diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2d6e729..402d0ff 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8705,7 +8705,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..628d039 100644 +index cf04cb5..23627f4 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8842,7 +8842,7 @@ index cf04cb5..628d039 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,334 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9153,6 +9153,10 @@ index cf04cb5..628d039 100644 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +optional_policy(` ++ rkhunter_append_lib_files(domain) ++') ++ ++optional_policy(` + rpm_rw_script_inherited_pipes(domain) + rpm_use_fds(domain) + rpm_read_pipes(domain) @@ -15887,7 +15891,7 @@ index e100d88..6f745f0 100644 + allow $1 usermodehelper_t:file relabelto; ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..4b6c9ad 100644 +index 8dbab4c..b1a339b 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; 
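Review bot: `rkhunter_append_lib_files(domain)` grants every process domain on the system append access to rkhunter's lib files, which — if that type covers the integrity baseline rkhunter later compares against, as the interface name suggests — lets any confined service tamper with the data the scanner trusts. If the trigger is one specific domain writing one specific file, scope the rule to that domain or that file type instead of the `domain` attribute, or use a `dontaudit` if the write is incidental. The interface body is not in this hunk, so whether it reaches the db subdirectory or only a log/tmp file should be confirmed in rkhunter.if before keeping the grant this wide.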
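Review bot: `dev_associate_sysfs(usermodehelper_t)` allows files of this type to live on sysfs, but nothing visible in this hunk assigns that label to any sysfs path, so as far as this change shows the associate rule has no matching object. If the intent is `/sys/kernel/uevent_helper` (a kernel-executed helper path like the three /proc entries labeled here), the corresponding `genfscon sysfs /kernel/uevent_helper gen_context(system_u:object_r:usermodehelper_t,s0)` belongs in the same change unless it already exists elsewhere in kernel.te. Worth checking carefully, since these paths name binaries the kernel runs as root.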
@@ -15916,7 +15920,7 @@ index 8dbab4c..4b6c9ad 100644 allow debugfs_t self:filesystem associate; genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -@@ -95,9 +100,31 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) +@@ -95,9 +100,32 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh) type proc_mdstat_t, proc_type; genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0) @@ -15939,6 +15943,7 @@ index 8dbab4c..4b6c9ad 100644 +type usermodehelper_t, proc_type; +typealias usermodehelper_t alias sysctl_hotplug_t; +typealias usermodehelper_t alias sysctl_modprobe_t; ++dev_associate_sysfs(usermodehelper_t) +genfscon proc /sys/kernel/core_pattern gen_context(system_u:object_r:usermodehelper_t,s0) +genfscon proc /sys/kernel/hotplug gen_context(system_u:object_r:usermodehelper_t,s0) +genfscon proc /sys/kernel/modprobe gen_context(system_u:object_r:usermodehelper_t,s0) @@ -15948,7 +15953,7 @@ index 8dbab4c..4b6c9ad 100644 type proc_xen_t, proc_type; files_mountpoint(proc_xen_t) genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) -@@ -133,14 +160,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) +@@ -133,14 +161,6 @@ genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0) type sysctl_kernel_t, sysctl_type; genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0) @@ -15963,7 +15968,7 @@ index 8dbab4c..4b6c9ad 100644 # /proc/sys/net directory and files type sysctl_net_t, sysctl_type; genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0) -@@ -153,6 +172,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) +@@ -153,6 +173,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0) type sysctl_vm_t, sysctl_type; genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0) 
@@ -15974,7 +15979,7 @@ index 8dbab4c..4b6c9ad 100644 # /proc/sys/dev directory and files type sysctl_dev_t, sysctl_type; genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) -@@ -165,6 +188,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) +@@ -165,6 +189,14 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) type unlabeled_t; fs_associate(unlabeled_t) sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -15989,7 +15994,7 @@ index 8dbab4c..4b6c9ad 100644 # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -189,6 +220,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -189,6 +221,7 @@ sid tcp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) # kernel local policy # @@ -15997,7 +16002,7 @@ index 8dbab4c..4b6c9ad 100644 allow kernel_t self:capability ~sys_module; allow kernel_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow kernel_t self:shm create_shm_perms; -@@ -233,7 +265,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; +@@ -233,7 +266,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out }; corenet_in_generic_if(unlabeled_t) corenet_in_generic_node(unlabeled_t) @@ -16005,7 +16010,7 @@ index 8dbab4c..4b6c9ad 100644 corenet_all_recvfrom_netlabel(kernel_t) # Kernel-generated traffic e.g., ICMP replies: corenet_raw_sendrecv_all_if(kernel_t) -@@ -244,17 +275,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) +@@ -244,17 +276,21 @@ corenet_tcp_sendrecv_all_if(kernel_t) corenet_tcp_sendrecv_all_nodes(kernel_t) corenet_raw_send_generic_node(kernel_t) corenet_send_all_packets(kernel_t) 
@@ -16031,7 +16036,7 @@ index 8dbab4c..4b6c9ad 100644 # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem -@@ -263,7 +298,8 @@ fs_unmount_all_fs(kernel_t) +@@ -263,7 +299,8 @@ fs_unmount_all_fs(kernel_t) selinux_load_policy(kernel_t) @@ -16041,7 +16046,7 @@ index 8dbab4c..4b6c9ad 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -277,25 +313,49 @@ files_list_root(kernel_t) +@@ -277,25 +314,49 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -16091,7 +16096,7 @@ index 8dbab4c..4b6c9ad 100644 ') optional_policy(` -@@ -305,6 +365,19 @@ optional_policy(` +@@ -305,6 +366,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -16111,7 +16116,7 @@ index 8dbab4c..4b6c9ad 100644 ') optional_policy(` -@@ -312,6 +385,11 @@ optional_policy(` +@@ -312,6 +386,11 @@ optional_policy(` ') optional_policy(` @@ -16123,7 +16128,7 @@ index 8dbab4c..4b6c9ad 100644 # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +410,6 @@ optional_policy(` +@@ -332,9 +411,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -16133,7 +16138,7 @@ index 8dbab4c..4b6c9ad 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +418,7 @@ optional_policy(` +@@ -343,9 +419,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16144,7 +16149,7 @@ index 8dbab4c..4b6c9ad 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +427,7 @@ optional_policy(` +@@ -354,7 +428,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -16153,7 +16158,7 @@ index 8dbab4c..4b6c9ad 100644 ') ') -@@ -367,6 +440,15 @@ optional_policy(` +@@ -367,6 +441,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') 
@@ -16169,7 +16174,7 @@ index 8dbab4c..4b6c9ad 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +491,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +492,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -24190,7 +24195,7 @@ index 6bf0ecc..115c533 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b40377..ef809dd 100644 +index 8b40377..39c8bbb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -24660,7 +24665,7 @@ index 8b40377..ef809dd 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,20 +526,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -366,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -24675,6 +24680,7 @@ index 8b40377..ef809dd 100644 +manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) ++files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm") kernel_read_system_state(xdm_t) +kernel_read_device_sysctls(xdm_t) 
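Review bot: `files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")` labels a `/var/gdm` directory created by xdm_t as xserver_log_t, but the hunk adds no matching file-context entry, so a relabel or `restorecon` will give the path the default /var label and the two diverge. A `/var/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)` line in xserver.fc should accompany this unless it already exists outside the hunk. Note also that together with the `manage_lnk_files_pattern(xdm_t, xserver_log_t, ...)` added just above, xdm_t can now create symlinks inside a directory it creates itself under /var — presumably for log handling, but it widens what a compromised display manager can reach.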
@@ -24692,7 +24698,7 @@ index 8b40377..ef809dd 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -389,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -24746,7 +24752,7 @@ index 8b40377..ef809dd 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +611,28 @@ files_list_mnt(xdm_t) +@@ -431,9 +612,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -24775,7 +24781,7 @@ index 8b40377..ef809dd 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -442,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -24824,7 +24830,7 @@ index 8b40377..ef809dd 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -472,24 +689,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -24975,7 +24981,7 @@ index 8b40377..ef809dd 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -503,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -503,11 +840,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` 
@@ -25002,7 +25008,7 @@ index 8b40377..ef809dd 100644 ') optional_policy(` -@@ -517,9 +868,34 @@ optional_policy(` +@@ -517,9 +869,34 @@ optional_policy(` optional_policy(` dbus_system_bus_client(xdm_t) dbus_connect_system_bus(xdm_t) @@ -25038,7 +25044,7 @@ index 8b40377..ef809dd 100644 ') ') -@@ -530,6 +906,20 @@ optional_policy(` +@@ -530,6 +907,20 @@ optional_policy(` ') optional_policy(` @@ -25059,7 +25065,7 @@ index 8b40377..ef809dd 100644 hostname_exec(xdm_t) ') -@@ -547,28 +937,78 @@ optional_policy(` +@@ -547,28 +938,78 @@ optional_policy(` ') optional_policy(` @@ -25147,7 +25153,7 @@ index 8b40377..ef809dd 100644 ') optional_policy(` -@@ -580,6 +1020,14 @@ optional_policy(` +@@ -580,6 +1021,14 @@ optional_policy(` ') optional_policy(` @@ -25162,7 +25168,7 @@ index 8b40377..ef809dd 100644 xfs_stream_connect(xdm_t) ') -@@ -594,7 +1042,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -594,7 +1043,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; @@ -25171,7 +25177,7 @@ index 8b40377..ef809dd 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -604,8 +1052,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -604,8 +1053,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -25184,7 +25190,7 @@ index 8b40377..ef809dd 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -618,8 +1069,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -618,8 +1070,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -25200,7 +25206,7 @@ index 8b40377..ef809dd 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1085,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,6 +1086,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -25211,7 +25217,7 @@ index 8b40377..ef809dd 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1100,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -638,25 +1101,32 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -25248,7 +25254,7 @@ index 8b40377..ef809dd 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1146,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1147,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -25280,7 +25286,7 @@ index 8b40377..ef809dd 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -704,7 +1178,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -704,7 +1179,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -25298,7 +25304,7 @@ index 8b40377..ef809dd 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1201,18 @@ init_getpgid(xserver_t) +@@ -718,20 +1202,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -25322,7 +25328,7 @@ index 8b40377..ef809dd 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -739,8 +1221,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -25331,7 +25337,7 @@ index 8b40377..ef809dd 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1264,44 @@ optional_policy(` +@@ -785,17 +1265,44 @@ optional_policy(` ') optional_policy(` @@ -25378,7 +25384,7 @@ index 8b40377..ef809dd 100644 ') optional_policy(` -@@ -803,6 +1309,10 @@ optional_policy(` +@@ -803,6 +1310,10 @@ optional_policy(` ') optional_policy(` 
@@ -25389,7 +25395,7 @@ index 8b40377..ef809dd 100644 xfs_stream_connect(xserver_t) ') -@@ -818,10 +1328,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -25403,7 +25409,7 @@ index 8b40377..ef809dd 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -829,7 +1339,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -25412,7 +25418,7 @@ index 8b40377..ef809dd 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1352,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1353,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -25447,7 +25453,7 @@ index 8b40377..ef809dd 100644 ') optional_policy(` -@@ -912,7 +1417,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -25456,7 +25462,7 @@ index 8b40377..ef809dd 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1471,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -25488,7 +25494,7 @@ index 8b40377..ef809dd 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1517,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -39138,7 +39144,7 @@ index 0000000..1d9bdfd +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..e9b0d55 +index 0000000..1605309 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,659 @@ @@ -39359,7 +39365,7 @@ index 0000000..e9b0d55 +# Local policy +# + -+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; ++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override net_admin }; +allow systemd_passwd_agent_t self:process { setsockcreate }; +allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; + @@ -39403,7 +39409,7 @@ index 0000000..e9b0d55 +# Local policy +# + -+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod }; ++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin }; +allow systemd_tmpfiles_t self:process { setfscreate }; + +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 3c2bcc4..dbef4b0 100644 --- a/policy-rawhide-contrib.patch 
+++ b/policy-rawhide-contrib.patch @@ -531,7 +531,7 @@ index 058d908..70eb89d 100644 +') + diff --git a/abrt.te b/abrt.te -index eb50f07..517116e 100644 +index eb50f07..189ab37 100644 --- a/abrt.te +++ b/abrt.te @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -653,7 +653,7 @@ index eb50f07..517116e 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; +allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; -+dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; ++dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + allow abrt_t self:fifo_file rw_fifo_file_perms; @@ -16445,7 +16445,7 @@ index 1303b30..72481a7 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..d8264c4 100644 +index 7de3859..ce147f1 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,46 @@ gen_require(` @@ -17130,7 +17130,7 @@ index 7de3859..d8264c4 100644 ') optional_policy(` -@@ -598,7 +595,19 @@ optional_policy(` +@@ -598,7 +595,23 @@ optional_policy(` ') optional_policy(` @@ -17147,10 +17147,14 @@ index 7de3859..d8264c4 100644 + prelink_manage_log(system_cronjob_t) + prelink_read_cache(system_cronjob_t) + prelink_relabel_lib(system_cronjob_t) ++') ++ ++optional_policy(` ++ rkhunter_manage_lib_files(system_cronjob_t) ') optional_policy(` -@@ -608,6 +617,7 @@ optional_policy(` +@@ -608,6 +621,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -17158,7 +17162,7 @@ index 7de3859..d8264c4 100644 ') optional_policy(` -@@ -615,12 +625,24 @@ optional_policy(` +@@ -615,12 +629,24 @@ optional_policy(` ') optional_policy(` 
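Review bot: `rkhunter_manage_lib_files(system_cronjob_t)` gives the shared system cron-job domain create/write/unlink/rename rights over rkhunter's lib data, so any script run from system cron — not only rkhunter's — can rewrite or remove whatever baseline rkhunter keeps there. A dedicated rkhunter domain entered by domain transition from system_cronjob_t would keep that write access with the scanner alone; if that is out of scope, a comment on the optional_policy block naming the cron script that needs this (`# rkhunter --cronjob updates its database under /var/lib/rkhunter`) would help the next person auditing cron.te. The exact paths the interface covers are not visible here, so that comment should be checked against rkhunter.fc.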
@@ -17185,7 +17189,7 @@ index 7de3859..d8264c4 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +650,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +654,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -17219,7 +17223,7 @@ index 7de3859..d8264c4 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +683,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +687,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -19215,7 +19219,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index 62d22cb..fefd4b4 100644 +index 62d22cb..4d3ed7b 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -19224,16 +19228,33 @@ index 62d22cb..fefd4b4 100644 ######################################## ## -@@ -19,7 +19,7 @@ interface(`dbus_stub',` +@@ -19,7 +19,24 @@ interface(`dbus_stub',` ######################################## ## -## Role access for dbus. ++## Execute dbus-daemon in the caller domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`dbus_exec_dbusd',` ++ gen_require(` ++ type dbusd_exec_t; ++ ') ++ can_exec($1, dbusd_exec_t) ++') ++ ++######################################## ++## +## Role access for dbus ## ## ## -@@ -41,59 +41,68 @@ interface(`dbus_stub',` +@@ -41,59 +58,68 @@ interface(`dbus_stub',` template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; 
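Review bot: `dbus_exec_dbusd` grants only `can_exec($1, dbusd_exec_t)`; the caller still has to traverse to the binary, and the refpolicy convention for exec interfaces is to pair this with `corecmd_search_bin($1)` so the interface works on its own. Because the interface deliberately runs dbus-daemon in the caller's domain with no transition, the header comment could state why, e.g. `## Used by domains that launch a private bus and must not transition to the system bus domain.` — otherwise readers will wonder whether a domain-transition interface was intended.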
@@ -19323,7 +19344,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -103,65 +112,29 @@ template(`dbus_role_template',` +@@ -103,65 +129,29 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -19398,7 +19419,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',` +@@ -175,19 +165,21 @@ interface(`dbus_connect_all_session_bus',` ## ## # @@ -19425,7 +19446,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',` +@@ -196,72 +188,23 @@ interface(`dbus_connect_spec_session_bus',` ## # interface(`dbus_session_bus_client',` @@ -19505,7 +19526,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',` +@@ -270,59 +213,17 @@ interface(`dbus_spec_session_bus_client',` ## # interface(`dbus_send_session_bus',` @@ -19567,21 +19588,23 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -381,69 +265,32 @@ interface(`dbus_manage_lib_files',` +@@ -381,69 +282,32 @@ interface(`dbus_manage_lib_files',` ######################################## ## -## Allow a application domain to be -## started by the specified session bus. --## ++## Connect to the system DBUS ++## for service (acquire_svc). + ## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## --## --## + ## + ## -## Type to be used as a domain. -## -## @@ -19601,11 +19624,9 @@ index 62d22cb..fefd4b4 100644 -## -## Allow a application domain to be -## started by the specified session bus. -+## Connect to the system DBUS -+## for service (acquire_svc). - ## - ## - ## +-## +-## +-## -## Type to be used as a domain. -## -## @@ -19648,7 +19669,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -458,20 +305,21 @@ interface(`dbus_all_session_domain',` +@@ -458,20 +322,21 @@ interface(`dbus_all_session_domain',` ## ## # 
@@ -19674,7 +19695,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -490,7 +338,7 @@ interface(`dbus_connect_system_bus',` +@@ -490,7 +355,7 @@ interface(`dbus_connect_system_bus',` ######################################## ## @@ -19683,7 +19704,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -509,7 +357,7 @@ interface(`dbus_send_system_bus',` +@@ -509,7 +374,7 @@ interface(`dbus_send_system_bus',` ######################################## ## @@ -19692,7 +19713,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -528,8 +376,8 @@ interface(`dbus_system_bus_unconfined',` +@@ -528,8 +393,8 @@ interface(`dbus_system_bus_unconfined',` ######################################## ## @@ -19703,7 +19724,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -544,33 +392,24 @@ interface(`dbus_system_bus_unconfined',` +@@ -544,33 +409,24 @@ interface(`dbus_system_bus_unconfined',` # interface(`dbus_system_domain',` gen_require(` @@ -19741,7 +19762,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -588,26 +427,25 @@ interface(`dbus_use_system_bus_fds',` +@@ -588,26 +444,25 @@ interface(`dbus_use_system_bus_fds',` ######################################## ## @@ -19774,7 +19795,7 @@ index 62d22cb..fefd4b4 100644 ## ## ## -@@ -615,10 +453,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -615,10 +470,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -25378,10 +25399,10 @@ index cf0e567..91d4dfb 100644 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) diff --git a/fcoe.te b/fcoe.te -index ce358fb..90e08d8 100644 +index ce358fb..aabd04f 100644 --- a/fcoe.te +++ b/fcoe.te -@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t) +@@ -20,25 +20,27 @@ files_pid_file(fcoemon_var_run_t) # Local policy # 
@@ -25406,6 +25427,13 @@ index ce358fb..90e08d8 100644 logging_send_syslog_msg(fcoemon_t) + miscfiles_read_localization(fcoemon_t) + ++userdom_dgram_send(fcoemon_t) ++ + optional_policy(` + lldpad_dgram_send(fcoemon_t) + ') diff --git a/fetchmail.fc b/fetchmail.fc index 133b8ee..a47a12f 100644 --- a/fetchmail.fc @@ -26532,7 +26560,7 @@ index 4498143..77bbcef 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..ab0eccc 100644 +index 36838c2..34b08ac 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -26636,7 +26664,7 @@ index 36838c2..ab0eccc 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +273,49 @@ sysnet_use_ldap(ftpd_t) +@@ -259,32 +273,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -26662,6 +26690,7 @@ index 36838c2..ab0eccc 100644 +tunable_policy(`ftpd_use_fusefs',` + fs_manage_fusefs_dirs(ftpd_t) + fs_manage_fusefs_files(ftpd_t) ++ fs_manage_fusefs_symlinks(ftpd_t) +',` + fs_search_fusefs(ftpd_t) +') @@ -26693,7 +26722,7 @@ index 36838c2..ab0eccc 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -304,22 +335,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -304,22 +336,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -26721,7 +26750,7 @@ index 36838c2..ab0eccc 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -363,9 +391,8 @@ optional_policy(` +@@ -363,9 +392,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -26732,7 +26761,7 @@ index 36838c2..ab0eccc 100644 kerberos_use(ftpd_t) ') -@@ -416,21 +443,20 @@ optional_policy(` +@@ -416,21 +444,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) 
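Review bot: `userdom_dgram_send(fcoemon_t)` lets the fcoemon daemon send unix datagrams to sockets of every user domain, which is far broader than the daemon-to-daemon `lldpad_dgram_send(fcoemon_t)` next to it. If this is for replies to a user-run management client (fcoeadm talking over fcoemon's unix socket), the narrower fix is a type or domain for that client with a targeted `dgram_send_pattern`; if it is an incidental denial, a dontaudit is preferable. Either way a comment recording which client triggers it would help.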
@@ -26756,7 +26785,7 @@ index 36838c2..ab0eccc 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +469,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -443,23 +470,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -26797,7 +26826,7 @@ index 36838c2..ab0eccc 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +518,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -481,21 +519,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -37589,7 +37618,7 @@ index 3602712..fc7b071 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index 4c2b111..8915138 100644 +index 4c2b111..6effd5f 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) @@ -37602,6 +37631,15 @@ index 4c2b111..8915138 100644 type slapd_keytab_t; files_type(slapd_keytab_t) +@@ -49,7 +52,7 @@ files_pid_file(slapd_var_run_t) + + allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; + dontaudit slapd_t self:capability sys_tty_config; +-allow slapd_t self:process setsched; ++allow slapd_t self:process { setsched signal } ; + allow slapd_t self:fifo_file rw_fifo_file_perms; + allow slapd_t self:tcp_socket { accept listen }; + @@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -38089,7 +38127,7 @@ index d18c960..fb5b674 100644 domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te -index 2a491d9..db979c3 100644 +index 2a491d9..dcd3ae6 100644 --- a/lldpad.te +++ b/lldpad.te @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) 
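Review bot: Style nit in the slapd hunk: `allow slapd_t self:process { setsched signal } ;` carries a stray space before the semicolon; refpolicy writes `allow slapd_t self:process { setsched signal };`. The grant itself is harmless (`signal` on self:process only lets slapd signal its own processes), but the odd spacing will trip anyone grepping for the rule.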
@@ -38101,7 +38139,7 @@ index 2a491d9..db979c3 100644 allow lldpad_t self:shm create_shm_perms; allow lldpad_t self:fifo_file rw_fifo_file_perms; allow lldpad_t self:unix_stream_socket { accept listen }; -@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t) +@@ -51,12 +51,14 @@ kernel_request_load_module(lldpad_t) dev_read_sysfs(lldpad_t) @@ -38114,6 +38152,11 @@ index 2a491d9..db979c3 100644 optional_policy(` fcoe_dgram_send_fcoemon(lldpad_t) + ') ++ ++optional_policy(` ++ networkmanager_dgram_send(lldpad_t) ++') diff --git a/loadkeys.te b/loadkeys.te index d2f4643..c8e6b37 100644 --- a/loadkeys.te @@ -38525,24 +38568,10 @@ index be0ab84..e4d6e6f 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab65034..6f52140 100644 +index ab65034..ed34956 100644 --- a/logwatch.te +++ b/logwatch.te -@@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2) - # - - ## -+##

-+## Allow epylog to send mail -+##

-+##
-+gen_tunable(logwatch_can_sendmail, false) -+ -+## - ##

- ## Determine whether logwatch can connect - ## to mail over the network. -@@ -15,7 +22,8 @@ gen_tunable(logwatch_can_network_connect_mail, false) +@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false) type logwatch_t; type logwatch_exec_t; @@ -38552,7 +38581,7 @@ index ab65034..6f52140 100644 type logwatch_cache_t; files_type(logwatch_cache_t) -@@ -45,7 +53,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; +@@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) @@ -38562,7 +38591,7 @@ index ab65034..6f52140 100644 files_lock_filetrans(logwatch_t, logwatch_lock_t, file) manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -@@ -61,6 +70,11 @@ kernel_read_system_state(logwatch_t) +@@ -61,6 +63,11 @@ kernel_read_system_state(logwatch_t) kernel_read_net_sysctls(logwatch_t) kernel_read_network_state(logwatch_t) @@ -38574,7 +38603,7 @@ index ab65034..6f52140 100644 corecmd_exec_bin(logwatch_t) corecmd_exec_shell(logwatch_t) -@@ -75,10 +89,11 @@ files_list_var(logwatch_t) +@@ -75,10 +82,11 @@ files_list_var(logwatch_t) files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_runtime_files(logwatch_t) @@ -38587,7 +38616,7 @@ index ab65034..6f52140 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -100,23 +115,14 @@ libs_read_lib_files(logwatch_t) +@@ -100,23 +108,14 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -38611,7 +38640,7 @@ index ab65034..6f52140 100644 corenet_sendrecv_smtp_client_packets(logwatch_t) corenet_tcp_connect_smtp_port(logwatch_t) corenet_tcp_sendrecv_smtp_port(logwatch_t) -@@ -160,6 +166,12 @@ optional_policy(` +@@ -160,6 +159,12 @@ optional_policy(` ') optional_policy(` 
@@ -38624,7 +38653,7 @@ index ab65034..6f52140 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -187,6 +199,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -187,6 +192,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -49299,7 +49328,7 @@ index 94b9734..bb9c83e 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 86dc29d..5b73942 100644 +index 86dc29d..993ecf5 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -49570,7 +49599,7 @@ index 86dc29d..5b73942 100644 ##

## ## -@@ -287,33 +370,113 @@ interface(`networkmanager_stream_connect',` +@@ -287,33 +370,132 @@ interface(`networkmanager_stream_connect',` ## ## # @@ -49635,9 +49664,7 @@ index 86dc29d..5b73942 100644 + gen_require(` + type NetworkManager_var_lib_t; + ') - -- files_search_pids($1) -- admin_pattern($1, NetworkManager_var_run_t) ++ + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + @@ -49661,6 +49688,26 @@ index 86dc29d..5b73942 100644 + allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; +') + ++####################################### ++## ++## Send to NetworkManager with a unix dgram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_dgram_send',` ++ gen_require(` ++ type NetworkManager_t, NetworkManager_var_run_t; ++ ') + + files_search_pids($1) +- admin_pattern($1, NetworkManager_var_run_t) ++ dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ++') ++ +######################################## +## +## Transition to networkmanager named content @@ -49705,7 +49752,7 @@ index 86dc29d..5b73942 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..c8ed2bd 100644 +index 55f2009..8562dec 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -49959,7 +50006,7 @@ index 55f2009..c8ed2bd 100644 ') ') -@@ -231,18 +260,23 @@ optional_policy(` +@@ -231,18 +260,27 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
@@ -49982,11 +50029,15 @@ index 55f2009..c8ed2bd 100644 +') + +optional_policy(` ++ iscsid_domtrans(NetworkManager_t) ++') ++ ++optional_policy(` + iodined_domtrans(NetworkManager_t) ') optional_policy(` -@@ -250,6 +284,10 @@ optional_policy(` +@@ -250,6 +288,10 @@ optional_policy(` ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -49997,7 +50048,7 @@ index 55f2009..c8ed2bd 100644 ') optional_policy(` -@@ -257,11 +295,14 @@ optional_policy(` +@@ -257,11 +299,14 @@ optional_policy(` ') optional_policy(` @@ -50014,7 +50065,7 @@ index 55f2009..c8ed2bd 100644 ') optional_policy(` -@@ -274,10 +315,17 @@ optional_policy(` +@@ -274,10 +319,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -50032,7 +50083,7 @@ index 55f2009..c8ed2bd 100644 ') optional_policy(` -@@ -289,6 +337,7 @@ optional_policy(` +@@ -289,6 +341,7 @@ optional_policy(` ') optional_policy(` @@ -50040,7 +50091,7 @@ index 55f2009..c8ed2bd 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +345,7 @@ optional_policy(` +@@ -296,7 +349,7 @@ optional_policy(` ') optional_policy(` @@ -50049,7 +50100,7 @@ index 55f2009..c8ed2bd 100644 ') optional_policy(` -@@ -307,6 +356,7 @@ optional_policy(` +@@ -307,6 +360,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -50057,7 +50108,7 @@ index 55f2009..c8ed2bd 100644 ') optional_policy(` -@@ -320,14 +370,20 @@ optional_policy(` +@@ -320,14 +374,20 @@ optional_policy(` ') optional_policy(` 
@@ -50083,7 +50134,7 @@ index 55f2009..c8ed2bd 100644 ') optional_policy(` -@@ -357,6 +413,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +417,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -58462,7 +58513,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..a5787c2 100644 +index 608f454..7ba84e6 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -58481,7 +58532,7 @@ index 608f454..a5787c2 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,293 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,297 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -58628,7 +58679,8 @@ index 608f454..a5787c2 100644 +# pegasus openlmi system (networking) local policy +# + -+allow pegasus_openlmi_system_t self:capability { net_admin }; ++allow pegasus_openlmi_system_t self:capability { net_admin sys_boot }; ++allow pegasus_openlmi_system_t self:process signal_perms; + +allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms; + @@ -58637,6 +58689,8 @@ index 608f454..a5787c2 100644 +dev_rw_sysfs(pegasus_openlmi_system_t) +dev_read_urand(pegasus_openlmi_system_t) + ++init_read_utmp(pegasus_openlmi_system_t) ++ +systemd_config_power_services(pegasus_openlmi_system_t) +systemd_dbus_chat_logind(pegasus_openlmi_system_t) + @@ -58708,6 +58762,7 @@ index 608f454..a5787c2 100644 + +seutil_read_file_contexts(pegasus_openlmi_storage_t) + ++storage_raw_read_removable_device(pegasus_openlmi_storage_t) +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + 
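Review bot: `allow pegasus_openlmi_system_t self:capability { net_admin sys_boot };` adds CAP_SYS_BOOT — the capability behind reboot(2) and kexec_load(2) — to a block whose header still reads `# pegasus openlmi system (networking) local policy`, and nothing in the hunk records which provider operation needs it. The `systemd_config_power_services` line visible in the following hunk suggests a power-management path, but that is an inference; a comment above the rule such as `# sys_boot: <OpenLMI operation that triggered the AVC — fill in>` and a header of `# pegasus openlmi system (networking, power) local policy` would make the grant reviewable later. The `signal_perms` self rule added on the next line is low-risk but deserves the same one-line justification. The pegasus_openlmi_system_t block continues outside the hunk.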
@@ -58780,7 +58835,7 @@ index 608f454..a5787c2 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +326,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +330,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -58811,7 +58866,7 @@ index 608f454..a5787c2 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +352,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +356,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -58844,7 +58899,7 @@ index 608f454..a5787c2 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +380,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +384,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -58856,7 +58911,7 @@ index 608f454..a5787c2 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +396,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +400,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -58892,7 +58947,7 @@ index 608f454..a5787c2 100644 ') optional_policy(` -@@ -151,16 +430,24 @@ optional_policy(` +@@ -151,16 +434,24 @@ optional_policy(` ') optional_policy(` @@ -58921,7 +58976,7 @@ index 608f454..a5787c2 100644 ') optional_policy(` -@@ -168,7 +455,7 @@ optional_policy(` +@@ -168,7 +459,7 @@ optional_policy(` ') optional_policy(` @@ -60062,10 +60117,10 @@ index 0000000..798efb6 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..d656f71 +index 0000000..5c64daf --- /dev/null 
+++ b/pki.te -@@ -0,0 +1,271 @@ +@@ -0,0 +1,272 @@ +policy_module(pki,10.0.11) + +######################################## @@ -60240,6 +60295,7 @@ index 0000000..d656f71 + +corenet_tcp_bind_pki_ra_port(pki_ra_t) +# talk to other subsystems ++corenet_tcp_connect_http_port(pki_ra_t) +corenet_tcp_connect_pki_ca_port(pki_ra_t) +corenet_tcp_connect_smtp_port(pki_ra_t) + @@ -60366,7 +60422,7 @@ index 735500f..2ba6832 100644 -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) +/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/plymouthd.if b/plymouthd.if -index 30e751f..78fb7c6 100644 +index 30e751f..61feb3a 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -1,4 +1,4 @@ @@ -60554,7 +60610,7 @@ index 30e751f..78fb7c6 100644 gen_require(` type plymouthd_var_run_t; ') -@@ -233,36 +228,113 @@ interface(`plymouthd_read_pid_files',` +@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',` ######################################## ## @@ -60562,12 +60618,13 @@ index 30e751f..78fb7c6 100644 -## administrate an plymouthd environment. +## Allow the specified domain to read +## to plymouthd log files. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`plymouthd_read_log',` + gen_require(` @@ -60590,26 +60647,27 @@ index 30e751f..78fb7c6 100644 +# +interface(`plymouthd_create_log',` + gen_require(` -+ type plymouthd_log_t; ++ type plymouthd_var_log_t; + ') + + logging_search_logs($1) -+ create_files_pattern($1, plymouthd_log_t, plymouthd_log_t) ++ create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) +') + -+ +######################################## +## +## Allow the specified domain to manage +## to plymouthd log files. - ## - ## ++##
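Review bot: `corenet_tcp_connect_http_port(pki_ra_t)` is placed under `# talk to other subsystems`, yet http_port_t is the generic web-port label (it covers the common HTTP/HTTPS and alternate web ports, not a PKI-specific one), so this connect is considerably broader than the `pki_ca_port` and `smtp_port` connects that follow it, and the hunk does not say which subsystem is reached this way. If the peer is a fixed PKI endpoint, a dedicated port type is the narrower choice; otherwise extend the comment, `# talk to other subsystems (CA via pki_ca_port, <name the subsystem> via the generic http port)`, so the breadth is deliberate rather than accidental. The pki_ra_t block continues outside the hunk.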
++## ## - ## Domain allowed access. +-## Role allowed access. ++## Domain allowed access. ## ## --## -+# +-## + # +-interface(`plymouthd_admin',` +interface(`plymouthd_manage_log',` + gen_require(` + type plymouthd_var_log_t; @@ -60646,14 +60704,11 @@ index 30e751f..78fb7c6 100644 +## an plymouthd environment +##
+## - ## --## Role allowed access. ++## +## Domain allowed access. - ## - ## --## - # --interface(`plymouthd_admin',` ++## ++## ++# +interface(`plymouthd_admin', ` gen_require(` type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; @@ -63095,7 +63150,7 @@ index ded95ec..3cf7146 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 5cfb83e..efec4cc 100644 +index 5cfb83e..ab42dca 100644 --- a/postfix.te +++ b/postfix.te @@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1) @@ -63358,13 +63413,13 @@ index 5cfb83e..efec4cc 100644 -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") -+kernel_read_all_sysctls(postfix_master_t) - +- -can_exec(postfix_master_t, postfix_exec_t) - -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -- ++kernel_read_all_sysctls(postfix_master_t) + -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) @@ -63674,7 +63729,7 @@ index 5cfb83e..efec4cc 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -532,16 +443,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -532,21 +443,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) 
@@ -63694,7 +63749,24 @@ index 5cfb83e..efec4cc 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -584,19 +494,26 @@ optional_policy(` + + write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) ++write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) + + write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) + +@@ -557,6 +468,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + corecmd_exec_bin(postfix_pipe_t) + + optional_policy(` ++ cyrus_stream_connect(postfix_pipe_t) ++') ++ ++optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) + ') + +@@ -584,19 +499,26 @@ optional_policy(` ######################################## # @@ -63726,7 +63798,7 @@ index 5cfb83e..efec4cc 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -611,10 +528,7 @@ optional_policy(` +@@ -611,10 +533,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -63738,7 +63810,7 @@ index 5cfb83e..efec4cc 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -629,17 +543,24 @@ optional_policy(` +@@ -629,17 +548,24 @@ optional_policy(` ####################################### # @@ -63766,7 +63838,7 @@ index 5cfb83e..efec4cc 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -655,69 +576,78 @@ optional_policy(` +@@ -655,69 +581,78 @@ optional_policy(` ######################################## # @@ -63863,7 +63935,7 @@ index 5cfb83e..efec4cc 100644 ') optional_policy(` -@@ -730,29 +660,30 @@ optional_policy(` +@@ -730,29 +665,30 @@ optional_policy(` ######################################## # 
@@ -63902,7 +63974,7 @@ index 5cfb83e..efec4cc 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -764,6 +695,7 @@ optional_policy(` +@@ -764,6 +700,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -63910,7 +63982,7 @@ index 5cfb83e..efec4cc 100644 ') optional_policy(` -@@ -774,31 +706,100 @@ optional_policy(` +@@ -774,31 +711,100 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -76473,7 +76545,7 @@ index 6dbc905..4b17c93 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index d32e1a2..73051fc 100644 +index d32e1a2..64b5dee 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -76494,7 +76566,7 @@ index d32e1a2..73051fc 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -52,23 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -52,23 +51,40 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) @@ -76537,6 +76609,7 @@ index d32e1a2..73051fc 100644 + +optional_policy(` rpm_read_db(rhsmcertd_t) ++ rpm_signull(rhsmcertd_t) ') diff --git a/ricci.if b/ricci.if index 2ab3ed1..23d579c 100644 
@@ -76927,6 +77000,68 @@ index 0ba2569..64a0237 100644 optional_policy(` ccs_stream_connect(ricci_modstorage_t) +diff --git a/rkhunter.fc b/rkhunter.fc +new file mode 100644 +index 0000000..645a9cc +--- /dev/null ++++ b/rkhunter.fc +@@ -0,0 +1 @@ ++/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0) +diff --git a/rkhunter.if b/rkhunter.if +new file mode 100644 +index 0000000..0be4cee +--- /dev/null ++++ b/rkhunter.if +@@ -0,0 +1,39 @@ ++## policy for rkhunter ++ ++######################################## ++## ++## Append rkhunter lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkhunter_append_lib_files',` ++ gen_require(` ++ type rkhunter_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rkhunter lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkhunter_manage_lib_files',` ++ gen_require(` ++ type rkhunter_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t) ++') +diff --git a/rkhunter.te b/rkhunter.te +new file mode 100644 +index 0000000..aa2d09e +--- /dev/null ++++ b/rkhunter.te +@@ -0,0 +1,4 @@ ++policy_module(rhhunter, 1.0) ++ ++type rkhunter_var_lib_t; ++files_type(rkhunter_var_lib_t) diff --git a/rlogin.fc b/rlogin.fc index f111877..e361ee9 100644 --- a/rlogin.fc @@ -81317,7 +81452,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..d06a165 100644 +index 2b7c441..71cbfc7 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) 
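Review bot: `policy_module(rhhunter, 1.0)` in the new rkhunter.te misspells the module name: every other artifact in this hunk is named rkhunter (`rkhunter.fc`, `rkhunter.if`, `rkhunter_var_lib_t`, `rkhunter_append_lib_files`), so the built module would be registered as `rhhunter` and could not be listed or removed under the name maintainers expect; it should read `policy_module(rkhunter, 1.0)`. Separately, both new interfaces operate on `rkhunter_var_lib_t`, which the new rkhunter.fc applies to the whole `/var/lib/rkhunter(/.*)?` tree — on typical installs that tree also holds rkhunter's stored file-property baseline — so any caller of `rkhunter_append_lib_files` can append to that baseline as well. A sentence to that effect in the interface summary, and a narrower type for the one file that actually needs appending if it can be identified, would keep the grant honest.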
@@ -81484,7 +81619,14 @@ index 2b7c441..d06a165 100644 type smbd_t; type smbd_exec_t; -@@ -152,9 +135,10 @@ type smbd_var_run_t; +@@ -148,13 +131,17 @@ files_type(smbd_keytab_t) + type smbd_tmp_t; + files_tmp_file(smbd_tmp_t) + ++type smbd_tmpfs_t; ++files_tmpfs_file(smbd_tmpfs_t) ++ + type smbd_var_run_t; files_pid_file(smbd_var_run_t) type smbmount_t; @@ -81497,7 +81639,7 @@ index 2b7c441..d06a165 100644 type swat_t; type swat_exec_t; -@@ -173,28 +157,29 @@ type winbind_exec_t; +@@ -173,28 +160,29 @@ type winbind_exec_t; init_daemon_domain(winbind_t, winbind_exec_t) type winbind_helper_t; @@ -81535,7 +81677,7 @@ index 2b7c441..d06a165 100644 allow samba_net_t samba_etc_t:file read_file_perms; -@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) +@@ -210,17 +198,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") @@ -81562,7 +81704,7 @@ index 2b7c441..d06a165 100644 dev_read_urand(samba_net_t) -@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t) +@@ -233,15 +226,16 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -81583,7 +81725,7 @@ index 2b7c441..d06a165 100644 ') optional_policy(` -@@ -249,46 +240,58 @@ optional_policy(` +@@ -249,46 +243,58 @@ optional_policy(` ') optional_policy(` 
@@ -81626,11 +81768,11 @@ index 2b7c441..d06a165 100644 -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; +allow smbd_t nmbd_t:process { signal signull }; -+ -+allow smbd_t nmbd_var_run_t:file rw_file_perms; -+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; ++allow smbd_t nmbd_var_run_t:file rw_file_perms; ++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++ +allow smbd_t samba_etc_t:file { rw_file_perms setattr }; allow smbd_t smbd_keytab_t:file read_file_perms; @@ -81654,7 +81796,7 @@ index 2b7c441..d06a165 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -298,6 +301,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -298,20 +304,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") @@ -81663,7 +81805,13 @@ index 2b7c441..d06a165 100644 manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) -@@ -307,11 +312,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + ++manage_dirs_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t) ++manage_files_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t) ++fs_tmpfs_filetrans(smbd_t, smbd_tmpfs_t, { file dir }) ++ + manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) 
@@ -81679,7 +81827,7 @@ index 2b7c441..d06a165 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -321,43 +326,33 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -321,43 +333,33 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -81734,7 +81882,7 @@ index 2b7c441..d06a165 100644 fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) fs_get_xattr_fs_quotas(smbd_t) -@@ -366,44 +361,55 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -366,44 +368,55 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -81801,7 +81949,7 @@ index 2b7c441..d06a165 100644 ') tunable_policy(`samba_domain_controller',` -@@ -419,20 +425,10 @@ tunable_policy(`samba_domain_controller',` +@@ -419,20 +432,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -81824,7 +81972,7 @@ index 2b7c441..d06a165 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -441,6 +437,7 @@ tunable_policy(`samba_share_nfs',` +@@ -441,6 +444,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -81832,7 +81980,7 @@ index 2b7c441..d06a165 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -448,17 +445,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -448,17 +452,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -81850,7 +81998,7 @@ index 2b7c441..d06a165 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -466,6 +452,7 @@ optional_policy(` +@@ -466,6 +459,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -81858,7 +82006,7 @@ index 2b7c441..d06a165 100644 ') optional_policy(` -@@ -479,6 +466,11 @@ optional_policy(` +@@ -479,6 +473,11 @@ optional_policy(` ') optional_policy(` 
@@ -81870,7 +82018,7 @@ index 2b7c441..d06a165 100644 lpd_exec_lpr(smbd_t) ') -@@ -488,6 +480,10 @@ optional_policy(` +@@ -488,6 +487,10 @@ optional_policy(` ') optional_policy(` @@ -81881,7 +82029,7 @@ index 2b7c441..d06a165 100644 rpc_search_nfs_state_data(smbd_t) ') -@@ -499,9 +495,33 @@ optional_policy(` +@@ -499,9 +502,33 @@ optional_policy(` udev_read_db(smbd_t) ') @@ -81916,7 +82064,7 @@ index 2b7c441..d06a165 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -512,9 +532,11 @@ allow nmbd_t self:msg { send receive }; +@@ -512,9 +539,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -81931,7 +82079,7 @@ index 2b7c441..d06a165 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -526,20 +548,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -526,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -81955,7 +82103,7 @@ index 2b7c441..d06a165 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -548,52 +565,42 @@ kernel_read_network_state(nmbd_t) +@@ -548,52 +572,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) 
@@ -82004,14 +82152,14 @@ index 2b7c441..d06a165 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) @@ -82022,7 +82170,7 @@ index 2b7c441..d06a165 100644 ') optional_policy(` -@@ -606,16 +613,22 @@ optional_policy(` +@@ -606,16 +620,22 @@ optional_policy(` ######################################## # @@ -82030,7 +82178,7 @@ index 2b7c441..d06a165 100644 +# smbcontrol local policy # -+ ++allow smbcontrol_t self:capability2 block_suspend; allow smbcontrol_t self:process signal; -allow smbcontrol_t self:fifo_file rw_fifo_file_perms; +# internal communication is often done using fifo and unix sockets. @@ -82049,7 +82197,7 @@ index 2b7c441..d06a165 100644 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) -@@ -627,16 +640,11 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -627,16 +647,11 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -82067,7 +82215,7 @@ index 2b7c441..d06a165 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -644,22 +652,23 @@ optional_policy(` +@@ -644,22 +659,23 @@ optional_policy(` ######################################## # @@ -82099,7 +82247,7 @@ index 2b7c441..d06a165 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -668,26 +677,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -668,26 +684,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") 
@@ -82135,7 +82283,7 @@ index 2b7c441..d06a165 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -699,58 +704,77 @@ fs_read_cifs_files(smbmount_t) +@@ -699,58 +711,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -82227,7 +82375,7 @@ index 2b7c441..d06a165 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -759,17 +783,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -759,17 +790,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -82251,7 +82399,7 @@ index 2b7c441..d06a165 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -777,36 +797,25 @@ kernel_read_network_state(swat_t) +@@ -777,36 +804,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -82294,7 +82442,7 @@ index 2b7c441..d06a165 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -818,10 +827,11 @@ logging_send_syslog_msg(swat_t) +@@ -818,10 +834,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) @@ -82308,7 +82456,7 @@ index 2b7c441..d06a165 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -840,17 +850,20 @@ optional_policy(` +@@ -840,17 +857,20 @@ optional_policy(` # Winbind local policy # @@ -82334,7 +82482,7 @@ index 2b7c441..d06a165 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -860,9 +873,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -860,9 +880,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) 
@@ -82345,7 +82493,7 @@ index 2b7c441..d06a165 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -873,23 +884,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -873,23 +891,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -82375,7 +82523,7 @@ index 2b7c441..d06a165 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -898,13 +907,17 @@ kernel_read_system_state(winbind_t) +@@ -898,13 +914,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) @@ -82396,7 +82544,7 @@ index 2b7c441..d06a165 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -912,10 +925,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -912,10 +932,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -82407,7 +82555,7 @@ index 2b7c441..d06a165 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -924,26 +933,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -924,26 +940,39 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -82449,7 +82597,7 @@ index 2b7c441..d06a165 100644 ') optional_policy(` -@@ -959,31 +981,29 @@ optional_policy(` +@@ -959,31 +988,29 @@ optional_policy(` # Winbind helper local policy # @@ -82487,7 +82635,7 @@ index 2b7c441..d06a165 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -997,25 +1017,38 @@ optional_policy(` +@@ -997,25 +1024,38 @@ optional_policy(` ######################################## # @@ -85567,10 +85715,10 @@ index 3a9a70b..903109c 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) 
diff --git a/setroubleshoot.te b/setroubleshoot.te -index ce67935..b58792f 100644 +index ce67935..b3df839 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te -@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.12.1) +@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.12.1) type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_exec_t; @@ -85602,6 +85750,8 @@ index ce67935..b58792f 100644 allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; ++dontaudit setroubleshootd_t self:capability net_admin; ++ +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run +allow setroubleshootd_t self:process { execmem execstack }; @@ -85632,7 +85782,7 @@ index ce67935..b58792f 100644 manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t) +@@ -61,14 +70,13 @@ corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) corecmd_read_all_executables(setroubleshootd_t) @@ -85650,7 +85800,7 @@ index ce67935..b58792f 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) +@@ -76,10 +84,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) 
@@ -85662,7 +85812,7 @@ index ce67935..b58792f 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -109,27 +114,24 @@ init_read_utmp(setroubleshootd_t) +@@ -109,27 +116,24 @@ init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) @@ -85695,7 +85845,7 @@ index ce67935..b58792f 100644 ') optional_policy(` -@@ -137,10 +139,18 @@ optional_policy(` +@@ -137,10 +141,18 @@ optional_policy(` ') optional_policy(` @@ -85714,7 +85864,7 @@ index ce67935..b58792f 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -150,26 +160,36 @@ optional_policy(` +@@ -150,26 +162,36 @@ optional_policy(` ######################################## # @@ -85753,7 +85903,7 @@ index ce67935..b58792f 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -177,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -177,23 +199,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -86556,10 +86706,29 @@ index ca32e89..98278dd 100644 + ') diff --git a/slpd.te b/slpd.te -index 731512a..645dad6 100644 +index 731512a..4ce76cd 100644 --- a/slpd.te 
+++ b/slpd.te -@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) +@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t) + # Local policy + # + +-allow slpd_t self:capability { kill setgid setuid }; ++allow slpd_t self:capability { kill net_admin setgid setuid }; + allow slpd_t self:process signal; + allow slpd_t self:fifo_file rw_fifo_file_perms; + allow slpd_t self:tcp_socket { accept listen }; +@@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file) + manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t) + files_pid_filetrans(slpd_t, slpd_var_run_t, file) + ++kernel_read_system_state(slpd_t) ++kernel_read_network_state(slpd_t) ++ + corenet_all_recvfrom_unlabeled(slpd_t) + corenet_all_recvfrom_netlabel(slpd_t) + corenet_tcp_sendrecv_generic_if(slpd_t) +@@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) corenet_tcp_bind_svrloc_port(slpd_t) corenet_udp_bind_svrloc_port(slpd_t) @@ -86570,6 +86739,8 @@ index 731512a..645dad6 100644 auth_use_nsswitch(slpd_t) -miscfiles_read_localization(slpd_t) ++logging_send_syslog_msg(slpd_t) ++ +sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te index 59eb07f..4626942 100644 @@ -87249,11 +87420,13 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..3f412d5 +index 0000000..48c0623 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1 @@ +@@ -0,0 +1,3 @@ +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) ++ ++/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/snapper.if b/snapper.if new file mode 100644 index 0000000..94105ee @@ -87304,10 +87477,10 @@ index 0000000..94105ee +') diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..ad232be +index 0000000..3df20a6 --- /dev/null +++ b/snapper.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,56 @@ +policy_module(snapper, 1.0.0) + +######################################## 
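Review bot: `allow slpd_t self:capability { kill net_admin setgid setuid };` grants CAP_NET_ADMIN to slpd_t outright, whereas the setroubleshoot.te hunk earlier in this patch handles its net_admin denial with a dontaudit. The changelog pairs this grant with the new `logging_send_syslog_msg(slpd_t)`, so if the denial originates on the syslog path rather than from genuine network configuration, the least-privilege form is to keep `allow slpd_t self:capability { kill setgid setuid };` and add `dontaudit slpd_t self:capability net_admin;`. If slpd really performs a privileged network operation, a comment naming that operation next to the allow rule would justify the broader grant. The kernel_read_system_state/kernel_read_network_state additions look proportionate and need no change.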
@@ -87319,6 +87492,12 @@ index 0000000..ad232be +type snapperd_exec_t; +init_daemon_domain(snapperd_t, snapperd_exec_t) + ++type snapperd_log_t; ++logging_log_file(snapperd_log_t) ++ ++type snapperd_data_t; ++files_type(snapperd_data_t) ++ +######################################## +# +# snapperd local policy @@ -87327,13 +87506,29 @@ index 0000000..ad232be +allow snapperd_t self:fifo_file rw_fifo_file_perms; +allow snapperd_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t) ++logging_log_filetrans(snapperd_t, snapperd_log_t, file) ++ ++manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) ++manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) ++manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) ++ ++domain_read_all_domains_state(snapperd_t) ++ ++corecmd_exec_shell(snapperd_t) ++corecmd_exec_bin(snapperd_t) ++ ++files_read_all_files(snapperd_t) ++files_list_all(snapperd_t) ++ ++fs_getattr_all_fs(snapperd_t) ++ +storage_raw_read_fixed_disk(snapperd_t) + +auth_use_nsswitch(snapperd_t) + -+miscfiles_read_localization(snapperd_t) -+ +optional_policy(` ++ dbus_system_domain(snapperd_t, snapperd_exec_t) + dbus_system_bus_client(snapperd_t) + dbus_connect_system_bus(snapperd_t) +') @@ -87341,6 +87536,7 @@ index 0000000..ad232be +optional_policy(` + mount_domtrans(snapperd_t) +') ++ diff --git a/snmp.fc b/snmp.fc index 2f0a2f2..1569e33 100644 --- a/snmp.fc @@ -93321,10 +93517,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..ed78f6f +index 0000000..81e8be9 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,154 @@ +@@ -0,0 +1,155 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -93444,6 +93640,7 @@ index 0000000..ed78f6f +') + +optional_policy(` ++ dbus_exec_dbusd(thumb_t) + dbus_dontaudit_stream_connect_session_bus(thumb_t) + dbus_dontaudit_chat_session_bus(thumb_t) +') 
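Review bot: `snapperd_data_t` is declared with `files_type(snapperd_data_t)` here and given manage_files/dirs/lnk_files_pattern rules in the following snapper.te hunk, but nothing visible in this patch labels a path with it: the whole of snapper.fc is three lines and only adds `/var/log/snapper\.log.*`, and no filetrans rule names the type. Unless labeling is added in a part of snapper.te not shown, those manage rules are inert and snapshot data inherits the parent directory's type, which is not what a dedicated type is for. Either add an fc entry (placeholder: `<SNAPSHOT_DIR>(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)`) or a filetrans rule, and state the intended location in a comment above the declaration. The new `files_read_all_files`, `domain_read_all_domains_state` and `corecmd_exec_shell`/`corecmd_exec_bin` grants in the next hunk are likewise uncommented; one line on why a snapshot daemon needs shell execution would help the next reviewer. snapper.te is a new file and these hunks show only parts of it.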
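Review bot: `dbus_exec_dbusd(thumb_t)` sits directly above two lines that dontaudit thumb_t's session-bus connect and chat, which reads as contradictory: the domain may execute dbus-daemon but is not expected to talk to a session bus. The changelog says this is for tumbler executing dbus-daemon inside thumb_t, so a comment such as `# tumbler runs dbus-daemon itself; no transition, the daemon stays in thumb_t` would make the intent clear and signal that the thumbnailer, which processes user-supplied files, is not being granted any bus access it did not have. thumb.te is a new file and this hunk shows only a small part of it.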
@@ -100137,10 +100334,10 @@ index 0000000..044be2f +') diff --git a/vmtools.te b/vmtools.te new file mode 100644 -index 0000000..7918651 +index 0000000..b4d2dac --- /dev/null +++ b/vmtools.te -@@ -0,0 +1,27 @@ +@@ -0,0 +1,42 @@ +policy_module(vmtools, 1.0.0) + +######################################## @@ -100155,17 +100352,32 @@ index 0000000..7918651 +type vmtools_unit_file_t; +systemd_unit_file(vmtools_unit_file_t) + ++type vmtools_tmp_t; ++files_tmp_file(vmtools_tmp_t) ++ +######################################## +# +# vmtools local policy +# ++allow vmtools_t self:capability { sys_time sys_rawio }; +allow vmtools_t self:fifo_file rw_fifo_file_perms; +allow vmtools_t self:unix_stream_socket create_stream_socket_perms; +allow vmtools_t self:unix_dgram_socket create_socket_perms; + -+auth_use_nsswitch(vmtools_t) ++manage_dirs_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t) ++manage_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t) ++manage_lnk_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t) ++files_tmp_filetrans(vmtools_t, vmtools_tmp_t, { file dir }) ++ ++kernel_read_system_state(vmtools_t) ++kernel_read_network_state(vmtools_t) ++ ++corecmd_exec_shell(vmtools_t) + +dev_read_urand(vmtools_t) ++dev_getattr_all_blk_files(vmtools_t) ++ ++auth_use_nsswitch(vmtools_t) + +logging_send_syslog_msg(vmtools_t) diff --git a/vmware.if b/vmware.if diff --git a/selinux-policy.spec b/selinux-policy.spec index ca49964..d2c5efd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 18%{?dist} +Release: 19%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
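Review bot: `allow vmtools_t self:capability { sys_time sys_rawio };` grants CAP_SYS_RAWIO, one of the broadest capabilities (raw block-device and port I/O), yet the only device access added alongside it is `dev_getattr_all_blk_files(vmtools_t)`, i.e. stat rather than read or write. If the denial comes from a probe while the tools enumerate disks, `dontaudit vmtools_t self:capability sys_rawio;` is the least-privilege form; if raw I/O is genuinely required, a comment naming the operation should accompany the grant. sys_time is plausible for guest clock synchronization, but that too is inferred from the domain name rather than shown. vmtools.te is a new file and this hunk covers the local policy section from the type declarations to logging_send_syslog_msg.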
@@ -578,6 +578,45 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jan 28 2014 Miroslav Grepl 3.13.1-19 +- Add net_admin also for systemd_passwd_agent_t +- Allow Associate usermodehelper_t to sysfs filesystem +- Allow gdm to create /var/gdm with correct labeling +- Allow domains to append rkhunterl lib files. #1057982 +- Allow systemd_tmpfiles_t net_admin to communicate with journald +- update libs_filetrans_named_content() to have support for /usr/lib/debug directory +- Adding a new service script to enable setcheckreqprot +- Add interface to getattr on an isid_type for any type of file +- Allow initrc_t domtrans to authconfig if unconfined is enabled +- Add labeling for snapper.log +- Allow tumbler to execute dbusd-daemon in thumb_t +- Add dbus_exec_dbusd() +- Add snapperd_data_t type +- Add additional fixes for snapperd +- FIx bad calling in samba.te +- Allow smbd to create tmpfs +- Allow rhsmcertd-worker send signull to rpm process +- Allow net_admin capability and send system log msgs +- Allow lldpad send dgram to NM +- Add networkmanager_dgram_send() +- rkhunter_var_lib_t is correct type +- Allow openlmi-storage to read removable devices +- Allow system cron jobs to manage rkhunter lib files +- Add rkhunter_manage_lib_files() +- Fix ftpd_use_fusefs boolean to allow manage also symlinks +- Allow smbcontrob block_suspend cap2 +- Allow slpd to read network and system state info +- Allow NM domtrans to iscsid_t if iscsiadm is executed +- Allow slapd to send a signal itself +- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. 
+- Fix plymouthd_create_log() interface +- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package +- Allow postfix and cyrus-imapd to work out of box +- Remove logwatch_can_sendmail which is no longer used +- Allow fcoemon to talk with unpriv user domain using unix_stream_socket +- snapperd is D-Bus service +- Allow OpenLMI PowerManagement to call 'systemctl --force reboot' + * Fri Jan 24 2014 Miroslav Grepl 3.13.1-18 - Add haproxy_connect_any boolean - Allow haproxy also to use http cache port by default