diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 73354c9..9aeb350 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -15386,7 +15386,7 @@ index d7c11a0..6b3331d 100644
/var/run/shm/.* <>
-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..b66e93a 100644
+index 8416beb..4d615ff 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -15834,7 +15834,7 @@ index 8416beb..b66e93a 100644
##
##
##
-@@ -1878,117 +2085,190 @@ interface(`fs_search_fusefs',`
+@@ -1878,135 +2085,151 @@ interface(`fs_search_fusefs',`
##
##
#
@@ -16004,83 +16004,93 @@ index 8416beb..b66e93a 100644
-## read, write, and delete files
-## on a FUSEFS filesystem.
+## Unmount a FUSE filesystem.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_manage_fusefs_files',`
+interface(`fs_unmount_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- dontaudit $1 fusefs_t:file manage_file_perms;
+ allow $1 fusefs_t:filesystem unmount;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read symbolic links on a FUSEFS filesystem.
+## Mounton a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2014,145 +2237,194 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ ##
+ ##
+ #
+-interface(`fs_read_fusefs_symlinks',`
+interface(`fs_mounton_fusefs',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
+ gen_require(`
+ type fusefs_t;
+ ')
+
+- allow $1 fusefs_t:dir list_dir_perms;
+- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+ allow $1 fusefs_t:dir mounton;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Get the attributes of an hugetlbfs
+-## filesystem.
+## Search directories
+## on a FUSEFS filesystem.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`fs_getattr_hugetlbfs',`
++interface(`fs_search_fusefs',`
+ gen_require(`
+- type hugetlbfs_t;
++ type fusefs_t;
+ ')
+
+- allow $1 hugetlbfs_t:filesystem getattr;
++ allow $1 fusefs_t:dir search_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## List hugetlbfs.
++## Do not audit attempts to list the contents
++## of directories on a FUSEFS filesystem.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
-+##
+#
-+interface(`fs_search_fusefs',`
++interface(`fs_dontaudit_list_fusefs',`
+ gen_require(`
+ type fusefs_t;
+ ')
+
-+ allow $1 fusefs_t:dir search_dir_perms;
++ dontaudit $1 fusefs_t:dir list_dir_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to list the contents
-+## of directories on a FUSEFS filesystem.
- ##
- ##
- ##
-@@ -1996,91 +2276,173 @@ interface(`fs_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_dontaudit_list_fusefs',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
-+ dontaudit $1 fusefs_t:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
+## Create, read, write, and delete directories
+## on a FUSEFS filesystem.
##
@@ -16091,21 +16101,20 @@ index 8416beb..b66e93a 100644
##
+##
#
--interface(`fs_read_fusefs_symlinks',`
+-interface(`fs_list_hugetlbfs',`
+interface(`fs_manage_fusefs_dirs',`
gen_require(`
- type fusefs_t;
+- type hugetlbfs_t;
++ type fusefs_t;
')
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+- allow $1 hugetlbfs_t:dir list_dir_perms;
+ allow $1 fusefs_t:dir manage_dir_perms;
')
########################################
##
--## Get the attributes of an hugetlbfs
--## filesystem.
+-## Manage hugetlbfs dirs.
+## Do not audit attempts to create, read,
+## write, and delete directories
+## on a FUSEFS filesystem.
@@ -16135,20 +16144,20 @@ index 8416beb..b66e93a 100644
##
+##
#
--interface(`fs_getattr_hugetlbfs',`
+-interface(`fs_manage_hugetlbfs_dirs',`
+interface(`fs_read_fusefs_files',`
gen_require(`
- type hugetlbfs_t;
+ type fusefs_t;
')
-- allow $1 hugetlbfs_t:filesystem getattr;
+- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ read_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## List hugetlbfs.
+-## Read and write hugetlbfs files.
+## Execute files on a FUSEFS filesystem.
##
##
@@ -16158,58 +16167,69 @@ index 8416beb..b66e93a 100644
##
+##
#
--interface(`fs_list_hugetlbfs',`
+-interface(`fs_rw_hugetlbfs_files',`
+interface(`fs_exec_fusefs_files',`
gen_require(`
- type hugetlbfs_t;
+ type fusefs_t;
')
-- allow $1 hugetlbfs_t:dir list_dir_perms;
+- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
+ exec_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Manage hugetlbfs dirs.
+-## Allow the type to associate to hugetlbfs filesystems.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
-+##
+ ##
+-##
+##
-+##
+ ##
+-## The type of the object to be associated.
+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_associate_hugetlbfs',`
+interface(`fs_fusefs_entry_type',`
-+ gen_require(`
+ gen_require(`
+- type hugetlbfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 hugetlbfs_t:filesystem associate;
+ domain_entry_file($1, fusefs_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search inotifyfs filesystem.
+## Make general progams in FUSEFS an entrypoint for
+## the specified domain.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## The domain for which fusefs_t is an entrypoint.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_search_inotifyfs',`
+interface(`fs_fusefs_entrypoint',`
-+ gen_require(`
+ gen_require(`
+- type inotifyfs_t;
+ type fusefs_t;
-+ ')
-+
+ ')
+
+- allow $1 inotifyfs_t:dir search_dir_perms;
+ allow $1 fusefs_t:file entrypoint;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## List inotifyfs filesystem.
+## Create, read, write, and delete files
+## on a FUSEFS filesystem.
##
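Review bot: `fs_fusefs_entry_type` and `fs_fusefs_entrypoint` carry the identical summary `Make general progams in FUSEFS an entrypoint for the specified domain.` (with the `progams` typo) even though one calls `domain_entry_file($1, fusefs_t)` and the other grants the bare `fusefs_t:file entrypoint` permission, so a reader of the generated docs cannot tell them apart. Give each its own wording, e.g. `## Make FUSEFS files an entrypoint for the specified domain (via domain_entry_file).` and `## Allow the specified domain to use FUSEFS files as a process entrypoint.`. Because FUSE mounts are typically populated by unprivileged users, both descriptions should also carry a caveat along the lines of `## Any file on a FUSE mount can then act as an entry point into this domain; grant sparingly.` so callers understand the trust implication before pairing these with `fs_fusefs_domtrans`.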
@@ -16220,87 +16240,85 @@ index 8416beb..b66e93a 100644
##
+##
#
--interface(`fs_manage_hugetlbfs_dirs',`
+-interface(`fs_list_inotifyfs',`
+interface(`fs_manage_fusefs_files',`
gen_require(`
-- type hugetlbfs_t;
+- type inotifyfs_t;
+ type fusefs_t;
')
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
+- allow $1 inotifyfs_t:dir list_dir_perms;
+ manage_files_pattern($1, fusefs_t, fusefs_t)
')
########################################
##
--## Read and write hugetlbfs files.
+-## Dontaudit List inotifyfs filesystem.
+## Do not audit attempts to create,
+## read, write, and delete files
+## on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_manage_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ dontaudit $1 fusefs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Read symbolic links on a FUSEFS filesystem.
##
##
##
-@@ -2088,53 +2450,100 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2160,53 +2432,136 @@ interface(`fs_list_inotifyfs',`
##
##
#
--interface(`fs_rw_hugetlbfs_files',`
-+interface(`fs_read_fusefs_symlinks',`
+-interface(`fs_dontaudit_list_inotifyfs',`
++interface(`fs_dontaudit_manage_fusefs_files',`
gen_require(`
-- type hugetlbfs_t;
+- type inotifyfs_t;
+ type fusefs_t;
')
-- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
-+ allow $1 fusefs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
+- dontaudit $1 inotifyfs_t:dir list_dir_perms;
++ dontaudit $1 fusefs_t:file manage_file_perms;
')
########################################
##
--## Allow the type to associate to hugetlbfs filesystems.
-+## Manage symbolic links on a FUSEFS filesystem.
+-## Create an object in a hugetlbfs filesystem, with a private
+-## type using a type transition.
++## Read symbolic links on a FUSEFS filesystem.
##
--##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
++#
++interface(`fs_read_fusefs_symlinks',`
++ gen_require(`
++ type fusefs_t;
++ ')
++
++ allow $1 fusefs_t:dir list_dir_perms;
++ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++##
++## Manage symbolic links on a FUSEFS filesystem.
++##
+##
##
--## The type of the object to be associated.
+-## The type of the object to be created.
+## Domain allowed access.
##
##
- #
--interface(`fs_associate_hugetlbfs',`
+-##
++#
+interface(`fs_manage_fusefs_symlinks',`
- gen_require(`
-- type hugetlbfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem associate;
++ ')
++
+ manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
- ')
-
- ########################################
- ##
--## Search inotifyfs filesystem.
++')
++
++########################################
++##
+## Execute a file on a FUSE filesystem
+## in the specified domain.
+##
@@ -16324,16 +16342,20 @@ index 8416beb..b66e93a 100644
+##
+##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Domain allowed to transition.
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The name of the object being created.
+## The type of the new process.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`fs_hugetlbfs_filetrans',`
+interface(`fs_fusefs_domtrans',`
+ gen_require(`
+ type fusefs_t;
@@ -16346,83 +16368,80 @@ index 8416beb..b66e93a 100644
+########################################
+##
+## Get the attributes of a FUSEFS filesystem.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
++##
++##
++##
++## Domain allowed access.
++##
++##
+##
- #
--interface(`fs_search_inotifyfs',`
++#
+interface(`fs_getattr_fusefs',`
- gen_require(`
-- type inotifyfs_t;
++ gen_require(`
+ type fusefs_t;
- ')
-
-- allow $1 inotifyfs_t:dir search_dir_perms;
++ ')
++
+ allow $1 fusefs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## List inotifyfs filesystem.
++')
++
++########################################
++##
+## Get the attributes of an hugetlbfs
+## filesystem.
- ##
- ##
- ##
-@@ -2142,71 +2551,527 @@ interface(`fs_search_inotifyfs',`
- ##
- ##
- #
--interface(`fs_list_inotifyfs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_getattr_hugetlbfs',`
gen_require(`
-- type inotifyfs_t;
-+ type hugetlbfs_t;
+ type hugetlbfs_t;
')
-- allow $1 inotifyfs_t:dir list_dir_perms;
+- allow $2 hugetlbfs_t:filesystem associate;
+- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
+ allow $1 hugetlbfs_t:filesystem getattr;
')
########################################
##
--## Dontaudit List inotifyfs filesystem.
+-## Mount an iso9660 filesystem, which
+-## is usually used on CDs.
+## List hugetlbfs.
##
##
##
--## Domain to not audit.
-+## Domain allowed access.
+@@ -2214,19 +2569,17 @@ interface(`fs_hugetlbfs_filetrans',`
##
##
#
--interface(`fs_dontaudit_list_inotifyfs',`
+-interface(`fs_mount_iso9660_fs',`
+interface(`fs_list_hugetlbfs',`
gen_require(`
-- type inotifyfs_t;
+- type iso9660_t;
+ type hugetlbfs_t;
')
-- dontaudit $1 inotifyfs_t:dir list_dir_perms;
+- allow $1 iso9660_t:filesystem mount;
+ allow $1 hugetlbfs_t:dir list_dir_perms;
')
########################################
##
--## Create an object in a hugetlbfs filesystem, with a private
--## type using a type transition.
+-## Remount an iso9660 filesystem, which
+-## is usually used on CDs. This allows
+-## some mount options to be changed.
+## Manage hugetlbfs dirs.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2234,18 +2587,533 @@ interface(`fs_mount_iso9660_fs',`
+ ##
+ ##
+ #
+-interface(`fs_remount_iso9660_fs',`
+interface(`fs_manage_hugetlbfs_dirs',`
+ gen_require(`
+ type hugetlbfs_t;
@@ -16888,84 +16907,55 @@ index 8416beb..b66e93a 100644
+########################################
+##
+## Manage kdbusfs directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## The type of the object to be created.
--##
--##
--##
--##
--## The object class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
- #
--interface(`fs_hugetlbfs_filetrans',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_manage_kdbus_dirs',`
- gen_require(`
-- type hugetlbfs_t;
-- ')
++ gen_require(`
+ type kdbusfs_t;
-
-- allow $2 hugetlbfs_t:filesystem associate;
-- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
++
+ ')
+ manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Mount an iso9660 filesystem, which
--## is usually used on CDs.
++')
++
++########################################
++##
+## Read kdbusfs files.
- ##
- ##
- ##
-@@ -2214,19 +3079,21 @@ interface(`fs_hugetlbfs_filetrans',`
- ##
- ##
- #
--interface(`fs_mount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_read_kdbus_files',`
- gen_require(`
-- type iso9660_t;
++ gen_require(`
+ type cgroup_t;
+
- ')
-
-- allow $1 iso9660_t:filesystem mount;
++ ')
++
+ read_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
- ')
-
- ########################################
- ##
--## Remount an iso9660 filesystem, which
--## is usually used on CDs. This allows
--## some mount options to be changed.
++')
++
++########################################
++##
+## Write kdbusfs files.
- ##
- ##
- ##
-@@ -2234,18 +3101,19 @@ interface(`fs_mount_iso9660_fs',`
- ##
- ##
- #
--interface(`fs_remount_iso9660_fs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_write_kdbus_files', `
gen_require(`
- type iso9660_t;
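Review bot: `fs_read_kdbus_files` requires `type cgroup_t;` in its gen_require block while every rule in its body targets `kdbusfs_t`, so a module that calls it without its own require for kdbusfs_t should fail to build and cgroup_t is pulled into scope for nothing; change the require to `type kdbusfs_t;` exactly as `fs_manage_kdbus_dirs` immediately above does. Two smaller style points in the same hunk: `fs_manage_kdbus_dirs` has a stray blank line inside its gen_require block before the closing `')`, and `interface(`fs_write_kdbus_files', `` puts a space between the comma and the opening backtick that no other interface header in this file uses. The body of `fs_write_kdbus_files` continues past the end of this hunk.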
@@ -17437,209 +17427,270 @@ index 8416beb..b66e93a 100644
##
##
##
-@@ -3769,17 +4833,53 @@ interface(`fs_rw_rpc_named_pipes',`
- ##
- ##
- #
--interface(`fs_mount_tmpfs',`
-+interface(`fs_mount_tmpfs',`
+@@ -3779,6 +4843,24 @@ interface(`fs_mount_tmpfs',`
+
+ ########################################
+ ##
++## Dontaudit remount a tmpfs filesystem.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_dontaudit_remount_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ allow $1 tmpfs_t:filesystem mount;
++ dontaudit $1 tmpfs_t:filesystem remount;
+')
+
+########################################
+##
-+## Dontaudit remount a tmpfs filesystem.
+ ## Remount a tmpfs filesystem.
+ ##
+ ##
+@@ -3815,6 +4897,24 @@ interface(`fs_unmount_tmpfs',`
+
+ ########################################
+ ##
++## Mount on tmpfs directories.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`fs_dontaudit_remount_tmpfs',`
++interface(`fs_mounton_tmpfs', `
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ dontaudit $1 tmpfs_t:filesystem remount;
++ allow $1 tmpfs_t:dir mounton;
++')
++
++########################################
++##
+ ## Get the attributes of a tmpfs
+ ## filesystem.
+ ##
+@@ -3839,39 +4939,76 @@ interface(`fs_getattr_tmpfs',`
+ ##
+ ##
+ ##
+-## The type of the object to be associated.
++## The type of the object to be associated.
++##
++##
++#
++interface(`fs_associate_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:filesystem associate;
+')
+
+########################################
+##
-+## Remount a tmpfs filesystem.
++## Relabel from tmpfs filesystem.
+##
-+##
++##
+##
+## Domain allowed access.
+##
+##
+#
-+interface(`fs_remount_tmpfs',`
++interface(`fs_relabelfrom_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:filesystem relabelfrom;
++')
++
++########################################
++##
++## Get the attributes of tmpfs directories.
++##
++##
++##
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`fs_associate_tmpfs',`
++interface(`fs_getattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:filesystem mount;
-+ allow $1 tmpfs_t:filesystem remount;
+- allow $1 tmpfs_t:filesystem associate;
++ allow $1 tmpfs_t:dir getattr;
')
########################################
##
--## Remount a tmpfs filesystem.
-+## Unmount a tmpfs filesystem.
+-## Relabel from tmpfs filesystem.
++## Do not audit attempts to get the attributes
++## of tmpfs directories.
##
- ##
+-##
++##
##
-@@ -3787,17 +4887,17 @@ interface(`fs_mount_tmpfs',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
--interface(`fs_remount_tmpfs',`
-+interface(`fs_unmount_tmpfs',`
+-interface(`fs_relabelfrom_tmpfs',`
++interface(`fs_dontaudit_getattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:filesystem remount;
-+ allow $1 tmpfs_t:filesystem unmount;
+- allow $1 tmpfs_t:filesystem relabelfrom;
++ dontaudit $1 tmpfs_t:dir getattr;
')
########################################
##
--## Unmount a tmpfs filesystem.
-+## Mount on tmpfs directories.
+-## Get the attributes of tmpfs directories.
++## Set the attributes of tmpfs directories.
##
##
##
-@@ -3805,12 +4905,12 @@ interface(`fs_remount_tmpfs',`
+@@ -3879,36 +5016,35 @@ interface(`fs_relabelfrom_tmpfs',`
##
##
#
--interface(`fs_unmount_tmpfs',`
-+interface(`fs_mounton_tmpfs', `
+-interface(`fs_getattr_tmpfs_dirs',`
++interface(`fs_setattr_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
-- allow $1 tmpfs_t:filesystem unmount;
-+ allow $1 tmpfs_t:dir mounton;
+- allow $1 tmpfs_t:dir getattr;
++ allow $1 tmpfs_t:dir setattr;
')
########################################
-@@ -3908,7 +5008,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+ ##
+-## Do not audit attempts to get the attributes
+-## of tmpfs directories.
++## Search tmpfs directories.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`fs_dontaudit_getattr_tmpfs_dirs',`
++interface(`fs_search_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+- dontaudit $1 tmpfs_t:dir getattr;
++ allow $1 tmpfs_t:dir search_dir_perms;
+ ')
########################################
##
-## Mount on tmpfs directories.
-+## Set the attributes of tmpfs directories.
++## List the contents of generic tmpfs directories.
##
##
##
-@@ -3916,17 +5016,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,35 +5052,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
-interface(`fs_mounton_tmpfs',`
-+interface(`fs_setattr_tmpfs_dirs',`
++interface(`fs_list_tmpfs',`
gen_require(`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir mounton;
-+ allow $1 tmpfs_t:dir setattr;
++ allow $1 tmpfs_t:dir list_dir_perms;
')
########################################
##
-## Set the attributes of tmpfs directories.
-+## Search tmpfs directories.
++## Do not audit attempts to list the
++## contents of generic tmpfs directories.
##
##
##
-@@ -3934,17 +5034,17 @@ interface(`fs_mounton_tmpfs',`
+-## Domain allowed access.
++## Domain to not audit.
##
##
#
-interface(`fs_setattr_tmpfs_dirs',`
-+interface(`fs_search_tmpfs',`
++interface(`fs_dontaudit_list_tmpfs',`
gen_require(`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir setattr;
-+ allow $1 tmpfs_t:dir search_dir_perms;
++ dontaudit $1 tmpfs_t:dir list_dir_perms;
')
########################################
##
-## Search tmpfs directories.
-+## List the contents of generic tmpfs directories.
++## Relabel directory on tmpfs filesystems.
##
##
##
-@@ -3952,17 +5052,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +5089,17 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
-interface(`fs_search_tmpfs',`
-+interface(`fs_list_tmpfs',`
++interface(`fs_relabel_tmpfs_dirs',`
gen_require(`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir search_dir_perms;
-+ allow $1 tmpfs_t:dir list_dir_perms;
++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
')
########################################
##
-## List the contents of generic tmpfs directories.
-+## Do not audit attempts to list the
-+## contents of generic tmpfs directories.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`fs_dontaudit_list_tmpfs',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ dontaudit $1 tmpfs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+##
-+## Relabel directory on tmpfs filesystems.
++## Relabel fifo_file on tmpfs filesystems.
##
##
##
-@@ -3970,31 +5089,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +5107,30 @@ interface(`fs_search_tmpfs',`
##
##
#
-interface(`fs_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_dirs',`
++interface(`fs_relabel_tmpfs_fifo_files',`
gen_require(`
type tmpfs_t;
')
- allow $1 tmpfs_t:dir list_dir_perms;
-+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
')
########################################
##
-## Do not audit attempts to list the
-## contents of generic tmpfs directories.
-+## Relabel fifo_file on tmpfs filesystems.
++## Relabel files on tmpfs filesystems.
##
##
##
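Review bot: `interface(`fs_mounton_tmpfs', `` in the block added under `@@ -3815,6 +4897,24 @@` puts a space between the comma and the opening backtick, unlike every other interface header in this hunk; write it as `interface(`fs_mounton_tmpfs',`` so the headers stay uniform and grep-style lookups for `',`` match all of them. The remainder of the hunk only reorders the existing tmpfs interfaces and their descriptions and reads correctly.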
@@ -17649,30 +17700,12 @@ index 8416beb..b66e93a 100644
##
#
-interface(`fs_dontaudit_list_tmpfs',`
-+interface(`fs_relabel_tmpfs_fifo_files',`
++interface(`fs_relabel_tmpfs_files',`
gen_require(`
type tmpfs_t;
')
- dontaudit $1 tmpfs_t:dir list_dir_perms;
-+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+##
-+## Relabel files on tmpfs filesystems.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_relabel_tmpfs_files',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
')
@@ -17852,7 +17885,33 @@ index 8416beb..b66e93a 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
-@@ -4503,6 +5768,8 @@ interface(`fs_mount_all_fs',`
+@@ -4407,6 +5672,25 @@ interface(`fs_search_xenfs',`
+ allow $1 xenfs_t:dir search_dir_perms;
+ ')
+
++
++########################################
++##
++## Read files on a XENFS filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_xenfs_files',`
++ gen_require(`
++ type xenfs_t;
++ ')
++
++ allow $1 xenfs_t:file read_file_perms;
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete directories
+@@ -4503,6 +5787,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
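Review bot: The new `fs_read_xenfs_files` grants only `xenfs_t:file read_file_perms`, whereas the sibling read interfaces in this file (for example `fs_read_kdbus_files`) use `read_files_pattern`, which also grants search on the containing directories; as written a caller must separately call `fs_search_xenfs` or it will still be denied at the mount point. Use `read_files_pattern($1, xenfs_t, xenfs_t)` for consistency with the rest of filesystem.if. The addition is also introduced by an extra `+` blank line, leaving two blank lines between `fs_search_xenfs` and the new separator where the file otherwise uses one.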
@@ -17861,7 +17920,7 @@ index 8416beb..b66e93a 100644
')
########################################
-@@ -4549,7 +5816,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5835,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -17870,7 +17929,7 @@ index 8416beb..b66e93a 100644
## Example attributes:
##
##
-@@ -4596,6 +5863,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5882,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -17897,7 +17956,7 @@ index 8416beb..b66e93a 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +5958,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +5977,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -17923,7 +17982,7 @@ index 8416beb..b66e93a 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6218,63 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6237,63 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -33678,7 +33737,7 @@ index 79a45f6..9769b64 100644
+ read_files_pattern($1, init_var_lib_t, init_var_lib_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda24..0fe1650 100644
+index 17eda24..137676e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -34031,7 +34090,7 @@ index 17eda24..0fe1650 100644
+
+allow init_t self:system all_system_perms;
+allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow init_t self:process { setsockcreate setfscreate setrlimit setexec };
++allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
+allow init_t self:process { getcap setcap };
+allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
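Review bot: The new `setkeycreate` permission lands in an `allow init_t self:process` statement that is immediately followed by a second `allow init_t self:process { getcap setcap };` on the next line; merging them into one `allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec getcap setcap };` keeps init's self:process grants in one place. Nothing in the hunk records why init needs to set the keyring-creation context, so a one-line `# setkeycreate: systemd labels the session keyrings it creates -- TODO confirm` above it would help the next reader. The enclosing init_t rule block continues outside this hunk.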
@@ -44877,10 +44936,10 @@ index 0000000..4f142e9
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..0920911
+index 0000000..ad113b6
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,775 @@
+@@ -0,0 +1,782 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -45163,6 +45222,10 @@ index 0000000..0920911
+init_dbus_chat(systemd_machined_t)
+init_status(systemd_machined_t)
+
++userdom_dbus_send_all_users(systemd_machined_t)
++
++term_use_ptmx(systemd_machined_t)
++
+optional_policy(`
+ dbus_connect_system_bus(systemd_machined_t)
+ dbus_system_bus_client(systemd_machined_t)
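Review bot: `term_use_ptmx(systemd_machined_t)` and `userdom_dbus_send_all_users(systemd_machined_t)` are added without a comment saying which machined operation needs them, unlike the `# needed by docker BZ #...` style used elsewhere in this series. term_use_ptmx lets machined open /dev/ptmx, presumably for the pty that `machinectl shell`/`login` allocate; record that as `# pty allocation for machinectl shell/login -- TODO confirm`. userdom_dbus_send_all_users is broad (dbus send to every user domain), and the `dbus_system_bus_client` rule in the optional_policy block directly below may already cover replies to callers on the system bus, so the denial that motivated it should be confirmed before merging.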
@@ -45194,12 +45257,15 @@ index 0000000..0920911
+kernel_dgram_send(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
++kernel_read_xen_state(systemd_networkd_t)
+
+corenet_tcp_bind_all_nodes(systemd_networkd_t)
+corenet_udp_bind_all_nodes(systemd_networkd_t)
+corenet_tcp_bind_dhcpc_port(systemd_networkd_t)
+corenet_udp_bind_dhcpc_port(systemd_networkd_t)
+
++fs_read_xenfs_files(systemd_networkd_t)
++
+dev_read_sysfs(systemd_networkd_t)
+
+auth_use_nsswitch(systemd_networkd_t)
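Review bot: `fs_read_xenfs_files(systemd_networkd_t)` grants read on xenfs_t files only (its definition in this series is `allow $1 xenfs_t:file read_file_perms`), so unless `kernel_read_xen_state` also searches xenfs_t directories networkd will still be denied `search` at the mount point; pairing it with `fs_search_xenfs(systemd_networkd_t)` avoids a second round-trip. As with the machined hunk, a short `# reads Xen guest state from /proc/xen -- TODO confirm` comment would record why networkd reads Xen state at all. The networkd rule block continues past this hunk.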
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 97bc967..98aaa5c 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -81,13 +81,29 @@ index 1a93dc5..e948aef 100644
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..7da78c7 100644
+index 058d908..ee0c559 100644
--- a/abrt.if
+++ b/abrt.if
-@@ -1,4 +1,26 @@
+@@ -1,4 +1,42 @@
-## Automated bug-reporting tool.
+## ABRT - automated bug-reporting tool
+
++########################################
++##
++## abrt stub interface. No access allowed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_stub',`
++ gen_require(`
++ type abrt_t;
++ ')
++')
++
+######################################
+##
+## Creates types and rules for a basic
@@ -112,7 +128,7 @@ index 058d908..7da78c7 100644
######################################
##
-@@ -21,6 +43,25 @@ interface(`abrt_domtrans',`
+@@ -21,6 +59,25 @@ interface(`abrt_domtrans',`
######################################
##
@@ -138,7 +154,7 @@ index 058d908..7da78c7 100644
## Execute abrt in the caller domain.
##
##
-@@ -40,7 +81,7 @@ interface(`abrt_exec',`
+@@ -40,7 +97,7 @@ interface(`abrt_exec',`
########################################
##
@@ -147,7 +163,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -58,7 +99,7 @@ interface(`abrt_signull',`
+@@ -58,7 +115,7 @@ interface(`abrt_signull',`
########################################
##
@@ -156,7 +172,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -71,12 +112,13 @@ interface(`abrt_read_state',`
+@@ -71,12 +128,13 @@ interface(`abrt_read_state',`
type abrt_t;
')
@@ -171,7 +187,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -116,8 +158,7 @@ interface(`abrt_dbus_chat',`
+@@ -116,8 +174,7 @@ interface(`abrt_dbus_chat',`
#####################################
##
@@ -181,7 +197,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -130,15 +171,13 @@ interface(`abrt_domtrans_helper',`
+@@ -130,15 +187,13 @@ interface(`abrt_domtrans_helper',`
type abrt_helper_t, abrt_helper_exec_t;
')
@@ -199,20 +215,23 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -163,8 +202,45 @@ interface(`abrt_run_helper',`
+@@ -163,8 +218,7 @@ interface(`abrt_run_helper',`
########################################
##
-## Create, read, write, and delete
-## abrt cache files.
+## Read abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -172,15 +226,56 @@ interface(`abrt_run_helper',`
+ ##
+ ##
+ #
+-interface(`abrt_cache_manage',`
+- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
+- abrt_manage_cache($1)
+interface(`abrt_read_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
@@ -220,10 +239,12 @@ index 058d908..7da78c7 100644
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## abrt cache content.
+## Append abrt cache
+##
+##
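Review bot: `abrt_read_cache` (its header sits in the previous hunk) grants `read_files_pattern` and `read_lnk_files_pattern` on abrt_var_cache_t, which covers file reads and directory search but not directory listing, whereas the retrace-spool read interface later in this file pairs the same two patterns with `list_dirs_pattern`. If the intended callers enumerate the cache, add `list_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)`; if the narrower grant is deliberate, say so in the summary, e.g. `## Read abrt cache files (no directory listing).`. The `abrt_append_cache` body that follows is outside this hunk.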
@@ -244,16 +265,13 @@ index 058d908..7da78c7 100644
+########################################
+##
+## Read/Write inherited abrt cache
- ##
- ##
- ##
-@@ -172,15 +248,18 @@ interface(`abrt_run_helper',`
- ##
- ##
- #
--interface(`abrt_cache_manage',`
-- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
-- abrt_manage_cache($1)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`abrt_rw_inherited_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
@@ -261,17 +279,15 @@ index 058d908..7da78c7 100644
+
+
+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## abrt cache content.
++')
++
++########################################
++##
+## Manage abrt cache
##
##
##
-@@ -193,7 +272,6 @@ interface(`abrt_manage_cache',`
+@@ -193,7 +288,6 @@ interface(`abrt_manage_cache',`
type abrt_var_cache_t;
')
@@ -279,7 +295,7 @@ index 058d908..7da78c7 100644
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-@@ -201,7 +279,7 @@ interface(`abrt_manage_cache',`
+@@ -201,7 +295,7 @@ interface(`abrt_manage_cache',`
####################################
##
@@ -288,7 +304,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -218,9 +296,29 @@ interface(`abrt_read_config',`
+@@ -218,9 +312,29 @@ interface(`abrt_read_config',`
read_files_pattern($1, abrt_etc_t, abrt_etc_t)
')
@@ -319,7 +335,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -258,8 +356,7 @@ interface(`abrt_read_pid_files',`
+@@ -258,8 +372,7 @@ interface(`abrt_read_pid_files',`
######################################
##
@@ -329,7 +345,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -276,10 +373,52 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +389,52 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -384,7 +400,7 @@ index 058d908..7da78c7 100644
##
##
##
-@@ -288,39 +427,174 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +443,174 @@ interface(`abrt_manage_pid_files',`
##
##
##
@@ -485,7 +501,7 @@ index 058d908..7da78c7 100644
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
-+')
+ ')
+
+#####################################
+##
@@ -505,7 +521,7 @@ index 058d908..7da78c7 100644
+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
- ')
++')
+
+
+#####################################
@@ -573,7 +589,7 @@ index 058d908..7da78c7 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..9bd797b 100644
+index eb50f07..853554d 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -721,7 +737,7 @@ index eb50f07..9bd797b 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -125,48 +135,57 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,48 +135,59 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -755,6 +771,8 @@ index eb50f07..9bd797b 100644
kernel_request_load_module(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
++# needed by docker BZ #1194280
++kernel_read_net_sysctls(abrt_t)
+kernel_rw_usermodehelper_state(abrt_t)
corecmd_exec_bin(abrt_t)
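Review bot: The comment on the new `kernel_read_net_sysctls(abrt_t)` line, `# needed by docker BZ #1194280`, names the reporter rather than the reason; abrt_t is the subject of the rule, so state what is granted and keep the reference in the changelog's format, e.g. `# abrt reads /proc/sys/net sysctls (docker crash reports), BZ(#1194280)`. Separately, the context in this hunk shows the inner patch adding `kernel_rw_usermodehelper_state(abrt_t)` twice, two lines above and directly above the new rule; a duplicate allow rule is accepted by the policy compiler but is noise worth dropping while this spot is being touched.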
@@ -786,7 +804,7 @@ index eb50f07..9bd797b 100644
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
-@@ -176,29 +195,43 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +197,43 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -833,7 +851,7 @@ index eb50f07..9bd797b 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -206,15 +239,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +241,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -850,7 +868,7 @@ index eb50f07..9bd797b 100644
')
optional_policy(`
-@@ -222,6 +251,28 @@ optional_policy(`
+@@ -222,6 +253,28 @@ optional_policy(`
')
optional_policy(`
@@ -879,7 +897,7 @@ index eb50f07..9bd797b 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +285,11 @@ optional_policy(`
+@@ -234,6 +287,11 @@ optional_policy(`
')
optional_policy(`
@@ -891,7 +909,7 @@ index eb50f07..9bd797b 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +299,7 @@ optional_policy(`
+@@ -243,6 +301,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -899,7 +917,7 @@ index eb50f07..9bd797b 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +310,21 @@ optional_policy(`
+@@ -253,9 +312,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -922,7 +940,7 @@ index eb50f07..9bd797b 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +335,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +337,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -937,7 +955,7 @@ index eb50f07..9bd797b 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +354,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +356,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -945,7 +963,7 @@ index eb50f07..9bd797b 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +363,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +365,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -966,7 +984,7 @@ index eb50f07..9bd797b 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +384,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +386,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -993,7 +1011,7 @@ index eb50f07..9bd797b 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +420,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +422,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1007,7 +1025,7 @@ index eb50f07..9bd797b 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +438,11 @@ optional_policy(`
+@@ -343,10 +440,11 @@ optional_policy(`
#######################################
#
@@ -1021,7 +1039,7 @@ index eb50f07..9bd797b 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +461,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +463,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1090,7 +1108,7 @@ index eb50f07..9bd797b 100644
#######################################
#
-@@ -404,25 +526,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +528,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1153,7 +1171,7 @@ index eb50f07..9bd797b 100644
')
#######################################
-@@ -430,10 +587,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +589,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -28027,10 +28045,10 @@ index cf0e567..6c3ce35 100644
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
-index ce358fb..65ade3f 100644
+index ce358fb..8cc3ca2 100644
--- a/fcoe.te
+++ b/fcoe.te
-@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t)
+@@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t)
# Local policy
#
@@ -28040,6 +28058,7 @@ index ce358fb..65ade3f 100644
allow fcoemon_t self:unix_stream_socket { accept listen };
allow fcoemon_t self:netlink_socket create_socket_perms;
allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
++allow fcoemon_t self:netlink_scsitransport_socket create_socket_perms;
+allow fcoemon_t self:packet_socket create_socket_perms;
+allow fcoemon_t self:udp_socket create_socket_perms;
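Review bot: The new `allow fcoemon_t self:netlink_scsitransport_socket create_socket_perms;` carries no comment, unlike the abrt hunk earlier in this patch which cites its bug next to the new rule; add `# FC transport events via the SCSI transport netlink socket, BZ(#1260882)` above it. netlink_scsitransport_socket is one of the extended netlink classes, so the base policy this contrib patch is built against has to declare it; if the rawhide base does, this is fine, but the module will not compile against a base that lacks the class, which is worth a check since the base and contrib patches are refreshed separately.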
@@ -47972,13 +47991,15 @@ index 0000000..f59af1b
+')
diff --git a/mock.fc b/mock.fc
new file mode 100644
-index 0000000..8d0e473
+index 0000000..394bc46
--- /dev/null
+++ b/mock.fc
-@@ -0,0 +1,5 @@
+@@ -0,0 +1,7 @@
+
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
+
++/usr/libexec/mock/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
++
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
diff --git a/mock.if b/mock.if
@@ -57342,7 +57363,7 @@ index 86dc29d..7380935 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f2009..51cb268 100644
+index 55f2009..d63018d 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -9,15 +9,18 @@ type NetworkManager_t;
@@ -57433,7 +57454,7 @@ index 55f2009..51cb268 100644
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +102,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,30 +102,29 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -57441,7 +57462,14 @@ index 55f2009..51cb268 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +116,15 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+
+ manage_dirs_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+ manage_files_pattern(NetworkManager_t, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+-files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, dir)
++files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file })
+
+ manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
+ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
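Review bot: The widened `files_var_lib_filetrans(NetworkManager_t, NetworkManager_var_lib_t, { dir file })` labels every plain file NetworkManager_t creates directly in /var/lib as NetworkManager_var_lib_t, not only the one BZ(1270201) is about. If that file has a fixed name, pass it as the fourth argument, the way `logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")` does earlier in this patch, so the transition stays scoped to that name. If the name is not fixed, a comment naming the file this covers would help whoever next sees an unexpected label under /var/lib.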
@@ -66381,10 +66409,10 @@ index 0000000..80246e6
+
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 0000000..b7242be
+index 0000000..08c51d3
--- /dev/null
+++ b/pcp.te
-@@ -0,0 +1,266 @@
+@@ -0,0 +1,268 @@
+policy_module(pcp, 1.0.0)
+
+########################################
@@ -66647,6 +66675,8 @@ index 0000000..b7242be
+
+kernel_read_system_state(pcp_pmlogger_t)
+
++corecmd_exec_bin(pcp_pmlogger_t)
++
+corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
+corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t)
+corenet_tcp_bind_generic_node(pcp_pmlogger_t)
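Review bot: `corecmd_exec_bin(pcp_pmlogger_t)` lets pmlogger run any bin_t executable inside its own domain, so whatever it spawns inherits the TCP bind rules listed just below it. A comment naming the helper pmlogger actually executes, with the reference `BZ(#1258698)`, would record the intent and make a later domain transition easier to add if one becomes warranted. If the executed program is a single known binary, an exec rule on a type of its own is narrower than all of bin_t, though that may be more than this bug needs.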
@@ -90754,7 +90784,7 @@ index b8b66ff..a93346e 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
-index 50d07fb..337a3e7 100644
+index 50d07fb..e9569d2 100644
--- a/samba.if
+++ b/samba.if
@@ -1,8 +1,12 @@
@@ -91133,7 +91163,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -421,33 +537,34 @@ interface(`samba_manage_var_files',`
+@@ -421,33 +537,55 @@ interface(`samba_manage_var_files',`
')
files_search_var_lib($1)
@@ -91145,16 +91175,36 @@ index 50d07fb..337a3e7 100644
########################################
##
-## Execute smbcontrol in the smbcontrol domain.
-+## Execute a domain transition to run smbcontrol.
++## Allow the specified domain to
++## read and write samba /var directories.
##
##
--##
-+##
- ## Domain allowed to transition.
--##
-+##
+ ##
+-## Domain allowed to transition.
++## Domain allowed access.
+ ##
##
#
++interface(`samba_manage_var_dirs',`
++ gen_require(`
++ type samba_var_t;
++ ')
++
++ files_search_var_lib($1)
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, samba_var_t, samba_var_t)
++')
++
++########################################
++##
++## Execute a domain transition to run smbcontrol.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
interface(`samba_domtrans_smbcontrol',`
gen_require(`
- type smbcontrol_t, smbcontrol_exec_t;
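Review bot: `files_search_var_lib($1)` appears twice in the new `samba_manage_var_dirs` body; one call is enough. The interface summary says the domain may "read and write samba /var directories", but `manage_dirs_pattern` also grants create, delete and rename, so the description understates the access; `## Create, read, write, and delete` / `## samba /var lib directories.` matches what the body allows. The body otherwise mirrors `samba_manage_var_files` just above it, which is the right shape.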
@@ -91176,7 +91226,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -462,16 +579,16 @@ interface(`samba_domtrans_smbcontrol',`
+@@ -462,16 +600,16 @@ interface(`samba_domtrans_smbcontrol',`
#
interface(`samba_run_smbcontrol',`
gen_require(`
@@ -91196,7 +91246,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -488,9 +605,27 @@ interface(`samba_domtrans_smbd',`
+@@ -488,9 +626,27 @@ interface(`samba_domtrans_smbd',`
domtrans_pattern($1, smbd_exec_t, smbd_t)
')
@@ -91225,7 +91275,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -505,10 +640,26 @@ interface(`samba_signal_smbd',`
+@@ -505,10 +661,26 @@ interface(`samba_signal_smbd',`
allow $1 smbd_t:process signal;
')
@@ -91254,7 +91304,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -526,7 +677,7 @@ interface(`samba_dontaudit_use_fds',`
+@@ -526,7 +698,7 @@ interface(`samba_dontaudit_use_fds',`
########################################
##
@@ -91263,7 +91313,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -544,7 +695,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
+@@ -544,7 +716,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
########################################
##
@@ -91272,7 +91322,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -560,49 +711,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
+@@ -560,49 +732,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
allow $1 smbmount_t:tcp_socket { read write };
')
@@ -91341,7 +91391,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -618,16 +767,16 @@ interface(`samba_getattr_winbind_exec',`
+@@ -618,16 +788,16 @@ interface(`samba_getattr_winbind_exec',`
#
interface(`samba_run_winbind_helper',`
gen_require(`
@@ -91361,7 +91411,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -637,17 +786,71 @@ interface(`samba_run_winbind_helper',`
+@@ -637,17 +807,71 @@ interface(`samba_run_winbind_helper',`
#
interface(`samba_read_winbind_pid',`
gen_require(`
@@ -91437,7 +91487,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -657,17 +860,61 @@ interface(`samba_read_winbind_pid',`
+@@ -657,17 +881,61 @@ interface(`samba_read_winbind_pid',`
#
interface(`samba_stream_connect_winbind',`
gen_require(`
@@ -91504,7 +91554,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -676,7 +923,7 @@ interface(`samba_stream_connect_winbind',`
+@@ -676,7 +944,7 @@ interface(`samba_stream_connect_winbind',`
##
##
##
@@ -91513,7 +91563,7 @@ index 50d07fb..337a3e7 100644
##
##
##
-@@ -689,11 +936,30 @@ interface(`samba_admin',`
+@@ -689,11 +957,30 @@ interface(`samba_admin',`
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
type swat_var_run_t, swat_tmp_t, winbind_log_t;
type winbind_var_run_t, winbind_tmp_t;
@@ -91521,8 +91571,10 @@ index 50d07fb..337a3e7 100644
+ type smbd_keytab_t, samba_unit_file_t;
+ type samba_unconfined_script_t;
+ type samba_unconfined_script_exec_t;
-+ ')
-+
+ ')
+
+- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t)
+
@@ -91530,10 +91582,8 @@ index 50d07fb..337a3e7 100644
+ allow $1 smbd_t:process ptrace;
+ allow $1 nmbd_t:process ptrace;
+ allow $1 samba_unconfined_script_t:process ptrace;
- ')
-
-- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { nmbd_t smbd_t })
++ ')
++
+ allow $1 nmbd_t:process signal_perms;
+ ps_process_pattern($1, nmbd_t)
+
@@ -91547,7 +91597,7 @@ index 50d07fb..337a3e7 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -703,23 +969,34 @@ interface(`samba_admin',`
+@@ -703,23 +990,34 @@ interface(`samba_admin',`
files_list_etc($1)
admin_pattern($1, { samba_etc_t smbd_keytab_t })
@@ -91562,10 +91612,10 @@ index 50d07fb..337a3e7 100644
- files_list_spool($1)
- admin_pattern($1, smbd_spool_t)
+ admin_pattern($1, samba_share_t)
-+
+
+ admin_pattern($1, samba_var_t)
+ files_list_var($1)
-
++
+ admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
@@ -99404,7 +99454,7 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e35..4b352a2 100644
+index cc58e35..2794505 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
@@ -99931,7 +99981,7 @@ index cc58e35..4b352a2 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +434,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +434,14 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -99942,12 +99992,13 @@ index cc58e35..4b352a2 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
++kernel_read_network_state(spamd_t)
-corenet_all_recvfrom_unlabeled(spamd_t)
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +449,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +450,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -100051,7 +100102,7 @@ index cc58e35..4b352a2 100644
')
optional_policy(`
-@@ -421,21 +520,13 @@ optional_policy(`
+@@ -421,21 +521,13 @@ optional_policy(`
')
optional_policy(`
@@ -100075,7 +100126,7 @@ index cc58e35..4b352a2 100644
')
optional_policy(`
-@@ -443,8 +534,8 @@ optional_policy(`
+@@ -443,8 +535,8 @@ optional_policy(`
')
optional_policy(`
@@ -100085,7 +100136,7 @@ index cc58e35..4b352a2 100644
')
optional_policy(`
-@@ -455,7 +546,17 @@ optional_policy(`
+@@ -455,7 +547,17 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -100104,7 +100155,7 @@ index cc58e35..4b352a2 100644
')
optional_policy(`
-@@ -463,9 +564,9 @@ optional_policy(`
+@@ -463,9 +565,9 @@ optional_policy(`
')
optional_policy(`
@@ -100115,7 +100166,7 @@ index cc58e35..4b352a2 100644
')
optional_policy(`
-@@ -474,32 +575,32 @@ optional_policy(`
+@@ -474,32 +576,32 @@ optional_policy(`
########################################
#
@@ -100158,7 +100209,7 @@ index cc58e35..4b352a2 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +609,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +610,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -101390,7 +101441,7 @@ index a240455..04419ae 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1f..aafd7c8 100644
+index 2d8db1f..edad970 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,17 +28,25 @@ logging_log_file(sssd_var_log_t)
@@ -101494,7 +101545,7 @@ index 2d8db1f..aafd7c8 100644
init_read_utmp(sssd_t)
-@@ -112,18 +120,58 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +120,63 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -101533,9 +101584,14 @@ index 2d8db1f..aafd7c8 100644
+')
+
+optional_policy(`
-+ systemd_login_read_pid_files(sssd_t)
++ samba_manage_var_dirs(sssd_t)
++ samba_manage_var_files(sssd_t)
')
+
++optional_policy(`
++ systemd_login_read_pid_files(sssd_t)
++')
++
+########################################
+#
+# sssd SELinux manager local policy
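Review bot: The new optional block gives sssd_t unconditional create/delete access to samba_var_t directories and files, while the changelog ties it to GPO support that only applies when sssd is joined to an Active Directory domain. Wrapping the two calls in a tunable_policy block keyed on a boolean declared with gen_tunable and defaulting to false (a constructed name such as sssd_manage_samba_var would do) keeps the privilege off on hosts that do not use it, the same pattern `tunable_policy(` already follows for abrt_anon_write elsewhere in this patch. A comment citing `BZ(#1225200)` above the block would also explain why sssd touches samba's state at all.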
@@ -106707,10 +106763,10 @@ index 1ec5e99..5b6c80b 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 34a8917..a6b9e84 100644
+index 34a8917..933baa4 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
-@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
+@@ -10,34 +10,58 @@ roleattribute system_r usbmuxd_roles;
type usbmuxd_t;
type usbmuxd_exec_t;
@@ -106767,6 +106823,10 @@ index 34a8917..a6b9e84 100644
+seutil_dontaudit_read_file_contexts(usbmuxd_t)
+
+optional_policy(`
++ udev_read_pid_files(usbmuxd_t)
++')
++
++optional_policy(`
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
+')
diff --git a/userhelper.fc b/userhelper.fc
@@ -109970,7 +110030,7 @@ index facdee8..efe9356 100644
+ ps_process_pattern(virtd_t, $1)
')
diff --git a/virt.te b/virt.te
-index f03dcf5..d15b4d3 100644
+index f03dcf5..a463e77 100644
--- a/virt.te
+++ b/virt.te
@@ -1,150 +1,241 @@
@@ -111535,89 +111595,7 @@ index f03dcf5..d15b4d3 100644
+tunable_policy(`deny_ptrace',`',`
+ allow svirt_sandbox_domain self:process ptrace;
+')
-
--allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
--allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
--allow svirt_lxc_domain self:fifo_file manage_file_perms;
--allow svirt_lxc_domain self:sem create_sem_perms;
--allow svirt_lxc_domain self:shm create_shm_perms;
--allow svirt_lxc_domain self:msgq create_msgq_perms;
--allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
--allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
--
--allow svirt_lxc_domain virtd_lxc_t:fd use;
--allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virtd_lxc_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
--
--allow svirt_lxc_domain virsh_t:fd use;
--allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
--allow svirt_lxc_domain virsh_t:process sigchld;
--
--allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
--allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
--
--manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
--
--allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
--allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
--
--can_exec(svirt_lxc_domain, svirt_lxc_file_t)
--
--kernel_getattr_proc(svirt_lxc_domain)
--kernel_list_all_proc(svirt_lxc_domain)
--kernel_read_kernel_sysctls(svirt_lxc_domain)
--kernel_rw_net_sysctls(svirt_lxc_domain)
--kernel_read_system_state(svirt_lxc_domain)
--kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
--
--corecmd_exec_all_executables(svirt_lxc_domain)
--
--files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
--files_dontaudit_getattr_all_files(svirt_lxc_domain)
--files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
--files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
--files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
--files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
--files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
--# files_entrypoint_all_files(svirt_lxc_domain)
--files_list_var(svirt_lxc_domain)
--files_list_var_lib(svirt_lxc_domain)
--files_search_all(svirt_lxc_domain)
--files_read_config_files(svirt_lxc_domain)
--files_read_usr_files(svirt_lxc_domain)
--files_read_usr_symlinks(svirt_lxc_domain)
--
--fs_getattr_all_fs(svirt_lxc_domain)
--fs_list_inotifyfs(svirt_lxc_domain)
--
--# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
--# fs_rw_inherited_cifs_files(svirt_lxc_domain)
--# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
--
--auth_dontaudit_read_login_records(svirt_lxc_domain)
--auth_dontaudit_write_login_records(svirt_lxc_domain)
--auth_search_pam_console_data(svirt_lxc_domain)
--
--clock_read_adjtime(svirt_lxc_domain)
--
--init_read_utmp(svirt_lxc_domain)
--init_dontaudit_write_utmp(svirt_lxc_domain)
--
--libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
--
--miscfiles_read_localization(svirt_lxc_domain)
--miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
--miscfiles_read_fonts(svirt_lxc_domain)
--
--mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
++
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
@@ -111702,27 +111680,107 @@ index f03dcf5..d15b4d3 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
-
- optional_policy(`
-- udev_read_pid_files(svirt_lxc_domain)
++
++optional_policy(`
+ gear_read_pid_files(svirt_sandbox_domain)
- ')
-
- optional_policy(`
-- apache_exec_modules(svirt_lxc_domain)
-- apache_read_sys_content(svirt_lxc_domain)
++')
++
++optional_policy(`
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
+
+optional_policy(`
+ ssh_use_ptys(svirt_sandbox_domain)
+')
-+
+
+-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+-allow svirt_lxc_domain self:fifo_file manage_file_perms;
+-allow svirt_lxc_domain self:sem create_sem_perms;
+-allow svirt_lxc_domain self:shm create_shm_perms;
+-allow svirt_lxc_domain self:msgq create_msgq_perms;
+-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
+-
+-allow svirt_lxc_domain virtd_lxc_t:fd use;
+-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
+-
+-allow svirt_lxc_domain virsh_t:fd use;
+-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
+-allow svirt_lxc_domain virsh_t:process sigchld;
+-
+-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
+-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
+-
+-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+-
+-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
+-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
+-
+-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
+-
+-kernel_getattr_proc(svirt_lxc_domain)
+-kernel_list_all_proc(svirt_lxc_domain)
+-kernel_read_kernel_sysctls(svirt_lxc_domain)
+-kernel_rw_net_sysctls(svirt_lxc_domain)
+-kernel_read_system_state(svirt_lxc_domain)
+-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
+-
+-corecmd_exec_all_executables(svirt_lxc_domain)
+-
+-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
+-files_dontaudit_getattr_all_files(svirt_lxc_domain)
+-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
+-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
+-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
+-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
+-# files_entrypoint_all_files(svirt_lxc_domain)
+-files_list_var(svirt_lxc_domain)
+-files_list_var_lib(svirt_lxc_domain)
+-files_search_all(svirt_lxc_domain)
+-files_read_config_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_symlinks(svirt_lxc_domain)
+-
+-fs_getattr_all_fs(svirt_lxc_domain)
+-fs_list_inotifyfs(svirt_lxc_domain)
+-
+-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
+-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
+-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
+-
+-auth_dontaudit_read_login_records(svirt_lxc_domain)
+-auth_dontaudit_write_login_records(svirt_lxc_domain)
+-auth_search_pam_console_data(svirt_lxc_domain)
+-
+-clock_read_adjtime(svirt_lxc_domain)
+-
+-init_read_utmp(svirt_lxc_domain)
+-init_dontaudit_write_utmp(svirt_lxc_domain)
+-
+-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
+-
+-miscfiles_read_localization(svirt_lxc_domain)
+-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
+-miscfiles_read_fonts(svirt_lxc_domain)
+-
+-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
+ udev_read_pid_files(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- udev_read_pid_files(svirt_lxc_domain)
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
+')
+
@@ -111738,9 +111796,11 @@ index f03dcf5..d15b4d3 100644
+ fs_manage_cifs_dirs(svirt_sandbox_domain)
+ fs_manage_cifs_named_sockets(svirt_sandbox_domain)
+ fs_manage_cifs_symlinks(svirt_sandbox_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- apache_exec_modules(svirt_lxc_domain)
+- apache_read_sys_content(svirt_lxc_domain)
+ #docker_read_share_files(svirt_sandbox_domain)
+ #docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)
+ #docker_use_ptys(svirt_sandbox_domain)
@@ -111903,13 +111963,13 @@ index f03dcf5..d15b4d3 100644
+dev_read_urand(svirt_qemu_net_t)
+
+files_read_kernel_modules(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -111964,8 +112024,13 @@ index f03dcf5..d15b4d3 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1535,242 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1205,7 +1533,247 @@ manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+ kernel_read_network_state(virt_bridgehelper_t)
+
++dev_read_urand(virt_bridgehelper_t)
++dev_read_rand(virt_bridgehelper_t)
++
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
-userdom_search_user_home_dirs(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b9d3761..1f240c6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 152%{?dist}
+Release: 153%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -656,6 +656,24 @@ exit 0
%endif
%changelog
+* Tue Oct 13 2015 Lukas Vrabec 3.13.1-153
+- Allow abrt_t to read sysctl_net_t files. BZ(#1194280)
+- Merge branch 'rawhide-contrib' of github.com:fedora-selinux/selinux-policy into rawhide-contrib
+- Add abrt_stub interface.
+- Add support for new mock location - /usr/libexec/mock/mock. BZ(#1270972)
+- Allow usbmuxd to access /run/udev/data/+usb:*. BZ(#1269633)
+- Allow qemu-bridge-helper to read /dev/random and /dev/urandom. BZ(#1267217)
+- Allow sssd_t to manage samba var files/dirs to SSSD's GPO support which is enabled against an Active Directory domain. BZ(#1225200).
+- Add samba_manage_var_dirs() interface.
+- Allow pcp_pmlogger to exec bin_t BZ(#1258698)
+- Allow spamd to read system network state. BZ(1260234)
+- Allow fcoemon to create netlink scsitransport sockets BZ(#1260882)
+- Allow networkmanager to create networkmanager_var_lib_t files. BZ(1270201)
+- Allow systemd-networkd to read XEN state for Xen hypervisor. BZ(#1269916)
+- Add fs_read_xenfs_files() interface.
+- Allow systemd_machined_t to send dbus msgs to all users and read/write /dev/ptmx to make 'machinectl shell' working correctly.
+- Allow systemd running as init_t to override the default context for key creation. BZ(#1267850)
+
* Thu Oct 08 2015 Lukas Vrabec 3.13.1-152
- Allow pcp_pmlogger to read system state. BZ(1258699)
- Allow cupsd to connect on socket. BZ(1258089)