diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index f05841c..699d224 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5074,7 +5074,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..f678b45 100644 +index 4edc40d..fba95c8 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) @@ -5250,7 +5250,7 @@ index 4edc40d..f678b45 100644 -network_port(milter) # no defined portcon +network_port(milter, tcp, 8891, s0) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) -+network_port(mongod, tcp,27017,s0) ++network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) network_port(monopd, tcp,1234,s0) network_port(mountd, tcp,20048,s0, udp,20048,s0) network_port(movaz_ssc, tcp,5252,s0, udp,5252,s0) @@ -8320,10 +8320,10 @@ index c2c6e05..96aeeef 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..90999af 100644 +index 64ff4d7..87c124c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -19,6 +19,119 @@ +@@ -19,6 +19,136 @@ ## Comains the file initial SID. ## @@ -8425,6 +8425,23 @@ index 64ff4d7..90999af 100644 + +##################################### +## ++## files stub var_run_t interface. No access allowed. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_stub_var',` ++ gen_require(` ++ type var_t; ++ ') ++') ++ ++ ++##################################### ++## +## files stub tmp_t interface. No access allowed. +## +## @@ -8443,7 +8460,7 @@ index 64ff4d7..90999af 100644 ######################################## ## ## Make the specified type usable for files -@@ -55,6 +168,7 @@ +@@ -55,6 +185,7 @@ ##
  • files_pid_file()
  • ##
  • files_security_file()
  • ##
  • files_security_mountpoint()
  • @@ -8451,7 +8468,7 @@ index 64ff4d7..90999af 100644 ##
  • files_tmp_file()
  • ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • -@@ -125,30 +239,31 @@ interface(`files_security_file',` +@@ -125,30 +256,31 @@ interface(`files_security_file',` typeattribute $1 file_type, security_file_type, non_auth_file_type; ') @@ -8489,7 +8506,7 @@ index 64ff4d7..90999af 100644 ##
    ## ## -@@ -156,33 +271,33 @@ interface(`files_lock_file',` +@@ -156,33 +288,33 @@ interface(`files_lock_file',` ## ## # @@ -8531,7 +8548,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -521,7 +636,7 @@ interface(`files_mounton_non_security',` +@@ -521,7 +653,7 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') @@ -8540,7 +8557,7 @@ index 64ff4d7..90999af 100644 allow $1 non_security_file_type:file mounton; ') -@@ -620,6 +735,63 @@ interface(`files_dontaudit_getattr_non_security_files',` +@@ -620,6 +752,63 @@ interface(`files_dontaudit_getattr_non_security_files',` ######################################## ## @@ -8604,7 +8621,7 @@ index 64ff4d7..90999af 100644 ## Read all files. ## ## -@@ -683,12 +855,82 @@ interface(`files_read_non_security_files',` +@@ -683,12 +872,82 @@ interface(`files_read_non_security_files',` attribute non_security_file_type; ') @@ -8687,7 +8704,7 @@ index 64ff4d7..90999af 100644 ## Read all directories on the filesystem, except ## the listed exceptions. ## -@@ -953,6 +1195,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` +@@ -953,6 +1212,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',` ######################################## ## @@ -8713,7 +8730,7 @@ index 64ff4d7..90999af 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1252,25 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1269,25 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -8739,7 +8756,7 @@ index 64ff4d7..90999af 100644 ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,10 +1353,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1370,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -8752,7 +8769,7 @@ index 64ff4d7..90999af 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1460,6 @@ interface(`files_list_all',` +@@ -1182,24 +1477,6 @@ interface(`files_list_all',` ######################################## ## @@ -8777,7 +8794,7 @@ index 64ff4d7..90999af 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,9 +1703,6 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1720,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) @@ -8787,7 +8804,7 @@ index 64ff4d7..90999af 100644 ') ############################################# -@@ -1583,6 +1840,24 @@ interface(`files_getattr_all_mountpoints',` +@@ -1583,6 +1857,24 @@ interface(`files_getattr_all_mountpoints',` ######################################## ## @@ -8812,58 +8829,55 @@ index 64ff4d7..90999af 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,6 +1948,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,25 +1965,61 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## +-## Do not audit attempts to write to mount points. +## Write all mount points. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_write_all_mountpoints',` +- gen_require(` +- attribute mountpoint; +- ') +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') -+ + +- dontaudit $1 mountpoint:dir write; + allow $1 mountpoint:dir write; -+') -+ -+######################################## -+## - ## Do not audit attempts to write to mount points. - ## - ## -@@ -1691,7 +1984,7 @@ interface(`files_dontaudit_write_all_mountpoints',` + ') ######################################## ## -## List the contents of the root directory. -+## Write all file type directories. - ## - ## - ## -@@ -1699,12 +1992,30 @@ interface(`files_dontaudit_write_all_mountpoints',` - ## - ## - # --interface(`files_list_root',` -+interface(`files_write_all_dirs',` - gen_require(` -- type root_t; -+ attribute file_type; - ') - -- allow $1 root_t:dir list_dir_perms; -+ allow $1 file_type:dir write; ++## Do not audit attempts to write to mount points. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_write_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ dontaudit $1 mountpoint:dir write; +') + +######################################## +## -+## List the contents of the root directory. ++## Write all file type directories. +## +## +## @@ -8871,16 +8885,21 @@ index 64ff4d7..90999af 100644 +## +## +# -+interface(`files_list_root',` ++interface(`files_write_all_dirs',` + gen_require(` -+ type root_t; ++ attribute file_type; + ') + -+ allow $1 root_t:dir list_dir_perms; - allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; - ') - -@@ -1874,25 +2185,25 @@ interface(`files_delete_root_dir_entry',` ++ allow $1 file_type:dir write; ++') ++ ++######################################## ++## ++## List the contents of the root directory. + ## + ## + ## +@@ -1874,25 +2202,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -8912,7 +8931,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -1905,7 +2216,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2233,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -8921,7 +8940,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -1928,6 +2239,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2256,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -8946,7 +8965,7 @@ index 64ff4d7..90999af 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +2956,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +2973,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -8971,7 +8990,7 @@ index 64ff4d7..90999af 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3045,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3062,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -8979,7 +8998,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -2706,7 +3054,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3071,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -8988,7 +9007,7 @@ index 64ff4d7..90999af 100644 ## ## # -@@ -2762,6 +3110,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3127,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -9014,7 +9033,7 @@ index 64ff4d7..90999af 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3147,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3164,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -9039,7 +9058,7 @@ index 64ff4d7..90999af 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3330,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3347,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -9064,7 +9083,7 @@ index 64ff4d7..90999af 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3003,9 +3370,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3387,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -9075,7 +9094,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -3013,18 +3378,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3395,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -9097,7 +9116,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -3042,6 +3406,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3423,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -9124,7 +9143,7 @@ index 64ff4d7..90999af 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3443,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3460,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -9132,7 +9151,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -3080,6 +3465,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3482,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -9140,7 +9159,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -3132,6 +3518,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3535,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## @@ -9166,7 +9185,7 @@ index 64ff4d7..90999af 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3613,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3630,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -9192,7 +9211,7 @@ index 64ff4d7..90999af 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3879,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3896,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -9218,7 +9237,7 @@ index 64ff4d7..90999af 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4239,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4256,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -9262,7 +9281,7 @@ index 64ff4d7..90999af 100644 ') ######################################## -@@ -4199,156 +4660,176 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,156 +4677,176 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -9515,7 +9534,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4356,53 +4837,56 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4356,53 +4854,56 @@ interface(`files_delete_tmp_dir_entry',` ## ## # @@ -9584,7 +9603,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4410,35 +4894,36 @@ interface(`files_manage_generic_tmp_files',` +@@ -4410,35 +4911,36 @@ interface(`files_manage_generic_tmp_files',` ## ## # @@ -9627,7 +9646,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4446,77 +4931,74 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,77 +4948,74 @@ interface(`files_rw_generic_tmp_sockets',` ## ## # @@ -9732,7 +9751,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4524,58 +5006,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4524,58 +5023,61 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -9811,7 +9830,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4583,51 +5068,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` +@@ -4583,51 +5085,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',` ## ## # @@ -9870,7 +9889,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4635,22 +5104,17 @@ interface(`files_tmp_filetrans',` +@@ -4635,22 +5121,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -9897,7 +9916,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4658,17 +5122,17 @@ interface(`files_purge_tmp',` +@@ -4658,17 +5139,17 @@ interface(`files_purge_tmp',` ## ## # @@ -9919,7 +9938,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4676,18 +5140,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4676,18 +5157,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -9942,7 +9961,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4695,35 +5158,35 @@ interface(`files_search_usr',` +@@ -4695,35 +5175,35 @@ interface(`files_search_usr',` ## ## # @@ -9987,7 +10006,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4731,36 +5194,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4731,36 +5211,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -10033,7 +10052,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4768,111 +5230,100 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4768,111 +5247,100 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -10177,7 +10196,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4880,35 +5331,17 @@ interface(`files_exec_usr_files',` +@@ -4880,35 +5348,17 @@ interface(`files_exec_usr_files',` ## ## # @@ -10217,7 +10236,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4916,67 +5349,70 @@ interface(`files_manage_usr_files',` +@@ -4916,67 +5366,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -10306,7 +10325,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -4985,35 +5421,50 @@ interface(`files_read_usr_symlinks',` +@@ -4985,35 +5438,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -10366,7 +10385,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5021,20 +5472,17 @@ interface(`files_dontaudit_search_src',` +@@ -5021,20 +5489,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -10391,7 +10410,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5042,20 +5490,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5042,20 +5507,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -10416,7 +10435,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5063,38 +5509,35 @@ interface(`files_read_usr_src_files',` +@@ -5063,38 +5526,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -10464,7 +10483,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5102,37 +5545,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5102,37 +5562,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -10512,7 +10531,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5140,35 +5582,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5140,35 +5599,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -10557,7 +10576,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5176,36 +5618,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5176,36 +5635,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # @@ -10623,7 +10642,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5213,36 +5674,37 @@ interface(`files_dontaudit_search_var',` +@@ -5213,36 +5691,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -10671,7 +10690,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5250,17 +5712,17 @@ interface(`files_manage_var_dirs',` +@@ -5250,17 +5729,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -10693,7 +10712,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5268,17 +5730,17 @@ interface(`files_read_var_files',` +@@ -5268,17 +5747,17 @@ interface(`files_read_var_files',` ## ## # @@ -10715,7 +10734,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5286,73 +5748,86 @@ interface(`files_append_var_files',` +@@ -5286,73 +5765,86 @@ interface(`files_append_var_files',` ## ## # @@ -10822,7 +10841,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5360,50 +5835,41 @@ interface(`files_read_var_symlinks',` +@@ -5360,50 +5852,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -10887,7 +10906,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5411,69 +5877,57 @@ interface(`files_var_filetrans',` +@@ -5411,69 +5894,57 @@ interface(`files_var_filetrans',` ## ## # @@ -10974,7 +10993,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5481,17 +5935,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5481,17 +5952,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -10998,7 +11017,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5499,51 +5954,35 @@ interface(`files_list_var_lib',` +@@ -5499,51 +5971,35 @@ interface(`files_list_var_lib',` ## ## # @@ -11059,7 +11078,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5551,40 +5990,36 @@ interface(`files_var_lib_filetrans',` +@@ -5551,40 +6007,36 @@ interface(`files_var_lib_filetrans',` ## ## # @@ -11110,7 +11129,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5592,38 +6027,36 @@ interface(`files_read_var_lib_symlinks',` +@@ -5592,38 +6044,36 @@ interface(`files_read_var_lib_symlinks',` ## ## # @@ -11159,7 +11178,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5631,17 +6064,17 @@ interface(`files_manage_mounttab',` +@@ -5631,17 +6081,17 @@ interface(`files_manage_mounttab',` ## ## # @@ -11181,7 +11200,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5649,38 +6082,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5649,38 +6099,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -11229,7 +11248,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5688,80 +6118,73 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,80 +6135,73 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11331,7 +11350,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5769,41 +6192,50 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,41 +6209,50 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11396,7 +11415,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5811,65 +6243,69 @@ interface(`files_delete_generic_locks',` +@@ -5811,65 +6260,69 @@ interface(`files_delete_generic_locks',` ## ## # @@ -11491,7 +11510,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5877,37 +6313,49 @@ interface(`files_read_all_locks',` +@@ -5877,37 +6330,49 @@ interface(`files_read_all_locks',` ## ## # @@ -11555,7 +11574,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5916,39 +6364,37 @@ interface(`files_manage_all_locks',` +@@ -5916,39 +6381,37 @@ interface(`files_manage_all_locks',` ## ## # @@ -11605,7 +11624,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5956,19 +6402,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5956,19 +6419,18 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # @@ -11630,7 +11649,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -5976,39 +6421,41 @@ interface(`files_setattr_pid_dirs',` +@@ -5976,19 +6438,1114 @@ interface(`files_setattr_pid_dirs',` ## ## # @@ -11655,41 +11674,33 @@ index 64ff4d7..90999af 100644 -## the /var/run directory. +## Create, read, write, and delete the +## pseudorandom number generator seed. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_pids',` ++## ++## ++# +interface(`files_manage_urandom_seed',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_t, var_lib_t; - ') - -- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; -- dontaudit $1 var_run_t:dir search_dir_perms; ++ ') ++ + allow $1 var_t:dir search_dir_perms; + manage_files_pattern($1, var_lib_t, var_lib_t) - ') - - ######################################## - ## --## List the contents of the runtime process --## ID directories (/var/run). ++') ++ ++######################################## ++## +## Allow domain to manage mount tables +## necessary for rpcd, nfsd, etc. - ## - ## - ## -@@ -6016,18 +6463,1012 @@ interface(`files_dontaudit_search_pids',` - ## - ## - # --interface(`files_list_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_mounttab',` + gen_require(` + type var_t, var_lib_t; @@ -12051,7 +12062,7 @@ index 64ff4d7..90999af 100644 + type var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:dir setattr; +') + @@ -12071,6 +12082,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + ++ allow $1 var_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:lnk_file read_lnk_file_perms; + search_dirs_pattern($1, var_t, var_run_t) +') @@ -12167,7 +12179,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) +') + @@ -12186,7 +12198,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) +') @@ -12206,7 +12218,7 @@ index 64ff4d7..90999af 100644 + type var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + allow $1 var_run_t:fifo_file write; +') + @@ -12309,7 +12321,7 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + rw_files_pattern($1, var_run_t, var_run_t) +') @@ -12597,8 +12609,8 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) @@ -12622,8 +12634,8 @@ index 64ff4d7..90999af 100644 + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') + @@ -12686,71 +12698,174 @@ index 64ff4d7..90999af 100644 +## +# +interface(`files_create_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file create_sock_file_perms; ++') ++ ++######################################## ++## ++## Delete all spool sockets ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_spool_sockets',` ++ gen_require(` ++ attribute spoolfile; ++ ') ++ ++ allow $1 spoolfile:sock_file delete_sock_file_perms; ++') ++ ++######################################## ++## ++## Relabel to and from all spool ++## directory types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_relabel_all_spool_dirs',` ++ gen_require(` ++ attribute spoolfile; ++ type var_t; ++ ') ++ ++ relabel_dirs_pattern($1, spoolfile, spoolfile) ++') ++ ++######################################## ++## ++## Search the contents of generic spool ++## directories (/var/spool). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_spool',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ search_dirs_pattern($1, var_t, var_spool_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search generic ++## spool directories. + ## + ## + ## +@@ -5996,19 +7553,18 @@ interface(`files_search_pids',` + ## + ## + # +-interface(`files_dontaudit_search_pids',` ++interface(`files_dontaudit_search_spool',` + gen_require(` +- type var_run_t; ++ type var_spool_t; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; ++ dontaudit $1 var_spool_t:dir search_dir_perms; + ') + + ######################################## + ## +-## List the contents of the runtime process +-## ID directories (/var/run). ++## List the contents of generic spool ++## (/var/spool) directories. + ## + ## + ## +@@ -6016,18 +7572,18 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_list_spool',` gen_require(` - type var_t, var_run_t; -+ attribute spoolfile; ++ type var_t, var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) -+ allow $1 spoolfile:sock_file create_sock_file_perms; ++ list_dirs_pattern($1, var_t, var_spool_t) ') ######################################## ## -## Read generic process ID files. -+## Delete all spool sockets ++## Create, read, write, and delete generic ++## spool directories (/var/spool). ## ## ## -@@ -6035,123 +7476,336 @@ interface(`files_list_pids',` +@@ -6035,19 +7591,18 @@ interface(`files_list_pids',` ## ## # -interface(`files_read_generic_pids',` -+interface(`files_delete_all_spool_sockets',` ++interface(`files_manage_generic_spool_dirs',` gen_require(` - type var_t, var_run_t; -+ attribute spoolfile; ++ type var_t, var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) -+ allow $1 spoolfile:sock_file delete_sock_file_perms; ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## -## Write named generic process ID pipes -+## Relabel to and from all spool -+## directory types. ++## Read generic spool files. ## ## ## - ## Domain allowed access. +@@ -6055,103 +7610,220 @@ interface(`files_read_generic_pids',` ## ## -+## # -interface(`files_write_generic_pid_pipes',` -+interface(`files_relabel_all_spool_dirs',` ++interface(`files_read_generic_spool',` gen_require(` - type var_run_t; -+ attribute spoolfile; -+ type var_t; ++ type var_t, var_spool_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:fifo_file write; -+ relabel_dirs_pattern($1, spoolfile, spoolfile) ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) ') ######################################## ## -## Create an object in the process ID directory, with a private type. -+## Search the contents of generic spool -+## directories (/var/spool). ++## Create, read, write, and delete generic ++## spool files. ## -## -##

    @@ -12785,105 +12900,6 @@ index 64ff4d7..90999af 100644 ## -## +# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+##

    -+## Do not audit attempts to search generic -+## spool directories. -+## -+## - ## --## The type of the object to be created. -+## Domain to not audit. - ## - ## --## -+# -+interface(`files_dontaudit_search_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+ -+ dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of generic spool -+## (/var/spool) directories. -+## -+## - ## --## The object class of the object being created. -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool_dirs',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# +interface(`files_manage_generic_spool',` + gen_require(` + type var_t, var_spool_t; @@ -12899,12 +12915,15 @@ index 64ff4d7..90999af 100644 +## with a private type with a type transition. +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## + ## + ## +-## +## -+## + ## +-## The object class of the object being created. +## Type to which the created node will be transitioned. +## +## @@ -13099,7 +13118,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',` ## ## # @@ -13125,7 +13144,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',` +@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -13149,7 +13168,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -13172,7 +13191,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -13230,7 +13249,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',` +@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',` ## ## # @@ -13315,7 +13334,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',` +@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',` ## ## # @@ -13364,7 +13383,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6368,186 +8007,169 @@ interface(`files_search_spool',` +@@ -6368,186 +8025,169 @@ interface(`files_search_spool',` ## ## # @@ -13631,7 +13650,7 @@ index 64ff4d7..90999af 100644 ## ## ## -@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',` +@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -31807,7 +31826,7 @@ index e8c59a5..ea56d23 100644 ') diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc -index 9fe8e01..06fa481 100644 +index 9fe8e01..fa82aac 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -9,11 +9,13 @@ ifdef(`distro_gentoo',` @@ -31826,7 +31845,7 @@ index 9fe8e01..06fa481 100644 ifdef(`distro_redhat',` /etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0) -@@ -37,11 +39,6 @@ ifdef(`distro_redhat',` +@@ -37,14 +39,10 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) @@ -31838,7 +31857,19 @@ index 9fe8e01..06fa481 100644 /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0) /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -77,7 +74,7 @@ ifdef(`distro_redhat',` ++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) + /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) +@@ -53,6 +51,7 @@ ifdef(`distro_redhat',` + /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0) + /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0) + ++/usr/share/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) + /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) + +@@ -77,7 +76,7 @@ ifdef(`distro_redhat',` /var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0) /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) @@ -31847,7 +31878,7 @@ index 9fe8e01..06fa481 100644 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -@@ -90,6 +87,7 @@ ifdef(`distro_debian',` +@@ -90,6 +89,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_redhat',` @@ -34692,10 +34723,10 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 346a7cc..2fa1253 100644 +index 346a7cc..b44bb0c 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc -@@ -17,14 +17,15 @@ ifdef(`distro_debian',` +@@ -17,16 +17,17 @@ ifdef(`distro_debian',` /etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0) @@ -34712,8 +34743,11 @@ index 346a7cc..2fa1253 100644 /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0) - /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) +-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) ++/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0) /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) + + ifdef(`distro_redhat',` @@ -55,6 +56,20 @@ ifdef(`distro_redhat',` # # /usr @@ -35417,12 +35451,29 @@ index 0000000..4e12420 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..fc080a1 +index 0000000..ab20e2f --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1064 @@ +@@ -0,0 +1,1081 @@ +## SELinux policy for systemd components + ++###################################### ++## ++## Create a domain for processes which are started ++## exuting systemctl. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_stub_unit_file',` ++ gen_require(` ++ type systemd_unit_file_t; ++ ') ++') ++ +####################################### +## +## Create a domain for processes which are started @@ -36487,7 +36538,7 @@ index 0000000..fc080a1 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..60e3e89 +index 0000000..4d56107 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,641 @@ @@ -36970,7 +37021,7 @@ index 0000000..60e3e89 + +userdom_dbus_send_all_users(systemd_localed_t) + -+xserver_read_config(systemd_localed_t) ++xserver_manage_config(systemd_localed_t) + +optional_policy(` + dbus_connect_system_bus(systemd_localed_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index ff0cb24..fe16da6 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -516,7 +516,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..304203f 100644 +index cc43d25..0842350 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -935,7 +935,7 @@ index cc43d25..304203f 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -947,6 +947,7 @@ index cc43d25..304203f 100644 +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) ++ mock_manage_lib_files(abrt_t) +') + ######################################## @@ -976,7 +977,7 @@ index cc43d25..304203f 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) @@ -994,7 +995,7 @@ index cc43d25..304203f 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -9740,10 +9741,10 @@ index 2354e21..bec6c06 100644 + ') +') diff --git a/certwatch.te b/certwatch.te -index 403af41..7c0b1be 100644 +index 403af41..68a5e26 100644 --- a/certwatch.te +++ b/certwatch.te -@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t; +@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t; allow certwatch_t self:capability sys_nice; allow certwatch_t self:process { setsched getsched }; @@ -9774,7 +9775,10 @@ index 403af41..7c0b1be 100644 +userdom_dontaudit_list_admin_dir(certwatch_t) optional_policy(` ++ apache_exec(certwatch_t) apache_exec_modules(certwatch_t) + apache_read_config(certwatch_t) + ') diff --git a/cfengine.if b/cfengine.if index a731122..5279d4e 100644 --- a/cfengine.if @@ -9933,7 +9937,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index fdee107..eb7a3ac 100644 +index fdee107..7a38b63 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -9979,10 +9983,10 @@ index fdee107..eb7a3ac 100644 # # cgred local policy # ++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; ++allow cgred_t self:process signal_perms; -allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override }; -+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace }; -+ allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; @@ -16021,7 +16025,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..45fe9a0 100644 +index 9f34c2e..3b03f21 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16243,7 +16247,7 @@ index 9f34c2e..45fe9a0 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -16259,10 +16263,11 @@ index 9f34c2e..45fe9a0 100644 fs_search_fusefs(cupsd_t) fs_read_anon_inodefs_files(cupsd_t) +fs_rw_anon_inodefs_files(cupsd_t) ++fs_rw_inherited_tmpfs_files(cupsd_t) mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -16271,7 +16276,7 @@ index 9f34c2e..45fe9a0 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -16297,7 +16302,7 @@ index 9f34c2e..45fe9a0 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +307,8 @@ optional_policy(` +@@ -275,6 +308,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -16306,7 +16311,7 @@ index 9f34c2e..45fe9a0 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +319,10 @@ optional_policy(` +@@ -285,8 +320,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16317,7 +16322,7 @@ index 9f34c2e..45fe9a0 100644 ') ') -@@ -299,8 +335,8 @@ optional_policy(` +@@ -299,8 +336,8 @@ optional_policy(` ') optional_policy(` @@ -16327,7 +16332,7 @@ index 9f34c2e..45fe9a0 100644 ') optional_policy(` -@@ -309,7 +345,6 @@ optional_policy(` +@@ -309,7 +346,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -16335,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +372,7 @@ optional_policy(` +@@ -337,7 +373,7 @@ optional_policy(` ') optional_policy(` @@ -16344,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644 ') ######################################## -@@ -345,11 +380,9 @@ optional_policy(` +@@ -345,11 +381,9 @@ optional_policy(` # Configuration daemon local policy # @@ -16358,7 +16363,7 @@ index 9f34c2e..45fe9a0 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -16378,7 +16383,7 @@ index 9f34c2e..45fe9a0 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -16399,7 +16404,7 @@ index 9f34c2e..45fe9a0 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16411,7 +16416,7 @@ index 9f34c2e..45fe9a0 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +469,12 @@ optional_policy(` +@@ -452,9 +470,12 @@ optional_policy(` ') optional_policy(` @@ -16425,7 +16430,7 @@ index 9f34c2e..45fe9a0 100644 ') optional_policy(` -@@ -490,10 +510,6 @@ optional_policy(` +@@ -490,10 +511,6 @@ optional_policy(` # Lpd local policy # @@ -16436,7 +16441,7 @@ index 9f34c2e..45fe9a0 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16469,7 +16474,7 @@ index 9f34c2e..45fe9a0 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +553,6 @@ optional_policy(` +@@ -546,7 +554,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -16477,7 +16482,7 @@ index 9f34c2e..45fe9a0 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -16495,7 +16500,7 @@ index 9f34c2e..45fe9a0 100644 userdom_manage_user_home_content_dirs(cups_pdf_t) userdom_manage_user_home_content_files(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) -@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(cups_pdf_t) ') @@ -16626,7 +16631,7 @@ index 9f34c2e..45fe9a0 100644 ######################################## # -@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -16634,7 +16639,7 @@ index 9f34c2e..45fe9a0 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -16648,7 +16653,7 @@ index 9f34c2e..45fe9a0 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -19296,7 +19301,7 @@ index 0000000..332a1c9 +') diff --git a/dirsrv-admin.te b/dirsrv-admin.te new file mode 100644 -index 0000000..a3d076f +index 0000000..ab083cf --- /dev/null +++ b/dirsrv-admin.te @@ -0,0 +1,144 @@ @@ -19334,7 +19339,7 @@ index 0000000..a3d076f +# +allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms; +allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource }; -+allow dirsrvadmin_t self:process setrlimit; ++allow dirsrvadmin_t self:process { setrlimit signal_perms }; + +manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) +manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t) @@ -23081,7 +23086,7 @@ index d062080..e098a40 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..2f7de33 100644 +index e50f33c..5e6cdb8 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -23102,16 +23107,23 @@ index e50f33c..2f7de33 100644 ## ##

    -@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false) +@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false) ## used for public file transfer services. ##

    ##
    -gen_tunable(allow_ftpd_use_cifs, false) +gen_tunable(ftpd_use_cifs, false) ++ ++## ++##

    ++## Allow samba to export ntfs/fusefs volumes. ++##

    ++##
    ++gen_tunable(ftpd_use_fusefs, false) ## ##

    -@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false) +@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false) ## used for public file transfer services. ##

    ##
    @@ -23120,7 +23132,7 @@ index e50f33c..2f7de33 100644 ## ##

    -@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t) +@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -23130,7 +23142,7 @@ index e50f33c..2f7de33 100644 type ftpd_lock_t; files_lock_file(ftpd_lock_t) -@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; +@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -23140,7 +23152,7 @@ index e50f33c..2f7de33 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) +@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) @@ -23156,7 +23168,7 @@ index e50f33c..2f7de33 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -23170,7 +23182,7 @@ index e50f33c..2f7de33 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -23178,7 +23190,7 @@ index e50f33c..2f7de33 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t) +@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -23201,6 +23213,13 @@ index e50f33c..2f7de33 100644 ') -tunable_policy(`allow_ftpd_use_nfs',` ++tunable_policy(`ftpd_use_fusefs',` ++ fs_manage_fusefs_dirs(ftpd_t) ++ fs_manage_fusefs_files(ftpd_t) ++',` ++ fs_search_fusefs(ftpd_t) ++') ++ +tunable_policy(`ftpd_use_nfs',` fs_read_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) @@ -23228,7 +23247,7 @@ index e50f33c..2f7de33 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -23241,7 +23260,7 @@ index e50f33c..2f7de33 100644 ') tunable_policy(`ftp_home_dir',` -@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',` +@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',` userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_files(ftpd_t) @@ -23254,7 +23273,7 @@ index e50f33c..2f7de33 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -360,7 +374,7 @@ optional_policy(` +@@ -360,7 +388,7 @@ optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) @@ -23263,7 +23282,7 @@ index e50f33c..2f7de33 100644 ') optional_policy(` -@@ -410,21 +424,20 @@ optional_policy(` +@@ -410,21 +438,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -23287,7 +23306,7 @@ index e50f33c..2f7de33 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -23328,7 +23347,7 @@ index e50f33c..2f7de33 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -36788,7 +36807,7 @@ index 6194b80..648d041 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..4c1c064 100644 +index 6a306ee..8faac8d 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -37047,10 +37066,10 @@ index 6a306ee..4c1c064 100644 -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -- --userdom_write_user_tmp_sockets(mozilla_t) +userdom_use_inherited_user_ptys(mozilla_t) +-userdom_write_user_tmp_sockets(mozilla_t) +- -mozilla_run_plugin(mozilla_t, mozilla_roles) -mozilla_run_plugin_config(mozilla_t, mozilla_roles) +#mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -37213,7 +37232,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -300,221 +308,171 @@ optional_policy(` +@@ -300,221 +308,173 @@ optional_policy(` ######################################## # @@ -37468,7 +37487,8 @@ index 6a306ee..4c1c064 100644 -userdom_manage_user_home_content_dirs(mozilla_plugin_t) -userdom_manage_user_home_content_files(mozilla_plugin_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file }) -- ++systemd_read_logind_sessions_files(mozilla_plugin_t) + -userdom_write_user_tmp_sockets(mozilla_plugin_t) +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) @@ -37528,7 +37548,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -523,36 +481,47 @@ optional_policy(` +@@ -523,36 +483,47 @@ optional_policy(` ') optional_policy(` @@ -37589,7 +37609,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -560,7 +529,7 @@ optional_policy(` +@@ -560,7 +531,7 @@ optional_policy(` ') optional_policy(` @@ -37598,7 +37618,7 @@ index 6a306ee..4c1c064 100644 ') optional_policy(` -@@ -568,108 +537,108 @@ optional_policy(` +@@ -568,108 +539,108 @@ optional_policy(` ') optional_policy(` @@ -43275,7 +43295,7 @@ index 46e55c3..346242e 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3e4a31c..0d16edc 100644 +index 3e4a31c..bd8e3ff 100644 --- a/nis.te +++ b/nis.te @@ -1,12 +1,10 @@ @@ -43465,7 +43485,7 @@ index 3e4a31c..0d16edc 100644 sysnet_read_config(yppasswdd_t) -@@ -219,6 +215,10 @@ optional_policy(` +@@ -219,6 +215,14 @@ optional_policy(` ') optional_policy(` @@ -43473,10 +43493,14 @@ index 3e4a31c..0d16edc 100644 +') + +optional_policy(` ++ nis_use_ypbind(yppasswdd_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(yppasswdd_t) ') -@@ -234,7 +234,8 @@ optional_policy(` +@@ -234,7 +238,8 @@ optional_policy(` dontaudit ypserv_t self:capability sys_tty_config; allow ypserv_t self:fifo_file rw_fifo_file_perms; allow ypserv_t self:process signal_perms; @@ -43486,7 +43510,7 @@ index 3e4a31c..0d16edc 100644 allow ypserv_t self:netlink_route_socket r_netlink_socket_perms; allow ypserv_t self:tcp_socket connected_stream_socket_perms; allow ypserv_t self:udp_socket create_socket_perms; -@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t) +@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t) kernel_list_proc(ypserv_t) kernel_read_proc_symlinks(ypserv_t) @@ -43494,7 +43518,7 @@ index 3e4a31c..0d16edc 100644 corenet_all_recvfrom_netlabel(ypserv_t) corenet_tcp_sendrecv_generic_if(ypserv_t) corenet_udp_sendrecv_generic_if(ypserv_t) -@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) +@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t) corenet_udp_sendrecv_all_ports(ypserv_t) corenet_tcp_bind_generic_node(ypserv_t) corenet_udp_bind_generic_node(ypserv_t) @@ -43532,7 +43556,7 @@ index 3e4a31c..0d16edc 100644 nis_domtrans_ypxfr(ypserv_t) -@@ -310,8 +306,8 @@ optional_policy(` +@@ -310,8 +310,8 @@ optional_policy(` # ypxfr local policy # @@ -43543,7 +43567,7 @@ index 3e4a31c..0d16edc 100644 allow ypxfr_t self:tcp_socket create_stream_socket_perms; allow ypxfr_t self:udp_socket create_socket_perms; allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms; -@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; +@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms; manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t) files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file) @@ -43551,7 +43575,7 @@ index 3e4a31c..0d16edc 100644 corenet_all_recvfrom_netlabel(ypxfr_t) corenet_tcp_sendrecv_generic_if(ypxfr_t) corenet_udp_sendrecv_generic_if(ypxfr_t) -@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) +@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t) corenet_udp_sendrecv_all_ports(ypxfr_t) corenet_tcp_bind_generic_node(ypxfr_t) corenet_udp_bind_generic_node(ypxfr_t) @@ -48201,10 +48225,10 @@ index 0000000..407386d +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..45e60e5 +index 0000000..894ce1c --- /dev/null +++ b/openshift.te -@@ -0,0 +1,526 @@ +@@ -0,0 +1,530 @@ +policy_module(openshift,1.0.0) + +gen_require(` @@ -48728,6 +48752,10 @@ index 0000000..45e60e5 +') + +optional_policy(` ++ quota_read_db(openshift_cron_t) ++') ++ ++optional_policy(` + ssh_exec_keygen(openshift_cron_t) + ssh_dontaudit_read_server_keys(openshift_cron_t) +') @@ -81326,10 +81354,10 @@ index 0000000..bfcd2c7 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..aaf768a +index 0000000..49cd645 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,137 @@ +@@ -0,0 +1,138 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -81424,6 +81452,7 @@ index 0000000..aaf768a +userdom_dontaudit_setattr_user_tmp(thumb_t) +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) ++userdom_exec_user_home_content_files(thumb_t) +userdom_write_user_tmp_files(thumb_t) +userdom_read_home_audio_files(thumb_t) +userdom_home_reader(thumb_t) @@ -82357,7 +82386,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..0bd0be9 100644 +index 7116181..7a80e6d 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -82370,9 +82399,12 @@ index 7116181..0bd0be9 100644 type tuned_var_run_t; files_pid_file(tuned_var_run_t) -@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t) +@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t) + # Local policy + # - allow tuned_t self:capability { sys_admin sys_nice }; +-allow tuned_t self:capability { sys_admin sys_nice }; ++allow tuned_t self:capability { sys_admin sys_nice sys_rawio }; dontaudit tuned_t self:capability { dac_override sys_tty_config }; -allow tuned_t self:process { setsched signal }; +allow tuned_t self:process { setsched signal }; @@ -85655,7 +85687,7 @@ index 9dec06c..b991ec7 100644 + allow svirt_lxc_domain $1:process sigchld; ') diff --git a/virt.te b/virt.te -index 1f22fba..e780b1b 100644 +index 1f22fba..64e638c 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ @@ -86524,7 +86556,7 @@ index 1f22fba..e780b1b 100644 +# virtual domains common policy +# +allow virt_domain self:capability2 compromise_kernel; -+allow virt_domain self:process { setrlimit signal_perms getsched }; ++allow virt_domain self:process { setrlimit signal_perms getsched setsched }; +allow virt_domain self:fifo_file rw_fifo_file_perms; +allow virt_domain self:shm create_shm_perms; +allow virt_domain self:unix_stream_socket create_stream_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index b22aa16..2989464 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 23%{?dist} +Release: 24%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -526,6 +526,28 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Mar 26 2013 Miroslav Grepl 3.12.1-24 +- Add labeling for /usr/share/pki +- Allow programs that read var_run_t symlinks also read var_t symlinks +- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports +- Fix labeling for /etc/dhcp directory +- add missing systemd_stub_unit_file() interface +- Add files_stub_var() interface +- Add lables for cert_t directories +- Make localectl set-x11-keymap working at all +- Allow abrt to manage mock build environments to catch build problems. +- Allow virt_domains to setsched for running gdb on itself +- Allow thumb_t to execute user home content +- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000 +- Allow certwatch to execut /usr/bin/httpd +- Allow cgred to send signal perms to itself, needs back port to RHEL6 +- Allow openshift_cron_t to look at quota +- Allow cups_t to read inhered tmpfs_t from the kernel +- Allow yppasswdd to use NIS +- Tuned wants sys_rawio capability +- Add ftpd_use_fusefs boolean +- Allow dirsrvadmin_t to signal itself + * Wed Mar 20 2013 Miroslav Grepl 3.12.1-23 - Allow localectl to read /etc/X11/xorg.conf.d directory - Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""