diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 26827c4..377dc48 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1017,16 +1017,18 @@ index d218387..c2541c2 100644 # MLS policy for the process class # diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc -index 7a6f06f..bf04b0a 100644 +index 7a6f06f..5745bb2 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,9 +1,16 @@ -- +/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0) - /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) - /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) -+/etc/zipl\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) ++/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) ++/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) ++/etc/zipl\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0) +-/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) +-/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) +- -/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) @@ -1195,7 +1197,7 @@ index cc8df9d..34c2a4e 100644 + files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf") +') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index e3dbbb8..f766e86 100644 +index e3dbbb8..a99f6e9 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2) 
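Review bot: The replacement lines for `/etc/lilo\.conf.*`, `/etc/yaboot\.conf.*` and `/etc/zipl\.conf.*` drop the `--` file-type qualifier, so the `bootloader_etc_t` context now applies to directories, symlinks and other node types matching those patterns, not only regular files. The surviving `/sbin/grub.* --` and `/sbin/lilo.* --` lines keep the qualifier, so the asymmetry looks unintentional; if only regular files are meant, keep `--`, and if the wider match is deliberate a one-line comment stating why would stop the next reviewer from restoring it.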
@@ -1301,18 +1303,19 @@ index e3dbbb8..f766e86 100644 init_getattr_initctl(bootloader_t) init_use_script_ptys(bootloader_t) init_use_script_fds(bootloader_t) -@@ -118,19 +142,21 @@ init_rw_script_pipes(bootloader_t) +@@ -118,19 +142,20 @@ init_rw_script_pipes(bootloader_t) libs_read_lib_files(bootloader_t) libs_exec_lib_files(bootloader_t) +libs_exec_ld_so(bootloader_t) -+ -+auth_use_nsswitch(bootloader_t) - logging_send_syslog_msg(bootloader_t) - logging_rw_generic_logs(bootloader_t) +-logging_send_syslog_msg(bootloader_t) +-logging_rw_generic_logs(bootloader_t) ++auth_use_nsswitch(bootloader_t) -miscfiles_read_localization(bootloader_t) ++logging_send_syslog_msg(bootloader_t) ++logging_manage_generic_logs(bootloader_t) modutils_domtrans_insmod(bootloader_t) @@ -1326,7 +1329,7 @@ index e3dbbb8..f766e86 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -166,7 +192,8 @@ ifdef(`distro_redhat',` +@@ -166,7 +191,8 @@ ifdef(`distro_redhat',` files_manage_isid_type_chr_files(bootloader_t) # for mke2fs @@ -1336,7 +1339,7 @@ index e3dbbb8..f766e86 100644 optional_policy(` unconfined_domain(bootloader_t) -@@ -174,6 +201,10 @@ ifdef(`distro_redhat',` +@@ -174,6 +200,10 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -1347,7 +1350,7 @@ index e3dbbb8..f766e86 100644 fstools_exec(bootloader_t) ') -@@ -183,6 +214,14 @@ optional_policy(` +@@ -183,6 +213,14 @@ optional_policy(` ') optional_policy(` @@ -1362,7 +1365,7 @@ index e3dbbb8..f766e86 100644 kudzu_domtrans(bootloader_t) ') -@@ -195,17 +234,18 @@ optional_policy(` +@@ -195,17 +233,18 @@ optional_policy(` optional_policy(` modutils_exec_insmod(bootloader_t) @@ -2373,7 +2376,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..ce0c1b4 100644 +index d555767..34e1e8c 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te 
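Review bot: `logging_manage_generic_logs(bootloader_t)` replaces `logging_rw_generic_logs(bootloader_t)` without a comment, and manage additionally permits creating, deleting and renaming files under the generic log type, which lets this domain remove other services' logs rather than just write to them. A widening of this kind should carry the denial that motivated it, e.g. `# bootloader needs to create/remove its own log files; see <bug id placeholder>`, and if a single bootloader tool writes its own log a dedicated log type with a filetrans would be the narrower fix. The `auth_use_nsswitch` and `libs_exec_ld_so` lines are only reordered in this hunk and are not the concern.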
@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2846,7 +2849,7 @@ index d555767..ce0c1b4 100644 +') + +optional_policy(` -+ openshift_manage_lib_dirs(useradd_t) ++ openshift_manage_content(useradd_t) ') optional_policy(` @@ -5167,7 +5170,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..999b8f1 100644 +index 4edc40d..68176bb 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5283,8 +5286,9 @@ index 4edc40d..999b8f1 100644 network_port(epmap, tcp,135,s0, udp,135,s0) network_port(epmd, tcp,4369,s0, udp,4369,s0) network_port(fingerd, tcp,79,s0) +-network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) - network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) ++network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(gds_db, tcp,3050,s0, udp,3050,s0) @@ -5642,7 +5646,7 @@ index b31c054..17e11e0 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..7a424f4 100644 +index 76f285e..48504fe 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
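Review bot: `openshift_manage_content(useradd_t)` replaces `openshift_manage_lib_dirs(useradd_t)`, and judging by the name the new interface appears to grant management of all openshift content rather than only its lib directories; the hunk records no reason for the widening. The definition of `openshift_manage_content` is outside this patch, so whether it also covers files and symlinks should be checked before merging, and a comment such as `# useradd creates per-user content under /var/lib/openshift (confirm against the denial)` would document the intent.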
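Review bot: The new `network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)` line adds port 989 to the ftp port type without a comment; 989 is the implicit-FTPS data port, the counterpart of port 20 which this file keeps under `ftp_data`, so whether it belongs with `ftp` or `ftp_data` depends on which domains must bind versus connect to it. Suggest recording the choice on the line, `# 989/990: implicit FTPS data/control`, so the grouping is not silently changed later. The removed-then-re-added line is otherwise identical apart from the new entries.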
@@ -5878,7 +5882,32 @@ index 76f285e..7a424f4 100644 ') ######################################## -@@ -1003,6 +1112,26 @@ interface(`dev_getattr_all_blk_files',` +@@ -877,6 +986,24 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` + + ######################################## + ## ++## Read block device files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_generic_blk_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ read_blk_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## + ## Create, delete, read, and write block device files. + ## + ## +@@ -1003,6 +1130,26 @@ interface(`dev_getattr_all_blk_files',` ######################################## ## @@ -5905,7 +5934,7 @@ index 76f285e..7a424f4 100644 ## Dontaudit getattr on all block file device nodes. ## ## -@@ -1034,6 +1163,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` +@@ -1034,6 +1181,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` gen_require(` attribute device_node; @@ -5913,7 +5942,7 @@ index 76f285e..7a424f4 100644 ') getattr_chr_files_pattern($1, device_t, device_node) -@@ -1206,6 +1336,42 @@ interface(`dev_create_all_chr_files',` +@@ -1206,6 +1354,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -5956,7 +5985,7 @@ index 76f285e..7a424f4 100644 ## Delete all block device files. ## ## -@@ -1560,25 +1726,6 @@ interface(`dev_relabel_autofs_dev',` +@@ -1560,25 +1744,6 @@ interface(`dev_relabel_autofs_dev',` ######################################## ## @@ -5982,7 +6011,7 @@ index 76f285e..7a424f4 100644 ## Read and write the PCMCIA card manager device. ## ## -@@ -1682,6 +1829,26 @@ interface(`dev_filetrans_cardmgr',` +@@ -1682,6 +1847,26 @@ interface(`dev_filetrans_cardmgr',` ######################################## ## 
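Review bot: The summary of the new `dev_read_generic_blk_files` interface, `Read block device files.`, understates its scope: it grants read on every block node still carrying the generic `device_t` label, which is typically a device that has not yet been relabeled to its specific type. Suggest `## Read generic block device files (device_t), i.e. block devices not labeled with a specific device type.` so callers do not mistake it for a narrower grant. The body's use of `read_blk_files_pattern($1, device_t, device_t)` is consistent with the surrounding generic-device interfaces.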
@@ -6009,7 +6038,7 @@ index 76f285e..7a424f4 100644 ## Get the attributes of the CPU ## microcode and id interfaces. ## -@@ -1791,6 +1958,24 @@ interface(`dev_rw_crypto',` +@@ -1791,6 +1976,24 @@ interface(`dev_rw_crypto',` rw_chr_files_pattern($1, device_t, crypt_device_t) ') @@ -6034,7 +6063,7 @@ index 76f285e..7a424f4 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -2402,7 +2587,7 @@ interface(`dev_filetrans_lirc',` +@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -6043,7 +6072,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -2410,17 +2595,17 @@ interface(`dev_filetrans_lirc',` +@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',` ## ## # @@ -6065,7 +6094,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -2428,17 +2613,17 @@ interface(`dev_getattr_lvm_control',` +@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',` ## ## # @@ -6087,7 +6116,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -2446,17 +2631,17 @@ interface(`dev_read_lvm_control',` +@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',` ## ## # @@ -6109,7 +6138,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -2464,17 +2649,17 @@ interface(`dev_rw_lvm_control',` +@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',` ## ## # @@ -6131,7 +6160,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -2482,35 +2667,35 @@ interface(`dev_dontaudit_rw_lvm_control',` +@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',` ## ## # @@ -6176,7 +6205,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -2518,44 +2703,134 @@ interface(`dev_dontaudit_getattr_memory_dev',` +@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',` ## ## # 
@@ -6193,40 +6222,32 @@ index 76f285e..7a424f4 100644 - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_read; + read_chr_files_pattern($1, device_t, lvm_control_t) - ') - - ######################################## - ## --## Do not audit attempts to read raw memory devices --## (e.g. /dev/mem). ++') ++ ++######################################## ++## +## Read and write the lvm control device. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`dev_dontaudit_read_raw_memory',` ++## ++## ++# +interface(`dev_rw_lvm_control',` - gen_require(` -- type memory_device_t; ++ gen_require(` + type device_t, lvm_control_t; - ') - -- dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++ ') ++ + rw_chr_files_pattern($1, device_t, lvm_control_t) - ') - - ######################################## - ## --## Write raw memory devices (e.g. /dev/mem). ++') ++ ++######################################## ++## +## Do not audit attempts to read and write lvm control device. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. +## +## @@ -6295,38 +6316,10 @@ index 76f285e..7a424f4 100644 + + allow $1 self:capability sys_rawio; + typeattribute $1 memory_raw_read; -+') -+ -+######################################## -+## -+## Do not audit attempts to read raw memory devices -+## (e.g. /dev/mem). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_read_raw_memory',` -+ gen_require(` -+ type memory_device_t; -+ ') -+ -+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; -+') -+ -+######################################## -+## -+## Write raw memory devices (e.g. /dev/mem). -+## -+## -+## -+## Domain allowed access. - ## - ## - # -@@ -2725,7 +3000,7 @@ interface(`dev_write_misc',` + ') + + ######################################## +@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',` ## ## ## 
@@ -6335,7 +6328,7 @@ index 76f285e..7a424f4 100644 ## ## # -@@ -2903,20 +3178,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -6360,7 +6353,7 @@ index 76f285e..7a424f4 100644 ##

## ## -@@ -2925,43 +3200,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -6416,7 +6409,7 @@ index 76f285e..7a424f4 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3236,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',` ## ## # @@ -6433,7 +6426,7 @@ index 76f285e..7a424f4 100644 ') ######################################## -@@ -3144,6 +3410,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -6476,7 +6469,7 @@ index 76f285e..7a424f4 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3465,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -6501,7 +6494,7 @@ index 76f285e..7a424f4 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3574,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6528,7 +6521,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -3262,12 +3600,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6545,7 +6538,7 @@ index 76f285e..7a424f4 100644 ') ######################################## -@@ -3855,7 +4194,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -6554,7 +6547,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -3863,53 +4202,53 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -6619,7 +6612,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -3917,37 +4256,35 @@ interface(`dev_list_sysfs',` +@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',` ## ## # 
@@ -6664,7 +6657,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -3955,47 +4292,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -6719,7 +6712,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -4003,20 +4328,18 @@ interface(`dev_read_sysfs',` +@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',` ## ## # @@ -6742,7 +6735,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -4024,21 +4347,210 @@ interface(`dev_rw_sysfs',` +@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',` ## ## # @@ -6766,6 +6759,7 @@ index 76f285e..7a424f4 100644 -## -##

-## Allow the specified domain to read from pseudo random number +-## generator devices (e.g., /dev/urandom). Typically this is +## +##

+## Domain to not audit. @@ -6957,10 +6951,11 @@ index 76f285e..7a424f4 100644 +## +##

+## Allow the specified domain to read from pseudo random number - ## generator devices (e.g., /dev/urandom). Typically this is ++## generator devices (e.g., /dev/urandom). Typically this is ## used in situations when a cryptographically secure random ## number is not necessarily needed. One example is the Stack -@@ -4113,6 +4625,25 @@ interface(`dev_write_urand',` + ## Smashing Protector (SSP, formerly known as ProPolice) support +@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',` ######################################## ##

@@ -6986,7 +6981,7 @@ index 76f285e..7a424f4 100644 ## Getattr generic the USB devices. ## ## -@@ -4409,9 +4940,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -6998,7 +6993,7 @@ index 76f285e..7a424f4 100644 ##
## ## -@@ -4419,17 +4950,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7021,7 +7016,7 @@ index 76f285e..7a424f4 100644 ## ## ## -@@ -4437,12 +4968,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7037,7 +7032,7 @@ index 76f285e..7a424f4 100644 ') ######################################## -@@ -4539,6 +5070,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7172,7 +7167,7 @@ index 76f285e..7a424f4 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5216,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7197,7 +7192,7 @@ index 76f285e..7a424f4 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5439,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7224,7 +7219,7 @@ index 76f285e..7a424f4 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5548,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') 
@@ -15703,6 +15698,20 @@ index 1700ef2..38b597e 100644 + dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19") + +') +diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te +index 156c333..02f5a3c 100644 +--- a/policy/modules/kernel/storage.te ++++ b/policy/modules/kernel/storage.te +@@ -57,3 +57,9 @@ dev_node(tape_device_t) + + allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *; + allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *; ++ ++# Since block devices are some times used before being labeled correctly ++ifdef(`hide_broken_symptoms',` ++ dev_read_generic_blk_files(fixed_disk_raw_read) ++ dev_manage_generic_blk_files(fixed_disk_raw_write) ++') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc index 7d45d15..22c9cfe 100644 --- a/policy/modules/kernel/terminal.fc @@ -19340,10 +19349,10 @@ index 346d011..3e23acb 100644 + ') +') diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index 76d9f66..5cb2095 100644 +index 76d9f66..21c96cf 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc -@@ -1,4 +1,15 @@ +@@ -1,4 +1,16 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +HOME_DIR/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) + 
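Review bot: Under `hide_broken_symptoms` the hunk gives every `fixed_disk_raw_write` domain `dev_manage_generic_blk_files`, i.e. create/delete/write on any `device_t`-labeled block node, which reaches well beyond the "used before being labeled correctly" case the comment describes and masks exactly the mislabeling that should be fixed in the fc files or udev rules. If the workaround is kept it should be narrowed to read for both attributes, or to the specific domains that hit the denial, and the comment could record the symptom, e.g. `# Workaround: some block devices are accessed before they are relabeled (see <denial placeholder>); prefer fixing the label over widening this.` `dev_manage_generic_blk_files` is not defined in the visible part of this patch, so confirm it exists in devices.if.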
@@ -19353,13 +19362,14 @@ index 76d9f66..5cb2095 100644 +/var/lib/nocpulse/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/stickshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/openshift/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) ++/var/lib/openshift/gear/[^/]+/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/var/lib/pgsql/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) + +/etc/rc\.d/init\.d/sshd -- gen_context(system_u:object_r:sshd_initrc_exec_t,s0) /etc/ssh/primes -- gen_context(system_u:object_r:sshd_key_t,s0) /etc/ssh/ssh_host.*_key -- gen_context(system_u:object_r:sshd_key_t,s0) -@@ -8,9 +19,16 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +@@ -8,9 +20,16 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0) /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0) @@ -20792,120 +20802,135 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..9388756 100644 +index 6bf0ecc..8715521 100644 --- a/policy/modules/services/xserver.if 
+++ b/policy/modules/services/xserver.if -@@ -19,9 +19,10 @@ +@@ -18,100 +18,37 @@ + # interface(`xserver_restricted_role',` gen_require(` - type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; +- type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t; - type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; -+ type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t; - type iceauth_t, iceauth_exec_t, iceauth_home_t; - type xauth_t, xauth_exec_t, xauth_home_t; -+ class dbus send_msg; +- type iceauth_t, iceauth_exec_t, iceauth_home_t; +- type xauth_t, xauth_exec_t, xauth_home_t; ++ type xserver_t, xauth_t, iceauth_t; ++ attribute dridomain, x_userdomain; ') role $1 types { xserver_t xauth_t iceauth_t }; -@@ -30,12 +31,13 @@ interface(`xserver_restricted_role',` - allow xserver_t $2:fd use; - allow xserver_t $2:shm rw_shm_perms; ++ typeattribute $2 x_userdomain, dridomain; +- # Xserver read/write client shm +- allow xserver_t $2:fd use; +- allow xserver_t $2:shm rw_shm_perms; +- - allow xserver_t $2:process signal; -+ allow xserver_t $2:process { getpgid signal }; - - allow xserver_t $2:shm rw_shm_perms; - - allow $2 user_fonts_t:dir list_dir_perms; - allow $2 user_fonts_t:file read_file_perms; -+ allow $2 user_fonts_t:lnk_file read_lnk_file_perms; - - allow $2 user_fonts_config_t:dir list_dir_perms; - allow $2 user_fonts_config_t:file read_file_perms; -@@ -44,6 +46,8 @@ interface(`xserver_restricted_role',` - manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) - - stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) -+ allow $2 xserver_tmp_t:sock_file delete_sock_file_perms; -+ dontaudit $2 xdm_tmp_t:sock_file setattr_sock_file_perms; - files_search_tmp($2) - - # Communicate via System V shared memory. 
-@@ -69,17 +73,21 @@ interface(`xserver_restricted_role',` - - # for when /tmp/.X11-unix is created by the system - allow $2 xdm_t:fd use; +- +- allow xserver_t $2:shm rw_shm_perms; +- +- allow $2 user_fonts_t:dir list_dir_perms; +- allow $2 user_fonts_t:file read_file_perms; +- +- allow $2 user_fonts_config_t:dir list_dir_perms; +- allow $2 user_fonts_config_t:file read_file_perms; +- +- manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t) +- manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) +- +- stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) +- files_search_tmp($2) +- +- # Communicate via System V shared memory. +- allow $2 xserver_t:shm r_shm_perms; +- allow $2 xserver_tmpfs_t:file read_file_perms; +- +- # allow ps to show iceauth +- ps_process_pattern($2, iceauth_t) +- +- domtrans_pattern($2, iceauth_exec_t, iceauth_t) +- +- allow $2 iceauth_home_t:file read_file_perms; +- +- domtrans_pattern($2, xauth_exec_t, xauth_t) +- +- allow $2 xauth_t:process signal; +- +- # allow ps to show xauth +- ps_process_pattern($2, xauth_t) +- allow $2 xserver_t:process signal; +- +- allow $2 xauth_home_t:file read_file_perms; +- +- # for when /tmp/.X11-unix is created by the system +- allow $2 xdm_t:fd use; - allow $2 xdm_t:fifo_file { getattr read write ioctl }; - allow $2 xdm_tmp_t:dir search; - allow $2 xdm_tmp_t:sock_file { read write }; -+ allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms; -+ allow $2 xdm_tmp_t:dir search_dir_perms; -+ allow $2 xdm_tmp_t:sock_file rw_inherited_sock_file_perms; - dontaudit $2 xdm_t:tcp_socket { read write }; -+ dontaudit $2 xdm_tmp_t:dir setattr_dir_perms; -+ -+ allow $2 xdm_t:dbus send_msg; -+ allow xdm_t $2:dbus send_msg; - - # Client read xserver shm - allow $2 xserver_t:fd use; - allow $2 xserver_tmpfs_t:file read_file_perms; - - # Read /tmp/.X0-lock +- dontaudit $2 xdm_t:tcp_socket { read write }; +- +- # Client read xserver shm +- allow $2 xserver_t:fd use; +- allow $2 
xserver_tmpfs_t:file read_file_perms; +- +- # Read /tmp/.X0-lock - allow $2 xserver_tmp_t:file { getattr read }; -+ allow $2 xserver_tmp_t:file read_inherited_file_perms; - - dev_rw_xserver_misc($2) - dev_rw_power_management($2) -@@ -88,15 +96,17 @@ interface(`xserver_restricted_role',` - dev_write_misc($2) - # open office is looking for the following - dev_getattr_agp_dev($2) +- +- dev_rw_xserver_misc($2) +- dev_rw_power_management($2) +- dev_read_input($2) +- dev_read_misc($2) +- dev_write_misc($2) +- # open office is looking for the following +- dev_getattr_agp_dev($2) - dev_dontaudit_rw_dri($2) -+ - # GNOME checks for usb and other devices: - dev_rw_usbfs($2) - - miscfiles_read_fonts($2) -+ miscfiles_setattr_fonts_cache_dirs($2) -+ miscfiles_read_hwdata($2) +- # GNOME checks for usb and other devices: +- dev_rw_usbfs($2) +- +- miscfiles_read_fonts($2) ++ xserver_common_x_domain_template(user,$2) ++ xserver_stream_connect_xdm($2) ++ xserver_xdm_append_log($2) - xserver_common_x_domain_template(user, $2) - xserver_domtrans($2) +- xserver_common_x_domain_template(user, $2) +- xserver_domtrans($2) - xserver_unconfined($2) -+ #xserver_unconfined($2) - xserver_xsession_entry_type($2) - xserver_dontaudit_write_log($2) - xserver_stream_connect_xdm($2) -@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',` - xserver_create_xdm_tmp_sockets($2) - # Needed for escd, remove if we get escd policy - xserver_manage_xdm_tmp_files($2) -+ xserver_read_xdm_etc_files($2) -+ xserver_xdm_append_log($2) -+ -+ term_use_virtio_console($2) -+ +- xserver_xsession_entry_type($2) +- xserver_dontaudit_write_log($2) +- xserver_stream_connect_xdm($2) +- # certain apps want to read xdm.pid file +- xserver_read_xdm_pid($2) +- # gnome-session creates socket under /tmp/.ICE-unix/ +- xserver_create_xdm_tmp_sockets($2) +- # Needed for escd, remove if we get escd policy +- xserver_manage_xdm_tmp_files($2) + modutils_run_insmod(xserver_t, $1) ++ xserver_dri_domain($2) ++') - # Client write 
xserver shm +- # Client write xserver shm - tunable_policy(`allow_write_xshm',` -+ tunable_policy(`xserver_clients_write_xshm',` - allow $2 xserver_t:shm rw_shm_perms; - allow $2 xserver_tmpfs_t:file rw_file_perms; +- allow $2 xserver_t:shm rw_shm_perms; +- allow $2 xserver_tmpfs_t:file rw_file_perms; ++######################################## ++## ++## Domain wants to use direct io devices ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_dri_domain',` ++ gen_require(` ++ attribute dridomain; ') + -+ tunable_policy(`selinuxuser_direct_dri_enabled',` -+ dev_rw_dri($2) -+ ') -+ -+ optional_policy(` -+ gnome_read_gconf_config($2) -+ ') ++ typeattribute $1 dridomain; ') ######################################## -@@ -143,13 +167,15 @@ interface(`xserver_role',` +@@ -143,13 +80,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -20923,7 +20948,7 @@ index 6bf0ecc..9388756 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +188,6 @@ interface(`xserver_role',` +@@ -162,7 +101,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -20931,7 +20956,7 @@ index 6bf0ecc..9388756 100644 ') ####################################### -@@ -197,7 +222,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +135,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -20940,7 +20965,7 @@ index 6bf0ecc..9388756 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +252,7 @@ interface(`xserver_rw_session',` +@@ -227,7 +165,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') 
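Review bot: The rewritten `xserver_restricted_role` calls `xserver_dri_domain($2)` unconditionally, whereas the version it replaces granted `dev_rw_dri($2)` only under `tunable_policy(`selinuxuser_direct_dri_enabled', ...)`; unless the rules attached to the `dridomain` attribute in xserver.te (outside this hunk) are themselves gated by that boolean, restricted-role user domains lose the ability to turn direct DRI access off. The same applies to `xserver_clients_write_xshm`, whose gate disappears from this interface together with the explicit shm, font and xdm rules; a comment such as `# shm, font, xdm and DRI rules are attached to x_userdomain/dridomain in xserver.te` would tell the reader where they went. The new `xserver_dri_domain` summary `Domain wants to use direct io devices` reads like a slip for direct rendering (DRI) devices, given the `dev_rw_dri` it replaces; `## Make the domain a DRI client (dridomain attribute).` would match what the body does.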
@@ -20949,7 +20974,7 @@ index 6bf0ecc..9388756 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',` +@@ -255,7 +193,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; @@ -20958,7 +20983,7 @@ index 6bf0ecc..9388756 100644 allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; -@@ -291,13 +316,13 @@ interface(`xserver_user_client',` +@@ -291,13 +229,13 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -20976,7 +21001,7 @@ index 6bf0ecc..9388756 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -316,7 +341,7 @@ interface(`xserver_user_client',` +@@ -316,7 +254,7 @@ interface(`xserver_user_client',` xserver_read_xdm_tmp_files($1) # Client write xserver shm @@ -20985,7 +21010,7 @@ index 6bf0ecc..9388756 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -342,19 +367,23 @@ interface(`xserver_user_client',` +@@ -342,19 +280,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` @@ -21012,7 +21037,7 @@ index 6bf0ecc..9388756 100644 ') ############################## -@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +328,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -21028,7 +21053,7 @@ index 6bf0ecc..9388756 100644 ') ####################################### -@@ -444,8 +482,9 @@ template(`xserver_object_types_template',` +@@ -444,8 +395,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` 
@@ -21040,7 +21065,7 @@ index 6bf0ecc..9388756 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +495,13 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +408,13 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; @@ -21056,7 +21081,7 @@ index 6bf0ecc..9388756 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +513,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +426,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -21086,7 +21111,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -517,6 +564,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +477,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; @@ -21094,7 +21119,7 @@ index 6bf0ecc..9388756 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -547,6 +595,42 @@ interface(`xserver_domtrans_xauth',` +@@ -547,6 +508,42 @@ interface(`xserver_domtrans_xauth',` domtrans_pattern($1, xauth_exec_t, xauth_t) ') @@ -21137,7 +21162,7 @@ index 6bf0ecc..9388756 100644 ######################################## ## ## Create a Xauthority file in the user home directory. -@@ -567,6 +651,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` +@@ -567,6 +564,24 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',` ######################################## ## @@ -21162,7 +21187,7 @@ index 6bf0ecc..9388756 100644 ## Read all users fonts, user font configurations, ## and manage all users font caches. ## -@@ -598,6 +700,25 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +613,25 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) 
@@ -21188,7 +21213,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -615,7 +736,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +649,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -21197,7 +21222,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -638,6 +759,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +672,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -21223,7 +21248,7 @@ index 6bf0ecc..9388756 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +791,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +704,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -21232,7 +21257,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -670,7 +810,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +723,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -21241,7 +21266,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -688,7 +828,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +741,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') @@ -21250,7 +21275,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -703,12 +843,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +756,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -21264,7 +21289,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -765,11 +904,92 @@ interface(`xserver_manage_xdm_spool_files',` +@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',` # interface(`xserver_stream_connect_xdm',` gen_require(` 
@@ -21359,7 +21384,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -793,6 +1013,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -793,6 +926,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -21385,7 +21410,7 @@ index 6bf0ecc..9388756 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -806,7 +1045,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -806,7 +958,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -21412,7 +21437,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -846,7 +1103,26 @@ interface(`xserver_read_xdm_pid',` +@@ -846,7 +1016,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -21440,7 +21465,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -869,6 +1145,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -869,6 +1058,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -21465,14 +21490,15 @@ index 6bf0ecc..9388756 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -938,7 +1232,26 @@ interface(`xserver_getattr_log',` +@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) - allow $1 xserver_log_t:file getattr; + allow $1 xserver_log_t:file getattr_file_perms; -+') -+ + ') + +-######################################## +####################################### +## +## Allow domain to read X server logs. @@ -21490,10 +21516,13 @@ index 6bf0ecc..9388756 100644 + + logging_search_logs($1) + allow $1 xserver_log_t:file read_file_perms; - ') - - ######################################## -@@ -957,7 +1270,7 @@ interface(`xserver_dontaudit_write_log',` ++') ++ ++######################################## + ## + ## Do not audit attempts to write the X server + ## log files. +@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') 
@@ -21502,167 +21531,84 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -1004,7 +1317,7 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',` ######################################## ## --## Read xdm temporary files. +## dontaudit access checks X keyboard extension libraries. - ## - ## - ## -@@ -1012,56 +1325,57 @@ interface(`xserver_read_xkb_libs',` - ## - ## - # --interface(`xserver_read_xdm_tmp_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`xserver_dontaudit_xkb_libs_access',` - gen_require(` -- type xdm_tmp_t; -+ type xkb_var_lib_t; - ') - -- files_search_tmp($1) -- read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ dontaudit $1 xkb_var_lib_t:dir audit_access; -+ dontaudit $1 xkb_var_lib_t:file audit_access; - ') - - ######################################## - ## --## Do not audit attempts to read xdm temporary files. -+## Read xdm config files. - ## - ## - ## --## Domain to not audit. -+## Domain to not audit - ## - ## - # --interface(`xserver_dontaudit_read_xdm_tmp_files',` -+interface(`xserver_read_xdm_etc_files',` - gen_require(` -- type xdm_tmp_t; -+ type xdm_etc_t; - ') - -- dontaudit $1 xdm_tmp_t:dir search_dir_perms; -- dontaudit $1 xdm_tmp_t:file read_file_perms; -+ files_search_etc($1) -+ read_files_pattern($1, xdm_etc_t, xdm_etc_t) -+ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) - ') - - ######################################## - ## --## Read write xdm temporary files. -+## Manage xdm config files. - ## - ## - ## --## Domain allowed access. 
-+## Domain to not audit - ## - ## - # --interface(`xserver_rw_xdm_tmp_files',` -+interface(`xserver_manage_xdm_etc_files',` - gen_require(` -- type xdm_tmp_t; -+ type xdm_etc_t; - ') - -- allow $1 xdm_tmp_t:dir search_dir_perms; -- allow $1 xdm_tmp_t:file rw_file_perms; -+ files_search_etc($1) -+ manage_files_pattern($1, xdm_etc_t, xdm_etc_t) - ') - - ######################################## - ## --## Create, read, write, and delete xdm temporary files. -+## Read xdm temporary files. - ## - ## - ## -@@ -1069,18 +1383,18 @@ interface(`xserver_rw_xdm_tmp_files',` - ## - ## - # --interface(`xserver_manage_xdm_tmp_files',` -+interface(`xserver_read_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - -- manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) -+ files_search_tmp($1) -+ read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of --## xdm temporary named sockets. -+## Do not audit attempts to read xdm temporary files. - ## - ## - ## -@@ -1088,12 +1402,105 @@ interface(`xserver_manage_xdm_tmp_files',` - ## - ## - # --interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` -+interface(`xserver_dontaudit_read_xdm_tmp_files',` + gen_require(` -+ type xdm_tmp_t; ++ type xkb_var_lib_t; + ') + -+ dontaudit $1 xdm_tmp_t:dir search_dir_perms; -+ dontaudit $1 xdm_tmp_t:file read_file_perms; ++ dontaudit $1 xkb_var_lib_t:dir audit_access; ++ dontaudit $1 xkb_var_lib_t:file audit_access; +') + +######################################## +## -+## Read write xdm temporary files. ++## Read xdm config files. +## +## +## -+## Domain allowed access. 
++## Domain to not audit +## +## +# -+interface(`xserver_rw_xdm_tmp_files',` ++interface(`xserver_read_xdm_etc_files',` + gen_require(` -+ type xdm_tmp_t; ++ type xdm_etc_t; + ') + -+ allow $1 xdm_tmp_t:dir search_dir_perms; -+ allow $1 xdm_tmp_t:file rw_file_perms; ++ files_search_etc($1) ++ read_files_pattern($1, xdm_etc_t, xdm_etc_t) ++ read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## -+## Create, read, write, and delete xdm temporary files. ++## Manage xdm config files. +## +## +## -+## Domain allowed access. ++## Domain to not audit +## +## +# -+interface(`xserver_manage_xdm_tmp_files',` - gen_require(` - type xdm_tmp_t; - ') - -- dontaudit $1 xdm_tmp_t:sock_file getattr; -+ manage_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ++interface(`xserver_manage_xdm_etc_files',` ++ gen_require(` ++ type xdm_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_files_pattern($1, xdm_etc_t, xdm_etc_t) +') + +######################################## +## + ## Read xdm temporary files. + ## + ## +@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',` + type xdm_tmp_t; + ') + +- files_search_tmp($1) ++ files_search_tmp($1) + read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) + ') + +@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',` + + ######################################## + ## +## Create, read, write, and delete xdm temporary dirs. +## +## 
@@ -21699,25 +21645,19 @@ index 6bf0ecc..9388756 100644 + +######################################## +## -+## Do not audit attempts to get the attributes of -+## xdm temporary named sockets. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` -+ gen_require(` -+ type xdm_tmp_t; -+ ') -+ + ## Do not audit attempts to get the attributes of + ## xdm temporary named sockets. + ## +@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` + type xdm_tmp_t; + ') + +- dontaudit $1 xdm_tmp_t:sock_file getattr; + dontaudit $1 xdm_tmp_t:sock_file getattr_sock_file_perms; ') ######################################## -@@ -1111,8 +1518,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -21729,7 +21669,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -1210,6 +1619,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -21755,7 +21695,7 @@ index 6bf0ecc..9388756 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1654,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -21782,7 +21722,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -1251,7 +1699,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the 
@@ -21791,7 +21731,7 @@ index 6bf0ecc..9388756 100644 ## ## ## -@@ -1261,13 +1709,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1622,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -21816,7 +21756,7 @@ index 6bf0ecc..9388756 100644 ') ######################################## -@@ -1284,10 +1742,604 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1655,604 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -22424,10 +22364,10 @@ index 6bf0ecc..9388756 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..4690551 100644 +index 2696452..fcf58c6 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te -@@ -26,27 +26,57 @@ gen_require(` +@@ -26,28 +26,59 @@ gen_require(` # ## @@ -22492,9 +22432,11 @@ index 2696452..4690551 100644 +attribute xdmhomewriter; +attribute x_userdomain; attribute x_domain; ++attribute dridomain; # X Events -@@ -107,44 +137,54 @@ xserver_object_types_template(remote) + attribute xevent_type; +@@ -107,44 +138,54 @@ xserver_object_types_template(remote) xserver_common_x_domain_template(remote, remote_t) type user_fonts_t; @@ -22550,7 +22492,7 @@ index 2696452..4690551 100644 typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t }; userdom_user_tmp_file(xauth_tmp_t) -@@ -154,19 +194,28 @@ files_type(xconsole_device_t) +@@ -154,19 +195,28 @@ files_type(xconsole_device_t) fs_associate_tmpfs(xconsole_device_t) files_associate_tmp(xconsole_device_t) @@ -22581,7 +22523,7 @@ index 2696452..4690551 100644 type xdm_var_lib_t; files_type(xdm_var_lib_t) -@@ -174,13 +223,27 @@ files_type(xdm_var_lib_t) +@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t) type xdm_var_run_t; files_pid_file(xdm_var_run_t) 
@@ -22610,7 +22552,7 @@ index 2696452..4690551 100644 # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -193,14 +256,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; +@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) @@ -22629,7 +22571,7 @@ index 2696452..4690551 100644 userdom_user_tmpfs_file(xserver_tmpfs_t) type xsession_exec_t; -@@ -225,21 +286,33 @@ optional_policy(` +@@ -225,21 +287,33 @@ optional_policy(` # allow iceauth_t iceauth_home_t:file manage_file_perms; @@ -22672,7 +22614,7 @@ index 2696452..4690551 100644 ') ######################################## -@@ -247,48 +320,83 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,83 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -22767,7 +22709,7 @@ index 2696452..4690551 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +407,106 @@ optional_policy(` +@@ -299,64 +408,106 @@ optional_policy(` # XDM Local policy # @@ -22884,7 +22826,7 @@ index 2696452..4690551 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +515,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +516,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
@@ -22914,7 +22856,7 @@ index 2696452..4690551 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +545,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +546,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -22967,7 +22909,7 @@ index 2696452..4690551 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +597,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +598,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -22996,7 +22938,7 @@ index 2696452..4690551 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +627,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +628,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23043,7 +22985,7 @@ index 2696452..4690551 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +672,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +673,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23194,7 +23136,7 @@ index 2696452..4690551 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +823,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +824,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23221,7 +23163,7 @@ index 2696452..4690551 100644 ') optional_policy(` -@@ -514,12 +850,72 @@ optional_policy(` +@@ -514,12 +851,72 @@ optional_policy(` ') optional_policy(` 
@@ -23294,7 +23236,7 @@ index 2696452..4690551 100644 hostname_exec(xdm_t) ') -@@ -537,28 +933,78 @@ optional_policy(` +@@ -537,28 +934,78 @@ optional_policy(` ') optional_policy(` @@ -23382,7 +23324,7 @@ index 2696452..4690551 100644 ') optional_policy(` -@@ -570,6 +1016,14 @@ optional_policy(` +@@ -570,6 +1017,14 @@ optional_policy(` ') optional_policy(` @@ -23397,7 +23339,7 @@ index 2696452..4690551 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23410,7 +23352,7 @@ index 2696452..4690551 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23426,7 +23368,7 @@ index 2696452..4690551 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -23437,7 +23379,7 @@ index 2696452..4690551 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23459,7 +23401,7 @@ index 2696452..4690551 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23473,7 +23415,7 @@ index 2696452..4690551 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23505,7 +23447,7 @@ index 2696452..4690551 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23523,7 +23465,7 @@ index 2696452..4690551 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1197,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1198,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -23547,7 +23489,7 @@ index 2696452..4690551 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23556,7 +23498,7 @@ index 2696452..4690551 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1260,44 @@ optional_policy(` +@@ -775,16 +1261,44 @@ optional_policy(` ') optional_policy(` @@ -23602,7 +23544,7 @@ index 2696452..4690551 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1306,10 @@ optional_policy(` +@@ -793,6 +1307,10 @@ optional_policy(` ') optional_policy(` @@ -23613,7 +23555,7 @@ index 2696452..4690551 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23627,7 +23569,7 @@ index 2696452..4690551 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23636,7 +23578,7 @@ index 2696452..4690551 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1349,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1350,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -23671,7 +23613,7 @@ index 2696452..4690551 100644 ') optional_policy(` -@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23680,7 +23622,7 @@ index 2696452..4690551 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23712,7 +23654,7 @@ index 2696452..4690551 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1514,41 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') 
@@ -23769,6 +23711,115 @@ index 2696452..4690551 100644 + unconfined_domain(xdm_unconfined_t) +') + ++# X Userdomain ++# Xserver read/write client shm ++allow xserver_t x_userdomain:fd use; ++allow xserver_t x_userdomain:shm rw_shm_perms; ++ ++allow xserver_t x_userdomain:process { getpgid signal }; ++ ++allow xserver_t x_userdomain:shm rw_shm_perms; ++ ++allow x_userdomain user_fonts_t:dir list_dir_perms; ++allow x_userdomain user_fonts_t:file read_file_perms; ++allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms; ++ ++allow x_userdomain user_fonts_config_t:dir list_dir_perms; ++allow x_userdomain user_fonts_config_t:file read_file_perms; ++ ++manage_dirs_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) ++manage_files_pattern(x_userdomain, user_fonts_cache_t, user_fonts_cache_t) ++ ++stream_connect_pattern(x_userdomain, xserver_tmp_t, xserver_tmp_t, xserver_t) ++allow x_userdomain xserver_tmp_t:sock_file delete_sock_file_perms; ++dontaudit x_userdomain xdm_tmp_t:sock_file setattr_sock_file_perms; ++files_search_tmp(x_userdomain) ++ ++# Communicate via System V shared memory. 
++allow x_userdomain xserver_t:shm r_shm_perms; ++allow x_userdomain xserver_tmpfs_t:file read_file_perms; ++ ++# allow ps to show iceauth ++ps_process_pattern(x_userdomain, iceauth_t) ++ ++domtrans_pattern(x_userdomain, iceauth_exec_t, iceauth_t) ++ ++allow x_userdomain iceauth_home_t:file read_file_perms; ++ ++domtrans_pattern(x_userdomain, xauth_exec_t, xauth_t) ++ ++allow x_userdomain xauth_t:process signal; ++ ++# allow ps to show xauth ++ps_process_pattern(x_userdomain, xauth_t) ++allow x_userdomain xserver_t:process signal; ++ ++allow x_userdomain xauth_home_t:file read_file_perms; ++ ++# for when /tmp/.X11-unix is created by the system ++allow x_userdomain xdm_t:fd use; ++allow x_userdomain xdm_t:fifo_file rw_inherited_fifo_file_perms; ++allow x_userdomain xdm_tmp_t:dir search_dir_perms; ++allow x_userdomain xdm_tmp_t:sock_file rw_inherited_sock_file_perms; ++dontaudit x_userdomain xdm_t:tcp_socket { read write }; ++dontaudit x_userdomain xdm_tmp_t:dir setattr_dir_perms; ++ ++allow x_userdomain xdm_t:dbus send_msg; ++allow xdm_t x_userdomain:dbus send_msg; ++ ++# Client read xserver shm ++allow x_userdomain xserver_t:fd use; ++allow x_userdomain xserver_tmpfs_t:file read_file_perms; ++ ++# Read /tmp/.X0-lock ++allow x_userdomain xserver_tmp_t:file read_inherited_file_perms; ++ ++dev_rw_xserver_misc(x_userdomain) ++dev_rw_power_management(x_userdomain) ++dev_read_input(x_userdomain) ++dev_read_misc(x_userdomain) ++dev_write_misc(x_userdomain) ++# open office is looking for the following ++dev_getattr_agp_dev(x_userdomain) ++ ++# GNOME checks for usb and other devices: ++dev_rw_usbfs(x_userdomain) ++ ++miscfiles_read_fonts(x_userdomain) ++miscfiles_setattr_fonts_cache_dirs(x_userdomain) ++miscfiles_read_hwdata(x_userdomain) ++ ++#xserver_common_x_domain_template(user, x_userdomain) ++xserver_domtrans(x_userdomain) ++#xserver_unconfined(x_userdomain) ++xserver_xsession_entry_type(x_userdomain) ++xserver_dontaudit_write_log(x_userdomain) 
++#xserver_stream_connect_xdm(x_userdomain) ++# certain apps want to read xdm.pid file ++xserver_read_xdm_pid(x_userdomain) ++# gnome-session creates socket under /tmp/.ICE-unix/ ++xserver_create_xdm_tmp_sockets(x_userdomain) ++# Needed for escd, remove if we get escd policy ++xserver_manage_xdm_tmp_files(x_userdomain) ++xserver_read_xdm_etc_files(x_userdomain) ++#xserver_xdm_append_log(x_userdomain) ++ ++term_use_virtio_console(x_userdomain) ++# Client write xserver shm ++tunable_policy(`xserver_clients_write_xshm',` ++ allow x_userdomain xserver_t:shm rw_shm_perms; ++ allow x_userdomain xserver_tmpfs_t:file rw_file_perms; ++') ++ ++optional_policy(` ++ gnome_read_gconf_config(x_userdomain) ++') ++ ++tunable_policy(`selinuxuser_direct_dri_enabled',` ++ dev_rw_dri(dridomain) ++',` ++ dev_dontaudit_rw_dri(dridomain) ++') diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if index 1b6619e..be02b96 100644 --- a/policy/modules/system/application.if @@ -34113,6 +34164,32 @@ index bea4629..06e2834 100644 + /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) +/var/run/mcstransd\.pid gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh) +diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if +index efa9c27..536a514 100644 +--- a/policy/modules/system/setrans.if ++++ b/policy/modules/system/setrans.if +@@ -40,3 +40,21 @@ interface(`setrans_translate_context',` + stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) + files_list_pids($1) + ') ++####################################### ++## ++## Allow a domain to manage pid files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setrans_manage_pid_files',` ++ gen_require(` ++ type setrans_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t) ++') 
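Review bot: Two rules in the new x_userdomain block are exact duplicates — `allow xserver_t x_userdomain:shm rw_shm_perms;` appears under the "Xserver read/write client shm" comment and again three lines later, and `allow x_userdomain xserver_tmpfs_t:file read_file_perms;` appears under both the System V shm comment and the "Client read xserver shm" comment — so the second copy of each should be dropped. The closing `tunable_policy(`selinuxuser_direct_dri_enabled', ...)` keys off the `dridomain` attribute declared earlier in this xserver.te diff, but no `typeattribute ... dridomain;` is visible anywhere in this chunk and neither is a `gen_tunable(selinuxuser_direct_dri_enabled, ...)` declaration, so unless both live in hunks outside this view the DRI toggle grants nothing. From a least-privilege standpoint `dev_rw_usbfs(x_userdomain)` hands every X client read/write access to raw USB device nodes on the strength of "GNOME checks for usb and other devices"; if the check is only enumeration, `dev_getattr_usbfs_dirs(x_userdomain)` or `dev_list_usbfs(x_userdomain)` may suffice, or the rule could be made conditional. Likewise `xserver_manage_xdm_tmp_files(x_userdomain)` is justified only by the escd workaround comment, which should name a tracking bug so the rule is actually removed when escd policy lands.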
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 1447687..d5e6fb9 100644 --- a/policy/modules/system/setrans.te @@ -34490,7 +34567,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..9c7aa79 100644 +index b7686d5..431d2f1 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -34706,13 +34783,14 @@ index b7686d5..9c7aa79 100644 ') optional_policy(` -@@ -259,12 +302,20 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +302,21 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; +allow ifconfig_t self:appletalk_socket create_socket_perms; # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; ++allow ifconfig_t self:netlink_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; allow ifconfig_t self:tcp_socket { create ioctl }; @@ -34727,7 +34805,7 @@ index b7686d5..9c7aa79 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +325,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +326,29 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -34757,7 +34835,7 @@ index b7686d5..9c7aa79 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +360,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +361,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) 
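Review bot: The summary of the new `setrans_manage_pid_files` interface, `## Allow a domain to manage pid files`, does not say whose pid files; it should read `## Create, read, write, and delete setrans (mcstransd) pid files.` so policy authors do not read it as a generic pid-file interface. The accompanying .fc entry labels `/var/run/mcstransd\.pid` (and the `/var/run/setrans` tree) with `mls_systemhigh`, so on an MLS build a caller that is not cleared to systemhigh will still be refused by the MLS constraints even with this interface; a comment on the interface such as `# setrans_var_run_t is mls_systemhigh; MLS callers also need a write-up override` would save the next user a confusing denial. Minor style: the banner above the interface appears to be one `#` shorter than the 40-character banners used elsewhere in the file, and no blank line separates it from the preceding interface's closing `')`.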
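Review bot: `allow ifconfig_t self:netlink_socket create_socket_perms;` grants the generic netlink class, which stands in for every netlink family that lacks a dedicated SELinux class (NETLINK_GENERIC, NETLINK_NETFILTER and others), whereas the neighbouring rules deliberately use the narrow `netlink_route_socket` and `netlink_xfrm_socket` classes. Since the line sits in the `# for /sbin/ip` group, a comment naming the family that produced the denial, e.g. `# ip/iw use NETLINK_GENERIC, which has no dedicated class yet`, would let a future kernel class split replace the catch-all with the narrow class. If the family is not known, it is worth checking the AVC before keeping the broad class.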
@@ -34785,7 +34863,7 @@ index b7686d5..9c7aa79 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +384,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +385,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -34808,7 +34886,7 @@ index b7686d5..9c7aa79 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +410,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +411,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -34822,7 +34900,7 @@ index b7686d5..9c7aa79 100644 ') optional_policy(` -@@ -339,7 +423,15 @@ optional_policy(` +@@ -339,7 +424,15 @@ optional_policy(` ') optional_policy(` @@ -34839,7 +34917,7 @@ index b7686d5..9c7aa79 100644 ') optional_policy(` -@@ -360,3 +452,13 @@ optional_policy(` +@@ -360,3 +453,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 74e826a..203ed18 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -6956,7 +6956,7 @@ index 1a7a97e..1d29dce 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 3590e2f..5d9ac1d 100644 +index 3590e2f..e1494bd 100644 --- a/apm.te +++ b/apm.te @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) 
@@ -6987,16 +6987,26 @@ index 3590e2f..5d9ac1d 100644 allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; -@@ -115,8 +118,6 @@ fs_dontaudit_getattr_all_symlinks(apmd_t) +@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t) + fs_dontaudit_getattr_all_symlinks(apmd_t) fs_dontaudit_getattr_all_pipes(apmd_t) fs_dontaudit_getattr_all_sockets(apmd_t) - --selinux_search_fs(apmd_t) - +-selinux_search_fs(apmd_t) ++fs_read_cgroup_files(apmd_t) + corecmd_exec_all_executables(apmd_t) - domain_read_all_domains_state(apmd_t) -@@ -136,17 +137,16 @@ libs_exec_lib_files(apmd_t) +@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) + auth_use_nsswitch(apmd_t) + + init_domtrans_script(apmd_t) ++init_read_utmp(apmd_t) ++init_telinit(apmd_t) + + libs_exec_ld_so(apmd_t) + libs_exec_lib_files(apmd_t) +@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) @@ -7016,7 +7026,7 @@ index 3590e2f..5d9ac1d 100644 optional_policy(` automount_domtrans(apmd_t) -@@ -206,11 +206,15 @@ optional_policy(` +@@ -206,11 +209,15 @@ optional_policy(` ') optional_policy(` @@ -10908,7 +10918,7 @@ index 32e8265..0de4af3 100644 + allow $1 chronyd_unit_file_t:service all_service_perms; ') diff --git a/chronyd.te b/chronyd.te -index 914ee2d..1544e9b 100644 +index 914ee2d..72fab35 100644 --- a/chronyd.te +++ b/chronyd.te @@ -18,6 +18,9 @@ files_type(chronyd_keys_t) 
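Review bot: `init_telinit(apmd_t)` lets apmd run telinit and therefore change runlevel or halt the machine, and it is added next to `init_read_utmp(apmd_t)` with no explanatory comment; since apmd's legitimate use for this is its power-event scripts, a comment such as `# apm event scripts call telinit/shutdown on power button or low battery` (if that is the trigger — confirm from the denial) would record why a daemon now holds that ability. The same hunk drops `selinux_search_fs(apmd_t)` and adds `fs_read_cgroup_files(apmd_t)` in its place; if the cgroup read stems from the same scripts, note it in that comment so the two additions are not mistaken for unrelated leftovers.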
@@ -10926,7 +10936,7 @@ index 914ee2d..1544e9b 100644 # -allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time }; -+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time }; ++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time }; allow chronyd_t self:process { getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; +allow chronyd_t self:udp_socket create_socket_perms; @@ -19484,7 +19494,7 @@ index d294865..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index ff933af..101bc81 100644 +index ff933af..d75b565 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) @@ -19550,15 +19560,17 @@ index ff933af..101bc81 100644 dev_getattr_usbfs_dirs(devicekit_disk_t) dev_manage_generic_files(devicekit_disk_t) dev_read_urand(devicekit_disk_t) -@@ -117,7 +119,6 @@ files_manage_boot_dirs(devicekit_disk_t) +@@ -116,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t) + files_manage_boot_dirs(devicekit_disk_t) files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) ++files_manage_etc_files(devicekit_disk_t) files_read_etc_runtime_files(devicekit_disk_t) -files_read_usr_files(devicekit_disk_t) fs_getattr_all_fs(devicekit_disk_t) fs_list_inotifyfs(devicekit_disk_t) -@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) +@@ -134,16 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t) storage_raw_read_removable_device(devicekit_disk_t) storage_raw_write_removable_device(devicekit_disk_t) @@ -19579,7 +19591,7 @@ index ff933af..101bc81 100644 dbus_system_bus_client(devicekit_disk_t) allow devicekit_disk_t devicekit_t:dbus send_msg; -@@ -167,6 +170,7 @@ optional_policy(` +@@ -167,6 +171,7 @@ optional_policy(` optional_policy(` mount_domtrans(devicekit_disk_t) 
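Review bot: The chronyd_t capability set grows by `sys_nice` with no comment; CAP_SYS_NICE lets the daemon put itself on a real-time scheduling class, which is presumably for chrony's `sched_priority` directive (confirm from the AVC) and deserves a note such as `# sys_nice: chrony.conf sched_priority (SCHED_FIFO)` so a later reviewer does not read it as leftover. Because it is an unconditional allow, if the directive is rarely used in the shipped chrony.conf a `tunable_policy` or a dontaudit might be the safer default, but that depends on how the distribution configures chrony.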
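Review bot: `files_manage_etc_files(devicekit_disk_t)` gives the udisks daemon create, write and unlink rights over every `etc_t` file, not just the one it needs (most likely /etc/fstab, though the motivating denial is not visible in this hunk); because `etc_t` covers the bulk of /etc (ld.so.conf, profile, pam.d and so on), a compromise of the daemon would become a straightforward root-persistence path. Prefer a dedicated type for the edited file with `files_etc_filetrans(devicekit_disk_t, <type>, file, "fstab")` plus a manage rule on that type, or at minimum `files_rw_etc_files(devicekit_disk_t)` if only in-place rewrites are needed. Whichever rule is kept, put the reason on the line, e.g. `# udisks rewrites /etc/fstab for user mount options`.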
@@ -19587,7 +19599,7 @@ index ff933af..101bc81 100644 ') optional_policy(` -@@ -180,6 +184,11 @@ optional_policy(` +@@ -180,6 +185,11 @@ optional_policy(` ') optional_policy(` @@ -19599,7 +19611,7 @@ index ff933af..101bc81 100644 udev_domtrans(devicekit_disk_t) udev_read_db(devicekit_disk_t) ') -@@ -188,12 +197,19 @@ optional_policy(` +@@ -188,12 +198,19 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -19620,7 +19632,7 @@ index ff933af..101bc81 100644 allow devicekit_power_t self:process { getsched signal_perms }; allow devicekit_power_t self:fifo_file rw_fifo_file_perms; allow devicekit_power_t self:unix_dgram_socket create_socket_perms; -@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) +@@ -207,9 +224,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) @@ -19631,7 +19643,7 @@ index ff933af..101bc81 100644 logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file) manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t) -@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t) +@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_runtime_files(devicekit_power_t) @@ -19651,7 +19663,7 @@ index ff933af..101bc81 100644 sysnet_domtrans_ifconfig(devicekit_power_t) sysnet_domtrans_dhcpc(devicekit_power_t) -@@ -269,9 +282,11 @@ optional_policy(` +@@ -269,9 +283,11 @@ optional_policy(` optional_policy(` cron_initrc_domtrans(devicekit_power_t) @@ -19663,7 +19675,7 @@ index ff933af..101bc81 100644 dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -302,8 +317,11 @@ optional_policy(` +@@ -302,8 +318,11 @@ optional_policy(` ') optional_policy(` 
@@ -19676,7 +19688,7 @@ index ff933af..101bc81 100644 hal_manage_pid_dirs(devicekit_power_t) hal_manage_pid_files(devicekit_power_t) ') -@@ -341,3 +359,9 @@ optional_policy(` +@@ -341,3 +360,9 @@ optional_policy(` optional_policy(` vbetool_domtrans(devicekit_power_t) ') @@ -30142,7 +30154,7 @@ index 16b1666..01673a4 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/jabber.te b/jabber.te -index bb12c90..fb916e0 100644 +index bb12c90..62d511b 100644 --- a/jabber.te +++ b/jabber.te @@ -1,4 +1,4 @@ @@ -30151,7 +30163,7 @@ index bb12c90..fb916e0 100644 ######################################## # -@@ -9,129 +9,131 @@ attribute jabberd_domain; +@@ -9,129 +9,133 @@ attribute jabberd_domain; jabber_domain_template(jabberd) jabber_domain_template(jabberd_router) 
@@ -30264,65 +30276,67 @@ index bb12c90..fb916e0 100644 +userdom_dontaudit_search_user_home_dirs(jabberd_t) -manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t) ++miscfiles_read_certs(jabberd_t) + +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +optional_policy(` + seutil_sigchld_newrole(jabberd_t) +') --manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) --files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +-kernel_read_kernel_sysctls(jabberd_t) +optional_policy(` + udev_read_db(jabberd_t) +') --kernel_read_kernel_sysctls(jabberd_t) +-corenet_sendrecv_jabber_client_server_packets(jabberd_t) +-corenet_tcp_bind_jabber_client_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_client_port(jabberd_t) +###################################### +# +# Local policy for pyicq-t +# --corenet_sendrecv_jabber_client_server_packets(jabberd_t) --corenet_tcp_bind_jabber_client_port(jabberd_t) --corenet_tcp_sendrecv_jabber_client_port(jabberd_t) +-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) +-corenet_tcp_bind_jabber_interserver_port(jabberd_t) +-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) +# need for /var/log/pyicq-t.log +manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t) +logging_log_filetrans(pyicqt_t, pyicqt_log_t, file) --corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) --corenet_tcp_bind_jabber_interserver_port(jabberd_t) --corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t) +-dev_read_rand(jabberd_t) +manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t); --dev_read_rand(jabberd_t) +-domain_use_interactive_fds(jabberd_t) +files_search_spool(pyicqt_t) +manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t); --domain_use_interactive_fds(jabberd_t) -+corenet_tcp_bind_jabber_router_port(pyicqt_t) -+corenet_tcp_connect_jabber_router_port(pyicqt_t) - -files_read_etc_files(jabberd_t) 
-files_read_etc_runtime_files(jabberd_t) -+corecmd_exec_bin(pyicqt_t) ++corenet_tcp_bind_jabber_router_port(pyicqt_t) ++corenet_tcp_connect_jabber_router_port(pyicqt_t) -fs_search_auto_mountpoints(jabberd_t) -+dev_read_urand(pyicqt_t) ++corecmd_exec_bin(pyicqt_t) -sysnet_read_config(jabberd_t) -+auth_use_nsswitch(pyicqt_t) ++dev_read_urand(pyicqt_t) -userdom_dontaudit_use_unpriv_user_fds(jabberd_t) -userdom_dontaudit_search_user_home_dirs(jabberd_t) -+# needed for pyicq-t-mysql -+optional_policy(` -+ corenet_tcp_connect_mysqld_port(pyicqt_t) -+') ++auth_use_nsswitch(pyicqt_t) ++# needed for pyicq-t-mysql optional_policy(` - udev_read_db(jabberd_t) -+ sysnet_use_ldap(pyicqt_t) ++ corenet_tcp_connect_mysqld_port(pyicqt_t) ') -######################################## ++optional_policy(` ++ sysnet_use_ldap(pyicqt_t) ++') ++ +####################################### # -# Router local policy @@ -38524,7 +38538,7 @@ index 6194b80..5fe7031 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..0a31eec 100644 +index 6a306ee..cfaf593 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -38968,7 +38982,7 @@ index 6a306ee..0a31eec 100644 ') optional_policy(` -@@ -300,221 +324,180 @@ optional_policy(` +@@ -300,221 +324,181 @@ optional_policy(` ######################################## # 
@@ -39169,14 +39183,14 @@ index 6a306ee..0a31eec 100644 +dev_write_sound(mozilla_plugin_t) +# for nvidia driver dev_rw_xserver_misc(mozilla_plugin_t) -- ++dev_rwx_zero(mozilla_plugin_t) ++dev_dontaudit_read_mtrr(mozilla_plugin_t) ++xserver_dri_domain(mozilla_plugin_t) + -dev_dontaudit_getattr_generic_files(mozilla_plugin_t) -dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t) -dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t) -dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t) -+dev_rwx_zero(mozilla_plugin_t) -+dev_dontaudit_read_mtrr(mozilla_plugin_t) -+dev_dontaudit_rw_dri(mozilla_plugin_t) +dev_dontaudit_getattr_all(mozilla_plugin_t) domain_use_interactive_fds(mozilla_plugin_t) @@ -39289,7 +39303,7 @@ index 6a306ee..0a31eec 100644 ') optional_policy(` -@@ -523,36 +506,48 @@ optional_policy(` +@@ -523,36 +507,48 @@ optional_policy(` ') optional_policy(` @@ -39351,7 +39365,7 @@ index 6a306ee..0a31eec 100644 ') optional_policy(` -@@ -560,7 +555,7 @@ optional_policy(` +@@ -560,7 +556,7 @@ optional_policy(` ') optional_policy(` @@ -39360,7 +39374,7 @@ index 6a306ee..0a31eec 100644 ') optional_policy(` -@@ -568,108 +563,118 @@ optional_policy(` +@@ -568,108 +564,118 @@ optional_policy(` ') optional_policy(` @@ -49486,10 +49500,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..bddd4b3 +index 0000000..fdc4a03 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,677 @@ +@@ -0,0 +1,700 @@ + +## policy for openshift + @@ -49814,7 +49828,8 @@ index 0000000..bddd4b3 + +######################################## +## -+## Manage openshift lib dirs files. ++## Create, read, write, and delete ++## openshift lib files. +## +## +## 
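Review bot: `dev_rwx_zero(mozilla_plugin_t)` on the new side lets the plugin domain map /dev/zero writable and executable, which yields writable-plus-executable memory and sidesteps the execmem check that otherwise gates JIT-style behaviour, yet the hunk adds no comment naming the plugin that needs it (the neighbouring `# for nvidia driver` comment covers only `dev_rw_xserver_misc`). A comment such as `# dev_rwx_zero: some plugins map /dev/zero rwx instead of requesting anonymous execmem` would record the intent, and it is worth considering whether the rule can be gated by a boolean rather than granted unconditionally. The replacement of `dev_dontaudit_rw_dri` with `xserver_dri_domain(mozilla_plugin_t)` matches the changelog's "follow selinuxuse_dri boolean" entry and looks intentional. The mozilla_plugin_t block starts and ends outside this hunk.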
@@ -49831,6 +49846,28 @@ index 0000000..bddd4b3 + manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t) +') + ++######################################## ++## ++## Manage openshift lib content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`openshift_manage_content',` ++ gen_require(` ++ attribute openshift_file_type; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, openshift_file_type, openshift_file_type) ++ manage_files_pattern($1, openshift_file_type, openshift_file_type) ++ manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type) ++ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type) ++') ++ +####################################### +## +## Create private objects in the @@ -89001,7 +89038,7 @@ index 9dec06c..7877729 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..253d98d 100644 +index 1f22fba..7a305c4 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ 
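Review bot: The new `openshift_manage_content` interface is summarised as "Manage openshift lib content", but its rules apply to the whole `openshift_file_type` attribute rather than to a lib-specific type, and its only directory-reachability rule is `files_search_var_lib($1)`. The summary should name the real scope, e.g. `## Create, read, write, and delete all openshift content (every type carrying the openshift_file_type attribute).`, so a caller understands it is not limited to /var/lib/openshift. If any type with that attribute labels content outside /var/lib (the .fc lines earlier on this page label /var/run/openshift, though whether that type carries the attribute is not visible here), callers would be granted manage permissions on paths they cannot search to, so the search rule should be extended or the attribute scope documented. The changelog's "Allow useradd to manage all openshift content" suggests the intended caller; noting that in the interface description helps future audits of what account-management tools may write.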
@@ -89631,14 +89668,14 @@ index 1f22fba..253d98d 100644 -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +- +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) @@ -89774,15 +89811,16 @@ index 1f22fba..253d98d 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +496,321 @@ optional_policy(` +@@ -658,95 +496,325 @@ optional_policy(` ') optional_policy(` - firewalld_dbus_chat(virtd_t) + hal_dbus_chat(virtd_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- hal_dbus_chat(virtd_t) + networkmanager_dbus_chat(virtd_t) ') +') @@ -89848,6 +89886,10 @@ index 1f22fba..253d98d 100644 +') + +optional_policy(` ++ setrans_manage_pid_files(virtd_t) ++') ++ ++optional_policy(` + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + 
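Review bot: `setrans_manage_pid_files(virtd_t)` in the `@@ -89848,6 +89886,10 @@` hunk, and the matching `setrans_manage_pid_files(virtd_lxc_t)` in the `@@ -90393,6 +90432,10 @@` hunk further down, grant create, write and delete over the translation daemon's runtime directory, with only the changelog line "allow virtd domains to manage setrans_var_run_t" as rationale. If the need is to populate or relabel a container's /var/run/setrans (inferred, not visible here), a comment at each grant should say so, e.g. `# NOTE(review): sets up /var/run/setrans inside the container — confirm manage rather than connect is required`, since manage access to another daemon's socket directory is broader than the stream-connect access a client normally needs. Both enclosing blocks start and end outside their hunks.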
@@ -89981,21 +90023,18 @@ index 1f22fba..253d98d 100644 +storage_raw_read_removable_device(virt_domain) - optional_policy(` -- hal_dbus_chat(virtd_t) +- networkmanager_dbus_chat(virtd_t) - ') +sysnet_read_config(virt_domain) - optional_policy(` -- networkmanager_dbus_chat(virtd_t) +- policykit_dbus_chat(virtd_t) - ') +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) - -- optional_policy(` -- policykit_dbus_chat(virtd_t) -- ') ++ +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; ') @@ -90144,7 +90183,7 @@ index 1f22fba..253d98d 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +822,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +826,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -90157,12 +90196,12 @@ index 1f22fba..253d98d 100644 -dontaudit virsh_t virt_var_lib_t:file read_file_perms; - -allow virsh_t svirt_lxc_domain:process transition; -- --can_exec(virsh_t, virsh_exec_t) +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +-can_exec(virsh_t, virsh_exec_t) +- -virt_domtrans(virsh_t) -virt_manage_images(virsh_t) -virt_manage_config(virsh_t) 
@@ -90174,7 +90213,7 @@ index 1f22fba..253d98d 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +841,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -90201,7 +90240,7 @@ index 1f22fba..253d98d 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +861,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -90233,7 +90272,7 @@ index 1f22fba..253d98d 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +894,20 @@ optional_policy(` +@@ -847,14 +898,20 @@ optional_policy(` ') optional_policy(` @@ -90255,7 +90294,7 @@ index 1f22fba..253d98d 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +932,44 @@ optional_policy(` +@@ -879,34 +936,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -90309,7 +90348,7 @@ index 1f22fba..253d98d 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +979,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +983,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -90327,7 +90366,7 @@ index 1f22fba..253d98d 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1001,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +1005,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) 
@@ -90338,7 +90377,7 @@ index 1f22fba..253d98d 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1010,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1014,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -90346,7 +90385,7 @@ index 1f22fba..253d98d 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1022,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1026,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -90365,7 +90404,7 @@ index 1f22fba..253d98d 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1036,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1040,40 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -90393,6 +90432,10 @@ index 1f22fba..253d98d 100644 +') + +optional_policy(` ++ setrans_manage_pid_files(virtd_lxc_t) ++') ++ ++optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -90410,7 +90453,7 @@ index 1f22fba..253d98d 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1073,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; 
@@ -90437,7 +90480,7 @@ index 1f22fba..253d98d 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1091,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -90456,7 +90499,7 @@ index 1f22fba..253d98d 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1110,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -90483,7 +90526,7 @@ index 1f22fba..253d98d 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1135,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1143,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -90622,7 +90665,7 @@ index 1f22fba..253d98d 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1233,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1241,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) 
@@ -90637,7 +90680,7 @@ index 1f22fba..253d98d 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1251,8 @@ optional_policy(` +@@ -1183,9 +1259,8 @@ optional_policy(` ######################################## # @@ -90648,7 +90691,7 @@ index 1f22fba..253d98d 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1265,114 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1273,114 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index db4e2e3..eddfbfc 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 57%{?dist} +Release: 58%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -539,6 +539,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Jun 28 2013 Miroslav Grepl 3.12.1-58 +- Shrink the size of policy by moving to attributes, also add dridomain so that mozilla_plugin can follow selinuxuse_dri boolean. +- Allow bootloader to manage generic log files +- Allow ftp to bind to port 989 +- Fix label of new gear directory +- Add support for new directory /var/lib/openshift/gears/ +- Add openshift_manage_lib_dirs() +- allow virtd domains to manage setrans_var_run_t +- Allow useradd to manage all openshift content +- Add support so that mozilla_plugin_t can use dri devices +- Allow chronyd to change the scheduler +- Allow apmd to shut downthe system +- Devicekit_disk_t needs to manage /etc/fstab + * Wed Jun 26 2013 Miroslav Grepl 3.12.1-57 - Make DSPAM to act as a LDA working - Allow ntop to create netlink socket