diff --git a/docker-selinux.tgz b/docker-selinux.tgz index a7af2a1..53d3064 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2b4a386..eae8615 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -868,7 +868,7 @@ index 3a45f23..ee7d7b3 100644 constrain socket_class_set { create relabelto relabelfrom } ( diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors -index a94b169..2e137e6 100644 +index a94b169..d0a8a5b 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -329,6 +329,7 @@ class process @@ -879,7 +879,7 @@ index a94b169..2e137e6 100644 } -@@ -393,6 +394,13 @@ class system +@@ -393,6 +394,15 @@ class system syslog_mod syslog_console module_request @@ -890,10 +890,12 @@ index a94b169..2e137e6 100644 + enable + disable + reload ++ stop ++ start } # -@@ -443,10 +451,13 @@ class capability +@@ -443,10 +453,13 @@ class capability class capability2 { mac_override # unused by SELinux @@ -908,7 +910,7 @@ index a94b169..2e137e6 100644 } # -@@ -690,6 +701,8 @@ class nscd +@@ -690,6 +703,8 @@ class nscd shmemhost getserv shmemserv @@ -917,7 +919,7 @@ index a94b169..2e137e6 100644 } # Define the access vector interpretation for controlling -@@ -831,6 +844,38 @@ inherits socket +@@ -831,6 +846,38 @@ inherits socket attach_queue } @@ -956,7 +958,7 @@ index a94b169..2e137e6 100644 class x_pointer inherits x_device -@@ -865,3 +910,18 @@ inherits database +@@ -865,3 +912,18 @@ inherits database implement execute } @@ -6397,7 +6399,7 @@ index b31c054..50a45cf 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..3f6a351 100644 +index 76f285e..c542dd3 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -7353,7 +7355,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -3144,6 +3686,60 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3686,61 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -7407,6 +7409,7 @@ index 76f285e..3f6a351 100644 + ') + + read_chr_files_pattern($1, device_t, nvme_device_t) ++ read_blk_files_pattern($1, device_t, nvme_device_t) +') + +######################################## @@ -7414,7 +7417,7 @@ index 76f285e..3f6a351 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3759,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3760,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7439,7 +7442,7 @@ index 76f285e..3f6a351 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3868,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3869,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7466,7 +7469,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -3262,12 +3894,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3895,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7483,7 +7486,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -3399,7 +4032,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4033,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7492,7 +7495,7 @@ index 76f285e..3f6a351 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4046,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4047,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -7501,7 +7504,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -3855,7 +4488,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4489,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7510,7 +7513,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -3863,91 +4496,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4497,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7621,7 +7624,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -3955,68 +4586,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4587,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -7700,7 +7703,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4024,114 +4640,97 @@ interface(`dev_rw_sysfs',` +@@ -4024,114 +4641,97 @@ interface(`dev_rw_sysfs',` ## ## # @@ -7845,7 +7848,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4139,35 +4738,50 @@ interface(`dev_getattr_generic_usb_dev',` +@@ -4139,35 +4739,50 @@ interface(`dev_getattr_generic_usb_dev',` ## ## # @@ -7904,7 +7907,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4175,7 +4789,254 @@ interface(`dev_read_generic_usb_dev',` +@@ -4175,7 +4790,254 @@ interface(`dev_read_generic_usb_dev',` ## ## # @@ -8160,7 +8163,7 @@ index 76f285e..3f6a351 100644 gen_require(` type device_t, usb_device_t; ') -@@ -4330,28 +5191,180 @@ interface(`dev_search_usbfs',` +@@ -4330,28 +5192,180 @@ interface(`dev_search_usbfs',` ######################################## ## @@ -8350,7 +8353,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4359,19 +5372,17 @@ interface(`dev_list_usbfs',` +@@ -4359,19 +5373,17 @@ interface(`dev_list_usbfs',` ## ## # @@ -8374,7 +8377,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4379,19 +5390,17 @@ interface(`dev_setattr_usbfs_files',` +@@ -4379,19 +5391,17 @@ interface(`dev_setattr_usbfs_files',` ## ## # @@ -8398,7 +8401,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4399,37 +5408,36 @@ interface(`dev_read_usbfs',` +@@ -4399,37 +5409,36 @@ interface(`dev_read_usbfs',` ## ## # @@ -8447,7 +8450,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4437,18 +5445,18 @@ interface(`dev_getattr_video_dev',` +@@ -4437,18 +5446,18 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -8471,7 +8474,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4456,17 +5464,17 @@ interface(`dev_rw_userio_dev',` +@@ -4456,17 +5465,17 @@ interface(`dev_rw_userio_dev',` ## ## # @@ -8493,7 +8496,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4474,36 +5482,35 @@ interface(`dev_dontaudit_getattr_video_dev',` +@@ -4474,36 +5483,35 @@ interface(`dev_dontaudit_getattr_video_dev',` ## ## # @@ -8539,7 +8542,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4511,17 +5518,17 @@ interface(`dev_dontaudit_setattr_video_dev',` +@@ -4511,17 +5519,17 @@ interface(`dev_dontaudit_setattr_video_dev',` ## ## # @@ -8561,7 +8564,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4529,17 +5536,17 @@ interface(`dev_read_video_dev',` +@@ -4529,17 +5537,17 @@ interface(`dev_read_video_dev',` ## ## # @@ -8583,7 +8586,7 @@ index 76f285e..3f6a351 100644 ## ## ## -@@ -4547,12 +5554,12 @@ interface(`dev_write_video_dev',` +@@ -4547,12 +5555,12 @@ interface(`dev_write_video_dev',` ## ## # @@ -8598,7 +8601,7 @@ index 76f285e..3f6a351 100644 ') ######################################## -@@ -4630,6 +5637,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5638,24 @@ interface(`dev_write_watchdog',` ######################################## ## @@ -8623,7 +8626,7 @@ index 76f285e..3f6a351 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5787,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5788,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8668,7 +8671,7 @@ index 76f285e..3f6a351 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5914,1019 @@ interface(`dev_unconfined',` +@@ -4851,3 +5915,1019 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -10963,7 +10966,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..89768e5 100644 +index f962f76..f0133ab 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -17042,7 +17045,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6237,129 +8499,118 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8499,119 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17142,12 +17145,13 @@ index f962f76..89768e5 100644 - attribute pidfile; - type var_t, var_run_t; + attribute file_type; ++ type unlabeled_t; ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) -+ allow $1 file_type:file entrypoint; ++ allow $1 {file_type -unlabeled_t} :file entrypoint; ') ######################################## @@ -17211,7 +17215,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6367,18 +8618,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8619,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17236,7 +17240,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6386,132 +8638,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8639,227 @@ interface(`files_search_spool',` ## ## # @@ -17510,7 +17514,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6519,53 +8866,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8867,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17568,7 +17572,7 @@ index f962f76..89768e5 100644 ## ## ## -@@ -6573,10 +8884,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8885,10 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -36598,7 +36602,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..528f36a 100644 +index 17eda24..5559333 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -37735,7 +37739,7 @@ index 17eda24..528f36a 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1405,60 @@ optional_policy(` +@@ -857,21 +1405,62 @@ optional_policy(` ') optional_policy(` @@ -37743,6 +37747,7 @@ index 17eda24..528f36a 100644 + virt_stream_connect(init_t) + virt_noatsecure(init_t) + virt_rlimitinh(init_t) ++ virt_transition_svirt_sandbox(init_t, system_r) +') + +optional_policy(` @@ -37751,6 +37756,7 @@ index 17eda24..528f36a 100644 + virt_manage_lib_files(initrc_t) virt_stream_connect(initrc_t) - virt_manage_virt_cache(initrc_t) ++ virt_transition_svirt_sandbox(initrc_t, system_r) +') + +# Cron jobs used to start and stop services @@ -37797,7 +37803,7 @@ index 17eda24..528f36a 100644 ') optional_policy(` -@@ -887,6 +1474,10 @@ optional_policy(` +@@ -887,6 +1476,10 @@ optional_policy(` ') optional_policy(` @@ -37808,7 +37814,7 @@ index 17eda24..528f36a 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1488,218 @@ optional_policy(` +@@ -897,3 +1490,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e3721a3..5a0637c 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3818,7 +3818,7 @@ index 7caefc3..754c30f 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index f6eb485..438bc20 100644 +index f6eb485..ce5dba7 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3834,15 +3834,18 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -13,118 +13,126 @@ +@@ -11,120 +11,233 @@ + ## + ## # - template(`apache_content_template',` +-template(`apache_content_template',` ++template(`apache_user_content_template',` gen_require(` - attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type; - attribute httpd_script_domains, httpd_htaccess_type; + attribute httpd_exec_scripts, httpd_script_exec_type; type httpd_t, httpd_suexec_t; -+ attribute httpd_script_type, httpd_content_type; ++ attribute httpd_script_type, httpd_user_content_type; ') - ######################################## @@ -3878,41 +3881,136 @@ index f6eb485..438bc20 100644 - type httpd_$1_rw_content_t, httpdcontent; # customizable - typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t }; - files_type(httpd_$1_rw_content_t) -- ++ #This type is for webpages ++ type $1_content_t; # customizable; ++ typeattribute $1_content_t httpd_user_content_type; ++ typealias $1_content_t alias httpd_$1_script_ro_t; ++ files_type($1_content_t) ++ ++ # This type is used for .htaccess files ++ type $1_htaccess_t, httpd_content_type; # customizable; ++ typeattribute $1_htaccess_t httpd_user_content_type; ++ files_type($1_htaccess_t) ++ ++ # Type that CGI scripts run as ++ type $1_script_t, httpd_script_type; ++ domain_type($1_script_t) ++ role system_r types $1_script_t; ++ ++ kernel_read_system_state($1_script_t) ++ ++ # This type is used for executable scripts files ++ type $1_script_exec_t, httpd_script_exec_type; # customizable; ++ typeattribute $1_script_exec_t httpd_user_content_type; ++ domain_entry_file($1_script_t, $1_script_exec_t) ++ ++ type $1_rw_content_t; # customizable ++ typeattribute $1_rw_content_t httpd_user_content_type; ++ typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t }; ++ files_type($1_rw_content_t) ++ ++ type $1_ra_content_t, httpd_content_type; # customizable ++ typeattribute $1_ra_content_t httpd_user_content_type; ++ typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t }; ++ files_type($1_ra_content_t) ++ ++ # Allow the script process to search the cgi directory, and users directory ++ allow $1_script_t $1_content_t:dir search_dir_perms; ++ ++ can_exec($1_script_t, $1_script_exec_t) ++ allow $1_script_t $1_script_exec_t:dir list_dir_perms; ++ allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t) ++ ++ allow $1_script_t $1_content_t:dir list_dir_perms; ++ read_files_pattern($1_script_t, $1_content_t, $1_content_t) ++ read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t) ++ ++ manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t) ++ ++ allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write }; ++ ++ # Allow the web server to run scripts and serve pages ++ tunable_policy(`httpd_builtin_scripting',` ++ manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) ++ rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t) + - type httpd_$1_ra_content_t, httpdcontent; # customizable - typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; - files_type(httpd_$1_ra_content_t) -- ++ allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms }; ++ read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) ++ read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t) + - ######################################## - # - # Policy - # -- ++ ') + - can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) -- ++ tunable_policy(`httpd_enable_cgi',` ++ allow $1_script_t $1_script_exec_t:file entrypoint; + - allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms }; - allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms; -- ++ domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t) + - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms; - allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms; -- ++ # privileged users run the script: ++ domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) + - manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) - files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file }) -- ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; + - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms; - allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms; - allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms; -- ++ # apache runs the script: ++ domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) ++ allow httpd_t $1_script_t:unix_dgram_socket sendto; ++ ') ++') + - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) -- ') -- ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`apache_content_template',` ++ gen_require(` ++ attribute httpd_exec_scripts, httpd_script_exec_type; ++ type httpd_t, httpd_suexec_t; ++ attribute httpd_script_type, httpd_content_type; + ') + + #This type is for webpages + type $1_content_t; # customizable; + typeattribute $1_content_t httpd_content_type; @@ -4013,11 +4111,11 @@ index f6eb485..438bc20 100644 - ') + # privileged users run the script: + domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t) ++ ++ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) -+ allow httpd_exec_scripts $1_script_exec_t:file read_file_perms; -+ + # apache runs the script: + domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t) + allow httpd_t $1_script_t:unix_dgram_socket sendto; @@ -4056,7 +4154,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -133,47 +141,61 @@ template(`apache_content_template',` +@@ -133,47 +246,61 @@ template(`apache_content_template',` ## ## ## @@ -4147,7 +4245,7 @@ index f6eb485..438bc20 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +206,7 @@ interface(`apache_role',` +@@ -184,7 +311,7 @@ interface(`apache_role',` ######################################## ## @@ -4156,7 +4254,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -204,7 +226,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +331,7 @@ interface(`apache_read_user_scripts',` ######################################## ## @@ -4165,7 +4263,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -224,7 +246,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +351,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -4174,7 +4272,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -241,27 +263,47 @@ interface(`apache_domtrans',` +@@ -241,27 +368,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -4229,7 +4327,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -279,7 +321,7 @@ interface(`apache_signal',` +@@ -279,7 +426,7 @@ interface(`apache_signal',` ######################################## ## @@ -4238,7 +4336,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -297,7 +339,7 @@ interface(`apache_signull',` +@@ -297,7 +444,7 @@ interface(`apache_signull',` ######################################## ## @@ -4247,7 +4345,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -315,8 +357,7 @@ interface(`apache_sigchld',` +@@ -315,8 +462,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -4257,7 +4355,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -334,8 +375,8 @@ interface(`apache_use_fds',` +@@ -334,8 +480,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -4268,18 +4366,16 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -348,13 +389,32 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +494,32 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') - dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms; + dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to read and --## write httpd unix domain stream sockets. ++') ++ ++######################################## ++## +## Allow attempts to read and write Apache +## unix domain stream sockets. +## @@ -4295,16 +4391,18 @@ index f6eb485..438bc20 100644 + ') + + allow $1 httpd_t:unix_stream_socket { getattr read write }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read and +-## write httpd unix domain stream sockets. +## Do not audit attempts to read and write Apache +## unix domain stream sockets. ## ## ## -@@ -367,13 +427,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -367,13 +532,13 @@ interface(`apache_dontaudit_rw_stream_sockets',` type httpd_t; ') @@ -4321,7 +4419,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -391,8 +451,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +556,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -4331,7 +4429,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -417,7 +476,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +581,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -4341,7 +4439,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -435,7 +495,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +600,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -4351,7 +4449,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -453,7 +514,8 @@ interface(`apache_list_cache',` +@@ -453,7 +619,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -4361,7 +4459,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -471,7 +533,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +638,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -4371,7 +4469,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -489,7 +552,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +657,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -4381,7 +4479,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -507,49 +571,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +676,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -4444,7 +4542,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -570,8 +636,8 @@ interface(`apache_manage_config',` +@@ -570,8 +741,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -4455,7 +4553,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -608,16 +674,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +779,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -4497,7 +4595,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -639,7 +727,8 @@ interface(`apache_read_log',` +@@ -639,7 +832,8 @@ interface(`apache_read_log',` ######################################## ## @@ -4507,7 +4605,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -657,10 +746,29 @@ interface(`apache_append_log',` +@@ -657,10 +851,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -4539,7 +4637,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -678,8 +786,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +891,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -4550,7 +4648,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -687,20 +795,21 @@ interface(`apache_dontaudit_append_log',` +@@ -687,20 +900,21 @@ interface(`apache_dontaudit_append_log',` ## ## # @@ -4580,7 +4678,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -708,19 +817,21 @@ interface(`apache_manage_log',` +@@ -708,19 +922,21 @@ interface(`apache_manage_log',` ## ## # @@ -4606,7 +4704,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -738,7 +849,8 @@ interface(`apache_dontaudit_search_modules',` +@@ -738,7 +954,8 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -4616,7 +4714,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -746,17 +858,19 @@ interface(`apache_dontaudit_search_modules',` +@@ -746,17 +963,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # @@ -4639,7 +4737,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -764,19 +878,19 @@ interface(`apache_list_modules',` +@@ -764,19 +983,19 @@ interface(`apache_list_modules',` ## ## # @@ -4663,7 +4761,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -784,19 +898,19 @@ interface(`apache_exec_modules',` +@@ -784,19 +1003,19 @@ interface(`apache_exec_modules',` ## ## # @@ -4688,7 +4786,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -809,13 +923,50 @@ interface(`apache_domtrans_rotatelogs',` +@@ -809,13 +1028,50 @@ interface(`apache_domtrans_rotatelogs',` type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ') @@ -4741,7 +4839,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -829,13 +980,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +1085,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4758,7 +4856,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -844,6 +996,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +1101,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4766,37 +4864,17 @@ index f6eb485..438bc20 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +1008,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +1113,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') -######################################## +###################################### -+## -+## Allow the specified domain to read -+## apache system content rw files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`apache_read_sys_content_rw_files',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ -+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) -+') -+ -+###################################### ## -## Create, read, write, and delete -## httpd system rw content. +## Allow the specified domain to read -+## apache system content rw dirs. ++## apache system content rw files. ## ## ## @@ -4806,12 +4884,32 @@ index f6eb485..438bc20 100644 +## # -interface(`apache_manage_sys_rw_content',` -+interface(`apache_read_sys_content_rw_dirs',` ++interface(`apache_read_sys_content_rw_files',` gen_require(` type httpd_sys_rw_content_t; ') - apache_search_sys_content($1) ++ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to read ++## apache system content rw dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`apache_read_sys_content_rw_dirs',` ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -4873,7 +4971,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -888,10 +1107,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1212,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4892,7 +4990,7 @@ index f6eb485..438bc20 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1127,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1232,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4904,7 +5002,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -916,7 +1141,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` +@@ -916,7 +1246,7 @@ interface(`apache_dontaudit_rw_sys_script_stream_sockets',` type httpd_sys_script_t; ') @@ -4913,7 +5011,7 @@ index f6eb485..438bc20 100644 ') ######################################## -@@ -941,7 +1166,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1271,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4922,7 +5020,7 @@ index f6eb485..438bc20 100644 ## to the specified role. ## ## -@@ -954,6 +1179,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1284,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4930,7 +5028,7 @@ index f6eb485..438bc20 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1192,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1297,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4940,7 +5038,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -979,12 +1206,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1311,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4956,7 +5054,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1002,7 +1230,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1335,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4965,7 +5063,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1015,13 +1243,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1348,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4980,7 +5078,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1041,7 +1268,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1373,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4989,7 +5087,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1059,8 +1286,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1391,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4999,7 +5097,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1071,18 +1297,21 @@ interface(`apache_search_sys_scripts',` +@@ -1071,18 +1402,21 @@ interface(`apache_search_sys_scripts',` # interface(`apache_manage_all_user_content',` gen_require(` @@ -5027,7 +5125,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1100,7 +1329,8 @@ interface(`apache_search_sys_script_state',` +@@ -1100,7 +1434,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -5037,7 +5135,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1117,10 +1347,29 @@ interface(`apache_read_tmp_files',` +@@ -1117,10 +1452,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -5069,7 +5167,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1133,7 +1382,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1133,7 +1487,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -5078,7 +5176,7 @@ index f6eb485..438bc20 100644 ') ######################################## -@@ -1142,6 +1391,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1142,6 +1496,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -5088,7 +5186,7 @@ index f6eb485..438bc20 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1171,8 +1423,31 @@ interface(`apache_cgi_domain',` +@@ -1171,8 +1528,31 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -5122,7 +5220,7 @@ index f6eb485..438bc20 100644 ## ## ## -@@ -1189,18 +1464,19 @@ interface(`apache_cgi_domain',` +@@ -1189,18 +1569,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -5151,7 +5249,7 @@ index f6eb485..438bc20 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1210,10 +1486,10 @@ interface(`apache_admin',` +@@ -1210,10 +1591,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -5165,7 +5263,7 @@ index f6eb485..438bc20 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1224,9 +1500,182 @@ interface(`apache_admin',` +@@ -1224,9 +1605,182 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -5301,9 +5399,7 @@ index f6eb485..438bc20 100644 + type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t; + type httpd_user_content_ra_t; + ') - -- apache_run_all_scripts($1, $2) -- apache_run_helper($1, $2) ++ + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www") + userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web") @@ -5311,7 +5407,9 @@ index f6eb485..438bc20 100644 + filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs") + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") +') -+ + +- apache_run_all_scripts($1, $2) +- apache_run_helper($1, $2) +######################################## +## +## Read apache pid files. @@ -5353,7 +5451,7 @@ index f6eb485..438bc20 100644 + ps_process_pattern(httpd_t, $1) ') diff --git a/apache.te b/apache.te -index 6649962..1862dfb 100644 +index 6649962..84717e1 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -5926,7 +6024,7 @@ index 6649962..1862dfb 100644 files_tmpfs_file(httpd_tmpfs_t) -apache_content_template(user) -+apache_content_template(httpd_user) ++apache_user_content_template(httpd_user) ubac_constrained(httpd_user_script_t) + +typeattribute httpd_user_content_t httpdcontent; @@ -7193,11 +7291,11 @@ index 6649962..1862dfb 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -- --append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +allow httpd_sys_script_t self:process getsched; +-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - @@ -7338,14 +7436,14 @@ index 6649962..1862dfb 100644 -# -# System script local policy -# -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -allow httpd_sys_script_t self:tcp_socket { accept listen }; - -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; @@ -7523,14 +7621,15 @@ index 6649962..1862dfb 100644 ') ######################################## -@@ -1330,49 +1628,38 @@ optional_policy(` +@@ -1330,49 +1628,40 @@ optional_policy(` # User content local policy # -tunable_policy(`httpd_enable_homedirs',` - userdom_search_user_home_dirs(httpd_user_script_t) -') -- ++auth_use_nsswitch(httpd_user_script_t) + -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` - fs_list_auto_mountpoints(httpd_user_script_t) - fs_read_cifs_files(httpd_user_script_t) @@ -7539,13 +7638,6 @@ index 6649962..1862dfb 100644 - -tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_user_script_t) --') -+auth_use_nsswitch(httpd_user_script_t) - --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -- fs_list_auto_mountpoints(httpd_user_script_t) -- fs_read_nfs_files(httpd_user_script_t) -- fs_read_nfs_symlinks(httpd_user_script_t) +tunable_policy(`httpd_enable_cgi && httpd_unified',` + allow httpd_user_script_t httpdcontent:file entrypoint; + manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t) @@ -7554,13 +7646,20 @@ index 6649962..1862dfb 100644 + manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t) ') --tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_user_script_t) +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +- fs_list_auto_mountpoints(httpd_user_script_t) +- fs_read_nfs_files(httpd_user_script_t) +- fs_read_nfs_symlinks(httpd_user_script_t) +-') +# allow accessing files/dirs below the users home dir +tunable_policy(`httpd_enable_homedirs',` + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) + +-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_user_script_t) ++ read_files_pattern(httpd_t, httpd_user_content_type, httpd_user_content_type) ') tunable_policy(`httpd_read_user_content',` @@ -7588,7 +7687,7 @@ index 6649962..1862dfb 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1669,109 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1671,109 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -29471,7 +29570,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..8bfc879 100644 +index 36838c2..2812a63 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -29517,7 +29616,22 @@ index 36838c2..8bfc879 100644 ## ##

-@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t) +@@ -66,14 +73,6 @@ gen_tunable(ftpd_connect_all_unreserved, false) + + ## + ##

+-## Determine whether ftpd can read and write +-## files in user home directories. +-##

+-## +-gen_tunable(ftp_home_dir, false) +- +-## +-##

+ ## Determine whether sftpd can modify + ## public files used for public file + ## transfer services. Directories/Files must +@@ -124,6 +123,9 @@ files_config_file(ftpd_etc_t) type ftpd_initrc_exec_t; init_script_file(ftpd_initrc_exec_t) @@ -29527,7 +29641,7 @@ index 36838c2..8bfc879 100644 type ftpd_keytab_t; files_type(ftpd_keytab_t) -@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; +@@ -184,6 +186,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms; allow ftpd_t ftpd_lock_t:file manage_file_perms; files_lock_filetrans(ftpd_t, ftpd_lock_t, file) @@ -29537,7 +29651,7 @@ index 36838c2..8bfc879 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -198,22 +211,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) +@@ -198,22 +203,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; @@ -29564,7 +29678,7 @@ index 36838c2..8bfc879 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -229,9 +239,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -229,9 +231,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -29578,7 +29692,7 @@ index 36838c2..8bfc879 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -250,7 +263,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -250,7 +255,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -29586,7 +29700,7 @@ index 36838c2..8bfc879 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +271,50 @@ sysnet_use_ldap(ftpd_t) +@@ -259,32 +263,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) @@ -29644,35 +29758,57 @@ index 36838c2..8bfc879 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -304,22 +334,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -304,44 +326,24 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) - corenet_sendrecv_oracledb_client_packets(ftpd_t) - corenet_tcp_connect_oracledb_port(ftpd_t) - corenet_tcp_sendrecv_oracledb_port(ftpd_t) +-') +- +-tunable_policy(`ftp_home_dir',` +- allow ftpd_t self:capability { dac_override dac_read_search }; +- +- userdom_manage_user_home_content_dirs(ftpd_t) +- userdom_manage_user_home_content_files(ftpd_t) +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) +- userdom_manage_user_tmp_dirs(ftpd_t) +- userdom_manage_user_tmp_files(ftpd_t) +- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) +-',` +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) +- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) + corenet_sendrecv_oracle_client_packets(ftpd_t) + corenet_tcp_connect_oracle_port(ftpd_t) + corenet_tcp_sendrecv_oracle_port(ftpd_t) ') - tunable_policy(`ftp_home_dir',` - allow ftpd_t self:capability { dac_override dac_read_search }; +-tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` ++tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(ftpd_t) + fs_manage_nfs_files(ftpd_t) + fs_manage_nfs_symlinks(ftpd_t) + ') -- userdom_manage_user_home_content_dirs(ftpd_t) -- userdom_manage_user_home_content_files(ftpd_t) -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) -+ userdom_manage_all_user_home_type_dirs(ftpd_t) -+ userdom_manage_all_user_home_type_files(ftpd_t) - userdom_manage_user_tmp_dirs(ftpd_t) - userdom_manage_user_tmp_files(ftpd_t) -- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) - ',` -- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) - userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) +-tunable_policy(`ftp_home_dir && use_samba_home_dirs',` ++tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(ftpd_t) + fs_manage_cifs_files(ftpd_t) + fs_manage_cifs_symlinks(ftpd_t) ') -@@ -363,9 +390,8 @@ optional_policy(` + optional_policy(` +- tunable_policy(`ftp_home_dir',` +- apache_search_sys_content(ftpd_t) +- ') +-') +- +-optional_policy(` + corecmd_exec_shell(ftpd_t) + + files_read_usr_files(ftpd_t) +@@ -363,9 +365,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -29683,7 +29819,7 @@ index 36838c2..8bfc879 100644 kerberos_use(ftpd_t) ') -@@ -416,21 +442,20 @@ optional_policy(` +@@ -416,21 +417,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -29707,7 +29843,7 @@ index 36838c2..8bfc879 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -443,23 +468,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -443,23 +443,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -29748,7 +29884,7 @@ index 36838c2..8bfc879 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -481,21 +517,8 @@ tunable_policy(`sftpd_anon_write',` +@@ -481,21 +492,8 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -49815,7 +49951,7 @@ index 6fcfc31..e9e6bc5 100644 +/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0) +/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0) diff --git a/mongodb.te b/mongodb.te -index 169f236..f19680b 100644 +index 169f236..eaaeb0d 100644 --- a/mongodb.te +++ b/mongodb.te @@ -12,6 +12,9 @@ init_daemon_domain(mongod_t, mongod_exec_t) @@ -49861,7 +49997,7 @@ index 169f236..f19680b 100644 manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t) -@@ -41,21 +51,44 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) +@@ -41,21 +51,46 @@ files_var_lib_filetrans(mongod_t, mongod_var_lib_t, dir) manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t) @@ -49898,6 +50034,8 @@ index 169f236..f19680b 100644 -miscfiles_read_localization(mongod_t) +auth_use_nsswitch(mongod_t) + ++logging_send_syslog_msg(mongod_t) ++ +optional_policy(` + mysql_stream_connect(mongod_t) +') @@ -60214,10 +60352,10 @@ index bcd7d0a..0188086 100644 + unconfined_dontaudit_rw_packet_sockets(nscd_t) +') diff --git a/nsd.fc b/nsd.fc -index 4f2b1b6..adea830 100644 +index 4f2b1b6..6b300d5 100644 --- a/nsd.fc +++ b/nsd.fc -@@ -1,16 +1,17 @@ +@@ -1,16 +1,19 @@ -/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0) -/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0) @@ -60245,6 +60383,8 @@ index 4f2b1b6..adea830 100644 +/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0) /var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0) ++ ++/var/log/nsd\.log -- gen_context(system_u:object_r:nsd_log_t,s0) diff --git a/nsd.if b/nsd.if index a9c60ff..ad4f14a 100644 --- a/nsd.if @@ -60335,7 +60475,7 @@ index a9c60ff..ad4f14a 100644 + refpolicywarn(`$0($*) has been deprecated.') ') diff --git a/nsd.te b/nsd.te -index 47bb1d2..17db1a1 100644 +index 47bb1d2..5cc2b26 100644 --- a/nsd.te +++ b/nsd.te @@ -9,9 +9,7 @@ type nsd_t; @@ -60349,13 +60489,15 @@ index 47bb1d2..17db1a1 100644 type nsd_conf_t; files_type(nsd_conf_t) -@@ -20,32 +18,31 @@ domain_type(nsd_crond_t) +@@ -20,41 +18,50 @@ domain_type(nsd_crond_t) domain_entry_file(nsd_crond_t, nsd_exec_t) role system_r types nsd_crond_t; -type nsd_db_t; -files_type(nsd_db_t) -- ++type nsd_log_t; ++logging_log_file(nsd_log_t) + type nsd_var_run_t; files_pid_file(nsd_var_run_t) @@ -60393,7 +60535,12 @@ index 47bb1d2..17db1a1 100644 manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t) files_pid_filetrans(nsd_t, nsd_var_run_t, file) -@@ -55,6 +52,10 @@ manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + ++manage_files_pattern(nsd_t, nsd_log_t, nsd_log_t) ++logging_log_filetrans(nsd_t, nsd_log_t, file) ++ + manage_dirs_pattern(nsd_t, nsd_zone_t, nsd_zone_t) + manage_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) manage_lnk_files_pattern(nsd_t, nsd_zone_t, nsd_zone_t) files_var_lib_filetrans(nsd_t, nsd_zone_t, dir) @@ -60404,7 +60551,7 @@ index 47bb1d2..17db1a1 100644 can_exec(nsd_t, nsd_exec_t) kernel_read_system_state(nsd_t) -@@ -62,7 +63,6 @@ kernel_read_kernel_sysctls(nsd_t) +@@ -62,7 +69,6 @@ kernel_read_kernel_sysctls(nsd_t) corecmd_exec_bin(nsd_t) @@ -60412,7 +60559,7 @@ index 47bb1d2..17db1a1 100644 corenet_all_recvfrom_netlabel(nsd_t) corenet_tcp_sendrecv_generic_if(nsd_t) corenet_udp_sendrecv_generic_if(nsd_t) -@@ -72,16 +72,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t) +@@ -72,16 +78,20 @@ corenet_tcp_sendrecv_all_ports(nsd_t) corenet_udp_sendrecv_all_ports(nsd_t) corenet_tcp_bind_generic_node(nsd_t) corenet_udp_bind_generic_node(nsd_t) @@ -60435,7 +60582,7 @@ index 47bb1d2..17db1a1 100644 fs_getattr_all_fs(nsd_t) fs_search_auto_mountpoints(nsd_t) -@@ -90,8 +94,6 @@ auth_use_nsswitch(nsd_t) +@@ -90,8 +100,6 @@ auth_use_nsswitch(nsd_t) logging_send_syslog_msg(nsd_t) @@ -60444,7 +60591,7 @@ index 47bb1d2..17db1a1 100644 userdom_dontaudit_use_unpriv_user_fds(nsd_t) userdom_dontaudit_search_user_home_dirs(nsd_t) -@@ -105,23 +107,24 @@ optional_policy(` +@@ -105,23 +113,24 @@ optional_policy(` ######################################## # @@ -60477,7 +60624,7 @@ index 47bb1d2..17db1a1 100644 manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t) filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file) -@@ -133,29 +136,33 @@ kernel_read_system_state(nsd_crond_t) +@@ -133,29 +142,33 @@ kernel_read_system_state(nsd_crond_t) corecmd_exec_bin(nsd_crond_t) corecmd_exec_shell(nsd_crond_t) @@ -99587,12 +99734,14 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..4f4bdb3 +index 0000000..34f7846 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1,14 @@ +@@ -0,0 +1,16 @@ +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) + ++/usr/lib/snapper/systemd-helper -- gen_context(system_u:object_r:snapperd_exec_t,s0) ++ +/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) +/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) + @@ -99607,10 +99756,10 @@ index 0000000..4f4bdb3 +/home/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) diff --git a/snapper.if b/snapper.if new file mode 100644 -index 0000000..ed76979 +index 0000000..88490d5 --- /dev/null +++ b/snapper.if -@@ -0,0 +1,80 @@ +@@ -0,0 +1,99 @@ + +##

policy for snapperd + @@ -99672,6 +99821,25 @@ index 0000000..ed76979 + allow $1 snapperd_t:fifo_file read_inherited_file_perms; +') + ++######################################## ++## ++## Allow a domain to relabel snapshots to snapperd_data_t ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`snapper_relabel_snapshots',` ++ gen_require(` ++ type snapperd_data_t; ++ ') ++ ++ kernel_relabelfrom_unlabeled_dirs($1) ++ allow $1 snapperd_data_t:dir relabelto; ++') ++ +####################################### +## +## Allow domain to create .smapshot @@ -99693,10 +99861,10 @@ index 0000000..ed76979 + diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..88805d7 +index 0000000..3984dba --- /dev/null +++ b/snapper.te -@@ -0,0 +1,78 @@ +@@ -0,0 +1,82 @@ +policy_module(snapper, 1.0.0) + +######################################## @@ -99775,6 +99943,10 @@ index 0000000..88805d7 +optional_policy(` + lvm_domtrans(snapperd_t) +') ++ ++optional_policy(` ++ snapper_relabel_snapshots(snapperd_t) ++') diff --git a/snmp.fc b/snmp.fc index 2f0a2f2..1569e33 100644 --- a/snmp.fc @@ -111688,10 +111860,10 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..5e41cd6 100644 +index f03dcf5..5b78d90 100644 --- a/virt.te +++ b/virt.te -@@ -1,451 +1,395 @@ +@@ -1,451 +1,402 @@ -policy_module(virt, 1.7.4) +policy_module(virt, 1.5.0) @@ -111846,6 +112018,13 @@ index f03dcf5..5e41cd6 100644 + +## +##

++## Allow confined virtual guests to use smartcards ++##

++## ++gen_tunable(virt_use_pcscd, false) ++ ++## ++##

+## Allow sandbox containers to send audit messages + +##

@@ -111858,15 +112037,15 @@ index f03dcf5..5e41cd6 100644 +##

+## +gen_tunable(virt_sandbox_use_netlink, false) -+ + +-attribute svirt_lxc_domain; +## +##

+## Allow sandbox containers to use sys_admin system calls, for example mount +##

+## +gen_tunable(virt_sandbox_use_sys_admin, false) - --attribute svirt_lxc_domain; ++ +## +##

+## Allow sandbox containers to use mknod system calls @@ -111905,11 +112084,11 @@ index f03dcf5..5e41cd6 100644 -virt_domain_template(svirt_prot_exec) +role system_r types svirt_t; +typealias svirt_t alias qemu_t; - --type virt_cache_t alias svirt_cache_t; ++ +virt_domain_template(svirt_tcg) +role system_r types svirt_tcg_t; -+ + +-type virt_cache_t alias svirt_cache_t; +type qemu_exec_t, virt_file_type; + +type virt_cache_t alias svirt_cache_t, virt_file_type; @@ -112274,24 +112453,24 @@ index f03dcf5..5e41cd6 100644 - -dontaudit svirt_t virt_content_t:file write_file_perms; -dontaudit svirt_t virt_content_t:dir rw_dir_perms; -+allow svirt_t self:process ptrace; - +- -append_files_pattern(svirt_t, virt_home_t, virt_home_t) -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- ++allow svirt_t self:process ptrace; + -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) @@ -112397,7 +112576,7 @@ index f03dcf5..5e41cd6 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -455,42 +399,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -455,42 +406,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -112444,7 +112623,7 @@ index f03dcf5..5e41cd6 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -503,23 +434,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -503,23 +441,24 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -112477,7 +112656,7 @@ index f03dcf5..5e41cd6 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -527,24 +459,16 @@ corecmd_exec_shell(virtd_t) +@@ -527,24 +466,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -112505,7 +112684,7 @@ index f03dcf5..5e41cd6 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -555,20 +479,26 @@ dev_rw_vhost(virtd_t) +@@ -555,20 +486,26 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -112536,7 +112715,7 @@ index f03dcf5..5e41cd6 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_all_fs(virtd_t) fs_rw_anon_inodefs_files(virtd_t) -@@ -601,15 +531,18 @@ term_use_ptmx(virtd_t) +@@ -601,15 +538,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -112556,7 +112735,7 @@ index f03dcf5..5e41cd6 100644 selinux_validate_context(virtd_t) -@@ -620,18 +553,26 @@ seutil_read_file_contexts(virtd_t) +@@ -620,18 +560,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -112593,7 +112772,7 @@ index f03dcf5..5e41cd6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -640,7 +581,7 @@ tunable_policy(`virt_use_nfs',` +@@ -640,7 +588,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -112602,7 +112781,7 @@ index f03dcf5..5e41cd6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -665,20 +606,12 @@ optional_policy(` +@@ -665,20 +613,12 @@ optional_policy(` ') optional_policy(` @@ -112623,7 +112802,7 @@ index f03dcf5..5e41cd6 100644 ') optional_policy(` -@@ -691,20 +624,26 @@ optional_policy(` +@@ -691,20 +631,26 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -112634,11 +112813,12 @@ index f03dcf5..5e41cd6 100644 ') optional_policy(` +- iptables_domtrans(virtd_t) + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` - iptables_domtrans(virtd_t) ++ iptables_domtrans(virtd_t) iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + @@ -112654,7 +112834,7 @@ index f03dcf5..5e41cd6 100644 ') optional_policy(` -@@ -712,11 +651,18 @@ optional_policy(` +@@ -712,11 +658,18 @@ optional_policy(` ') optional_policy(` @@ -112673,7 +112853,7 @@ index f03dcf5..5e41cd6 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -727,10 +673,18 @@ optional_policy(` +@@ -727,10 +680,18 @@ optional_policy(` ') optional_policy(` @@ -112692,7 +112872,7 @@ index f03dcf5..5e41cd6 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +700,321 @@ optional_policy(` +@@ -746,44 +707,327 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -112782,7 +112962,7 @@ index f03dcf5..5e41cd6 100644 +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; - ++ +kernel_read_net_sysctls(virt_domain) +kernel_read_network_state(virt_domain) + @@ -112837,7 +113017,7 @@ index f03dcf5..5e41cd6 100644 +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -112968,6 +113148,12 @@ index f03dcf5..5e41cd6 100644 +') + +optional_policy(` ++ tunable_policy(`virt_use_pcscd',` ++ pcscd_stream_connect(virt_domain) ++ ') ++') ++ ++optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + ') @@ -113036,7 +113222,7 @@ index f03dcf5..5e41cd6 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1025,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1038,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -113063,7 +113249,7 @@ index f03dcf5..5e41cd6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1045,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1058,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -113080,10 +113266,10 @@ index f03dcf5..5e41cd6 100644 -logging_send_syslog_msg(virsh_t) +systemd_exec_systemctl(virsh_t) ++ ++auth_read_passwd(virsh_t) -miscfiles_read_localization(virsh_t) -+auth_read_passwd(virsh_t) -+ +logging_send_syslog_msg(virsh_t) sysnet_dns_name_resolve(virsh_t) @@ -113097,7 +113283,7 @@ index f03dcf5..5e41cd6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1082,20 @@ optional_policy(` +@@ -856,14 +1095,20 @@ optional_policy(` ') optional_policy(` @@ -113119,7 +113305,7 @@ index f03dcf5..5e41cd6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1120,66 @@ optional_policy(` +@@ -888,49 +1133,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -113204,7 +113390,7 @@ index f03dcf5..5e41cd6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1191,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1204,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -113224,7 +113410,7 @@ index f03dcf5..5e41cd6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1212,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1225,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -113248,7 +113434,7 @@ index f03dcf5..5e41cd6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1237,354 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1250,354 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -113317,7 +113503,89 @@ index f03dcf5..5e41cd6 100644 +tunable_policy(`deny_ptrace',`',` + allow svirt_sandbox_domain self:process ptrace; +') -+ + +-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; +-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- +-allow svirt_lxc_domain virtd_lxc_t:fd use; +-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virtd_lxc_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; +- +-allow svirt_lxc_domain virsh_t:fd use; +-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; +-allow svirt_lxc_domain virsh_t:process sigchld; +- +-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; +-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- +-can_exec(svirt_lxc_domain, svirt_lxc_file_t) +- +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) +-kernel_read_kernel_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_read_system_state(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-# files_entrypoint_all_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) +-files_read_usr_files(svirt_lxc_domain) +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- +-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) +-# fs_rw_inherited_cifs_files(svirt_lxc_domain) +-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) +- +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- +-miscfiles_read_localization(svirt_lxc_domain) +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; +allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; +allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; @@ -113414,8 +113682,9 @@ index f03dcf5..5e41cd6 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` + + optional_policy(` +- udev_read_pid_files(svirt_lxc_domain) + apache_exec_modules(svirt_sandbox_domain) + apache_read_sys_content(svirt_sandbox_domain) +') @@ -113431,95 +113700,12 @@ index f03dcf5..5e41cd6 100644 +optional_policy(` + ssh_use_ptys(svirt_sandbox_domain) +') - --allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; --allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; --allow svirt_lxc_domain self:fifo_file manage_file_perms; --allow svirt_lxc_domain self:sem create_sem_perms; --allow svirt_lxc_domain self:shm create_shm_perms; --allow svirt_lxc_domain self:msgq create_msgq_perms; --allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; --allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; -- --allow svirt_lxc_domain virtd_lxc_t:fd use; --allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virtd_lxc_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -- --allow svirt_lxc_domain virsh_t:fd use; --allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; --allow svirt_lxc_domain virsh_t:process sigchld; -- --allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; --allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -- --manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) --rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- --allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; --allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; -- --can_exec(svirt_lxc_domain, svirt_lxc_file_t) -- --kernel_getattr_proc(svirt_lxc_domain) --kernel_list_all_proc(svirt_lxc_domain) --kernel_read_kernel_sysctls(svirt_lxc_domain) --kernel_rw_net_sysctls(svirt_lxc_domain) --kernel_read_system_state(svirt_lxc_domain) --kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) -- --corecmd_exec_all_executables(svirt_lxc_domain) -- --files_dontaudit_getattr_all_dirs(svirt_lxc_domain) --files_dontaudit_getattr_all_files(svirt_lxc_domain) --files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) --files_dontaudit_getattr_all_pipes(svirt_lxc_domain) --files_dontaudit_getattr_all_sockets(svirt_lxc_domain) --files_dontaudit_list_all_mountpoints(svirt_lxc_domain) --files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) --# files_entrypoint_all_files(svirt_lxc_domain) --files_list_var(svirt_lxc_domain) --files_list_var_lib(svirt_lxc_domain) --files_search_all(svirt_lxc_domain) --files_read_config_files(svirt_lxc_domain) --files_read_usr_files(svirt_lxc_domain) --files_read_usr_symlinks(svirt_lxc_domain) -- --fs_getattr_all_fs(svirt_lxc_domain) --fs_list_inotifyfs(svirt_lxc_domain) -- --# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) --# fs_rw_inherited_cifs_files(svirt_lxc_domain) --# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) -- --auth_dontaudit_read_login_records(svirt_lxc_domain) --auth_dontaudit_write_login_records(svirt_lxc_domain) --auth_search_pam_console_data(svirt_lxc_domain) -- --clock_read_adjtime(svirt_lxc_domain) -- --init_read_utmp(svirt_lxc_domain) --init_dontaudit_write_utmp(svirt_lxc_domain) -- --libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -- --miscfiles_read_localization(svirt_lxc_domain) --miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) --miscfiles_read_fonts(svirt_lxc_domain) -- --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') - - optional_policy(` -- udev_read_pid_files(svirt_lxc_domain) ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) +') + @@ -113691,15 +113877,15 @@ index f03dcf5..5e41cd6 100644 + +term_use_generic_ptys(svirt_qemu_net_t) +term_use_ptmx(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +dev_rw_kvm(svirt_qemu_net_t) + +manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t) + +list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) +read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) @@ -113744,7 +113930,7 @@ index f03dcf5..5e41cd6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1597,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1610,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -113759,7 +113945,7 @@ index f03dcf5..5e41cd6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1615,7 @@ optional_policy(` +@@ -1192,7 +1628,7 @@ optional_policy(` ######################################## # @@ -113768,7 +113954,7 @@ index f03dcf5..5e41cd6 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1624,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1637,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index 88fc414..a06746b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 183%{?dist} +Release: 184%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -653,6 +653,19 @@ exit 0 %endif %changelog +* Tue Apr 26 2016 Lukas Vrabec 3.13.1-184 +- Remove ftpd_home_dir() boolean from distro policy. Reason is that we cannot make this working due to m4 macro language limits. +- Create new apache content template for files stored in user homedir. This change is needed to make working booleans: - httpd_enable_homedirs - httpd_read_user_content Resolves: rhbz#1330448 +- Label /usr/lib/snapper/systemd-helper as snapperd_exec_t. rhbz#1323732 +- Make virt_use_pcscd boolean off by default. +- Create boolean to allow virtual machine use smartcards. rhbz#1029297 +- Allow snapperd to relabel btrfs snapshot subvolume to snapperd_data_t. rhbz#1323754 +- Allow mongod log to syslog. +- Allow nsd daemon to create log file in /var/log as nsd_log_t +- unlabeled_t can not be an entrypoint. +- Modify interface den_read_nvme() to allow also read nvme_device_t block files. rhbz#1327909 +- Add new permissions stop/start to class system. rhbz#1324453 + * Mon Apr 18 2016 Lukas Vrabec 3.13.1-183 - Allow modemmanager to talk to logind - Dontaudit tor daemon needs net_admin capability. rhbz#1311788