diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index e8a0f00..48aad36 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -9454,7 +9454,7 @@ index b876c48..27f60c6 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..42fc031 100644 +index f962f76..ae94e80 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10060,7 +10060,32 @@ index f962f76..42fc031 100644 ') ############################################# -@@ -1691,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1601,6 +1953,24 @@ interface(`files_setattr_all_mountpoints',` + + ######################################## + ## ++## Set the attributes of all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir relabelto; ++') ++ ++######################################## ++## + ## Do not audit attempts to set the attributes on all mount points. + ## + ## +@@ -1691,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -10085,7 +10110,7 @@ index f962f76..42fc031 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1709,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1709,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -10128,7 +10153,7 @@ index f962f76..42fc031 100644 ## List the contents of the root directory. ## ## -@@ -1725,6 +2131,23 @@ interface(`files_list_root',` +@@ -1725,6 +2149,23 @@ interface(`files_list_root',` allow $1 root_t:dir list_dir_perms; allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; ') 
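Review bot: The summary of the new `files_relabelto_all_mountpoints` interface reads `## Set the attributes of all mount points.`, which is the summary of the neighbouring `files_setattr_all_mountpoints` (named in the hunk's inner `@@` header) rather than a description of its body `allow $1 mountpoint:dir relabelto;`. Suggest `## Relabel directories to all mount point types.` so the generated interface documentation matches what is granted. This matters for review of callers: relabelto is the target side of a relabel, so together with a relabelfrom grant it lets the domain turn directories into mount points, and a copy-pasted "set attributes" summary hides that. The parameter description `## Domain allowed access.` is correct as written.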
@@ -10152,7 +10177,7 @@ index f962f76..42fc031 100644 ######################################## ## -@@ -1765,6 +2188,26 @@ interface(`files_dontaudit_rw_root_dir',` +@@ -1765,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',` ######################################## ## @@ -10179,7 +10204,7 @@ index f962f76..42fc031 100644 ## Create an object in the root directory, with a private ## type using a type transition. ## -@@ -1892,25 +2335,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1892,25 +2353,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10211,7 +10236,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -1923,7 +2366,7 @@ interface(`files_relabel_rootfs',` +@@ -1923,7 +2384,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -10220,7 +10245,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -1946,6 +2389,24 @@ interface(`files_unmount_rootfs',` +@@ -1946,6 +2407,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -10245,7 +10270,7 @@ index f962f76..42fc031 100644 ## Get attributes of the /boot directory. ## ## -@@ -2181,6 +2642,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2181,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10270,7 +10295,7 @@ index f962f76..42fc031 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3124,24 @@ interface(`files_rw_etc_dirs',` +@@ -2645,6 +3142,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10295,7 +10320,7 @@ index f962f76..42fc031 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3213,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3231,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) 
@@ -10303,7 +10328,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -2724,7 +3222,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3240,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10312,7 +10337,7 @@ index f962f76..42fc031 100644 ## ## # -@@ -2780,6 +3278,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3296,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10338,7 +10363,7 @@ index f962f76..42fc031 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3315,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3333,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10363,7 +10388,7 @@ index f962f76..42fc031 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3498,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,24 +3516,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -10388,7 +10413,7 @@ index f962f76..42fc031 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3021,9 +3538,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3021,9 +3556,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -10399,7 +10424,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -3031,18 +3546,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3564,17 @@ interface(`files_read_etc_runtime_files',` ## ## # 
@@ -10421,16 +10446,18 @@ index f962f76..42fc031 100644 ## ## ## -@@ -3060,6 +3574,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,12 +3592,32 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## +-## Read and write files in /etc that are dynamically +## Do not audit attempts to read files +## in /etc that are dynamically -+## created on boot, such as mtab. -+## -+## -+## + ## created on boot, such as mtab. + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. +## +## @@ -10445,10 +10472,16 @@ index f962f76..42fc031 100644 + +######################################## +## - ## Read and write files in /etc that are dynamically - ## created on boot, such as mtab. - ## -@@ -3077,6 +3611,7 @@ interface(`files_rw_etc_runtime_files',` ++## Read and write files in /etc that are dynamically ++## created on boot, such as mtab. ++## ++## ++## ++## Domain allowed access. + ## + ## + ## +@@ -3077,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10456,7 +10489,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3098,6 +3633,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -10464,7 +10497,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3142,10 +3678,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3696,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -10489,9 +10522,8 @@ index f962f76..42fc031 100644 +interface(`files_getattr_isid_type',` + gen_require(` + type unlabeled_t; - ') - -- allow $1 file_t:dir getattr; ++ ') ++ + allow $1 unlabeled_t:dir_file_class_set getattr; +') + 
@@ -10509,13 +10541,14 @@ index f962f76..42fc031 100644 +interface(`files_setattr_isid_type_dirs',` + gen_require(` + type unlabeled_t; -+ ') -+ + ') + +- allow $1 file_t:dir getattr; + allow $1 unlabeled_t:dir setattr; ') ######################################## -@@ -3161,10 +3735,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3753,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` @@ -10528,7 +10561,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3180,10 +3754,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3772,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` @@ -10541,7 +10574,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3199,10 +3773,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3791,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -10554,7 +10587,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3218,10 +3792,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3810,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -10597,8 +10630,9 @@ index f962f76..42fc031 100644 +interface(`files_mounton_isid',` + gen_require(` + type unlabeled_t; -+ ') -+ + ') + +- delete_dirs_pattern($1, file_t, file_t) + allow $1 unlabeled_t:dir mounton; +') + 
@@ -10616,14 +10650,13 @@ index f962f76..42fc031 100644 +interface(`files_relabelfrom_isid_type',` + gen_require(` + type unlabeled_t; - ') - -- delete_dirs_pattern($1, file_t, file_t) ++ ') ++ + dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom; ') ######################################## -@@ -3237,10 +3867,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +3885,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -10636,7 +10669,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3256,10 +3886,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +3904,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -10668,7 +10701,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3275,10 +3924,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +3942,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -10681,7 +10714,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3294,10 +3943,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +3961,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` @@ -10694,7 +10727,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3313,10 +3962,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +3980,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -10707,7 +10740,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3332,10 +3981,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +3999,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` 
@@ -10720,7 +10753,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3351,10 +4000,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4018,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -10733,7 +10766,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3370,10 +4019,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4037,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -10746,7 +10779,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3389,10 +4038,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4056,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -10759,7 +10792,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3408,10 +4057,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4075,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` @@ -10772,7 +10805,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3427,10 +4076,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4094,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -10785,7 +10818,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3446,10 +4095,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4113,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` 
@@ -10798,7 +10831,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3465,10 +4114,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4132,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -10830,7 +10863,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3484,10 +4152,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4170,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -10843,7 +10876,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3503,10 +4171,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4189,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -10856,7 +10889,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -3814,20 +4482,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4500,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -10900,7 +10933,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -4217,6 +4903,172 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,6 +4921,172 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -11073,7 +11106,7 @@ index f962f76..42fc031 100644 ######################################## ## ## Allow the specified type to associate -@@ -4239,6 +5091,26 @@ interface(`files_associate_tmp',` +@@ -4239,6 +5109,26 @@ interface(`files_associate_tmp',` ######################################## ## @@ -11100,7 +11133,7 @@ index f962f76..42fc031 100644 ## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4252,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',` +@@ -4252,17 +5142,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') 
@@ -11139,7 +11172,7 @@ index f962f76..42fc031 100644 ## ## # -@@ -4289,6 +5181,7 @@ interface(`files_search_tmp',` +@@ -4289,6 +5199,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -11147,7 +11180,7 @@ index f962f76..42fc031 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5218,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5236,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -11155,7 +11188,7 @@ index f962f76..42fc031 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5228,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5246,7 @@ interface(`files_list_tmp',` ## ## ## @@ -11164,20 +11197,26 @@ index f962f76..42fc031 100644 ## ## # -@@ -4346,6 +5240,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,21 +5258,41 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') +-######################################## +####################################### -+## + ## +-## Remove entries from the tmp directory. +## Allow read and write to the tmp directory (/tmp). -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain not to audit. +## -+## -+# + ## + # +-interface(`files_delete_tmp_dir_entry',` +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; @@ -11187,10 +11226,18 @@ index f962f76..42fc031 100644 + allow $1 tmp_t:dir rw_dir_perms; +') + - ######################################## - ## - ## Remove entries from the tmp directory. -@@ -4361,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',` ++######################################## ++## ++## Remove entries from the tmp directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_tmp_dir_entry',` + gen_require(` type tmp_t; ') 
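Review bot: In the `files_rw_generic_tmp_dir` documentation block the parameter summary reads `## Domain not to audit.` while the interface body (visible in the following hunk) is `allow $1 tmp_t:dir rw_dir_perms;`, an allow rule rather than a dontaudit, so the parameter should read `## Domain allowed access.` as in the neighbouring `files_delete_tmp_dir_entry`. The wrong text appears to be pre-existing in the inner patch (it is carried as a context line here), but this hunk rewrites the surrounding documentation lines, so it is the natural place to correct it. The interface body itself starts in this hunk and ends in the next one.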
@@ -11198,13 +11245,12 @@ index f962f76..42fc031 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,25 +5316,33 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5334,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## --## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. - ## ++## +## +##

+## Allow shared library text relocations in tmp files. @@ -11213,70 +11259,26 @@ index f962f76..42fc031 100644 +## This is added to support java policy. +##

+##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_tmp_files',` -+interface(`files_execmod_tmp',` - gen_require(` -- type tmp_t; -+ attribute tmpfile; - ') - -- manage_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmpfile:file execmod; - ') - - ######################################## - ## --## Read symbolic links in the tmp directory (/tmp). -+## Manage temporary files and directories in /tmp. - ## - ## - ## -@@ -4428,17 +5350,35 @@ interface(`files_manage_generic_tmp_files',` - ## - ## - # --interface(`files_read_generic_tmp_symlinks',` -+interface(`files_manage_generic_tmp_files',` - gen_require(` - type tmp_t; - ') - -- read_lnk_files_pattern($1, tmp_t, tmp_t) -+ manage_files_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## Read and write generic named sockets in the tmp directory (/tmp). -+## Read symbolic links in the tmp directory (/tmp). -+## +## +## +## Domain allowed access. +## +## +# -+interface(`files_read_generic_tmp_symlinks',` ++interface(`files_execmod_tmp',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file execmod; +') + +######################################## +## -+## Read and write generic named sockets in the tmp directory (/tmp). + ## Manage temporary files and directories in /tmp. ## ## - ## -@@ -4456,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5414,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -11319,7 +11321,7 @@ index f962f76..42fc031 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5468,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## 
@@ -11380,7 +11382,7 @@ index f962f76..42fc031 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5567,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -11389,7 +11391,7 @@ index f962f76..42fc031 100644 ## ## # -@@ -4579,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5627,7 @@ interface(`files_relabel_all_tmp_files',` ##
## ## @@ -11398,7 +11400,7 @@ index f962f76..42fc031 100644 ## ## # -@@ -4611,6 +5641,44 @@ interface(`files_read_all_tmp_files',` +@@ -4611,6 +5659,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -11443,7 +11445,7 @@ index f962f76..42fc031 100644 ## Create an object in the tmp directories, with a private ## type using a type transition. ## -@@ -4664,6 +5732,16 @@ interface(`files_purge_tmp',` +@@ -4664,6 +5750,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11460,7 +11462,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -5112,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6208,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -11485,7 +11487,7 @@ index f962f76..42fc031 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6337,24 @@ interface(`files_list_var',` +@@ -5241,6 +6355,24 @@ interface(`files_list_var',` ######################################## ## @@ -11510,7 +11512,7 @@ index f962f76..42fc031 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6460,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -11519,7 +11521,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -5527,6 +6641,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6659,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## 
@@ -11545,7 +11547,7 @@ index f962f76..42fc031 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +6729,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +6747,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -11571,7 +11573,7 @@ index f962f76..42fc031 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5641,7 +6793,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +6811,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11580,7 +11582,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -5649,12 +6801,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +6819,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11596,7 +11598,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -5672,6 +6825,7 @@ interface(`files_search_locks',` +@@ -5672,6 +6843,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11604,7 +11606,7 @@ index f962f76..42fc031 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +6852,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +6870,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11632,7 +11634,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -5706,13 +6879,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +6897,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11649,7 +11651,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -5731,7 +6903,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +6921,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') 
@@ -11658,7 +11660,7 @@ index f962f76..42fc031 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +6936,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +6954,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ##
## @@ -11666,7 +11668,7 @@ index f962f76..42fc031 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +6950,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +6968,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11675,7 +11677,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -5787,13 +6958,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +6976,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -11710,7 +11712,7 @@ index f962f76..42fc031 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7000,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7018,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11728,7 +11730,7 @@ index f962f76..42fc031 100644 ') ######################################## -@@ -5834,9 +7024,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7042,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11739,7 +11741,7 @@ index f962f76..42fc031 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7066,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7084,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11749,7 +11751,7 @@ index f962f76..42fc031 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7088,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7106,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11759,7 +11761,7 @@ index f962f76..42fc031 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7125,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7143,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') 
@@ -11769,7 +11771,7 @@ index f962f76..42fc031 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7164,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7182,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11778,7 +11780,7 @@ index f962f76..42fc031 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,22 +7184,60 @@ interface(`files_search_pids',` +@@ -5999,10 +7202,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') @@ -11787,23 +11789,16 @@ index f962f76..42fc031 100644 search_dirs_pattern($1, var_t, var_run_t) ') --######################################## +###################################### - ## --## Do not audit attempts to search --## the /var/run directory. ++## +## Add and remove entries from pid directories. - ## - ## --## --## Domain to not audit. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_search_pids',` ++## ++# +interface(`files_rw_pid_dirs',` + gen_require(` + type var_run_t; @@ -11831,22 +11826,10 @@ index f962f76..42fc031 100644 + allow $1 var_run_t:dir create_dir_perms; +') + -+######################################## -+## -+## Do not audit attempts to search -+## the /var/run directory. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_pids',` - gen_require(` - type var_run_t; - ') -@@ -6025,6 +7248,25 @@ interface(`files_dontaudit_search_pids',` + ######################################## + ## + ## Do not audit attempts to search +@@ -6025,6 +7266,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11872,7 +11855,7 @@ index f962f76..42fc031 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6039,7 +7281,7 @@ interface(`files_list_pids',` +@@ -6039,7 +7299,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') 
@@ -11881,7 +11864,7 @@ index f962f76..42fc031 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6058,7 +7300,7 @@ interface(`files_read_generic_pids',` +@@ -6058,7 +7318,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -11890,7 +11873,7 @@ index f962f76..42fc031 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6078,7 +7320,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6078,7 +7338,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11899,7 +11882,7 @@ index f962f76..42fc031 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7382,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7400,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11907,7 +11890,7 @@ index f962f76..42fc031 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7410,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7428,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11932,7 +11915,7 @@ index f962f76..42fc031 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7441,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7459,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -11941,7 +11924,7 @@ index f962f76..42fc031 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7508,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,55 +7526,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -12004,7 +11987,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6305,42 +7552,35 @@ interface(`files_delete_all_pids',` +@@ -6305,42 +7570,35 @@ interface(`files_delete_all_pids',` ## ## # 
@@ -12054,7 +12037,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6348,18 +7588,18 @@ interface(`files_manage_all_pids',` +@@ -6348,18 +7606,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -12078,7 +12061,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6367,37 +7607,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,37 +7625,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -12130,7 +12113,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6405,18 +7648,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6405,18 +7666,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -12153,7 +12136,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6424,18 +7666,18 @@ interface(`files_list_spool',` +@@ -6424,18 +7684,18 @@ interface(`files_list_spool',` ## ## # @@ -12177,7 +12160,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6443,19 +7685,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6443,19 +7703,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -12202,7 +12185,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6463,55 +7704,43 @@ interface(`files_read_generic_spool',` +@@ -6463,55 +7722,43 @@ interface(`files_read_generic_spool',` ## ## # @@ -12273,7 +12256,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6519,53 +7748,68 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +7766,68 @@ interface(`files_spool_filetrans',` ## ## # @@ -12380,7 +12363,7 @@ index f962f76..42fc031 100644 ## ## ## -@@ -6573,10 +7817,785 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +7835,785 @@ interface(`files_polyinstantiate_all',` ## ## # @@ -12389,9 +12372,8 @@ index f962f76..42fc031 100644 gen_require(` - attribute files_unconfined_type; + attribute spoolfile; - ') - -- typeattribute $1 files_unconfined_type; ++ ') ++ + allow $1 spoolfile:sock_file create_sock_file_perms; +') + 
@@ -12654,10 +12636,10 @@ index f962f76..42fc031 100644 +interface(`files_unconfined',` + gen_require(` + attribute files_unconfined_type; -+ ') -+ -+ typeattribute $1 files_unconfined_type; -+') + ') + + typeattribute $1 files_unconfined_type; + ') + +######################################## +## @@ -13168,7 +13150,7 @@ index f962f76..42fc031 100644 + ') + + allow $1 etc_t:service status; - ') ++') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 1a03abd..dfcd2ad 100644 --- a/policy/modules/kernel/files.te @@ -17420,23 +17402,24 @@ index 156c333..02f5a3c 100644 + dev_manage_generic_blk_files(fixed_disk_raw_write) +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 0ea25b6..e2ac77c 100644 +index 0ea25b6..01b968e 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc -@@ -14,11 +14,11 @@ +@@ -14,11 +14,12 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) -/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0) /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) -@@ -42,3 +42,7 @@ ifdef(`distro_gentoo',` +@@ -42,3 +43,7 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') 
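Review bot: The new `/dev/sclp_line[0-9]+` file context is inserted after `/dev/slamr[0-9]+`, but the surrounding block of terminal.fc is kept in alphabetical order (`ip2`, `isdn`, `ptmx`, `rfcomm`, `slamr`, `tty`, `ttySG`, `ttyUSB`, `vport`, `xvc`) and `sclp_line` sorts before `slamr`; move the line between `/dev/rfcomm[0-9]+` and `/dev/slamr[0-9]+`. The label `tty_device_t` is consistent with the other serial console entries in the block, so only the placement is at issue. Keeping the ordering makes later duplicate or shadowed entries easier to spot when the file is reviewed.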
@@ -17445,7 +17428,7 @@ index 0ea25b6..e2ac77c 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index cbb729b..a6adfc1 100644 +index cbb729b..ef15aac 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` @@ -17672,7 +17655,33 @@ index cbb729b..a6adfc1 100644 ## ## # -@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',` + + ######################################## + ## ++## Mounton unallocated tty device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`term_mounton_unallocated_ttys',` ++ gen_require(` ++ type tty_device_t; ++ ') ++ ++ allow $1 tty_device_t:chr_file mounton; ++') ++ ++######################################## ++## + ## Relabel from all user tty types to + ## the unallocated tty type. + ## +@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -17721,7 +17730,7 @@ index cbb729b..a6adfc1 100644 ') ######################################## -@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -17735,7 +17744,7 @@ index cbb729b..a6adfc1 100644 ') ######################################## -@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -17748,7 +17757,7 @@ index cbb729b..a6adfc1 100644 ') ######################################## -@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) 
@@ -17777,7 +17786,7 @@ index cbb729b..a6adfc1 100644 ') ######################################## -@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -17786,7 +17795,7 @@ index cbb729b..a6adfc1 100644 ') ######################################## -@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -17795,7 +17804,7 @@ index cbb729b..a6adfc1 100644 ## ## # -@@ -1513,21 +1694,435 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1513,21 +1713,435 @@ interface(`term_dontaudit_use_all_user_ttys',` term_dontaudit_use_all_ttys($1) ') @@ -26871,7 +26880,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791d..4f331be 100644 +index 09b791d..8e6648e 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) @@ -27183,7 +27192,7 @@ index 09b791d..4f331be 100644 ') optional_policy(` -@@ -463,3 +508,134 @@ optional_policy(` +@@ -463,3 +508,135 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -27199,6 +27208,7 @@ index 09b791d..4f331be 100644 + +allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms; +allow login_pgm self:capability ipc_lock; ++dontaudit login_pgm self:capability net_admin; +allow login_pgm self:process setkeycreate; +allow login_pgm self:key manage_key_perms; +userdom_manage_all_users_keys(login_pgm) 
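Review bot: The new `dontaudit login_pgm self:capability net_admin;` silences a CAP_NET_ADMIN denial for every member of the login_pgm attribute without recording what triggers it, so a login program that later genuinely needs the capability will fail with no AVC to point at. A one-line comment naming the trigger keeps the rule reviewable, e.g. `# net_admin is probed (presumably SO_SNDBUFFORCE on the journal socket) but not required` — the cause is not visible in the hunk, so confirm it before settling the wording. Because the rule is attribute-wide, also check that no login_pgm member is expected to surface this denial. The login_pgm block continues past the end of the hunk.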
@@ -27801,6 +27811,18 @@ index 9dfecf7..6d00f5c 100644 /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) + +/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) +diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if +index 187f04f..cf0af09 100644 +--- a/policy/modules/system/hostname.if ++++ b/policy/modules/system/hostname.if +@@ -53,7 +53,6 @@ interface(`hostname_run',` + ## Domain allowed access. + ## + ## +-## + # + interface(`hostname_exec',` + gen_require(` diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index 24a7889..d97f6d5 100644 --- a/policy/modules/system/hostname.te @@ -28004,7 +28026,7 @@ index bc0ffc8..8de430d 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 79a45f6..35df3cb 100644 +index 79a45f6..b822c29 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -28387,7 +28409,7 @@ index 79a45f6..35df3cb 100644 + type init_t; + ') + -+ dontaudit $1 init_t:unix_stream_socket { getattr read write }; ++ dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl }; ') ######################################## @@ -29438,7 +29460,7 @@ index 79a45f6..35df3cb 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..758e084 100644 +index 17eda24..e8e4114 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -29620,11 +29642,12 @@ index 17eda24..758e084 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +220,21 @@ domain_signal_all_domains(init_t) +@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) ++domain_getattr_all_domains(init_t) files_read_etc_files(init_t) +files_read_all_pids(init_t) @@ -29642,7 +29665,7 @@ index 17eda24..758e084 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +244,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +245,52 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -29698,7 +29721,7 @@ index 17eda24..758e084 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +298,229 @@ ifdef(`distro_gentoo',` +@@ -186,29 +299,229 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -29936,7 +29959,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -216,7 +528,31 @@ optional_policy(` +@@ -216,7 +529,31 @@ optional_policy(` ') optional_policy(` @@ -29968,7 +29991,7 @@ index 17eda24..758e084 100644 ') ######################################## -@@ -225,9 +561,9 @@ optional_policy(` +@@ -225,9 +562,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -29980,7 +30003,7 @@ index 17eda24..758e084 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +594,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +595,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -29997,7 +30020,7 @@ index 17eda24..758e084 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +619,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +620,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -30040,7 +30063,7 @@ index 17eda24..758e084 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +656,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +657,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -30052,7 +30075,7 @@ index 17eda24..758e084 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +668,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +669,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -30063,7 +30086,7 @@ index 17eda24..758e084 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +679,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +680,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -30073,7 +30096,7 @@ index 17eda24..758e084 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +688,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +689,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) 
@@ -30081,7 +30104,7 @@ index 17eda24..758e084 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +695,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +696,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -30089,7 +30112,7 @@ index 17eda24..758e084 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +703,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +704,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -30107,7 +30130,7 @@ index 17eda24..758e084 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +721,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +722,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -30121,7 +30144,7 @@ index 17eda24..758e084 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +736,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +737,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -30135,7 +30158,7 @@ index 17eda24..758e084 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +749,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +750,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -30146,7 +30169,7 @@ index 17eda24..758e084 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +762,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +763,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -30154,7 +30177,7 @@ index 17eda24..758e084 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +781,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +782,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -30178,7 +30201,7 @@ index 17eda24..758e084 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +814,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +815,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -30186,7 +30209,7 @@ index 17eda24..758e084 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +848,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +849,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -30197,7 +30220,7 @@ index 17eda24..758e084 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +872,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +873,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -30206,7 +30229,7 @@ index 17eda24..758e084 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +887,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +888,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) 
@@ -30214,7 +30237,7 @@ index 17eda24..758e084 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +908,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +909,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -30222,7 +30245,7 @@ index 17eda24..758e084 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +918,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +919,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -30267,7 +30290,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -559,14 +963,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +964,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -30299,7 +30322,7 @@ index 17eda24..758e084 100644 ') ') -@@ -577,6 +998,39 @@ ifdef(`distro_suse',` +@@ -577,6 +999,39 @@ ifdef(`distro_suse',` ') ') @@ -30339,7 +30362,7 @@ index 17eda24..758e084 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1043,8 @@ optional_policy(` +@@ -589,6 +1044,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -30348,7 +30371,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -610,6 +1066,7 @@ optional_policy(` +@@ -610,6 +1067,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -30356,7 +30379,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -626,6 +1083,17 @@ optional_policy(` +@@ -626,6 +1084,17 @@ optional_policy(` ') optional_policy(` @@ -30374,7 +30397,7 @@ index 17eda24..758e084 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1110,13 @@ optional_policy(` +@@ -642,9 +1111,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) 
@@ -30388,7 +30411,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -657,15 +1129,11 @@ optional_policy(` +@@ -657,15 +1130,11 @@ optional_policy(` ') optional_policy(` @@ -30406,7 +30429,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -686,6 +1154,15 @@ optional_policy(` +@@ -686,6 +1155,15 @@ optional_policy(` ') optional_policy(` @@ -30422,7 +30445,7 @@ index 17eda24..758e084 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1203,7 @@ optional_policy(` +@@ -726,6 +1204,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -30430,7 +30453,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -743,7 +1221,13 @@ optional_policy(` +@@ -743,7 +1222,13 @@ optional_policy(` ') optional_policy(` @@ -30445,7 +30468,7 @@ index 17eda24..758e084 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1250,10 @@ optional_policy(` +@@ -766,6 +1251,10 @@ optional_policy(` ') optional_policy(` @@ -30456,7 +30479,7 @@ index 17eda24..758e084 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1263,20 @@ optional_policy(` +@@ -775,10 +1264,20 @@ optional_policy(` ') optional_policy(` @@ -30477,7 +30500,7 @@ index 17eda24..758e084 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1285,10 @@ optional_policy(` +@@ -787,6 +1286,10 @@ optional_policy(` ') optional_policy(` @@ -30488,7 +30511,7 @@ index 17eda24..758e084 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1310,6 @@ optional_policy(` +@@ -808,8 +1311,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30497,7 +30520,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -818,6 +1318,10 @@ optional_policy(` +@@ -818,6 +1319,10 @@ optional_policy(` ') optional_policy(` 
@@ -30508,7 +30531,7 @@ index 17eda24..758e084 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1331,12 @@ optional_policy(` +@@ -827,10 +1332,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -30521,7 +30544,7 @@ index 17eda24..758e084 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1363,60 @@ optional_policy(` +@@ -857,21 +1364,60 @@ optional_policy(` ') optional_policy(` @@ -30583,7 +30606,7 @@ index 17eda24..758e084 100644 ') optional_policy(` -@@ -887,6 +1432,10 @@ optional_policy(` +@@ -887,6 +1433,10 @@ optional_policy(` ') optional_policy(` @@ -30594,7 +30617,7 @@ index 17eda24..758e084 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1446,218 @@ optional_policy(` +@@ -897,3 +1447,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -31346,10 +31369,10 @@ index 312cd04..a97e8da 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 73a1c4e..e0d3d07 100644 +index 73a1c4e..738e9ff 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,22 +1,28 @@ +@@ -1,22 +1,33 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) 
@@ -31359,6 +31382,9 @@ index 73a1c4e..e0d3d07 100644 -/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++ ++/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) + +/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -31371,6 +31397,7 @@ index 73a1c4e..e0d3d07 100644 +/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -31390,6 +31417,7 @@ index 73a1c4e..e0d3d07 100644 +/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -34330,7 +34358,7 @@ index 9933677..ca14c17 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) 
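Review bot: `/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)` carries the `--` regular-file qualifier, but if `/usr/libexec/ipset` is a directory holding the `ipset.start-stop` helper that the new `ipset.*` unit file runs (verify against the ipset package layout), the entry never matches, the helper keeps the default `bin_t` label and the service does not enter `iptables_t`. In that layout the entry should be `/usr/libexec/ipset/ipset\.start-stop -- gen_context(system_u:object_r:iptables_exec_t,s0)`, or `/usr/libexec/ipset(/.*)?` if everything under it is a helper. Labeling the ipset unit files `iptables_unit_file_t` and `/sbin/ipset` and `/usr/sbin/ipset` as `iptables_exec_t` is consistent with the ip6?tables entries around them.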
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..28cb8a3 100644 +index 7449974..23bbbf2 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -34387,7 +34415,32 @@ index 7449974..28cb8a3 100644 ## Read the configuration options used when ## loading modules. ## -@@ -208,6 +246,24 @@ interface(`modutils_exec_insmod',` +@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',` + + ######################################## + ## ++## Allow send signal to insmod. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`modutils_signal_insmod',` ++ gen_require(` ++ type insmod_t; ++ ') ++ ++ allow $1 insmod_t:process signal; ++') ++ ++######################################## ++## + ## Execute insmod in the insmod domain, and + ## allow the specified role the insmod domain, + ## and use the caller's terminal. Has a sigchld +@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',` can_exec($1, insmod_exec_t) ') @@ -34412,7 +34465,7 @@ index 7449974..28cb8a3 100644 ######################################## ## ## Execute depmod in the depmod domain. -@@ -308,11 +364,18 @@ interface(`modutils_domtrans_update_mods',` +@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` @@ -34433,7 +34486,7 @@ index 7449974..28cb8a3 100644 ') ######################################## -@@ -333,3 +396,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') @@ -37977,10 +38030,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..1d9bdfd +index 0000000..8bca1d7 --- /dev/null 
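Review bot: The parameter description of the new `modutils_signal_insmod` interface reads `Domain allowed to transition.`, copied from `modutils_domtrans_insmod` directly above it; the interface only grants `allow $1 insmod_t:process signal;`, so it should read `Domain allowed access.` like the other non-transition interfaces in this file. The summary `Allow send signal to insmod.` would read better as `Send generic signals to insmod.`, the usual refpolicy wording for signal interfaces. Note that `signal` excludes `sigkill`/`sigstop`, so a caller that needs to kill a hung insmod is still denied — that looks intended, but the summary could say "generic signals" to make it explicit.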
+++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1419 @@ +@@ -0,0 +1,1440 @@ +## SELinux policy for systemd components + +###################################### @@ -38927,6 +38980,27 @@ index 0000000..1d9bdfd + allow $1 hostname_etc_t:file read_file_perms; +') + ++######################################## ++## ++## Allow process to manage hostname config file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_hostnamed_manage_config',` ++ gen_require(` ++ type hostname_etc_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 hostname_etc_t:file manage_file_perms; ++ files_etc_filetrans($1, hostname_etc_t, file, "hostname") ++') ++ +####################################### +## +## Create objects in /run/systemd/generator directory @@ -39402,7 +39476,7 @@ index 0000000..1d9bdfd +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..e4b127c +index 0000000..4b0bb47 --- /dev/null +++ b/policy/modules/system/systemd.te @@ -0,0 +1,636 @@ @@ -39570,7 +39644,6 @@ index 0000000..e4b127c +init_dbus_chat(systemd_logind_t) +init_dbus_chat_script(systemd_logind_t) +init_read_script_state(systemd_logind_t) -+init_read_state(systemd_logind_t) +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) @@ -39897,7 +39970,6 @@ index 0000000..e4b127c +dev_read_sysfs(systemd_hostnamed_t) + +init_status(systemd_hostnamed_t) -+init_read_state(systemd_hostnamed_t) +init_stream_connect(systemd_hostnamed_t) + +logging_send_syslog_msg(systemd_hostnamed_t) @@ -40030,6 +40102,7 @@ index 0000000..e4b127c +init_stop_transient_unit(systemd_domain) +init_status_transient_unit(systemd_domain) +init_reload_transient_unit(systemd_domain) ++init_read_state(systemd_domain) + +logging_stream_connect_syslog(systemd_domain) + 
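Review bot: `systemd_hostnamed_manage_config` grants `manage_file_perms` on `hostname_etc_t`, which includes `unlink`, `rename` and `link` beyond plain write, while its summary says only `manage hostname config file`; since `/etc/hostname` is trust-relevant system state the wider rights should be spelled out, e.g. `## Create, read, write and delete the hostname config file (/etc/hostname), with a type transition on creation.` A caller that merely rewrites the file in place would be served by `rw_file_perms` plus the same `files_etc_filetrans($1, hostname_etc_t, file, "hostname")`, so consider a narrower sibling interface if that is the common case. The interface otherwise mirrors `systemd_hostnamed_read_config` above it, which is good for consistency.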
@@ -40042,6 +40115,7 @@ index 0000000..e4b127c + +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) ++ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index f41857e..49fd32e 100644 --- a/policy/modules/system/udev.fc diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index a6f1306..20293f5 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -2992,10 +2992,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 7caefc3..536a4bd 100644 +index 7caefc3..516f7bb 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,162 +1,197 @@ +@@ -1,162 +1,200 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3040,6 +3040,7 @@ index 7caefc3..536a4bd 100644 -/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) 
@@ -3112,6 +3113,7 @@ index 7caefc3..536a4bd 100644 +/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) +/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) ++/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) + +ifdef(`distro_suse', ` +/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -3249,6 +3251,7 @@ index 7caefc3..536a4bd 100644 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +ifdef(`distro_debian', ` @@ -3282,6 +3285,7 @@ index 7caefc3..536a4bd 100644 +/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) + @@ -3331,7 +3335,6 @@ index 7caefc3..536a4bd 100644 +/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -+ diff --git a/apache.if b/apache.if index f6eb485..51b128e 100644 --- a/apache.if @@ -10107,10 +10110,10 @@ index 0000000..de66654 +') 
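Review bot: `/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)` puts thttpd into `httpd_t`, the same domain as apache/nginx/php-fpm, so every `httpd_*` boolean and the full apache rule set now apply to it; that matches how the file treats the other servers, but it is worth a comment near the entry since thttpd is a much smaller program than the domain it inherits. If the packaged `thttpd.conf` uses thttpd's `chroot` or `user` directives, `httpd_t` needs the corresponding capabilities — the httpd_t capability line is outside this diff, so check it before relying on the label. The matching `/etc/thttpd\.conf`, `/var/log/thttpd\.log.*` and `/var/run/thttpd\.pid` entries in the neighbouring hunks are labelled consistently with the other servers.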
diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..fe923e3 +index 0000000..1076e6a --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,60 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -10158,6 +10161,7 @@ index 0000000..fe923e3 +logging_send_syslog_msg(bumblebee_t) + +modutils_domtrans_insmod(bumblebee_t) ++modutils_signal_insmod(bumblebee_t) + +sysnet_dns_name_resolve(bumblebee_t) + @@ -16522,7 +16526,7 @@ index 1303b30..72481a7 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..ce147f1 100644 +index 7de3859..4e6ebcd 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,46 @@ gen_require(` @@ -16722,7 +16726,7 @@ index 7de3859..ce147f1 100644 selinux_get_fs_mount(admin_crontab_t) selinux_validate_context(admin_crontab_t) selinux_compute_access_vector(admin_crontab_t) -@@ -204,12 +148,14 @@ selinux_compute_relabel_context(admin_crontab_t) +@@ -204,22 +148,26 @@ selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) tunable_policy(`fcron_crond',` @@ -16738,7 +16742,9 @@ index 7de3859..ce147f1 100644 # allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; -@@ -218,8 +164,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec +-dontaudit crond_t self:capability { sys_resource sys_tty_config }; ++dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config }; + allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; @@ -23445,10 +23451,10 @@ index 0000000..89401fe +') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..a1e6966 +index 0000000..75d51ed --- /dev/null 
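Review bot: `dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };` adds a third silenced capability without saying what probes it, and the same `net_admin` dontaudit is added to `login_pgm` elsewhere in this commit, which suggests one shared trigger (presumably a journal-client setsockopt — not visible here). A short comment on the line, e.g. `# net_admin: probed by the journal client, not required`, keeps the rule reviewable and makes it obvious when the dontaudit can be dropped again. The crond local-policy block starts and ends outside this hunk.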
+++ b/docker.te -@@ -0,0 +1,239 @@ +@@ -0,0 +1,240 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -23657,6 +23663,7 @@ index 0000000..a1e6966 +term_use_ptmx(docker_t) +term_getattr_pty_fs(docker_t) +term_relabel_pty_fs(docker_t) ++term_mounton_unallocated_ttys(docker_t) + +modutils_domtrans_insmod(docker_t) + @@ -39632,10 +39639,24 @@ index d314333..da30c5d 100644 + ') ') diff --git a/lsm.te b/lsm.te -index 4ec0eea..5bf5627 100644 +index 4ec0eea..0f702df 100644 --- a/lsm.te +++ b/lsm.te -@@ -12,6 +12,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t) +@@ -4,6 +4,13 @@ policy_module(lsm, 1.0.0) + # + # Declarations + # ++## ++##
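Review bot: `term_mounton_unallocated_ttys(docker_t)` lets the docker daemon mount on every `tty_device_t` chr node, which is broader than the single device a container would be handed, and the hunk gives no reason for it; refpolicy has no finer-grained tty mounton interface, so the grant is acceptable, but a why-comment such as `# bind-mounting host tty nodes into containers (presumably --device /dev/ttyX)` should accompany it, with the trigger confirmed against the daemon's behaviour. Keeping it next to the `term_use_ptmx`/`term_relabel_pty_fs` lines, as done here, keeps the terminal grants grouped. The docker_t local policy continues beyond this hunk.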

++## Determine whether lsmd_plugin can ++## connect to all TCP ports. ++##

++##
++gen_tunable(lsmd_plugin_connect_any, false) + + type lsmd_t; + type lsmd_exec_t; +@@ -12,6 +19,17 @@ init_daemon_domain(lsmd_t, lsmd_exec_t) type lsmd_var_run_t; files_pid_file(lsmd_var_run_t) @@ -39653,7 +39674,7 @@ index 4ec0eea..5bf5627 100644 ######################################## # # Local policy -@@ -26,4 +37,36 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) +@@ -26,4 +44,47 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) @@ -39667,6 +39688,7 @@ index 4ec0eea..5bf5627 100644 +# + +allow lsmd_plugin_t self:udp_socket create_socket_perms; ++allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms; + +domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t) +allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write }; @@ -39678,12 +39700,22 @@ index 4ec0eea..5bf5627 100644 +manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t) +files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir }) + ++tunable_policy(`lsmd_plugin_connect_any',` ++ corenet_tcp_connect_all_ports(lsmd_plugin_t) ++ corenet_sendrecv_all_packets(lsmd_plugin_t) ++ corenet_tcp_sendrecv_all_ports(lsmd_plugin_t) ++') ++ +kernel_read_system_state(lsmd_plugin_t) + +dev_read_urand(lsmd_plugin_t) + +corecmd_exec_bin(lsmd_plugin_t) + ++corenet_tcp_connect_http_port(lsmd_plugin_t) ++corenet_tcp_connect_http_cache_port(lsmd_plugin_t) ++corenet_tcp_connect_ssh_port(lsmd_plugin_t) ++ +init_stream_connect(lsmd_plugin_t) +init_dontaudit_rw_stream_socket(lsmd_plugin_t) + @@ -44133,7 +44165,7 @@ index 6194b80..03c6414 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 11ac8e4..ea784b3 100644 +index 11ac8e4..dfd8d3a 100644 --- a/mozilla.te +++ b/mozilla.te @@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0) 
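Review bot: The `tunable_policy(lsmd_plugin_connect_any, ...)` block is placed between the tmp-file rules and `kernel_read_system_state(lsmd_plugin_t)`, whereas refpolicy convention (and the rest of this file) puts tunable_policy blocks after the unconditional rules, so it should move below the `corenet_tcp_connect_ssh_port(lsmd_plugin_t)` line. The tunable description says only `connect to all TCP ports`, but the block also grants `corenet_sendrecv_all_packets` and `corenet_tcp_sendrecv_all_ports`, i.e. effectively unrestricted outbound TCP for the plugin domain; say so in the description, e.g. `## Allow lsmd plugins to connect to any TCP port (unrestricted outbound TCP).`, so an administrator enabling it knows the scope. The unconditional http/http_cache/ssh connects are reasonable defaults, but `ssh_port` in particular merits a comment naming the plugin that needs it.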
@@ -44571,7 +44603,7 @@ index 11ac8e4..ea784b3 100644 ') optional_policy(` -@@ -300,259 +324,241 @@ optional_policy(` +@@ -300,259 +324,243 @@ optional_policy(` ######################################## # @@ -44585,7 +44617,7 @@ index 11ac8e4..ea784b3 100644 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; + -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; ++allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mozilla_plugin_t self:netlink_socket create_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; @@ -44670,6 +44702,8 @@ index 11ac8e4..ea784b3 100644 kernel_request_load_module(mozilla_plugin_t) kernel_dontaudit_getattr_core_if(mozilla_plugin_t) +files_dontaudit_read_root_files(mozilla_plugin_t) ++kernel_dontaudit_list_all_proc(mozilla_plugin_t) ++kernel_dontaudit_list_all_sysctls(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -44962,7 +44996,7 @@ index 11ac8e4..ea784b3 100644 ') optional_policy(` -@@ -560,7 +566,11 @@ optional_policy(` +@@ -560,7 +568,11 @@ optional_policy(` ') optional_policy(` @@ -44975,7 +45009,7 @@ index 11ac8e4..ea784b3 100644 ') optional_policy(` -@@ -568,108 +578,131 @@ optional_policy(` +@@ -568,108 +580,131 @@ optional_policy(` ') optional_policy(` @@ -48293,7 +48327,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 7584bbe..d053405 100644 +index 7584bbe..ae0d53a 100644 --- a/mysql.te +++ b/mysql.te @@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1) 
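Review bot: Adding `setcap` (and `getsession`) to `allow mozilla_plugin_t self:process { ... }` lets a domain that handles untrusted web content alter its own capability sets, and the hunk gives no hint why; if this is the plugin-container sandbox dropping capabilities at start-up (presumably — not visible here), a comment such as `# setcap: plugin sandbox drops its capability set on startup` should accompany the line so the grant is not widened by analogy later. `setcap` only matters together with the capabilities the domain already holds in the preceding allow/dontaudit capability lines, so confirm none of those is meant to survive the drop. The `kernel_dontaudit_list_all_proc`/`kernel_dontaudit_list_all_sysctls` additions further down are fine as noise suppression.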
@@ -48453,7 +48487,7 @@ index 7584bbe..d053405 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -155,21 +160,17 @@ optional_policy(` +@@ -155,21 +160,18 @@ optional_policy(` ####################################### # @@ -48463,6 +48497,7 @@ index 7584bbe..d053405 100644 -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; +allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource }; ++dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; @@ -48479,7 +48514,7 @@ index 7584bbe..d053405 100644 list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) -@@ -177,9 +178,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +@@ -177,9 +179,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) @@ -48490,7 +48525,7 @@ index 7584bbe..d053405 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -187,21 +187,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -48526,7 +48561,7 @@ index 7584bbe..d053405 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -209,7 +216,7 @@ optional_policy(` +@@ -209,7 +217,7 @@ optional_policy(` ######################################## # 
@@ -48535,7 +48570,7 @@ index 7584bbe..d053405 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -218,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -218,11 +226,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -48553,7 +48588,7 @@ index 7584bbe..d053405 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -230,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -230,31 +239,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -50258,7 +50293,7 @@ index 86dc29d..993ecf5 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f2009..8562dec 100644 +index 55f2009..5e67bb6 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -9,15 +9,18 @@ type NetworkManager_t; @@ -50624,7 +50659,7 @@ index 55f2009..8562dec 100644 + systemd_write_inhibit_pipes(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) -+ systemd_hostnamed_read_config(NetworkManager_t) ++ systemd_hostnamed_manage_config(NetworkManager_t) +') + +optional_policy(` @@ -80070,7 +80105,7 @@ index ef3b225..d248cd3 100644 init_labeled_script_domtrans($1, rpm_initrc_exec_t) domain_system_change_exemption($1) diff --git a/rpm.te b/rpm.te -index 6fc360e..4e28c91 100644 +index 6fc360e..44f9739 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ 
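Review bot: `systemd_hostnamed_manage_config(NetworkManager_t)` replaces a read-only grant with full manage access on hostnamed's config type (presumably the static hostname file, which I cannot see from here), so NetworkManager can now create, rewrite and delete that file directly. The same optional block already routes NM through D-Bus for logind, so if hostnamed exposes an equivalent chat interface in this policy, setting the hostname via hostnamed would be the narrower change; if NM genuinely writes the file itself (for example when hostnamed is not running), say so above the line, e.g. `# NM rewrites the static hostname file when applying a DHCP-supplied hostname -- TODO confirm`. The NetworkManager_t optional_policy block continues outside this hunk.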
@@ -80474,7 +80509,7 @@ index 6fc360e..4e28c91 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +385,67 @@ ifdef(`distro_redhat',` +@@ -363,41 +385,68 @@ ifdef(`distro_redhat',` ') ') @@ -80512,6 +80547,7 @@ index 6fc360e..4e28c91 100644 - ') + optional_policy(` + systemd_dbus_chat_logind(rpm_script_t) ++ systemd_dbus_chat_timedated(rpm_script_t) + ') +') + @@ -80553,7 +80589,7 @@ index 6fc360e..4e28c91 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +457,6 @@ optional_policy(` +@@ -409,6 +458,6 @@ optional_policy(` ') optional_policy(` @@ -83828,10 +83864,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..8a6ad19 +index 0000000..89bc443 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,56 @@ +@@ -0,0 +1,57 @@ + +## policy for sandbox + @@ -83862,6 +83898,7 @@ index 0000000..8a6ad19 + allow sandbox_domain $1:process { sigchld signull }; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit sandbox_domain $1:process signal; ++ dontaudit sandbox_domain $1:key { link read search view }; + dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; +') + @@ -83966,10 +84003,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..e30b346 +index 0000000..3258f45 --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,393 @@ +@@ -0,0 +1,394 @@ + +## policy for sandboxX + @@ -84011,6 +84048,7 @@ index 0000000..e30b346 + dontaudit sandbox_xserver_t $1:file read; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors ++ dontaudit sandbox_x_domain $1:key { link read search view }; + dontaudit sandbox_x_domain $1:fifo_file { read write }; + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; 
@@ -88492,13 +88530,14 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..1cb1360 +index 0000000..ab5d7e7 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,6 @@ +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) + +/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) ++/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) + +/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/snapper.if b/snapper.if @@ -88551,10 +88590,10 @@ index 0000000..94105ee +') diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..a299f53 +index 0000000..01ade60 --- /dev/null +++ b/snapper.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,70 @@ +policy_module(snapper, 1.0.0) + +######################################## @@ -88599,6 +88638,10 @@ index 0000000..a299f53 +corecmd_exec_shell(snapperd_t) +corecmd_exec_bin(snapperd_t) + ++files_write_all_dirs(snapperd_t) ++files_setattr_all_mountpoints(snapperd_t) ++files_relabelto_all_mountpoints(snapperd_t) ++files_relabelfrom_isid_type(snapperd_t) +files_read_all_files(snapperd_t) +files_list_all(snapperd_t) + @@ -88948,7 +88991,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..3d93f55 100644 +index f2f507d..0d4a35c 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; 
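Review bot: `files_write_all_dirs(snapperd_t)` together with `files_relabelfrom_isid_type(snapperd_t)` and `files_relabelto_all_mountpoints(snapperd_t)` gives the daemon write access to every directory type on the system and lets it relabel any unlabeled (file_t) object to any type carrying the mountpoint attribute, which is far broader than the "relabel file_t" snapshot-mount case the changelog describes. The rest of the block only needs read access (`files_read_all_files`, `files_list_all`), so the write grant should be scoped: if snapper only creates entries under its `.snapshots` directories, give those a private type in snapper.fc and use a `manage_dirs_pattern` on it instead; if all directory types really are required, add a comment above the line explaining why, e.g. `# snapshots are created under arbitrary btrfs subvolume mountpoints`. The relabel pair should likewise be tightened to the specific mountpoint types snapshots are mounted on, since `files_relabelto_all_mountpoints()` is introduced in this same release and its scope is still open. The snapperd_t local-policy block continues past this hunk.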
@@ -89016,16 +89059,17 @@ index f2f507d..3d93f55 100644 corecmd_exec_all_executables(sosreport_t) -@@ -69,6 +89,8 @@ dev_read_urand(sosreport_t) +@@ -69,6 +89,9 @@ dev_read_urand(sosreport_t) dev_read_raw_memory(sosreport_t) dev_read_sysfs(sosreport_t) dev_rw_generic_usb_dev(sosreport_t) ++dev_rw_lvm_control(sosreport_t) +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) domain_getattr_all_domains(sosreport_t) domain_read_all_domains_state(sosreport_t) -@@ -83,7 +105,6 @@ files_list_all(sosreport_t) +@@ -83,7 +106,6 @@ files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) @@ -89033,7 +89077,7 @@ index f2f507d..3d93f55 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -92,25 +113,35 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -92,25 +114,35 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -89072,10 +89116,14 @@ index f2f507d..3d93f55 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -119,6 +150,10 @@ optional_policy(` +@@ -119,6 +151,14 @@ optional_policy(` ') optional_policy(` ++ bootloader_exec(sosreport_t) ++') ++ ++optional_policy(` + brctl_domtrans(sosreport_t) +') + @@ -89083,10 +89131,11 @@ index f2f507d..3d93f55 100644 cups_stream_connect(sosreport_t) ') -@@ -127,6 +162,15 @@ optional_policy(` +@@ -127,6 +167,16 @@ optional_policy(` ') optional_policy(` ++ lvm_read_config(sosreport_t) + lvm_dontaudit_access_check_lock(sosreport_t) +') + @@ -89099,7 +89148,7 @@ index f2f507d..3d93f55 100644 fstools_domtrans(sosreport_t) ') -@@ -136,6 +180,10 @@ optional_policy(` +@@ -136,6 +186,10 @@ optional_policy(` optional_policy(` hal_dbus_chat(sosreport_t) ') 
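Review bot: `bootloader_exec(sosreport_t)` runs the bootloader binaries inside sosreport_t without a domain transition, and the changelog says this is only to run grub2-probe; if the bootloader module provides a transition interface (`bootloader_domtrans` or similar, not visible here), using it keeps the bootloader's own device access in its domain instead of widening sosreport_t, which already holds `dev_read_raw_memory`. In the same spirit, `dev_rw_lvm_control(sosreport_t)` in the earlier hunk grants write access to the device-mapper control node to a report-collection domain, while `lvm_read_config` added here is read-only; if the intent is to run the lvm tools, a transition into lvm_t would confine the ioctl access there. If direct execution is required, add `# grub2-probe runs in sosreport_t: no transition interface available` above the call so the choice is documented. The sosreport_t optional_policy blocks continue outside this hunk.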
@@ -89110,7 +89159,7 @@ index f2f507d..3d93f55 100644 ') optional_policy(` -@@ -147,13 +195,34 @@ optional_policy(` +@@ -147,13 +201,34 @@ optional_policy(` ') optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index ed4d120..de84a11 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -580,6 +580,35 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Feb 27 2014 Miroslav Grepl 3.13.1-28 +- Allow bumblebeed to send signal to insmod +- Dontaudit attempts by crond_t net_admin caused by journald +- Allow the docker daemon to mounton tty_device_t +- Add addtional snapper fixes to allo relabel file_t +- Allow setattr for all mountpoints +- Allow snapperd to write all dirs +- Add support for /etc/sysconfig/snapper +- Allow mozilla_plugin to getsession +- Add labeling for thttpd +- Allow sosreport to execute grub2-probe +- Allow NM to manage hostname config file +- Allow systemd_timedated_t to dbus chat with rpm_script_t +- Allow lsmd plugins to connect to http/ssh/http_cache ports by default +- Add lsmd_plugin_connect_any boolea +- Add support for ipset +- Add support for /dev/sclp_line0 +- Add modutils_signal_insmod() +- Add files_relabelto_all_mountpoints() interface +- Allow the docker daemon to mounton tty_device_t +- Allow all systemd domains to read /proc/1 +- Login programs talking to journald are attempting to net_admin, add dontaudit +- init is not gettar on processes as shutdown time +- Add systemd_hostnamed_manage_config() interface +- Make unconfined_service_t valid in enforcing +- Remove transition for temp dirs created by init_t +- gdm-simple-slave uses use setsockopt +- Add lvm_read_metadata() + * Mon Feb 24 2014 Miroslav Grepl 3.13.1-27 - Make unconfined_service_t valid in enforcing - Remove transition for temp dirs created by init_t