') 
@@ -54066,7 +54710,7 @@ index 130ced9..1772fa2 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -255,7 +277,7 @@ interface(`xserver_non_drawing_client',` +@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; @@ -54075,7 +54719,7 @@ index 130ced9..1772fa2 100644 allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; -@@ -291,13 +313,13 @@ interface(`xserver_user_client',` +@@ -291,13 +314,13 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -54093,7 +54737,7 @@ index 130ced9..1772fa2 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -342,19 +364,23 @@ interface(`xserver_user_client',` +@@ -342,19 +365,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` @@ -54120,7 +54764,7 @@ index 130ced9..1772fa2 100644 ') ############################## -@@ -386,6 +412,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -54136,7 +54780,7 @@ index 130ced9..1772fa2 100644 ') ####################################### -@@ -444,8 +479,9 @@ template(`xserver_object_types_template',` +@@ -444,8 +480,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` @@ -54148,7 +54792,7 @@ index 130ced9..1772fa2 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +492,18 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; 
@@ -54169,7 +54813,7 @@ index 130ced9..1772fa2 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +515,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -54198,7 +54842,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -517,6 +566,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -54206,7 +54850,7 @@ index 130ced9..1772fa2 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -549,6 +599,24 @@ interface(`xserver_domtrans_xauth',` +@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',` ######################################## ## @@ -54231,7 +54875,7 @@ index 130ced9..1772fa2 100644 ## Create a Xauthority file in the user home directory. ## ## -@@ -598,6 +666,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -54239,7 +54883,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -615,7 +684,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -54248,7 +54892,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -638,6 +707,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +708,25 @@ interface(`xserver_rw_console',` ######################################## ## 
@@ -54274,7 +54918,7 @@ index 130ced9..1772fa2 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +739,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -54283,7 +54927,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -670,7 +758,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -54292,7 +54936,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -688,7 +776,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -54301,7 +54945,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -703,12 +791,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -54315,7 +54959,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -724,11 +811,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -54349,7 +54993,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -752,6 +859,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -54375,7 +55019,7 @@ index 130ced9..1772fa2 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +891,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') 
@@ -54384,7 +55028,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -805,7 +931,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -54412,7 +55056,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -828,6 +973,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -54437,7 +55081,7 @@ index 130ced9..1772fa2 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1060,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) @@ -54446,7 +55090,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -916,7 +1079,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -54455,7 +55099,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -963,6 +1126,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -54501,7 +55145,7 @@ index 130ced9..1772fa2 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1178,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -54510,7 +55154,7 @@ index 130ced9..1772fa2 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1240,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## 
@@ -54553,7 +55197,7 @@ index 130ced9..1772fa2 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1290,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -54562,7 +55206,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -1070,8 +1308,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -54574,7 +55218,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -1185,6 +1425,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -54601,7 +55245,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -1210,7 +1470,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -54610,7 +55254,7 @@ index 130ced9..1772fa2 100644 ## ## ## -@@ -1220,13 +1480,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -54635,7 +55279,7 @@ index 130ced9..1772fa2 100644 ') ######################################## -@@ -1243,10 +1513,458 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -57556,7 +58200,7 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) 
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..354e39c 100644 +index 94fd8dd..417ec32 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,42 @@ interface(`init_script_domain',` @@ -57724,7 +58368,7 @@ index 94fd8dd..354e39c 100644 ') ') -@@ -401,16 +428,19 @@ interface(`init_system_domain',` +@@ -401,20 +428,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -57744,7 +58388,29 @@ index 94fd8dd..354e39c 100644 mls_rangetrans_target($1) ') ') -@@ -451,6 +481,10 @@ interface(`init_exec',` + ++###################################### ++## ++## Allow domain dyntransition to init_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`init_dyntrans',` ++ gen_require(` ++ type anon_sftpd_t; ++ ') ++ ++ dyntrans_pattern($1, init_t) ++') ++ + ######################################## + ## + ## Execute init (/sbin/init) with a domain transition. +@@ -451,6 +499,10 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -57755,7 +58421,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -509,6 +543,24 @@ interface(`init_sigchld',` +@@ -509,6 +561,24 @@ interface(`init_sigchld',` ######################################## ## @@ -57780,7 +58446,7 @@ index 94fd8dd..354e39c 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +571,29 @@ interface(`init_sigchld',` +@@ -519,10 +589,29 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -57812,7 +58478,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -688,19 +759,25 @@ interface(`init_telinit',` +@@ -688,19 +777,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -57839,7 +58505,7 @@ index 94fd8dd..354e39c 100644 ') ') -@@ -730,7 +807,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +825,7 @@ interface(`init_rw_initctl',` ## ## ## 
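Review bot: The new `init_dyntrans` interface in init.if requires `type anon_sftpd_t;` in its gen_require block, but the only rule it emits is `dyntrans_pattern($1, init_t)`, so the type it actually uses is never required. This looks like a copy-paste leftover: the requirement should read `type init_t;`, otherwise the interface depends on an unrelated type being declared and may fail to resolve init_t when called from a module. A dynamic transition changes the context of a running process without passing through an entrypoint executable, so the interface summary should also say which caller is expected to need it.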
@@ -57848,7 +58514,7 @@ index 94fd8dd..354e39c 100644 ## ## # -@@ -773,18 +850,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +868,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -57872,7 +58538,7 @@ index 94fd8dd..354e39c 100644 ') ') -@@ -800,19 +878,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +896,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -57895,11 +58561,11 @@ index 94fd8dd..354e39c 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -57912,13 +58578,17 @@ index 94fd8dd..354e39c 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -868,9 +968,14 @@ interface(`init_script_file_domtrans',` ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -868,9 +986,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -57933,7 +58603,7 @@ index 94fd8dd..354e39c 100644 files_search_etc($1) ') -@@ -1079,6 +1184,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1202,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -57958,7 +58628,7 @@ index 94fd8dd..354e39c 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1253,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
@@ -57972,7 +58642,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -1375,6 +1493,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -58000,7 +58670,7 @@ index 94fd8dd..354e39c 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1600,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -58026,7 +58696,7 @@ index 94fd8dd..354e39c 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1677,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1695,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -58051,7 +58721,7 @@ index 94fd8dd..354e39c 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -58060,7 +58730,7 @@ index 94fd8dd..354e39c 100644 ') ######################################## -@@ -1715,6 +1891,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1909,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -58189,7 +58859,7 @@ index 94fd8dd..354e39c 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2047,156 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2065,156 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -58347,7 +59017,7 @@ index 94fd8dd..354e39c 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..de6dda5 100644 +index 29a9565..4d20828 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -58525,7 +59195,7 @@ index 29a9565..de6dda5 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +246,135 @@ tunable_policy(`init_upstart',` +@@ -186,16 +246,136 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -58578,9 +59248,9 @@ index 29a9565..de6dda5 100644 + files_relabel_all_pid_dirs(init_t) + files_relabel_all_pid_files(init_t) + files_create_all_pid_sockets(init_t) -+ files_delete_all_pid_sockets(init_t) ++ files_delete_all_pids(init_t) ++ files_exec_generic_pid_files(init_t) + files_create_all_pid_pipes(init_t) -+ files_delete_all_pid_pipes(init_t) + files_create_all_spool_sockets(init_t) + files_delete_all_spool_sockets(init_t) + files_manage_urandom_seed(init_t) @@ -58629,9 +59299,6 @@ index 29a9565..de6dda5 100644 + + create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) + -+# miscfiles_delete_man_pages(init_t) -+# miscfiles_relabel_man_pages(init_t) -+ +') + +auth_use_nsswitch(init_t) @@ -58639,10 +59306,14 @@ index 29a9565..de6dda5 100644 + optional_policy(` - auth_rw_login_records(init_t) -+ consolekit_manage_log(init_t) ++ lvm_rw_pipes(init_t) ') optional_policy(` ++ consolekit_manage_log(init_t) ++') ++ ++optional_policy(` + dbus_connect_system_bus(init_t) dbus_system_bus_client(init_t) + dbus_delete_pid_files(init_t) @@ -58663,7 +59334,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -203,6 +382,17 @@ optional_policy(` +@@ -203,6 +383,17 @@ optional_policy(` ') optional_policy(` 
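Review bot: `files_exec_generic_pid_files(init_t)` is added in the init.te hunk that reworks the pid-file cleanup calls, with no comment saying what init_t needs to execute from files carrying the generic pid label. Execute access on a runtime-writable location deserves an in-place justification, for example `# init executes <program to be named by the author> from the pid directory`. The same hunk replaces `files_delete_all_pid_sockets(init_t)` and `files_delete_all_pid_pipes(init_t)` with `files_delete_all_pids(init_t)`; that interface is defined outside this page, so please confirm it still covers the sock_file and fifo_file classes. The enclosing policy block starts and ends outside the hunk.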
@@ -58681,7 +59352,7 @@ index 29a9565..de6dda5 100644 unconfined_domain(init_t) ') -@@ -212,7 +402,7 @@ optional_policy(` +@@ -212,7 +403,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -58690,7 +59361,7 @@ index 29a9565..de6dda5 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +431,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -58706,7 +59377,7 @@ index 29a9565..de6dda5 100644 init_write_initctl(initrc_t) -@@ -258,20 +451,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -58743,7 +59414,7 @@ index 29a9565..de6dda5 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +484,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -58751,7 +59422,7 @@ index 29a9565..de6dda5 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +495,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) 
@@ -58762,7 +59433,7 @@ index 29a9565..de6dda5 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +506,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -58779,7 +59450,7 @@ index 29a9565..de6dda5 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +525,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -58787,7 +59458,7 @@ index 29a9565..de6dda5 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +533,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -58799,7 +59470,7 @@ index 29a9565..de6dda5 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +552,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -58813,7 +59484,7 @@ index 29a9565..de6dda5 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +567,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -58822,7 +59493,7 @@ index 29a9565..de6dda5 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +581,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -58830,7 +59501,7 @@ index 29a9565..de6dda5 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +593,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -58838,7 +59509,7 @@ index 29a9565..de6dda5 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +614,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -58860,7 +59531,7 @@ index 29a9565..de6dda5 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +677,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -58871,7 +59542,7 @@ index 29a9565..de6dda5 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +701,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +702,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -58880,7 +59551,7 @@ index 29a9565..de6dda5 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +716,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +717,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -58888,7 +59559,7 @@ index 29a9565..de6dda5 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +746,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +747,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -58922,7 +59593,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -531,10 +780,26 @@ ifdef(`distro_redhat',` +@@ -531,10 +781,26 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -58949,7 +59620,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -549,6 +814,39 @@ ifdef(`distro_suse',` +@@ -549,6 +815,39 @@ ifdef(`distro_suse',` ') ') @@ -58989,7 +59660,7 @@ index 29a9565..de6dda5 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +859,8 @@ optional_policy(` +@@ -561,6 +860,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -58998,7 +59669,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -577,6 +877,7 @@ optional_policy(` +@@ -577,6 +878,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -59006,7 +59677,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -589,6 +890,11 @@ optional_policy(` +@@ -589,6 +891,11 @@ optional_policy(` ') optional_policy(` @@ -59018,7 +59689,7 @@ index 29a9565..de6dda5 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +911,13 @@ optional_policy(` +@@ -605,9 +912,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -59032,7 +59703,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -649,6 +959,11 @@ optional_policy(` +@@ -649,6 +960,11 @@ optional_policy(` ') optional_policy(` 
@@ -59044,7 +59715,7 @@ index 29a9565..de6dda5 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1004,7 @@ optional_policy(` +@@ -689,6 +1005,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -59052,7 +59723,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -706,7 +1022,13 @@ optional_policy(` +@@ -706,7 +1023,13 @@ optional_policy(` ') optional_policy(` @@ -59066,7 +59737,7 @@ index 29a9565..de6dda5 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1051,10 @@ optional_policy(` +@@ -729,6 +1052,10 @@ optional_policy(` ') optional_policy(` @@ -59077,7 +59748,7 @@ index 29a9565..de6dda5 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1064,20 @@ optional_policy(` +@@ -738,10 +1065,20 @@ optional_policy(` ') optional_policy(` @@ -59098,7 +59769,7 @@ index 29a9565..de6dda5 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1086,10 @@ optional_policy(` +@@ -750,6 +1087,10 @@ optional_policy(` ') optional_policy(` @@ -59109,7 +59780,7 @@ index 29a9565..de6dda5 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1111,6 @@ optional_policy(` +@@ -771,8 +1112,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -59118,7 +59789,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -790,10 +1128,12 @@ optional_policy(` +@@ -790,10 +1129,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -59131,7 +59802,7 @@ index 29a9565..de6dda5 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1145,6 @@ optional_policy(` +@@ -805,7 +1146,6 @@ optional_policy(` ') optional_policy(` @@ -59139,7 +59810,7 @@ index 29a9565..de6dda5 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1154,24 @@ optional_policy(` +@@ -815,11 +1155,24 @@ optional_policy(` ') optional_policy(` 
@@ -59165,7 +59836,7 @@ index 29a9565..de6dda5 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1181,25 @@ optional_policy(` +@@ -829,6 +1182,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -59191,7 +59862,7 @@ index 29a9565..de6dda5 100644 ') optional_policy(` -@@ -844,6 +1215,10 @@ optional_policy(` +@@ -844,6 +1216,10 @@ optional_policy(` ') optional_policy(` @@ -59202,7 +59873,7 @@ index 29a9565..de6dda5 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1229,149 @@ optional_policy(` +@@ -854,3 +1230,149 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -59296,7 +59967,7 @@ index 29a9565..de6dda5 100644 + +tunable_policy(`init_systemd',` + # Handle upstart/systemd direct transition to a executable -+ allow init_t systemprocess:process siginh; ++ allow init_t systemprocess:process { dyntransition siginh }; + allow init_t systemprocess:unix_stream_socket create_stream_socket_perms; + allow init_t systemprocess:unix_dgram_socket create_socket_perms; + allow systemprocess init_t:unix_dgram_socket sendto; @@ -60306,7 +60977,7 @@ index e5836d3..b32b945 100644 +#') + diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index a0b379d..7d88511 100644 +index a0b379d..2a55eab 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -32,9 +32,8 @@ role system_r types sulogin_t; @@ -60369,7 +61040,7 @@ index a0b379d..7d88511 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -225,6 +226,7 @@ files_read_etc_files(sulogin_t) +@@ -225,11 +226,14 @@ files_read_etc_files(sulogin_t) files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) 
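Review bot: The changed rule `allow init_t systemprocess:process { dyntransition siginh };` grants dyntransition on the whole systemprocess attribute, while the comment above it still describes only a "direct transition to a executable". With this permission init_t can switch into any domain carrying that attribute without an entrypoint check, which is considerably broader than the exec-based transitions the rest of the block sets up. If only some services need it, grant it per domain instead of on the attribute. Otherwise extend the comment, e.g. `# dyntransition lets init_t switch into any systemprocess domain without an exec entrypoint`, and name the init feature that relies on it. The enclosing tunable_policy block continues outside the hunk.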
@@ -60377,7 +61048,14 @@ index a0b379d..7d88511 100644 init_getpgid_script(sulogin_t) -@@ -238,14 +240,23 @@ userdom_use_unpriv_users_fds(sulogin_t) + logging_send_syslog_msg(sulogin_t) + ++miscfiles_read_localization(sulogin_t) ++ + seutil_read_config(sulogin_t) + seutil_read_default_contexts(sulogin_t) + +@@ -238,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -60403,7 +61081,7 @@ index a0b379d..7d88511 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +267,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -60599,7 +61277,7 @@ index 831b909..57064ad 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..fa034d6 100644 +index b6ec597..2674701 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -20,6 +20,7 @@ files_security_file(auditd_log_t) @@ -60759,7 +61437,7 @@ index b6ec597..fa034d6 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -496,6 +535,10 @@ optional_policy(` +@@ -496,11 +535,20 @@ optional_policy(` ') optional_policy(` @@ -60770,17 +61448,16 @@ index b6ec597..fa034d6 100644 postgresql_stream_connect(syslogd_t) ') -@@ -504,6 +547,10 @@ optional_policy(` - ') - optional_policy(` -+ daemontools_search_svc_dir(syslogd_t) + seutil_sigchld_newrole(syslogd_t) ++ snmp_read_snmp_var_lib_files(syslogd_t) +') + +optional_policy(` - udev_read_db(syslogd_t) ++ daemontools_search_svc_dir(syslogd_t) ') + optional_policy(` diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index 879bb1e..7b22111 100644 --- a/policy/modules/system/lvm.fc 
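Review bot: In the logging.te hunk, `snmp_read_snmp_var_lib_files(syslogd_t)` is added inside the existing optional_policy block that holds `seutil_sigchld_newrole(syslogd_t)`. An optional block is dropped as a whole when any interface in it cannot be resolved, so a policy built without the snmp module would silently lose the newrole rule for syslogd_t as well. Put the snmp call in its own optional_policy block, the way the same hunk does for `daemontools_search_svc_dir(syslogd_t)`.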
@@ -60820,10 +61497,10 @@ index 879bb1e..7b22111 100644 +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..bcc0758 100644 +index 58bc27f..51e9872 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if -@@ -123,3 +123,77 @@ interface(`lvm_domtrans_clvmd',` +@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -60901,8 +61578,25 @@ index 58bc27f..bcc0758 100644 + allow $1 lvm_t:unix_dgram_socket sendto; +') + ++######################################## ++## ++## Read and write a lvm unnamed pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_rw_pipes',` ++ gen_require(` ++ type lvm_var_run_t; ++ ') ++ ++ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; ++') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..895cc10 100644 +index a0a0ebf..4513ab9 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) 
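Review bot: The summary of the new `lvm_rw_pipes` interface in lvm.if says "Read and write a lvm unnamed pipe", but the rule it grants is `allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;`. That rule covers FIFO files labelled lvm_var_run_t rather than pipes belonging to the lvm_t process. The summary should describe what is granted, e.g. `Read and write inherited lvm pid FIFO files.`; if unnamed pipes were really intended, the target would presumably be lvm_t and the gen_require block would need that type instead. Callers such as init_t are audited by interface name and summary, so the mismatch makes the granted access easy to misread.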
@@ -60978,16 +61672,18 @@ index a0a0ebf..895cc10 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -201,7 +215,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -200,8 +214,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) + manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) ++manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) -+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file sock_file }) ++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -213,11 +227,13 @@ files_search_mnt(lvm_t) +@@ -213,11 +228,13 @@ files_search_mnt(lvm_t) kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) @@ -61001,7 +61697,7 @@ index a0a0ebf..895cc10 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -228,6 +244,7 @@ dev_delete_generic_dirs(lvm_t) +@@ -228,6 +245,7 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -61009,7 +61705,7 @@ index a0a0ebf..895cc10 100644 dev_manage_generic_symlinks(lvm_t) dev_relabel_generic_dev_dirs(lvm_t) dev_manage_generic_blk_files(lvm_t) -@@ -244,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) 
@@ -61017,7 +61713,7 @@ index a0a0ebf..895cc10 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -253,17 +271,21 @@ files_read_etc_files(lvm_t) +@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -61040,7 +61736,7 @@ index a0a0ebf..895cc10 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -283,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) @@ -61049,7 +61745,7 @@ index a0a0ebf..895cc10 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -292,6 +314,8 @@ init_read_script_state(lvm_t) +@@ -292,6 +315,8 @@ init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -61058,7 +61754,7 @@ index a0a0ebf..895cc10 100644 miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) -@@ -299,15 +323,23 @@ seutil_read_file_contexts(lvm_t) +@@ -299,15 +324,23 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -61085,7 +61781,7 @@ index a0a0ebf..895cc10 100644 ') optional_policy(` -@@ -331,14 +363,26 @@ optional_policy(` +@@ -331,14 +364,26 @@ optional_policy(` ') optional_policy(` @@ -63485,7 +64181,7 @@ index ff80d0a..752e031 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..0cdb0be 100644 +index 34d0ec5..ba27f13 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) 
@@ -63638,7 +64334,7 @@ index 34d0ec5..0cdb0be 100644 nis_read_ypbind_pid(dhcpc_t) ') -@@ -213,6 +253,10 @@ optional_policy(` +@@ -213,6 +253,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -63646,10 +64342,11 @@ index 34d0ec5..0cdb0be 100644 +') +optional_policy(` + systemd_passwd_agent_domtrans(dhcpc_t) ++ systemd_signal_passwd_agent(dhcpc_t) ') optional_policy(` -@@ -255,6 +299,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -255,6 +300,7 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -63657,7 +64354,7 @@ index 34d0ec5..0cdb0be 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +321,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +322,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -63669,7 +64366,7 @@ index 34d0ec5..0cdb0be 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -301,11 +349,12 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +350,12 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -63684,7 +64381,7 @@ index 34d0ec5..0cdb0be 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +363,14 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +364,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -63692,6 +64389,10 @@ index 34d0ec5..0cdb0be 100644 + brctl_domtrans(ifconfig_t) +') + ++optional_policy(` ++ ctdbd_read_lib_files(ifconfig_t) ++') ++ ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit ifconfig_t self:capability sys_module; 
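Review bot: `ctdbd_read_lib_files(ifconfig_t)` gives ifconfig_t read access to ctdbd's lib files, which an interface-configuration tool would not normally need for its own work. If the denial behind this rule comes from a descriptor that ifconfig_t merely inherits when ctdbd runs it (an assumption, the AVC is not shown), a dontaudit rule would silence the message without granting the read. If the read really is required, a comment such as `# <reason taken from the AVC>` above the call should record why. The optional_policy block sits in the ifconfig_t section, which continues outside this hunk.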
@@ -63699,7 +64400,7 @@ index 34d0ec5..0cdb0be 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +381,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +386,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -63714,7 +64415,7 @@ index 34d0ec5..0cdb0be 100644 ') optional_policy(` -@@ -335,6 +397,18 @@ optional_policy(` +@@ -335,6 +402,18 @@ optional_policy(` ') optional_policy(` @@ -63733,7 +64434,7 @@ index 34d0ec5..0cdb0be 100644 nis_use_ypbind(ifconfig_t) ') -@@ -356,3 +430,9 @@ optional_policy(` +@@ -356,3 +435,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -63770,10 +64471,10 @@ index 0000000..3248032 + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..11fbd0f +index 0000000..7501ef8 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,360 @@ +@@ -0,0 +1,377 @@ +## SELinux policy for systemd components + +####################################### @@ -64063,6 +64764,23 @@ index 0000000..11fbd0f + allow $2 systemd_passwd_agent_t:process signal; +') + ++######################################## ++## ++## Send generic signals to systemd_passwd_agent processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_signal_passwd_agent',` ++ gen_require(` ++ type systemd_passwd_agent_t; ++ ') ++ ++ allow $1 systemd_passwd_agent_t:process signal; ++') + +###################################### +## 
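Review bot: The new `systemd_signal_passwd_agent` interface repeats the rule `allow $2 systemd_passwd_agent_t:process signal;` that closes the interface directly above it, so the same permission is now written out in two places. The earlier interface could call `systemd_signal_passwd_agent($2)` instead of the raw allow rule, leaving one definition to audit if the permission set changes. That earlier interface begins outside this hunk, so its name and remaining rules are not visible here.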
@@ -64081,12 +64799,12 @@ index 0000000..11fbd0f + type systemd_passwd_agent_t; + ') + -+ type systemd_$1_device_t; ++ type systemd_$1_device_t; + files_type(systemd_$1_device_t) + dev_associate(systemd_$1_device_t) + -+ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file }) -+ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file }) ++ dev_filetrans($1_t, systemd_$1_device_t, { file sock_file }) ++ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file }) + allow $1_t systemd_$1_device_t:file manage_file_perms; + allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms; + @@ -64136,10 +64854,10 @@ index 0000000..11fbd0f + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..4936451 +index 0000000..0185280 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,317 @@ +@@ -0,0 +1,319 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -64164,11 +64882,11 @@ index 0000000..4936451 + +# /run/systemd/sessions +type systemd_logind_sessions_t; -+files_type(systemd_logind_sessions_t) ++files_pid_file(systemd_logind_sessions_t) + +# /run/systemd/{seats, users} +type systemd_logind_var_run_t; -+files_type(systemd_logind_var_run_t) ++files_pid_file(systemd_logind_var_run_t) + +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent +# systemd components @@ -64219,6 +64937,8 @@ index 0000000..4936451 +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir) + +dev_read_sysfs(systemd_logind_t) ++dev_setattr_input_dev(systemd_logind_t) ++dev_setattr_mouse_dev(systemd_logind_t) + +dev_getattr_all_chr_files(systemd_logind_t) +dev_getattr_all_blk_files(systemd_logind_t) @@ -64679,7 +65399,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..d26f45a 100644 +index d88f7c3..4485816 100644 --- a/policy/modules/system/udev.te 
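Review bot: Declaring `systemd_logind_sessions_t` and `systemd_logind_var_run_t` with `files_pid_file` instead of `files_type` also puts both types under the pid-file attribute, so any domain granted access to all pid files through the generic files interfaces gains the same access to logind's session, seat and user state. That is probably intended for content under /run, but it is a wider grant than the two-line change suggests. It is worth confirming that no domain with manage access on all pid files needs to be kept away from /run/systemd/sessions. A comment such as `# pid-file type: reachable through the generic all-pids interfaces` above each declaration would make the scope visible.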
+++ b/policy/modules/system/udev.te @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) @@ -64761,7 +65481,7 @@ index d88f7c3..d26f45a 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +112,27 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +112,28 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) @@ -64773,6 +65493,7 @@ index d88f7c3..d26f45a 100644 files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) -files_read_etc_files(udev_t) ++files_read_system_conf_files(udev_t) + +# console_init manages files in /etc/sysconfig +files_manage_etc_files(udev_t) @@ -64790,7 +65511,7 @@ index d88f7c3..d26f45a 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -64798,7 +65519,7 @@ index d88f7c3..d26f45a 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +183,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -64807,7 +65528,7 @@ index d88f7c3..d26f45a 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,15 +202,16 @@ ifdef(`distro_redhat',` +@@ -186,15 +203,16 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -64828,7 +65549,7 @@ index d88f7c3..d26f45a 100644 ') optional_policy(` -@@ -216,11 +233,16 @@ optional_policy(` +@@ -216,11 +234,16 @@ optional_policy(` ') optional_policy(` 
@@ -64846,7 +65567,7 @@ index d88f7c3..d26f45a 100644 ') optional_policy(` -@@ -230,10 +252,20 @@ optional_policy(` +@@ -230,10 +253,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -64867,7 +65588,7 @@ index d88f7c3..d26f45a 100644 ') optional_policy(` -@@ -259,6 +291,10 @@ optional_policy(` +@@ -259,6 +292,10 @@ optional_policy(` ') optional_policy(` @@ -64878,7 +65599,7 @@ index d88f7c3..d26f45a 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +309,11 @@ optional_policy(` +@@ -273,6 +310,11 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index b498729..1d7c776 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 11%{?dist} +Release: 13%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -452,6 +452,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Aug 2 2011 Miroslav Grepl 3.10.0-13 +- Add abrt_domain attribute +- Allow corosync to manage cluster lib files +- Allow corosync to connect to the system DBUS + +* Mon Aug 1 2011 Miroslav Grepl 3.10.0-12 +- Add sblim, uuidd policies +- Allow kernel_t dyntrasition to init_t + * Fri Jul 29 2011 Miroslav Grepl 3.10.0-11 - More fixes of rules which cause an explosion in rules by Dan Walsh