diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 3cd546e..64ff603 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index f462e95..20fb556 100644
+index 28802c5..7ee62e0 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process
@@ -62032,16 +62032,15 @@ index f462e95..20fb556 100644
}
#
-@@ -445,6 +450,8 @@ class capability2
- mac_override # unused by SELinux
+@@ -446,6 +451,7 @@ class capability2
mac_admin # unused by SELinux
syslog
-+ wake_alarm
+ wake_alarm
+ epollwakeup
+ block_suspend
}
- #
-@@ -860,3 +867,20 @@ inherits database
+@@ -862,3 +868,20 @@ inherits database
implement
execute
}
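Review bot: `epollwakeup` and `block_suspend` are both added to `class capability2`, yet to my knowledge the kernel only ever shipped CAP_BLOCK_SUSPEND (epollwakeup was the pre-release name of the same capability bit), so the first would be a permission no kernel checks; worth confirming against the target kernel's classmap before it lands. If it is kept on purpose for older kernels, annotate it the way the `# unused by SELinux` entries above it are, e.g. `epollwakeup # pre-release name of block_suspend, unused`. Either way a stray permission name silently widens what `allow ... capability2` rules can express without anything enforcing it.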
@@ -63156,7 +63155,7 @@ index 0960199..6c2e521 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 1bd7d84..4f57935 100644
+index d9fce57..0424852 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,104 @@ attribute sudodomain;
@@ -63488,10 +63487,10 @@ index 98b8b2d..da75471 100644
########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 81b6608..c8252ac 100644
+index 673180c..1187de6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
-@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
+@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
# Declarations
#
@@ -64523,7 +64522,7 @@ index 9e9263a..c4dc1b6 100644
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index b4f7bc7..481ae66 100644
+index 1dd0427..a4ba874 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -13,7 +13,7 @@ attribute exec_type;
@@ -65959,7 +65958,7 @@ index 8e0f9cd..da3b374 100644
##
##
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 97978e3..0cc85e4 100644
+index fe2ee5e..8db5e47 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -14,12 +14,14 @@ attribute node_type;
@@ -66210,7 +66209,8 @@ index 97978e3..0cc85e4 100644
+network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
+type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
- network_port(spamd, tcp,783,s0)
+-network_port(spamd, tcp,783,s0)
++network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
network_port(speech, tcp,8036,s0)
-network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
+network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
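Review bot: The two extra spamd ports on the `+network_port(spamd, ...)` line are added without saying what listens on 10026 and 10027, so the next reader cannot tell which service the widened spamd_port_t label is meant for; the squid line right below annotates its ports with `# snmp and htcp`, and this line deserves the same. While touching it, match the argument spacing used on the rest of the line, i.e. `tcp,10026,s0, tcp,10027,s0` rather than `tcp, 10026, s0`.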
@@ -68030,7 +68030,7 @@ index d820975..21a21e4 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 74894d7..94d5f10 100644
+index 06eda45..7fa1559 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -20,6 +20,7 @@ files_mountpoint(device_t)
@@ -68604,7 +68604,7 @@ index cf04cb5..e43701b 100644
+
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 4429d30..38dcaf6 100644
+index 8796ca3..38dcaf6 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -68615,11 +68615,13 @@ index 4429d30..38dcaf6 100644
')
ifdef(`distro_suse',`
-@@ -53,10 +54,16 @@ ifdef(`distro_suse',`
+@@ -53,12 +54,16 @@ ifdef(`distro_suse',`
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
-/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
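Review bot: The replacement entry `/etc/mtab.* -- gen_context(system_u:object_r:etc_runtime_t,s0)` uses an unescaped `.`, so it labels every regular file under /etc whose name starts with `mtab`, not just the `~[0-9]*`, `\.tmp` and `\.fuselock` variants this hunk drops; the file's other entries escape their dots (`/etc/ioctl\.save`, `/etc/iptables\.save`). If the broad prefix match is intended, say so in a comment; otherwise `/etc/mtab(~[0-9]*|\..*)? -- gen_context(system_u:object_r:etc_runtime_t,s0)` covers the same files without the catch-all. The hunk's lines appear to have lost their leading whitespace, so I may be misreading which inner lines are additions.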
@@ -68634,7 +68636,7 @@ index 4429d30..38dcaf6 100644
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
-@@ -68,7 +75,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +75,10 @@ ifdef(`distro_suse',`
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -68646,7 +68648,7 @@ index 4429d30..38dcaf6 100644
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -102,7 +112,7 @@ HOME_ROOT/lost\+found/.* <>
+@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.* <>
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
@@ -68655,7 +68657,7 @@ index 4429d30..38dcaf6 100644
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
-@@ -127,6 +137,8 @@ ifdef(`distro_debian',`
+@@ -129,6 +137,8 @@ ifdef(`distro_debian',`
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
@@ -68664,7 +68666,7 @@ index 4429d30..38dcaf6 100644
#
# /misc
-@@ -151,7 +163,7 @@ ifdef(`distro_debian',`
+@@ -153,7 +163,7 @@ ifdef(`distro_debian',`
/opt -d gen_context(system_u:object_r:usr_t,s0)
/opt/.* gen_context(system_u:object_r:usr_t,s0)
@@ -68673,7 +68675,7 @@ index 4429d30..38dcaf6 100644
#
# /proc
-@@ -159,6 +171,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +171,12 @@ ifdef(`distro_debian',`
/proc -d <>
/proc/.* <>
@@ -68686,7 +68688,7 @@ index 4429d30..38dcaf6 100644
#
# /run
#
-@@ -195,6 +213,7 @@ ifdef(`distro_debian',`
+@@ -197,6 +213,7 @@ ifdef(`distro_debian',`
/usr -d gen_context(system_u:object_r:usr_t,s0)
/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <>
@@ -68694,7 +68696,7 @@ index 4429d30..38dcaf6 100644
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-@@ -202,15 +221,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -68711,7 +68713,7 @@ index 4429d30..38dcaf6 100644
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
-@@ -218,8 +231,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
/usr/tmp/.* <>
ifndef(`distro_redhat',`
@@ -68720,7 +68722,7 @@ index 4429d30..38dcaf6 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -235,11 +246,14 @@ ifndef(`distro_redhat',`
+@@ -237,11 +246,14 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -68735,14 +68737,14 @@ index 4429d30..38dcaf6 100644
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <>
-@@ -262,3 +276,5 @@ ifndef(`distro_redhat',`
+@@ -264,3 +276,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 41346fb..002fe16 100644
+index e1e814d..89379cc 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -69606,33 +69608,32 @@ index 41346fb..002fe16 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,6 +6094,25 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6094,7 @@ interface(`files_manage_mounttab',`
########################################
##
+-## Set the attributes of the generic lock directories.
+## List generic lock directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5558,12 +6102,13 @@ interface(`files_manage_mounttab',`
+ ##
+ ##
+ #
+-interface(`files_setattr_lock_dirs',`
+interface(`files_list_locks',`
-+ gen_require(`
-+ type var_t, var_lock_t;
-+ ')
-+
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+- setattr_dirs_pattern($1, var_t, var_lock_t)
+ files_search_locks($1)
+ list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+##
- ## Search the locks directory (/var/lock).
- ##
- ##
-@@ -5563,6 +6126,7 @@ interface(`files_search_locks',`
+ ')
+
+ ########################################
+@@ -5581,6 +6126,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -69640,51 +69641,33 @@ index 41346fb..002fe16 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5589,7 +6153,8 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6153,7 @@ interface(`files_dontaudit_search_locks',`
########################################
##
-## List generic lock directories.
-+## create a directory in the /var/lock
-+## directories.
++## Set the attributes of the /var/lock directory.
##
##
##
-@@ -5597,13 +6162,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6161,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
-interface(`files_list_locks',`
-+interface(`files_create_lock_dirs',`
++interface(`files_setattr_lock_dirs',`
gen_require(`
- type var_t, var_lock_t;
+- type var_t, var_lock_t;
++ type var_lock_t;
')
-+ files_search_locks($1)
-+ allow $1 var_lock_t:dir create_dir_perms;
-+')
- allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, var_lock_t)
-+########################################
-+##
-+## Set the attributes of the /var/lock directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_setattr_lock_dirs',`
-+ gen_require(`
-+ type var_lock_t;
-+ ')
-+
+ allow $1 var_lock_t:dir setattr;
')
########################################
-@@ -5622,7 +6204,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6185,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -69693,7 +69676,7 @@ index 41346fb..002fe16 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5635,7 +6217,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5673,7 +6218,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -69701,7 +69684,7 @@ index 41346fb..002fe16 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5663,8 +6244,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6245,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -69711,7 +69694,7 @@ index 41346fb..002fe16 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5680,13 +6260,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6261,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -69729,7 +69712,7 @@ index 41346fb..002fe16 100644
')
########################################
-@@ -5705,8 +6284,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6285,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -69739,7 +69722,7 @@ index 41346fb..002fe16 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5748,8 +6326,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6327,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -69749,7 +69732,7 @@ index 41346fb..002fe16 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5771,8 +6348,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6349,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -69759,7 +69742,7 @@ index 41346fb..002fe16 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6385,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6386,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -69769,7 +69752,7 @@ index 41346fb..002fe16 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5873,6 +6448,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6449,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -69813,7 +69796,7 @@ index 41346fb..002fe16 100644
########################################
##
## Do not audit attempts to search
-@@ -5895,6 +6507,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6508,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -69839,7 +69822,7 @@ index 41346fb..002fe16 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6010,7 +6641,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6642,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -69847,11 +69830,89 @@ index 41346fb..002fe16 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6096,6 +6726,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6750,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
+-## Read all process ID files.
+## Relable all pid directories
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
++ relabel_dirs_pattern($1, pidfile, pidfile)
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
++## Delete all pid sockets
+ ##
+ ##
+ ##
+@@ -6188,43 +6776,213 @@ interface(`files_read_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+- attribute polymember;
++ attribute pidfile;
+ ')
+
+- allow $1 polymember:dir mounton;
++ allow $1 pidfile:sock_file delete_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete all process IDs.
++## Create all pid sockets
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_create_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++ allow $1 pidfile:sock_file create_sock_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Delete all process ID directories.
++## Create all pid named pipes
+##
+##
+##
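Review bot: The summary of `files_relabel_all_pid_dirs` reads `## Relable all pid directories`; it should be `## Relabel all pid directories`. The same misspelling appears in the summary of `files_relabel_all_pid_files` in the hunk further down (`## Relable all pid files`). Interface summaries are what the generated policy documentation shows, so the typo is user-visible.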
@@ -69859,17 +69920,17 @@ index 41346fb..002fe16 100644
+##
+##
+#
-+interface(`files_relabel_all_pid_dirs',`
++interface(`files_create_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ relabel_dirs_pattern($1, pidfile, pidfile)
++ allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+##
-+## Delete all pid sockets
++## Delete all pid named pipes
+##
+##
+##
@@ -69877,17 +69938,18 @@ index 41346fb..002fe16 100644
+##
+##
+#
-+interface(`files_delete_all_pid_sockets',`
++interface(`files_delete_all_pid_pipes',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ allow $1 pidfile:sock_file delete_sock_file_perms;
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+##
-+## Create all pid sockets
++## manage all pidfile directories
++## in the /var/run directory.
+##
+##
+##
@@ -69895,35 +69957,40 @@ index 41346fb..002fe16 100644
+##
+##
+#
-+interface(`files_create_all_pid_sockets',`
++interface(`files_manage_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ allow $1 pidfile:sock_file create_sock_file_perms;
++ manage_dirs_pattern($1,pidfile,pidfile)
+')
+
++
+########################################
+##
-+## Create all pid named pipes
++## Read all process ID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_create_all_pid_pipes',`
++interface(`files_read_all_pids',`
+ gen_require(`
+ attribute pidfile;
++ type var_t;
+ ')
+
-+ allow $1 pidfile:fifo_file create_fifo_file_perms;
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
++ read_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+##
-+## Delete all pid named pipes
++## Relable all pid files
+##
+##
+##
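Review bot: `manage_dirs_pattern($1,pidfile,pidfile)` in `files_manage_all_pid_dirs` drops the spaces after commas that every other pattern call in this file uses (`relabel_files_pattern($1, pidfile, pidfile)` in the same hunk); write it `manage_dirs_pattern($1, pidfile, pidfile)`. `files_manage_all_pids` in the hunk further down has the same `manage_files_pattern($1,pidfile,pidfile)` spacing. The extra empty line right after `files_manage_all_pid_dirs` closes also leaves two blank lines between interfaces where the file otherwise keeps one.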
@@ -69931,18 +69998,17 @@ index 41346fb..002fe16 100644
+##
+##
+#
-+interface(`files_delete_all_pid_pipes',`
++interface(`files_relabel_all_pid_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++ relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+##
-+## manage all pidfile directories
-+## in the /var/run directory.
++## Execute generic programs in /var/run in the caller domain.
+##
+##
+##
@@ -69950,37 +70016,18 @@ index 41346fb..002fe16 100644
+##
+##
+#
-+interface(`files_manage_all_pid_dirs',`
++interface(`files_exec_generic_pid_files',`
+ gen_require(`
-+ attribute pidfile;
++ type var_run_t;
+ ')
+
-+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
-+
-+########################################
-+##
- ## Read all process ID files.
- ##
- ##
-@@ -6108,12 +6848,67 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
- gen_require(`
- attribute pidfile;
-- type var_t, var_run_t;
-+ type var_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
- list_dirs_pattern($1, var_t, pidfile)
- read_files_pattern($1, pidfile, pidfile)
-+ read_lnk_files_pattern($1, pidfile, pidfile)
++ exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+##
-+## Relable all pid files
++## manage all pidfiles
++## in the /var/run directory.
+##
+##
+##
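Review bot: `files_exec_generic_pid_files` grants `exec_files_pattern($1, var_run_t, var_run_t)`, i.e. execute on any file carrying the generic /var/run label rather than on a dedicated executable type, and the summary does not say which daemon places executables there or why. Since var_run_t is the fallback label for the whole /var/run tree (see the `var_run_t is the type of /var/run` comment in files.te elsewhere in this patch), a domain given this interface can run whatever any other var_run_t writer drops there. The summary should name the intended consumer so the grant is not reused casually, e.g. `## Execute generic programs in /var/run in the caller domain. Intended only for <TODO: caller>; prefer a dedicated type where possible.`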
@@ -69988,17 +70035,18 @@ index 41346fb..002fe16 100644
+##
+##
+#
-+interface(`files_relabel_all_pid_files',`
++interface(`files_manage_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
-+ relabel_files_pattern($1, pidfile, pidfile)
++ manage_files_pattern($1,pidfile,pidfile)
+')
+
+########################################
+##
-+## Execute generic programs in /var/run in the caller domain.
++## Mount filesystems on all polyinstantiation
++## member directories.
+##
+##
+##
@@ -70006,35 +70054,47 @@ index 41346fb..002fe16 100644
+##
+##
+#
-+interface(`files_exec_generic_pid_files',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
-+ type var_run_t;
++ attribute polymember;
+ ')
+
-+ exec_files_pattern($1, var_run_t, var_run_t)
++ allow $1 polymember:dir mounton;
+')
+
+########################################
+##
-+## manage all pidfiles
-+## in the /var/run directory.
++## Delete all process IDs.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_manage_all_pids',`
++interface(`files_delete_all_pids',`
+ gen_require(`
+ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
-+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
-@@ -6184,6 +6979,90 @@ interface(`files_delete_all_pid_dirs',`
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:lnk_file read_lnk_file_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++##
++## Delete all process ID directories.
+ ##
+ ##
+ ##
+@@ -6245,6 +7003,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
##
@@ -70125,7 +70185,7 @@ index 41346fb..002fe16 100644
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -6406,3 +7285,343 @@ interface(`files_unconfined',`
+@@ -6467,3 +7309,343 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -70470,7 +70530,7 @@ index 41346fb..002fe16 100644
+ files_etc_filetrans_etc_runtime($1, file, "iptables.save")
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1ce8aa0..24dfed0 100644
+index 52ef84e..14fabe2 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -10,7 +10,9 @@ attribute files_unconfined_type;
@@ -70514,7 +70574,15 @@ index 1ce8aa0..24dfed0 100644
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
#
-@@ -167,12 +179,14 @@ files_mountpoint(var_t)
+@@ -149,6 +161,7 @@ files_tmp_file(tmp_t)
+ files_mountpoint(tmp_t)
+ files_poly(tmp_t)
+ files_poly_parent(tmp_t)
++typealias tmp_t alias firstboot_tmp_t;
+
+ #
+ # usr_t is the type for /usr.
+@@ -167,12 +180,14 @@ files_mountpoint(var_t)
#
type var_lib_t;
files_mountpoint(var_lib_t)
@@ -70529,7 +70597,7 @@ index 1ce8aa0..24dfed0 100644
#
# var_run_t is the type of /var/run, usually
-@@ -187,6 +201,7 @@ files_mountpoint(var_run_t)
+@@ -187,6 +202,7 @@ files_mountpoint(var_run_t)
#
type var_spool_t;
files_tmp_file(var_spool_t)
@@ -70537,7 +70605,7 @@ index 1ce8aa0..24dfed0 100644
########################################
#
-@@ -229,6 +244,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil
+@@ -229,6 +245,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil
# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *;
@@ -70567,7 +70635,7 @@ index cda5588..91d1e25 100644
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..1be0007 100644
+index 7c6b791..aad6319 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -71064,40 +71132,10 @@ index 7c6b791..1be0007 100644
########################################
##
## Mount a FUSE filesystem.
-@@ -1996,17 +2358,99 @@ interface(`fs_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ dontaudit $1 fusefs_t:file manage_file_perms;
-+')
-+
-+########################################
-+##
-+## Read symbolic links on a FUSEFS filesystem.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`fs_read_fusefs_symlinks',`
-+ gen_require(`
-+ type fusefs_t;
-+ ')
-+
-+ allow $1 fusefs_t:dir list_dir_perms;
-+ read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+##
+@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',`
+
+ ########################################
+ ##
+## Manage symbolic links on a FUSEFS filesystem.
+##
+##
@@ -71150,104 +71188,44 @@ index 7c6b791..1be0007 100644
+##
+#
+interface(`fs_fusefs_domtrans',`
- gen_require(`
- type fusefs_t;
- ')
-
-- dontaudit $1 fusefs_t:file manage_file_perms;
++ gen_require(`
++ type fusefs_t;
++ ')
++
+ allow $1 fusefs_t:dir search_dir_perms;
+ domain_auto_transition_pattern($1, fusefs_t, $2)
- ')
-
- ########################################
- ##
--## Read symbolic links on a FUSEFS filesystem.
-+## Get the attributes of an hugetlbfs
-+## filesystem.
- ##
- ##
- ##
-@@ -2014,19 +2458,17 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##
- ##
- #
--interface(`fs_read_fusefs_symlinks',`
-+interface(`fs_getattr_hugetlbfs',`
- gen_require(`
-- type fusefs_t;
-+ type hugetlbfs_t;
- ')
-
-- allow $1 fusefs_t:dir list_dir_perms;
-- read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+ allow $1 hugetlbfs_t:filesystem getattr;
- ')
-
- ########################################
- ##
--## Get the attributes of an hugetlbfs
--## filesystem.
-+## List hugetlbfs.
++')
++
++########################################
++##
+ ## Get the attributes of an hugetlbfs
+ ## filesystem.
##
- ##
- ##
-@@ -2034,17 +2476,17 @@ interface(`fs_read_fusefs_symlinks',`
- ##
- ##
- #
--interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_list_hugetlbfs',`
- gen_require(`
- type hugetlbfs_t;
- ')
-
-- allow $1 hugetlbfs_t:filesystem getattr;
-+ allow $1 hugetlbfs_t:dir list_dir_perms;
- ')
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
########################################
##
--## List hugetlbfs.
-+## Manage hugetlbfs dirs.
- ##
- ##
- ##
-@@ -2052,17 +2494,17 @@ interface(`fs_getattr_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_list_hugetlbfs',`
-+interface(`fs_manage_hugetlbfs_dirs',`
- gen_require(`
- type hugetlbfs_t;
- ')
-
-- allow $1 hugetlbfs_t:dir list_dir_perms;
-+ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
-
- ########################################
- ##
--## Manage hugetlbfs dirs.
+## Read hugetlbfs files.
- ##
- ##
- ##
-@@ -2070,12 +2512,12 @@ interface(`fs_list_hugetlbfs',`
- ##
- ##
- #
--interface(`fs_manage_hugetlbfs_dirs',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`fs_read_hugetlbfs_files',`
- gen_require(`
- type hugetlbfs_t;
- ')
-
-- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++ gen_require(`
++ type hugetlbfs_t;
++ ')
++
+ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
-
- ########################################
++')
++
++########################################
++##
+ ## Read and write hugetlbfs files.
+ ##
+ ##
@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
')
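Review bot: `fs_fusefs_domtrans` makes fusefs_t itself the entrypoint type for `$2` via `domain_auto_transition_pattern($1, fusefs_t, $2)`; as far as I can tell fusefs_t is the single label for all content on a FUSE mount, i.e. files the mounting user controls, so any executable placed on such a mount and run by `$1` lands in `$2`. That is far wider than a transition keyed on a dedicated executable type, and nothing in the interface constrains which mount or binary triggers it. The summary is rendered blank here so I cannot see its text, but it should state this plainly so callers only use it for domains that are meant to be entered from arbitrary FUSE content.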
@@ -71735,7 +71713,7 @@ index 7c6b791..1be0007 100644
## Example attributes:
##
##
-@@ -4876,3 +5581,24 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -71760,8 +71738,27 @@ index 7c6b791..1be0007 100644
+ dontaudit $1 filesystem_type:lnk_file { read };
+')
+
++
++########################################
++##
++## Transition named content in tmpfs_t directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_tmpfs_filetrans_named_content',`
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
++ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
++')
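Review bot: The summary of `fs_tmpfs_filetrans_named_content` says `Transition named content in tmpfs_t directory`, but the body only creates `cgroup_t` symlinks named `cpu` and `cpuacct`; the summary should say that, e.g. `## Create the "cpu" and "cpuacct" symlinks in tmpfs_t directories with the cgroup_t label.` The interface is also preceded by two empty lines (the added `++` line after the previous interface closes) where the file keeps one. Whether calling `fs_tmpfs_filetrans` from within this module's own interface file is the convention here, rather than `filetrans_pattern` with `tmpfs_t` in the gen_require, I cannot tell from this hunk.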
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f1ab8c6..9ae349a 100644
+index 376bae8..7c84405 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
@@ -72150,7 +72147,7 @@ index 4bf45cb..30e39df 100644
+ dontaudit $1 sysctl_type:file getattr;
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index b285b90..129a0ec 100644
+index ab9b6cd..0665979 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -58,6 +58,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -72727,7 +72724,7 @@ index 81440c5..0383653 100644
')
+
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index b63601a..f3eb48a 100644
+index 522ab32..443f4a0 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
@@ -74066,7 +74063,7 @@ index 3a45a3e..6b08160 100644
+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index 110d48a..1eebd22 100644
+index da11120..34f3a61 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -9,6 +9,8 @@ role secadm_r;
@@ -74439,10 +74436,10 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index bd5a2ea..7905181 100644
+index 44c198a..82eb9e5 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,69 @@ policy_module(sysadm, 2.4.2)
+@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
# Declarations
#
@@ -74476,11 +74473,15 @@ index bd5a2ea..7905181 100644
+files_read_kernel_modules(sysadm_t)
+files_filetrans_named_content(sysadm_t)
+
++fs_mount_fusefs(sysadm_t)
++
+storage_filetrans_all_named_dev(sysadm_t)
+
+term_filetrans_all_named_dev(sysadm_t)
+
mls_process_read_up(sysadm_t)
++mls_file_read_all_levels(sysadm_t)
++mls_file_write_all_levels(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
+
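Review bot: `mls_file_read_all_levels(sysadm_t)` and `mls_file_write_all_levels(sysadm_t)` exempt sysadm_t from the MLS file read and write constraints entirely, a much larger grant than the `mls_file_read_to_clearance(sysadm_t)` on the next context line, which it makes redundant at least for reads. On an MLS-enabled system this turns the sysadm role into an MLS-override role for files, so it deserves a comment stating why it is needed (if it only matters for a non-MLS default configuration, say so) rather than arriving alongside the unrelated `fs_mount_fusefs(sysadm_t)` addition. A one-line justification on the fusefs mount grant would help for the same reason.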
@@ -74523,7 +74524,7 @@ index bd5a2ea..7905181 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +85,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +89,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -74538,7 +74539,7 @@ index bd5a2ea..7905181 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +95,9 @@ optional_policy(`
+@@ -71,9 +99,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -74549,7 +74550,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -110,6 +134,10 @@ optional_policy(`
+@@ -110,6 +138,10 @@ optional_policy(`
')
optional_policy(`
@@ -74560,7 +74561,7 @@ index bd5a2ea..7905181 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +150,20 @@ optional_policy(`
+@@ -122,11 +154,20 @@ optional_policy(`
')
optional_policy(`
@@ -74571,19 +74572,19 @@ index bd5a2ea..7905181 100644
+
+optional_policy(`
+ consoletype_exec(sysadm_t)
-+')
-+
-+optional_policy(`
-+ daemonstools_run_start(sysadm_t, sysadm_r)
')
optional_policy(`
- cvs_exec(sysadm_t)
++ daemonstools_run_start(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
optional_policy(`
-@@ -140,6 +177,10 @@ optional_policy(`
+@@ -140,6 +181,10 @@ optional_policy(`
')
optional_policy(`
@@ -74594,7 +74595,7 @@ index bd5a2ea..7905181 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +197,15 @@ optional_policy(`
+@@ -156,11 +201,15 @@ optional_policy(`
')
optional_policy(`
@@ -74611,7 +74612,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -179,6 +224,13 @@ optional_policy(`
+@@ -179,6 +228,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -74625,7 +74626,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -186,15 +238,20 @@ optional_policy(`
+@@ -186,15 +242,20 @@ optional_policy(`
')
optional_policy(`
@@ -74637,19 +74638,19 @@ index bd5a2ea..7905181 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-+ kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -214,22 +271,20 @@ optional_policy(`
+@@ -214,22 +275,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -74678,7 +74679,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -241,25 +296,47 @@ optional_policy(`
+@@ -241,25 +300,47 @@ optional_policy(`
')
optional_policy(`
@@ -74726,7 +74727,7 @@ index bd5a2ea..7905181 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +347,32 @@ optional_policy(`
+@@ -270,31 +351,32 @@ optional_policy(`
')
optional_policy(`
@@ -74766,7 +74767,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -319,12 +397,18 @@ optional_policy(`
+@@ -319,12 +401,18 @@ optional_policy(`
')
optional_policy(`
@@ -74786,7 +74787,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -349,7 +433,18 @@ optional_policy(`
+@@ -349,7 +437,18 @@ optional_policy(`
')
optional_policy(`
@@ -74806,7 +74807,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -360,19 +455,15 @@ optional_policy(`
+@@ -360,19 +459,15 @@ optional_policy(`
')
optional_policy(`
@@ -74828,7 +74829,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -384,10 +475,6 @@ optional_policy(`
+@@ -384,10 +479,6 @@ optional_policy(`
')
optional_policy(`
@@ -74839,16 +74840,17 @@ index bd5a2ea..7905181 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +482,8 @@ optional_policy(`
+@@ -395,6 +486,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
+ virt_filetrans_home_content(sysadm_t)
+ virt_manage_pid_dirs(sysadm_t)
++ virt_transition_svirt_lxc(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -402,31 +491,34 @@ optional_policy(`
+@@ -402,31 +496,34 @@ optional_policy(`
')
optional_policy(`
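Review bot: `virt_transition_svirt_lxc(sysadm_t, sysadm_r)` opens a direct domain transition from the sysadm role into the libvirt LXC sandbox domains, and nothing in this hunk shows the interface's definition or a matching `role sysadm_r types …` allow for those domains, so confirm that the `virt_transition_svirt_lxc` interface in this patch's virt.if carries the role allow — otherwise the transition is unusable from sysadm_r. The previous version of the patch did not grant this (the inner header grows from `+482,8` to `+486,9`), and the same call is added for unconfined_t later in the patch, so a short why-comment above the line, e.g. `# let the admin role start lxc sandboxes directly, not only through virtd`, would record the intent. The virt optional_policy block is complete inside the hunk; the inner header pair below it (`+@@ -402,31 +496,34 @@`) only shifts line numbers.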
@@ -74889,7 +74891,7 @@ index bd5a2ea..7905181 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +531,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -74900,7 +74902,7 @@ index bd5a2ea..7905181 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -460,6 +548,7 @@ ifndef(`distro_redhat',`
+@@ -460,6 +553,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -74908,7 +74910,7 @@ index bd5a2ea..7905181 100644
')
optional_policy(`
-@@ -467,11 +556,66 @@ ifndef(`distro_redhat',`
+@@ -467,11 +561,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -75638,7 +75640,7 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..2a0c726
+index 0000000..35fc04a
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,376 @@
@@ -76001,6 +76003,7 @@ index 0000000..2a0c726
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
++ virt_transition_svirt_lxc(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
@@ -76017,7 +76020,6 @@ index 0000000..2a0c726
+')
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
index 3835596..fbca2be 100644
--- a/policy/modules/roles/unprivuser.if
@@ -76377,7 +76379,7 @@ index ecef19f..fcbc25a 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 6b336e7..236e7c7 100644
+index 4318f73..90f98a2 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,9 +19,9 @@ gen_require(`
@@ -78982,7 +78984,7 @@ index 130ced9..1b31c76 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index c4f7c35..6efbf14 100644
+index d40f750..c7e6040 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -80354,7 +80356,7 @@ index 28ad538..47fdb65 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 6ce867a..25def3e 100644
+index f416ce9..25def3e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -80479,7 +80481,7 @@ index 6ce867a..25def3e 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,13 +198,93 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +198,89 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -80530,11 +80532,11 @@ index 6ce867a..25def3e 100644
+ optional_policy(`
+ ssh_agent_exec($1)
+ ssh_read_user_home_files($1)
- ')
- ')
-
- ########################################
- ##
++ ')
++')
++
++########################################
++##
+## Read authlogin state files.
+##
+##
@@ -80546,7 +80548,7 @@ index 6ce867a..25def3e 100644
+interface(`authlogin_read_state',`
+ gen_require(`
+ attribute polydomain;
-+ ')
+ ')
+
+ kernel_search_proc($1)
+ ps_process_pattern($1, polydomain)
@@ -80568,13 +80570,9 @@ index 6ce867a..25def3e 100644
+ ')
+
+ allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
- ## Use the login program as an entry point program.
- ##
- ##
+ ')
+
+ ########################################
@@ -231,6 +354,25 @@ interface(`auth_domtrans_login_program',`
########################################
@@ -80794,90 +80792,50 @@ index 6ce867a..25def3e 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1676,37 +1930,49 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1930,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
-+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
- ')
-
- ########################################
- ##
+-')
+-
+-########################################
+-##
-## Relabel login record files.
-+## Use nsswitch to look up user, password, group, or
-+## host information.
- ##
-+##
-+##
-+## Allow the specified domain to look up user, password,
-+## group, or host information using the name service.
-+## The most common use of this interface is for services
-+## that do host name resolution (usually DNS resolution).
-+##
-+##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
-interface(`auth_relabel_login_records',`
-+interface(`auth_use_nsswitch',`
- gen_require(`
+- gen_require(`
- type wtmp_t;
-+ attribute nsswitch_domain;
- ')
-
+- ')
+-
- allow $1 wtmp_t:file relabel_file_perms;
-+ typeattribute $1 nsswitch_domain;
++ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
')
########################################
- ##
--## Use nsswitch to look up user, password, group, or
--## host information.
-+## Unconfined access to the authlogin module.
- ##
- ##
- ##
--## Allow the specified domain to look up user, password,
--## group, or host information using the name service.
--## The most common use of this interface is for services
--## that do host name resolution (usually DNS resolution).
-+## Unconfined access to the authlogin module.
-+##
-+##
-+## Currently, this only allows assertions for
-+## the shadow passwords file (/etc/shadow) to
-+## be passed. No access is granted yet.
- ##
- ##
- ##
-@@ -1714,87 +1980,206 @@ interface(`auth_relabel_login_records',`
- ## Domain allowed access.
- ##
- ##
--##
+@@ -1717,9 +1954,9 @@ interface(`auth_relabel_login_records',`
+ ##
#
--interface(`auth_use_nsswitch',`
--
-- files_list_var_lib($1)
-+interface(`auth_unconfined',`
+ interface(`auth_use_nsswitch',`
+- gen_require(`
+- attribute nsswitch_domain;
+- ')
+ gen_require(`
-+ attribute can_read_shadow_passwords;
-+ attribute can_write_shadow_passwords;
-+ attribute can_relabelto_shadow_passwords;
++ attribute nsswitch_domain;
+ ')
-- # read /etc/nsswitch.conf
-- files_read_etc_files($1)
-+ typeattribute $1 can_read_shadow_passwords;
-+ typeattribute $1 can_write_shadow_passwords;
-+ typeattribute $1 can_relabelto_shadow_passwords;
-+')
-
-- miscfiles_read_generic_certs($1)
+ typeattribute $1 nsswitch_domain;
+ ')
+@@ -1755,3 +1992,194 @@ interface(`auth_unconfined',`
+ typeattribute $1 can_write_shadow_passwords;
+ typeattribute $1 can_relabelto_shadow_passwords;
+ ')
++
+########################################
+##
+## Transition to authlogin named content
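Review bot: The rebased inner hunk `+@@ -1676,24 +1930,7 @@` deletes upstream's `auth_relabel_login_records` interface outright (the run of `+-` lines from `+-interface(\`auth_relabel_login_records',` down to `+- allow $1 wtmp_t:file relabel_file_perms;`) while adding only `logging_log_named_filetrans($1, wtmp_t, file, "wtmp")` to `auth_manage_login_records`. Nothing in the hunk re-adds a relabel interface, so any module in the tree that still calls `auth_relabel_login_records` will fail to build; the previous version of the patch also rewrote that interface away (into `auth_use_nsswitch`), so if the drop is deliberate it should be stated in the patch, otherwise keep the interface and only add the filetrans line. The second inner hunk (`+@@ -1717,9 +1954,9 @@`) appears to touch only the `gen_require` block of `auth_use_nsswitch`; if that difference is whitespace it can be dropped to keep the rebase minimal.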
@@ -80898,9 +80856,7 @@ index 6ce867a..25def3e 100644
+ type pam_var_console_t;
+ type pam_var_run_t;
+ ')
-
-- sysnet_dns_name_resolve($1)
-- sysnet_use_ldap($1)
++
+ files_etc_filetrans($1, passwd_file_t, file, "group")
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
+ #files_etc_filetrans($1, passwd_file_t, file, "group+")
@@ -80929,9 +80885,7 @@ index 6ce867a..25def3e 100644
+ files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+')
-
-- optional_policy(`
-- avahi_stream_connect($1)
++
+########################################
+##
+## Get the attributes of the passwd passwords file.
@@ -80945,17 +80899,12 @@ index 6ce867a..25def3e 100644
+interface(`auth_getattr_passwd',`
+ gen_require(`
+ type passwd_file_t;
- ')
-
-- optional_policy(`
-- ldap_stream_connect($1)
-- ')
++ ')
++
+ files_search_etc($1)
+ allow $1 passwd_file_t:file getattr;
+')
-
-- optional_policy(`
-- likewise_stream_connect_lsassd($1)
++
+########################################
+##
+## Do not audit attempts to get the attributes
@@ -80970,16 +80919,11 @@ index 6ce867a..25def3e 100644
+interface(`auth_dontaudit_getattr_passwd',`
+ gen_require(`
+ type passwd_file_t;
- ')
-
-- optional_policy(`
-- kerberos_use($1)
-- ')
++ ')
++
+ dontaudit $1 passwd_file_t:file getattr;
+')
-
-- optional_policy(`
-- nis_use_ypbind($1)
++
+########################################
+##
+## Read the passwd passwords file (/etc/passwd)
@@ -80993,16 +80937,11 @@ index 6ce867a..25def3e 100644
+interface(`auth_read_passwd',`
+ gen_require(`
+ type passwd_file_t;
- ')
-
-- optional_policy(`
-- nscd_socket_use($1)
-- ')
++ ')
++
+ allow $1 passwd_file_t:file read_file_perms;
+')
-
-- optional_policy(`
-- nslcd_stream_connect($1)
++
+########################################
+##
+## Do not audit attempts to read the passwd
@@ -81017,10 +80956,8 @@ index 6ce867a..25def3e 100644
+interface(`auth_dontaudit_read_passwd',`
+ gen_require(`
+ type passwd_file_t;
- ')
-
-- optional_policy(`
-- sssd_stream_connect($1)
++ ')
++
+ dontaudit $1 passwd_file_t:file read_file_perms;
+')
+
@@ -81038,12 +80975,8 @@ index 6ce867a..25def3e 100644
+interface(`auth_manage_passwd',`
+ gen_require(`
+ type passwd_file_t;
- ')
-
-- optional_policy(`
-- samba_stream_connect_winbind($1)
-- samba_read_var_files($1)
-- samba_dontaudit_write_var_files($1)
++ ')
++
+ files_rw_etc_dirs($1)
+ allow $1 passwd_file_t:file manage_file_perms;
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
@@ -81067,55 +81000,37 @@ index 6ce867a..25def3e 100644
+interface(`auth_filetrans_admin_home_content',`
+ gen_require(`
+ type auth_home_t;
- ')
++ ')
+
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
- ')
-
- ########################################
- ##
--## Unconfined access to the authlogin module.
++')
++
++########################################
++##
+## Create auth directory in the user home directory
+## with an correct label.
- ##
--##
--##
--## Unconfined access to the authlogin module.
--##
--##
--## Currently, this only allows assertions for
--## the shadow passwords file (/etc/shadow) to
--## be passed. No access is granted yet.
--##
--##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
- #
--interface(`auth_unconfined',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`auth_filetrans_home_content',`
+
- gen_require(`
-- attribute can_read_shadow_passwords;
-- attribute can_write_shadow_passwords;
-- attribute can_relabelto_shadow_passwords;
++ gen_require(`
+ type auth_home_t;
- ')
-
-- typeattribute $1 can_read_shadow_passwords;
-- typeattribute $1 can_write_shadow_passwords;
-- typeattribute $1 can_relabelto_shadow_passwords;
++ ')
++
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
- ')
++')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f12b8ff..3b80e52 100644
+index f145ccb..c0ed878 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
+@@ -5,6 +5,12 @@ policy_module(authlogin, 2.4.0)
# Declarations
#
@@ -81125,19 +81040,15 @@ index f12b8ff..3b80e52 100644
+##
+##
+gen_tunable(authlogin_radius, false)
-+
-+##
-+##
-+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
-+##
-+##
-+gen_tunable(authlogin_nsswitch_use_ldap, false)
-+
+
+ ##
+ ##
+@@ -16,20 +22,25 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
+attribute polydomain;
-+attribute nsswitch_domain;
+ attribute nsswitch_domain;
type auth_cache_t;
logging_log_file(auth_cache_t)
@@ -81159,7 +81070,7 @@ index f12b8ff..3b80e52 100644
type lastlog_t;
logging_log_file(lastlog_t)
-@@ -55,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
+@@ -64,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
@@ -81169,7 +81080,7 @@ index f12b8ff..3b80e52 100644
type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
-@@ -100,6 +123,8 @@ dev_read_urand(chkpwd_t)
+@@ -109,6 +123,8 @@ dev_read_urand(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
@@ -81178,7 +81089,7 @@ index f12b8ff..3b80e52 100644
fs_dontaudit_getattr_xattr_fs(chkpwd_t)
-@@ -118,7 +143,7 @@ miscfiles_read_localization(chkpwd_t)
+@@ -127,7 +143,7 @@ miscfiles_read_localization(chkpwd_t)
seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)
@@ -81187,7 +81098,7 @@ index f12b8ff..3b80e52 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -332,6 +357,7 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +357,7 @@ kernel_read_system_state(updpwd_t)
dev_read_urand(updpwd_t)
files_manage_etc_files(updpwd_t)
@@ -81195,7 +81106,7 @@ index f12b8ff..3b80e52 100644
term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -343,7 +369,7 @@ logging_send_syslog_msg(updpwd_t)
+@@ -352,7 +369,7 @@ logging_send_syslog_msg(updpwd_t)
miscfiles_read_localization(updpwd_t)
@@ -81204,7 +81115,7 @@ index f12b8ff..3b80e52 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -371,13 +397,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +397,15 @@ term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)
@@ -81221,7 +81132,7 @@ index f12b8ff..3b80e52 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +416,79 @@ ifdef(`distro_ubuntu',`
+@@ -397,12 +416,81 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -81304,6 +81215,29 @@ index f12b8ff..3b80e52 100644
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
')
+
+ #######################################
+@@ -426,6 +514,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
+
+ optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
++ dirsrv_stream_connect(nsswitch_domain)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect(nsswitch_domain)
+ ')
+ ')
+@@ -456,6 +550,7 @@ optional_policy(`
+
+ optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
++ sssd_read_public_files(nsswitch_domain)
+ ')
+
+ optional_policy(`
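Review bot: `sssd_read_public_files(nsswitch_domain)` in the new inner hunk `+@@ -456,6 +550,7 @@` is granted unconditionally to every domain carrying the `nsswitch_domain` attribute, whereas the `dirsrv_stream_connect(nsswitch_domain)` added just above is, like `ldap_stream_connect`, gated behind `authlogin_nsswitch_use_ldap` (the upstream `gen_tunable(authlogin_nsswitch_use_ldap, false)` visible earlier in this patch defaults it to off). Because that attribute is applied to most networked and login domains, this widens what all of them may read; that is presumably fine if the interface only covers sssd's client-visible public directory and not its cache or state types, but confirm that, and record the reasoning with a comment above the line such as `# sssd public files (pubconf) are meant to be readable by every nss client`.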
diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
index c5e05ca..c9ddbee 100644
--- a/policy/modules/system/clock.fc
@@ -81584,7 +81518,7 @@ index 9dfecf7..6d00f5c 100644
+
+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index ec82afa..df11774 100644
+index f6cbda9..9a75c1e 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -23,29 +23,34 @@ dontaudit hostname_t self:capability sys_tty_config;
@@ -82876,7 +82810,7 @@ index d26fe81..3f3a57f 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5fb9683..13860f3 100644
+index 4a88fa1..2a13153 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -82956,7 +82890,7 @@ index 5fb9683..13860f3 100644
type initrc_devpts_t;
term_pty(initrc_devpts_t)
-@@ -92,7 +132,7 @@ ifdef(`enable_mls',`
+@@ -95,7 +135,7 @@ ifdef(`enable_mls',`
#
# Use capabilities. old rule:
@@ -82965,7 +82899,7 @@ index 5fb9683..13860f3 100644
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
-@@ -104,12 +144,26 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -107,12 +147,26 @@ allow init_t self:fifo_file rw_fifo_file_perms;
# Re-exec itself
can_exec(init_t, init_exec_t)
@@ -82998,7 +82932,7 @@ index 5fb9683..13860f3 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -119,28 +173,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -122,28 +176,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -83038,7 +82972,7 @@ index 5fb9683..13860f3 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -149,6 +213,8 @@ fs_list_inotifyfs(init_t)
+@@ -152,6 +216,8 @@ fs_list_inotifyfs(init_t)
# cjp: this may be related to /dev/log
fs_write_ramfs_sockets(init_t)
@@ -83047,7 +82981,7 @@ index 5fb9683..13860f3 100644
mcs_process_set_categories(init_t)
mcs_killall(init_t)
-@@ -156,22 +222,41 @@ mls_file_read_all_levels(init_t)
+@@ -159,22 +225,41 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -83090,7 +83024,7 @@ index 5fb9683..13860f3 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -180,12 +265,18 @@ ifdef(`distro_gentoo',`
+@@ -183,12 +268,19 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -83100,6 +83034,7 @@ index 5fb9683..13860f3 100644
fs_read_tmpfs_symlinks(init_t)
fs_rw_tmpfs_chr_files(init_t)
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
++ fs_tmpfs_filetrans_named_content(init_t)
+
+ logging_stream_connect_syslog(init_t)
+ logging_relabel_syslog_pid_socket(init_t)
@@ -83110,7 +83045,7 @@ index 5fb9683..13860f3 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -193,16 +284,148 @@ tunable_policy(`init_upstart',`
+@@ -196,16 +288,148 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -83261,7 +83196,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -210,6 +433,18 @@ optional_policy(`
+@@ -213,6 +437,18 @@ optional_policy(`
')
optional_policy(`
@@ -83280,7 +83215,7 @@ index 5fb9683..13860f3 100644
unconfined_domain(init_t)
')
-@@ -219,8 +454,8 @@ optional_policy(`
+@@ -222,8 +458,8 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -83291,7 +83226,7 @@ index 5fb9683..13860f3 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -248,12 +483,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +487,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -83305,9 +83240,9 @@ index 5fb9683..13860f3 100644
files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
- init_write_initctl(initrc_t)
-
-@@ -265,20 +503,34 @@ kernel_change_ring_buffer_level(initrc_t)
+ manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+ manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+@@ -272,23 +511,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -83321,7 +83256,10 @@ index 5fb9683..13860f3 100644
+files_read_var_lib_symlinks(initrc_t)
+files_setattr_pid_dirs(initrc_t)
+ files_create_lock_dirs(initrc_t)
+ files_pid_filetrans_lock_dir(initrc_t, "lock")
files_read_kernel_symbol_table(initrc_t)
+-files_setattr_lock_dirs(initrc_t)
+files_exec_etc_files(initrc_t)
+files_manage_etc_symlinks(initrc_t)
+files_manage_system_conf_files(initrc_t)
@@ -83347,7 +83285,7 @@ index 5fb9683..13860f3 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -286,6 +538,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +548,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -83355,7 +83293,7 @@ index 5fb9683..13860f3 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -296,8 +549,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +559,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -83366,7 +83304,7 @@ index 5fb9683..13860f3 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -305,17 +560,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +570,16 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -83386,7 +83324,7 @@ index 5fb9683..13860f3 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -323,6 +577,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +587,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -83394,7 +83332,7 @@ index 5fb9683..13860f3 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -330,8 +585,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +595,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -83406,7 +83344,7 @@ index 5fb9683..13860f3 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -347,8 +604,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +614,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -83420,7 +83358,7 @@ index 5fb9683..13860f3 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -358,9 +619,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +629,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -83434,7 +83372,7 @@ index 5fb9683..13860f3 100644
mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -370,6 +634,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +644,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -83442,7 +83380,7 @@ index 5fb9683..13860f3 100644
selinux_get_enforce_mode(initrc_t)
-@@ -381,6 +646,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +656,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -83450,7 +83388,7 @@ index 5fb9683..13860f3 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -401,18 +667,17 @@ logging_read_audit_config(initrc_t)
+@@ -411,18 +677,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -83472,7 +83410,7 @@ index 5fb9683..13860f3 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -465,6 +730,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +741,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -83483,7 +83421,7 @@ index 5fb9683..13860f3 100644
alsa_read_lib(initrc_t)
')
-@@ -485,7 +754,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +765,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -83492,7 +83430,7 @@ index 5fb9683..13860f3 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -500,6 +769,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +780,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -83500,7 +83438,7 @@ index 5fb9683..13860f3 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -520,6 +790,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +801,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -83508,7 +83446,7 @@ index 5fb9683..13860f3 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -529,8 +800,35 @@ ifdef(`distro_redhat',`
+@@ -540,8 +811,35 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -83544,7 +83482,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -538,14 +836,27 @@ ifdef(`distro_redhat',`
+@@ -549,14 +847,27 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -83572,7 +83510,7 @@ index 5fb9683..13860f3 100644
')
')
-@@ -556,6 +867,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +878,39 @@ ifdef(`distro_suse',`
')
')
@@ -83612,7 +83550,7 @@ index 5fb9683..13860f3 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -568,6 +912,8 @@ optional_policy(`
+@@ -579,6 +923,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -83621,7 +83559,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -589,6 +935,7 @@ optional_policy(`
+@@ -600,6 +946,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -83629,7 +83567,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -601,6 +948,17 @@ optional_policy(`
+@@ -612,6 +959,17 @@ optional_policy(`
')
optional_policy(`
@@ -83647,7 +83585,7 @@ index 5fb9683..13860f3 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -617,9 +975,13 @@ optional_policy(`
+@@ -628,9 +986,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -83661,7 +83599,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -644,6 +1006,10 @@ optional_policy(`
+@@ -655,6 +1017,10 @@ optional_policy(`
')
optional_policy(`
@@ -83672,7 +83610,7 @@ index 5fb9683..13860f3 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -661,6 +1027,15 @@ optional_policy(`
+@@ -672,6 +1038,15 @@ optional_policy(`
')
optional_policy(`
@@ -83688,7 +83626,7 @@ index 5fb9683..13860f3 100644
inn_exec_config(initrc_t)
')
-@@ -701,6 +1076,7 @@ optional_policy(`
+@@ -712,6 +1087,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -83696,7 +83634,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -718,7 +1094,13 @@ optional_policy(`
+@@ -729,7 +1105,13 @@ optional_policy(`
')
optional_policy(`
@@ -83710,7 +83648,7 @@ index 5fb9683..13860f3 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -741,6 +1123,10 @@ optional_policy(`
+@@ -752,6 +1134,10 @@ optional_policy(`
')
optional_policy(`
@@ -83721,7 +83659,7 @@ index 5fb9683..13860f3 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -750,10 +1136,20 @@ optional_policy(`
+@@ -761,10 +1147,20 @@ optional_policy(`
')
optional_policy(`
@@ -83742,7 +83680,7 @@ index 5fb9683..13860f3 100644
quota_manage_flags(initrc_t)
')
-@@ -762,6 +1158,10 @@ optional_policy(`
+@@ -773,6 +1169,10 @@ optional_policy(`
')
optional_policy(`
@@ -83753,7 +83691,7 @@ index 5fb9683..13860f3 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -783,8 +1183,6 @@ optional_policy(`
+@@ -794,8 +1194,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -83762,7 +83700,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -793,6 +1191,10 @@ optional_policy(`
+@@ -804,6 +1202,10 @@ optional_policy(`
')
optional_policy(`
@@ -83773,7 +83711,7 @@ index 5fb9683..13860f3 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -802,10 +1204,12 @@ optional_policy(`
+@@ -813,10 +1215,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -83786,15 +83724,16 @@ index 5fb9683..13860f3 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -817,7 +1221,6 @@ optional_policy(`
+@@ -828,8 +1232,6 @@ optional_policy(`
')
optional_policy(`
- udev_rw_db(initrc_t)
+- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
udev_manage_pid_files(initrc_t)
+ udev_manage_pid_dirs(initrc_t)
udev_manage_rules_files(initrc_t)
- ')
-@@ -827,12 +1230,30 @@ optional_policy(`
+@@ -840,12 +1242,30 @@ optional_policy(`
')
optional_policy(`
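Review bot: The rebased inner hunk `+@@ -828,8 +1232,6 @@` now strips upstream's `udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")` in addition to `udev_rw_db(initrc_t)`, while the neighbouring `udev_manage_pid_files(initrc_t)` / `udev_manage_pid_dirs(initrc_t)` stay. Without the named transition, a `/run/udev` directory created by an init script from initrc_t would be labelled like its parent /run directory rather than with udev's pid type, and the manage rules above presumably would not apply to it; unless an equivalent named filetrans for initrc_t exists elsewhere in this patch (not visible here), keep the line, i.e. drop the `- udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")` removal from the rebased hunk. The udev optional_policy block ends at the `')` inside the hunk.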
@@ -83827,7 +83766,7 @@ index 5fb9683..13860f3 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -842,6 +1263,18 @@ optional_policy(`
+@@ -855,6 +1275,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -83846,7 +83785,7 @@ index 5fb9683..13860f3 100644
')
optional_policy(`
-@@ -857,6 +1290,10 @@ optional_policy(`
+@@ -870,6 +1302,10 @@ optional_policy(`
')
optional_policy(`
@@ -83857,7 +83796,7 @@ index 5fb9683..13860f3 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -867,3 +1304,165 @@ optional_policy(`
+@@ -880,3 +1316,165 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -84076,7 +84015,7 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index fac0a01..481ef57 100644
+index a30840c..1035cf4 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -84923,7 +84862,7 @@ index 808ba93..f94b80a 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 992d105..e412258 100644
+index ad01883..1166ff5 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -59,9 +59,11 @@ optional_policy(`
@@ -85713,10 +85652,10 @@ index 321bb13..e7fd936 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 92555db..bec9a0b 100644
+index 0034021..a684b91 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -5,6 +5,20 @@ policy_module(logging, 1.18.2)
+@@ -5,6 +5,20 @@ policy_module(logging, 1.19.0)
# Declarations
#
@@ -86220,7 +86159,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 7b6bcb9..08b4b7e 100644
+index f8eeecd..310893f 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -86551,10 +86490,10 @@ index 926ba65..b2a1675 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index c885e4e..6d0881d 100644
+index 622fb4f..69b6fef 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.9.1)
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.0)
#
# Declarations
#
@@ -86688,10 +86627,10 @@ index 350c450..2debedc 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 560d5d9..3d8e252 100644
+index b4ff2f7..6555c9e 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1)
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.0)
# Declarations
#
@@ -87241,10 +87180,10 @@ index 4584457..5b041ee 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6d3b14b..31dac3e 100644
+index 63931f6..91137b6 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -10,35 +10,60 @@ policy_module(mount, 1.14.2)
+@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
## Allow the mount command to mount any directory or file.
##
##
@@ -87392,7 +87331,7 @@ index 6d3b14b..31dac3e 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +147,42 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -87420,6 +87359,9 @@ index 6d3b14b..31dac3e 100644
-mls_file_read_all_levels(mount_t)
-mls_file_write_all_levels(mount_t)
++mcs_file_read_all(mount_t)
++mcs_file_write_all(mount_t)
++
+mls_file_read_to_clearance(mount_t)
+mls_file_write_to_clearance(mount_t)
+mls_process_write_to_clearance(mount_t)
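Review bot: The two newly added rules `mcs_file_read_all(mount_t)` and `mcs_file_write_all(mount_t)` let mount_t read and write files of every MCS category, which removes category separation for anything mount touches, and the hunk carries no comment saying which mount operation needed it. The mls_file_read_to_clearance/mls_file_write_to_clearance rules kept just below already cover the MLS side, so the MCS override looks like a response to a specific denial; record that above the two rules, e.g. `# mount must cross MCS categories: <denial or use case — fill in>`, so a later audit can decide whether the access is still needed. If only reads were denied, keep mcs_file_read_all and drop mcs_file_write_all, which is the broader of the two.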
@@ -87438,7 +87380,7 @@ index 6d3b14b..31dac3e 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,6 +187,8 @@ auth_use_nsswitch(mount_t)
+@@ -121,6 +190,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -87447,7 +87389,7 @@ index 6d3b14b..31dac3e 100644
logging_send_syslog_msg(mount_t)
-@@ -131,6 +199,9 @@ sysnet_use_portmap(mount_t)
+@@ -131,6 +202,9 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -87457,7 +87399,7 @@ index 6d3b14b..31dac3e 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -87497,7 +87439,7 @@ index 6d3b14b..31dac3e 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +251,8 @@ optional_policy(`
+@@ -179,6 +254,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -87506,7 +87448,7 @@ index 6d3b14b..31dac3e 100644
')
optional_policy(`
-@@ -186,6 +260,28 @@ optional_policy(`
+@@ -186,6 +263,28 @@ optional_policy(`
')
optional_policy(`
@@ -87535,7 +87477,7 @@ index 6d3b14b..31dac3e 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +289,123 @@ optional_policy(`
+@@ -193,21 +292,123 @@ optional_policy(`
')
')
@@ -88088,7 +88030,7 @@ index 3822072..cac0b1e 100644
+ auth_relabelto_shadow($1)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc0c03b..0472c89 100644
+index ec01d0b..98094ae 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -89227,10 +89169,10 @@ index 41a1853..32a502e 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 8aed9d0..fdabb76 100644
+index ed363e1..272215f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.13.2)
+@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0)
# Declarations
#
@@ -90845,7 +90787,7 @@ index 2575393..49fd32e 100644
ifdef(`distro_debian',`
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..d7b15a4 100644
+index 77a13a5..9a5a73f 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -90866,7 +90808,7 @@ index 025348a..d7b15a4 100644
')
########################################
-@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
+@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
#
interface(`udev_dontaudit_search_db',`
gen_require(`
@@ -90879,7 +90821,7 @@ index 025348a..d7b15a4 100644
')
########################################
-@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
+@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',`
##
#
interface(`udev_read_db',`
@@ -90902,35 +90844,35 @@ index 025348a..d7b15a4 100644
+ type udev_var_run_t;
')
-+ files_search_pids($1)
- dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:dir list_dir_perms;
-- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
-- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++ files_search_pids($1)
++ dev_list_all_dev_nodes($1)
+ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
++')
- ########################################
- ##
--## Allow process to modify list of devices.
+- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++########################################
++##
+## Allow process to modify relabelto udev database
- ##
- ##
- ##
-@@ -203,13 +216,54 @@ interface(`udev_read_db',`
- ##
- ##
- #
--interface(`udev_rw_db',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`udev_relabelto_db',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
-+
+
+- dev_list_all_dev_nodes($1)
+ files_search_pids($1)
+ allow $1 udev_var_run_t:file relabelto_file_perms;
+')
-+
+
+- files_search_etc($1)
+########################################
+##
+## Relabel the udev sock_file.
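Review bot: As reorganised here, udev_read_db() now ends with `rw_files_pattern($1, udev_var_run_t, udev_var_run_t)` followed by the new closing `')`, so an interface whose name promises read-only access hands every caller write access to the udev database under udev_var_run_t; the rw rule itself predates this commit, but this hunk makes it the effective body of the interface. Callers that only read the db should get `read_files_pattern($1, udev_var_run_t, udev_var_run_t)`, with a separately named rw interface for the few that write, so least privilege is kept per caller. The new udev_relabelto_db() block in the same hunk has the right shape (files_search_pids plus one narrowly scoped allow); its summary line `## Allow process to modify relabelto udev database` reads oddly and could be `## Allow process to relabel files to the udev database type`.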
@@ -90942,27 +90884,30 @@ index 025348a..d7b15a4 100644
+##
+#
+interface(`udev_relabel_pid_sockfile',`
- gen_require(`
-- type udev_tbl_t;
++ gen_require(`
+ type udev_var_run_t;
+ ')
-+
+
+- udev_search_pids($1)
+ allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow process to modify list of devices.
+## Create, read, write, and delete
+## udev pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -213,13 +258,16 @@ interface(`udev_read_db',`
+ ##
+ ##
+ #
+-interface(`udev_rw_db',`
+interface(`udev_read_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type udev_tbl_t;
+ type udev_var_run_t;
')
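Review bot: udev_relabel_pid_sockfile() grants `allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;` without the `files_search_pids($1)` that the sibling udev_relabelto_db() interface carries, so a caller that has not otherwise been given search on the pid directory will presumably be denied before it reaches the socket; adding `files_search_pids($1)` before the allow line keeps the two relabel interfaces consistent. The udev_read_pid_files() interface that opens at the end of the hunk continues outside it, so its body is not reviewed here.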
@@ -90975,7 +90920,7 @@ index 025348a..d7b15a4 100644
')
########################################
-@@ -228,6 +282,84 @@ interface(`udev_manage_pid_files',`
+@@ -300,6 +348,84 @@ interface(`udev_manage_pid_files',`
type udev_var_run_t;
')
@@ -91062,7 +91007,7 @@ index 025348a..d7b15a4 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index cf279df..44ade49 100644
+index 29075b3..6ee8c74 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -91864,14 +91809,10 @@ index db7aabb..4012a61 100644
+ refpolicywarn(`$0() has been deprecated.')
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 4f60203..71e46b2 100644
+index 0280b32..61f19e9 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
-@@ -1,240 +1,7 @@
--policy_module(unconfined, 3.4.1)
-+policy_module(unconfined, 3.3.0)
-
- ########################################
+@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0)
#
# Declarations
#
@@ -95922,10 +95863,10 @@ index e720dcd..7ce85d3 100644
+ typeattribute $1 userdom_home_manager_type;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 47efe9a..1fa68b1 100644
+index 6a4bd85..a1a8acb 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
-@@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2)
+@@ -7,17 +7,17 @@ policy_module(userdomain, 4.8.0)
##
##
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index b4e5022..0199ab6 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -1520,7 +1520,7 @@ index dc1b088..d1f2a62 100644
term_dontaudit_use_console(alsa_t)
diff --git a/amanda.te b/amanda.te
-index bec220e..f0cf404 100644
+index d8b5abe..e12641f 100644
--- a/amanda.te
+++ b/amanda.te
@@ -58,7 +58,7 @@ optional_policy(`
@@ -1636,10 +1636,10 @@ index e31d92a..1aa0718 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
-index 5a9b451..94d9048 100644
+index 505309b..6cc4f4f 100644
--- a/amavis.te
+++ b/amavis.te
-@@ -5,6 +5,13 @@ policy_module(amavis, 1.13.1)
+@@ -5,6 +5,13 @@ policy_module(amavis, 1.14.0)
# Declarations
#
@@ -2722,10 +2722,10 @@ index 6480167..d30bdbf 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index a36a01d..8203991 100644
+index 0833afb..4664751 100644
--- a/apache.te
+++ b/apache.te
-@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
+@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
# Declarations
#
@@ -2734,7 +2734,7 @@ index a36a01d..8203991 100644
##
##
## Allow Apache to modify public files
-@@ -25,14 +27,35 @@ policy_module(apache, 2.3.2)
+@@ -25,14 +27,35 @@ policy_module(apache, 2.4.0)
## be labeled public_content_rw_t.
##
##
@@ -3398,7 +3398,7 @@ index a36a01d..8203991 100644
')
optional_policy(`
-@@ -568,7 +888,21 @@ optional_policy(`
+@@ -573,7 +893,21 @@ optional_policy(`
')
optional_policy(`
@@ -3420,7 +3420,7 @@ index a36a01d..8203991 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -579,6 +913,7 @@ optional_policy(`
+@@ -584,6 +918,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3428,7 +3428,7 @@ index a36a01d..8203991 100644
')
optional_policy(`
-@@ -589,6 +924,33 @@ optional_policy(`
+@@ -594,6 +929,33 @@ optional_policy(`
')
optional_policy(`
@@ -3462,7 +3462,7 @@ index a36a01d..8203991 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -603,6 +965,11 @@ optional_policy(`
+@@ -608,6 +970,11 @@ optional_policy(`
')
optional_policy(`
@@ -3474,7 +3474,7 @@ index a36a01d..8203991 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -615,6 +982,12 @@ optional_policy(`
+@@ -620,6 +987,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3487,7 +3487,7 @@ index a36a01d..8203991 100644
########################################
#
# Apache helper local policy
-@@ -628,7 +1001,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1006,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3500,7 +3500,7 @@ index a36a01d..8203991 100644
########################################
#
-@@ -666,28 +1043,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1048,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3544,7 +3544,7 @@ index a36a01d..8203991 100644
')
########################################
-@@ -697,6 +1076,7 @@ optional_policy(`
+@@ -702,6 +1081,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3552,7 +3552,7 @@ index a36a01d..8203991 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,19 +1091,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1096,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3581,7 +3581,7 @@ index a36a01d..8203991 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -740,7 +1128,6 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -745,7 +1133,6 @@ tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
@@ -3589,7 +3589,7 @@ index a36a01d..8203991 100644
corenet_all_recvfrom_netlabel(httpd_suexec_t)
corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
corenet_udp_sendrecv_generic_if(httpd_suexec_t)
-@@ -752,13 +1139,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1144,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3622,7 +3622,7 @@ index a36a01d..8203991 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1186,25 @@ optional_policy(`
+@@ -786,6 +1191,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3648,7 +3648,7 @@ index a36a01d..8203991 100644
########################################
#
# Apache system script local policy
-@@ -801,12 +1225,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1230,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3666,7 +3666,7 @@ index a36a01d..8203991 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -815,18 +1244,49 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1249,49 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -3723,7 +3723,7 @@ index a36a01d..8203991 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1294,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -3764,7 +3764,7 @@ index a36a01d..8203991 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1339,20 @@ optional_policy(`
+@@ -859,10 +1344,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3785,7 +3785,7 @@ index a36a01d..8203991 100644
')
########################################
-@@ -873,7 +1368,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,7 +1373,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -3793,7 +3793,7 @@ index a36a01d..8203991 100644
logging_search_logs(httpd_rotatelogs_t)
-@@ -903,11 +1397,144 @@ optional_policy(`
+@@ -908,11 +1402,144 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -4433,7 +4433,7 @@ index b6168fd..313c6e4 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 3b4613b..3ebeb4c 100644
+index 159610b..ae334b4 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -20,10 +20,11 @@ type asterisk_log_t;
@@ -4851,144 +4851,25 @@ index 0bfc958..81fc8bd 100644
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bcfg2.fc b/bcfg2.fc
-new file mode 100644
-index 0000000..9e06a9d
---- /dev/null
+index f5413da..9e06a9d 100644
+--- a/bcfg2.fc
+++ b/bcfg2.fc
-@@ -0,0 +1,9 @@
-+/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
-+
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
+
-+/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
-+
-+/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
-+
-+/var/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_var_run_t,s0)
+ /usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+
+ /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
diff --git a/bcfg2.if b/bcfg2.if
-new file mode 100644
-index 0000000..9a1d5f5
---- /dev/null
+index b289d93..070f22b 100644
+--- a/bcfg2.if
+++ b/bcfg2.if
-@@ -0,0 +1,185 @@
-+
-+## bcfg2-server daemon which serves configurations to clients based on the data in its repository
-+
-+########################################
-+##
-+## Execute bcfg2 in the bcfg2 domain..
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`bcfg2_domtrans',`
-+ gen_require(`
-+ type bcfg2_t, bcfg2_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
-+')
-+
-+########################################
-+##
-+## Execute bcfg2 server in the bcfg2 domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bcfg2_initrc_domtrans',`
-+ gen_require(`
-+ type bcfg2_initrc_exec_t;
-+ ')
-+
-+ init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
-+')
-+
-+########################################
-+##
-+## Search bcfg2 lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bcfg2_search_lib',`
-+ gen_require(`
-+ type bcfg2_var_lib_t;
-+ ')
-+
-+ allow $1 bcfg2_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read bcfg2 lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bcfg2_read_lib_files',`
-+ gen_require(`
-+ type bcfg2_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage bcfg2 lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bcfg2_manage_lib_files',`
-+ gen_require(`
-+ type bcfg2_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage bcfg2 lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`bcfg2_manage_lib_dirs',`
-+ gen_require(`
-+ type bcfg2_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+')
-+
-+########################################
-+##
+@@ -115,6 +115,31 @@ interface(`bcfg2_manage_lib_dirs',`
+
+ ########################################
+ ##
+## Execute bcfg2 server in the bcfg2 domain.
+##
+##
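Review bot: The interface block inserted into bcfg2.if at `@@ -115,6 +115,31 @@` opens with the summary `## Execute bcfg2 server in the bcfg2 domain.`, which is the same summary bcfg2_initrc_domtrans already uses earlier in the file. Its body lies outside this hunk, but the `bcfg2_systemctl($1)` call added to bcfg2_admin in the following hunk suggests this is the systemctl interface, and then the summary should say so, e.g. `## Manage the bcfg2 service with systemctl.`, so the two interfaces are distinguishable in generated documentation.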
@@ -5014,108 +4895,45 @@ index 0000000..9a1d5f5
+
+########################################
+##
-+## All of the rules required to administrate
-+## an bcfg2 environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`bcfg2_admin',`
-+ gen_require(`
-+ type bcfg2_t;
-+ type bcfg2_initrc_exec_t;
-+ type bcfg2_var_lib_t;
+ ## All of the rules required to administrate
+ ## an bcfg2 environment
+ ##
+@@ -135,6 +160,7 @@ interface(`bcfg2_admin',`
+ type bcfg2_t;
+ type bcfg2_initrc_exec_t;
+ type bcfg2_var_lib_t;
+ type bcfg2_unit_file_t;
-+ ')
-+
-+ allow $1 bcfg2_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, bcfg2_t)
-+
-+ bcfg2_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 bcfg2_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, bcfg2_var_lib_t)
+ ')
+
+ allow $1 bcfg2_t:process { ptrace signal_perms };
+@@ -147,4 +173,13 @@ interface(`bcfg2_admin',`
+
+ files_search_var_lib($1)
+ admin_pattern($1, bcfg2_var_lib_t)
+
+ bcfg2_systemctl($1)
+ admin_pattern($1, bcfg2_unit_file_t)
+ allow $1 bcfg2_unit_file_t:service all_service_perms;
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/bcfg2.te b/bcfg2.te
-new file mode 100644
-index 0000000..7b560ac
---- /dev/null
+index cf8e59f..4c6b5cf 100644
+--- a/bcfg2.te
+++ b/bcfg2.te
-@@ -0,0 +1,54 @@
-+policy_module(bcfg2, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type bcfg2_t;
-+type bcfg2_exec_t;
-+init_daemon_domain(bcfg2_t, bcfg2_exec_t)
-+
-+type bcfg2_initrc_exec_t;
-+init_script_file(bcfg2_initrc_exec_t)
-+
-+type bcfg2_var_lib_t;
-+files_type(bcfg2_var_lib_t)
-+
+@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
+ type bcfg2_var_lib_t;
+ files_type(bcfg2_var_lib_t)
+
+type bcfg2_unit_file_t;
+systemd_unit_file(bcfg2_unit_file_t)
+
-+type bcfg2_var_run_t;
-+files_pid_file(bcfg2_var_run_t)
-+
-+########################################
-+#
-+# bcfg2 local policy
-+#
-+
-+allow bcfg2_t self:fifo_file rw_fifo_file_perms;
-+allow bcfg2_t self:tcp_socket create_stream_socket_perms;
-+allow bcfg2_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+
-+manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir )
-+
-+manage_files_pattern(bcfg2_t, bcfg2_var_run_t,bcfg2_var_run_t)
-+files_pid_filetrans(bcfg2_t,bcfg2_var_run_t, file )
-+
-+kernel_read_system_state(bcfg2_t)
-+
-+corecmd_exec_bin(bcfg2_t)
-+
-+dev_read_urand(bcfg2_t)
-+
-+domain_use_interactive_fds(bcfg2_t)
-+
-+files_read_usr_files(bcfg2_t)
-+
-+auth_use_nsswitch(bcfg2_t)
-+
-+logging_send_syslog_msg(bcfg2_t)
-+
-+miscfiles_read_localization(bcfg2_t)
+ type bcfg2_var_run_t;
+ files_pid_file(bcfg2_var_run_t)
+
diff --git a/bind.fc b/bind.fc
index 59aa54f..b01072c 100644
--- a/bind.fc
@@ -5296,7 +5114,7 @@ index 44a1e3d..9b50c13 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 4deca04..ecf98a1 100644
+index 0968cb4..398a7eb 100644
--- a/bind.te
+++ b/bind.te
@@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
@@ -5392,7 +5210,7 @@ index 4deca04..ecf98a1 100644
init_dbus_chat_script(named_t)
sysnet_dbus_chat_dhcpc(named_t)
-@@ -206,13 +226,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
+@@ -211,13 +231,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
allow ndc_t named_conf_t:file read_file_perms;
@@ -5408,7 +5226,7 @@ index 4deca04..ecf98a1 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -223,11 +243,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
+@@ -228,11 +248,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
domain_use_interactive_fds(ndc_t)
@@ -5422,7 +5240,7 @@ index 4deca04..ecf98a1 100644
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
-@@ -235,16 +256,15 @@ logging_send_syslog_msg(ndc_t)
+@@ -240,16 +261,15 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t)
@@ -5572,172 +5390,22 @@ index f4e7ad3..9aaf3f6 100644
# normally started from inetd using tcpwrappers, so use those entry points
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
diff --git a/blueman.fc b/blueman.fc
-new file mode 100644
-index 0000000..98ba16a
---- /dev/null
+index 6355318..98ba16a 100644
+--- a/blueman.fc
+++ b/blueman.fc
-@@ -0,0 +1,4 @@
-+
-+/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
-+
-+/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
-diff --git a/blueman.if b/blueman.if
-new file mode 100644
-index 0000000..d941245
---- /dev/null
-+++ b/blueman.if
-@@ -0,0 +1,99 @@
-+## Blueman is a tool to use Bluetooth devices
-+
-+########################################
-+##
-+## Execute blueman in the blueman domain..
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`blueman_domtrans',`
-+ gen_require(`
-+ type blueman_t, blueman_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, blueman_exec_t, blueman_t)
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## blueman over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`blueman_dbus_chat',`
-+ gen_require(`
-+ type blueman_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 blueman_t:dbus send_msg;
-+ allow blueman_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Search blueman lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`blueman_search_lib',`
-+ gen_require(`
-+ type blueman_var_lib_t;
-+ ')
-+
-+ allow $1 blueman_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read blueman lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`blueman_read_lib_files',`
-+ gen_require(`
-+ type blueman_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete
-+## blueman lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`blueman_manage_lib_files',`
-+ gen_require(`
-+ type blueman_var_lib_t;
-+ ')
+@@ -1,3 +1,4 @@
+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
-+')
+ /usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
+
+ /var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.te b/blueman.te
-new file mode 100644
-index 0000000..5d26a60
---- /dev/null
+index 70969fa..5d26a60 100644
+--- a/blueman.te
+++ b/blueman.te
-@@ -0,0 +1,54 @@
-+policy_module(blueman, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type blueman_t;
-+type blueman_exec_t;
-+dbus_system_domain(blueman_t, blueman_exec_t)
-+init_daemon_domain(blueman_t, blueman_exec_t)
-+
-+type blueman_var_lib_t;
-+files_type(blueman_var_lib_t)
-+
-+########################################
-+#
-+# blueman local policy
-+#
-+allow blueman_t self:fifo_file rw_fifo_file_perms;
-+
-+manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
-+manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
-+files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
-+
-+kernel_read_system_state(blueman_t)
-+
-+corecmd_exec_bin(blueman_t)
-+
-+dev_read_rand(blueman_t)
-+dev_read_urand(blueman_t)
-+dev_rw_wireless(blueman_t)
-+
-+domain_use_interactive_fds(blueman_t)
-+
-+files_read_usr_files(blueman_t)
-+
-+auth_use_nsswitch(blueman_t)
-+
-+logging_send_syslog_msg(blueman_t)
-+
-+miscfiles_read_localization(blueman_t)
-+
-+optional_policy(`
-+ avahi_domtrans(blueman_t)
-+')
+@@ -44,3 +44,11 @@ miscfiles_read_localization(blueman_t)
+ optional_policy(`
+ avahi_domtrans(blueman_t)
+ ')
+
+optional_policy(`
+ gnome_search_gconf(blueman_t)
@@ -8139,10 +7807,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..b3b6ffe
+index 0000000..dc13756
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,183 @@
+@@ -0,0 +1,182 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -8325,7 +7993,6 @@ index 0000000..b3b6ffe
+optional_policy(`
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
+')
-+
diff --git a/chronyd.fc b/chronyd.fc
index fd8cd0b..f33885f 100644
--- a/chronyd.fc
@@ -8776,11 +8443,11 @@ index bbac14a..99c5cca 100644
+
')
diff --git a/clamav.te b/clamav.te
-index 5b7a1d7..e75455f 100644
+index a10350e..47f77db 100644
--- a/clamav.te
+++ b/clamav.te
@@ -1,9 +1,23 @@
- policy_module(clamav, 1.9.1)
+ policy_module(clamav, 1.10.0)
##
-##
@@ -12008,7 +11675,7 @@ index 9971337..476f1e2 100644
')
diff --git a/courier.te b/courier.te
-index 785088b..b6e2895 100644
+index d034450..8478094 100644
--- a/courier.te
+++ b/courier.te
@@ -15,7 +15,7 @@ courier_domain_template(pcp)
@@ -13725,7 +13392,7 @@ index 305ddf4..11d010a 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/cups.te b/cups.te
-index 6e7f1b6..9f6cabb 100644
+index e5a8924..abb85c3 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -14223,7 +13890,7 @@ index e4e86d0..7c30655 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index a531e6f..323da45 100644
+index 097fdcc..373c8ca 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -14775,7 +14442,7 @@ index fb4bf82..115133d 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 8e7ba54..edb1219 100644
+index 625cb32..ac27bd9 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -16104,7 +15771,7 @@ index 5e2cea8..2ab8a14 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index 54b794f..63eae1d 100644
+index ed07b26..624922d 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -17965,10 +17632,10 @@ index 4d32b42..78736d8 100644
########################################
diff --git a/dpkg.te b/dpkg.te
-index a1b8f92..b362622 100644
+index 52725c4..c751c48 100644
--- a/dpkg.te
+++ b/dpkg.te
-@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
+@@ -5,8 +5,8 @@ policy_module(dpkg, 1.10.0)
# Declarations
#
@@ -20203,10 +19870,10 @@ index 9d3201b..6e75e3d 100644
+ allow $1 ftpd_unit_file_t:service all_service_perms;
')
diff --git a/ftp.te b/ftp.te
-index 4285c83..4f2cd97 100644
+index 80026bb..3045d40 100644
--- a/ftp.te
+++ b/ftp.te
-@@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1)
+@@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
## public_content_rw_t.
##
##
@@ -21206,7 +20873,7 @@ index b0242d9..5126181 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 58c3c61..9595f7c 100644
+index 6e8e1f3..aa176c4 100644
--- a/git.te
+++ b/git.te
@@ -31,6 +31,15 @@ gen_tunable(git_cgi_use_nfs, false)
@@ -21264,12 +20931,8 @@ index 58c3c61..9595f7c 100644
corenet_tcp_bind_generic_node(git_session_t)
corenet_tcp_sendrecv_generic_if(git_session_t)
corenet_tcp_sendrecv_generic_node(git_session_t)
-@@ -108,8 +123,15 @@ corenet_tcp_bind_git_port(git_session_t)
- corenet_tcp_sendrecv_git_port(git_session_t)
- corenet_sendrecv_git_server_packets(git_session_t)
+@@ -112,6 +127,11 @@ auth_use_nsswitch(git_session_t)
-+auth_use_nsswitch(git_session_t)
-+
userdom_use_user_terminals(git_session_t)
+tunable_policy(`git_session_bind_all_unreserved_ports',`
@@ -21280,7 +20943,7 @@ index 58c3c61..9595f7c 100644
tunable_policy(`git_session_send_syslog_msg',`
logging_send_syslog_msg(git_session_t)
')
-@@ -131,10 +153,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -133,8 +153,8 @@ tunable_policy(`use_samba_home_dirs',`
# Git system policy
#
@@ -21290,12 +20953,8 @@ index 58c3c61..9595f7c 100644
+read_files_pattern(git_system_t, git_content, git_content)
files_search_var_lib(git_system_t)
-+auth_use_nsswitch(git_system_t)
-+
- logging_send_syslog_msg(git_system_t)
-
- tunable_policy(`git_system_enable_homedirs',`
-@@ -170,8 +194,8 @@ tunable_policy(`git_system_use_nfs',`
+ auth_use_nsswitch(git_system_t)
+@@ -174,8 +194,8 @@ tunable_policy(`git_system_use_nfs',`
# Git CGI policy
#
@@ -21306,12 +20965,9 @@ index 58c3c61..9595f7c 100644
files_search_var_lib(httpd_git_script_t)
files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
-@@ -221,6 +245,11 @@ files_read_usr_files(git_daemon)
-
+@@ -226,3 +246,10 @@ files_read_usr_files(git_daemon)
fs_search_auto_mountpoints(git_daemon)
--auth_use_nsswitch(git_daemon)
--
miscfiles_read_localization(git_daemon)
+
+########################################
@@ -23741,14 +23397,10 @@ index 6d50300..46cc164 100644
##
## Send generic signals to user gpg processes.
diff --git a/gpg.te b/gpg.te
-index 156820c..50c208c 100644
+index 72a113e..2af9ab1 100644
--- a/gpg.te
+++ b/gpg.te
-@@ -1,9 +1,10 @@
--policy_module(gpg, 2.5.1)
-+policy_module(gpg, 2.4.0)
-
- ########################################
+@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
#
# Declarations
#
@@ -23756,7 +23408,7 @@ index 156820c..50c208c 100644
##
##
-@@ -13,23 +14,34 @@ policy_module(gpg, 2.5.1)
+@@ -13,23 +14,34 @@ policy_module(gpg, 2.6.0)
##
gen_tunable(gpg_agent_env_file, false)
@@ -24913,10 +24565,10 @@ index ebc9e0d..2c4b5da 100644
init_labeled_script_domtrans($1, innd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/inn.te b/inn.te
-index 22f449a..4d38202 100644
+index 7311364..0a5f8e0 100644
--- a/inn.te
+++ b/inn.te
-@@ -4,6 +4,7 @@ policy_module(inn, 1.9.1)
+@@ -4,6 +4,7 @@ policy_module(inn, 1.10.0)
#
# Declarations
#
@@ -25921,7 +25573,7 @@ index 53e53ca..92520eb 100644
+
+sysnet_read_config(jabberd_domain)
diff --git a/java.fc b/java.fc
-index 72f3df0..43b488f 100644
+index bc1a419..f630930 100644
--- a/java.fc
+++ b/java.fc
@@ -28,8 +28,6 @@
@@ -25934,10 +25586,10 @@ index 72f3df0..43b488f 100644
ifdef(`distro_redhat',`
diff --git a/java.te b/java.te
-index 95771f4..9d7f599 100644
+index ff52c16..22a761a 100644
--- a/java.te
+++ b/java.te
-@@ -10,7 +10,7 @@ policy_module(java, 2.5.1)
+@@ -10,7 +10,7 @@ policy_module(java, 2.6.0)
## Allow java executable stack
##
##
@@ -27166,7 +26818,7 @@ index 604f67b..71b1df2 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
+')
diff --git a/kerberos.te b/kerberos.te
-index 8edc29b..9e9473d 100644
+index 6a95faf..9e9473d 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
@@ -27258,14 +26910,10 @@ index 8edc29b..9e9473d 100644
miscfiles_read_localization(kadmind_t)
seutil_read_file_contexts(kadmind_t)
-@@ -160,6 +164,14 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
- userdom_dontaudit_search_user_home_dirs(kadmind_t)
+@@ -164,6 +168,10 @@ optional_policy(`
+ ')
optional_policy(`
-+ ldap_stream_connect(kadmind_t)
-+')
-+
-+optional_policy(`
+ dirsrv_stream_connect(kadmind_t)
+')
+
@@ -27273,7 +26921,7 @@ index 8edc29b..9e9473d 100644
nis_use_ypbind(kadmind_t)
')
-@@ -193,13 +205,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+@@ -197,13 +205,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
@@ -27289,7 +26937,7 @@ index 8edc29b..9e9473d 100644
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -217,7 +228,6 @@ kernel_search_network_sysctl(krb5kdc_t)
+@@ -221,7 +228,6 @@ kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
@@ -27297,7 +26945,7 @@ index 8edc29b..9e9473d 100644
corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
corenet_udp_sendrecv_generic_if(krb5kdc_t)
-@@ -249,6 +259,7 @@ selinux_validate_context(krb5kdc_t)
+@@ -253,6 +259,7 @@ selinux_validate_context(krb5kdc_t)
logging_send_syslog_msg(krb5kdc_t)
@@ -27305,14 +26953,10 @@ index 8edc29b..9e9473d 100644
miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
-@@ -260,6 +271,14 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
- userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+@@ -268,6 +275,10 @@ optional_policy(`
+ ')
optional_policy(`
-+ ldap_stream_connect(krb5kdc_t)
-+')
-+
-+optional_policy(`
+ dirsrv_stream_connect(krb5kdc_t)
+')
+
@@ -27320,7 +26964,7 @@ index 8edc29b..9e9473d 100644
nis_use_ypbind(krb5kdc_t)
')
-@@ -300,7 +319,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -308,7 +319,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -28307,7 +27951,7 @@ index c62f23e..04b74f0 100644
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
diff --git a/ldap.if b/ldap.if
-index 3aa8fa7..9539b76 100644
+index d6b7b2d..bc0ccb3 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,5 +1,64 @@
@@ -28401,17 +28045,7 @@ index 3aa8fa7..9539b76 100644
## Read the OpenLDAP configuration files.
##
##
-@@ -69,8 +147,7 @@ interface(`ldap_stream_connect',`
- ')
-
- files_search_pids($1)
-- allow $1 slapd_var_run_t:sock_file write;
-- allow $1 slapd_t:unix_stream_socket connectto;
-+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
- ')
-
- ########################################
-@@ -95,10 +172,14 @@ interface(`ldap_admin',`
+@@ -94,10 +172,14 @@ interface(`ldap_admin',`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t;
@@ -28427,7 +28061,7 @@ index 3aa8fa7..9539b76 100644
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -110,6 +191,7 @@ interface(`ldap_admin',`
+@@ -109,6 +191,7 @@ interface(`ldap_admin',`
admin_pattern($1, slapd_lock_t)
@@ -28435,7 +28069,7 @@ index 3aa8fa7..9539b76 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
-@@ -117,4 +199,8 @@ interface(`ldap_admin',`
+@@ -116,4 +199,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
@@ -29793,7 +29427,7 @@ index 67c7fdd..20fded2 100644
##
## Execute mailman CGI scripts in the
diff --git a/mailman.te b/mailman.te
-index afa7a2e..30bdd7a 100644
+index 22265f0..ad18986 100644
--- a/mailman.te
+++ b/mailman.te
@@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
@@ -32103,10 +31737,10 @@ index b397fde..25a03ce 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index 0724816..85fd964 100644
+index d4fcb75..b1d28b7 100644
--- a/mozilla.te
+++ b/mozilla.te
-@@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3)
+@@ -12,14 +12,22 @@ policy_module(mozilla, 2.6.0)
##
gen_tunable(mozilla_read_content, false)
@@ -33625,7 +33259,7 @@ index 4e2a5ba..c3643f0 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index 25151b4..507c17e 100644
+index 84a7d66..f887c9e 100644
--- a/mta.te
+++ b/mta.te
@@ -20,14 +20,19 @@ files_type(etc_aliases_t)
@@ -34168,7 +33802,7 @@ index c358d8f..7c097ec 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..6fd4f42 100644
+index f17583b..a363924 100644
--- a/munin.te
+++ b/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -34289,26 +33923,29 @@ index f17583b..6fd4f42 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -221,30 +232,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,30 +232,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
-files_read_etc_files(mail_munin_plugin_t)
--
++logging_read_generic_logs(mail_munin_plugin_t)
+
-fs_getattr_all_fs(mail_munin_plugin_t)
--
- logging_read_generic_logs(mail_munin_plugin_t)
++optional_policy(`
++ exim_read_log(mail_munin_plugin_t)
++')
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
+-logging_read_generic_logs(mail_munin_plugin_t)
+optional_policy(`
+ mta_read_config(mail_munin_plugin_t)
+ mta_send_mail(mail_munin_plugin_t)
+ mta_list_queue(mail_munin_plugin_t)
+ mta_read_queue(mail_munin_plugin_t)
+')
-+
+
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
+optional_policy(`
+ nscd_socket_use(mail_munin_plugin_t)
+')
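Review bot: The rebased mail_munin_plugin_t hunk removes upstream's `logging_read_generic_logs(mail_munin_plugin_t)` (the `-logging_read_generic_logs` line) only to re-add it a few lines higher, which is pure reordering churn that makes the permission change harder to audit; keeping the upstream line where it is and inserting the new `optional_policy(` … `exim_read_log(mail_munin_plugin_t)` … `')` block after it would leave only the genuinely new access in the hunk. The new `exim_read_log` rule also carries no rationale, unlike the `# for spampd` comments added elsewhere in this patch; a one-line comment such as `# mail plugin reads exim log files` above the block would record why the plugin domain gains read access to another daemon's logs. This reading is hedged, since the flattened indentation hides the inner diff markers.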
@@ -34340,7 +33977,7 @@ index f17583b..6fd4f42 100644
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +279,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +283,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
@@ -34355,7 +33992,7 @@ index f17583b..6fd4f42 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -279,6 +300,10 @@ optional_policy(`
+@@ -279,6 +304,10 @@ optional_policy(`
')
optional_policy(`
@@ -34366,7 +34003,7 @@ index f17583b..6fd4f42 100644
postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +311,10 @@ optional_policy(`
+@@ -286,6 +315,10 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -34377,7 +34014,7 @@ index f17583b..6fd4f42 100644
##################################
#
# local policy for system plugins
-@@ -295,12 +324,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,12 +328,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -34393,7 +34030,7 @@ index f17583b..6fd4f42 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +340,36 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +344,36 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -35055,15 +34692,10 @@ index 8581040..7d8e93b 100644
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/nagios.te b/nagios.te
-index 1fadd94..b6eec03 100644
+index c3e2a2d..f5afc60 100644
--- a/nagios.te
+++ b/nagios.te
-@@ -1,10 +1,12 @@
--policy_module(nagios, 1.11.1)
-+policy_module(nagios, 1.10.0)
-
- ########################################
- #
+@@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0)
# Declarations
#
@@ -35592,7 +35224,7 @@ index f19ca0b..dfc1ba2 100644
+ #netutils_run(ncftool_t, ncftool_roles)
')
diff --git a/nessus.te b/nessus.te
-index 4bfd50e..fcc4eba 100644
+index abf25da..16322b7 100644
--- a/nessus.te
+++ b/nessus.te
@@ -56,7 +56,6 @@ kernel_read_kernel_sysctls(nessusd_t)
@@ -36297,7 +35929,7 @@ index abe3f7f..6b31271 100644
+
')
diff --git a/nis.te b/nis.te
-index 4caa041..0c2c426 100644
+index f27899c..ba3f6a9 100644
--- a/nis.te
+++ b/nis.te
@@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -37187,7 +36819,7 @@ index 23c769c..0398e70 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index 4e28d58..0551354 100644
+index 01594c8..fad9434 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -37208,29 +36840,28 @@ index 4e28d58..0551354 100644
allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -36,10 +36,22 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
-
- kernel_read_system_state(nslcd_t)
+@@ -42,6 +42,8 @@ corenet_tcp_connect_ldap_port(nslcd_t)
+ corenet_sendrecv_ldap_client_packets(nslcd_t)
--files_read_etc_files(nslcd_t)
+ files_read_etc_files(nslcd_t)
+files_read_usr_symlinks(nslcd_t)
+files_list_tmp(nslcd_t)
auth_use_nsswitch(nslcd_t)
- logging_send_syslog_msg(nslcd_t)
+@@ -49,6 +51,13 @@ logging_send_syslog_msg(nslcd_t)
miscfiles_read_localization(nslcd_t)
-+
+
+userdom_read_user_tmp_files(nslcd_t)
+
+optional_policy(`
+ dirsrv_stream_connect(nslcd_t)
+')
+
-+optional_policy(`
-+ ldap_stream_connect(nslcd_t)
-+')
+ optional_policy(`
+ ldap_stream_connect(nslcd_t)
+ ')
+
diff --git a/nsplugin.fc b/nsplugin.fc
new file mode 100644
@@ -38767,7 +38398,7 @@ index bd76ec2..28c4f00 100644
##
## Execute a domain transition to run oddjob_mkhomedir.
diff --git a/oddjob.te b/oddjob.te
-index 36df5a2..2fee791 100644
+index a17ba31..9500f31 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -51,7 +51,8 @@ mcs_process_set_categories(oddjob_t)
@@ -41990,10 +41621,10 @@ index 0000000..00b432b
+
+userdom_home_manager(polipo_session_t)
diff --git a/portage.fc b/portage.fc
-index 1d5b4e5..a79acdd 100644
+index d9b2a90..5b0e6f8 100644
--- a/portage.fc
+++ b/portage.fc
-@@ -23,7 +23,7 @@
+@@ -25,7 +25,7 @@
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
@@ -42003,7 +41634,7 @@ index 1d5b4e5..a79acdd 100644
/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
diff --git a/portage.if b/portage.if
-index b4bb48a..b52100d 100644
+index 08ac5af..9c4aa3c 100644
--- a/portage.if
+++ b/portage.if
@@ -43,11 +43,15 @@ interface(`portage_domtrans',`
@@ -42034,10 +41665,10 @@ index b4bb48a..b52100d 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
diff --git a/portage.te b/portage.te
-index 2af04b9..7255594 100644
+index 630f16f..c49cdd9 100644
--- a/portage.te
+++ b/portage.te
-@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
+@@ -12,7 +12,7 @@ policy_module(portage, 1.13.0)
##
gen_tunable(portage_use_nfs, false)
@@ -42109,7 +41740,7 @@ index 2af04b9..7255594 100644
ifdef(`distro_gentoo',`
init_exec_rc(gcc_config_t)
-@@ -194,33 +200,41 @@ auth_manage_shadow(portage_t)
+@@ -198,33 +204,41 @@ auth_manage_shadow(portage_t)
init_exec(portage_t)
# run setfiles -r
@@ -42164,7 +41795,7 @@ index 2af04b9..7255594 100644
ifdef(`TODO',`
# seems to work ok without these
-@@ -265,7 +279,6 @@ kernel_read_kernel_sysctls(portage_fetch_t)
+@@ -271,7 +285,6 @@ kernel_read_kernel_sysctls(portage_fetch_t)
corecmd_exec_bin(portage_fetch_t)
corecmd_exec_shell(portage_fetch_t)
@@ -42172,7 +41803,7 @@ index 2af04b9..7255594 100644
corenet_all_recvfrom_netlabel(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_generic_node(portage_fetch_t)
-@@ -302,11 +315,9 @@ miscfiles_read_localization(portage_fetch_t)
+@@ -308,11 +321,9 @@ miscfiles_read_localization(portage_fetch_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
@@ -42185,7 +41816,7 @@ index 2af04b9..7255594 100644
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
-@@ -322,6 +333,10 @@ optional_policy(`
+@@ -328,6 +339,10 @@ optional_policy(`
gpg_exec(portage_fetch_t)
')
@@ -42842,15 +42473,10 @@ index 46bee12..61cc81a 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index 69cbd06..fb3486f 100644
+index a1e0f60..4baf9a4 100644
--- a/postfix.te
+++ b/postfix.te
-@@ -1,10 +1,19 @@
--policy_module(postfix, 1.13.1)
-+policy_module(postfix, 1.12.1)
-
- ########################################
- #
+@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
# Declarations
#
@@ -42978,7 +42604,16 @@ index 69cbd06..fb3486f 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -157,6 +174,8 @@ corenet_tcp_connect_all_ports(postfix_master_t)
+ corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+ corenet_sendrecv_smtp_server_packets(postfix_master_t)
+ corenet_sendrecv_all_client_packets(postfix_master_t)
++# for spampd
++corenet_tcp_bind_spamd_port(postfix_master_t)
+
+ # for a find command
+ selinux_dontaudit_search_fs(postfix_master_t)
+@@ -167,6 +186,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -42989,7 +42624,7 @@ index 69cbd06..fb3486f 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +243,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -43008,7 +42643,7 @@ index 69cbd06..fb3486f 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -237,18 +262,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -237,18 +264,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
#
allow postfix_cleanup_t self:process setrlimit;
@@ -43033,7 +42668,7 @@ index 69cbd06..fb3486f 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,7 +295,6 @@ optional_policy(`
+@@ -264,7 +297,6 @@ optional_policy(`
# Postfix local local policy
#
@@ -43041,7 +42676,7 @@ index 69cbd06..fb3486f 100644
allow postfix_local_t self:process { setsched setrlimit };
# connect to master process
-@@ -273,12 +303,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,12 +305,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -43056,7 +42691,7 @@ index 69cbd06..fb3486f 100644
logging_dontaudit_search_logs(postfix_local_t)
-@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -43075,7 +42710,7 @@ index 69cbd06..fb3486f 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +333,14 @@ optional_policy(`
+@@ -297,6 +335,14 @@ optional_policy(`
')
optional_policy(`
@@ -43090,7 +42725,7 @@ index 69cbd06..fb3486f 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +348,22 @@ optional_policy(`
+@@ -304,9 +350,22 @@ optional_policy(`
')
optional_policy(`
@@ -43113,7 +42748,7 @@ index 69cbd06..fb3486f 100644
########################################
#
# Postfix map local policy
-@@ -329,7 +386,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +388,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -43121,7 +42756,7 @@ index 69cbd06..fb3486f 100644
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +404,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +406,6 @@ corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
@@ -43129,7 +42764,7 @@ index 69cbd06..fb3486f 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -379,18 +434,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +436,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -43155,7 +42790,7 @@ index 69cbd06..fb3486f 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -43164,7 +42799,7 @@ index 69cbd06..fb3486f 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +483,7 @@ optional_policy(`
+@@ -420,6 +485,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -43172,7 +42807,7 @@ index 69cbd06..fb3486f 100644
')
optional_policy(`
-@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -43190,7 +42825,7 @@ index 69cbd06..fb3486f 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -43201,7 +42836,7 @@ index 69cbd06..fb3486f 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +589,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -43214,7 +42849,7 @@ index 69cbd06..fb3486f 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +613,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -43225,16 +42860,19 @@ index 69cbd06..fb3486f 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +634,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +636,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
++# for spampd
++corenet_tcp_connect_spamd_port(postfix_master_t)
++
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +643,14 @@ optional_policy(`
+@@ -565,6 +648,14 @@ optional_policy(`
')
optional_policy(`
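Review bot: The rule added to the postfix_smtp_t section, `corenet_tcp_connect_spamd_port(postfix_master_t)`, names a domain that does not match its surroundings: every neighbouring line in this block is about postfix_smtp_t, and the counterpart `corenet_tcp_bind_spamd_port(postfix_master_t)` was already placed in the postfix_master_t block by the earlier postfix.te hunk. If the intent is for the SMTP client to reach spampd, the line should read `corenet_tcp_connect_spamd_port(postfix_smtp_t)`; if the master process really is the connecting side, the rule belongs in the postfix_master_t section beside the bind rule with the same `# for spampd` comment. As written the smtp domain gets no connect permission and the master domain silently gains one, a drift that is easy to miss when reviewing the policy later. The enclosing policy block continues outside the hunk.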
@@ -43249,7 +42887,7 @@ index 69cbd06..fb3486f 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +667,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +672,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -43276,7 +42914,7 @@ index 69cbd06..fb3486f 100644
')
optional_policy(`
-@@ -599,6 +693,12 @@ optional_policy(`
+@@ -599,6 +698,12 @@ optional_policy(`
')
optional_policy(`
@@ -43289,7 +42927,7 @@ index 69cbd06..fb3486f 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +711,6 @@ optional_policy(`
+@@ -611,7 +716,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -43297,7 +42935,7 @@ index 69cbd06..fb3486f 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +721,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +726,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
@@ -43305,7 +42943,7 @@ index 69cbd06..fb3486f 100644
files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +733,75 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -45053,10 +44691,10 @@ index 2855a44..2f72e9a 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
+')
diff --git a/puppet.te b/puppet.te
-index d792d53..0f9c777 100644
+index baa88f6..f683a84 100644
--- a/puppet.te
+++ b/puppet.te
-@@ -13,6 +13,13 @@ policy_module(puppet, 1.2.1)
+@@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0)
##
gen_tunable(puppet_manage_all_files, false)
@@ -46012,7 +45650,7 @@ index 268d691..8b40924 100644
+ domain_entry_file($1, qemu_exec_t)
+')
diff --git a/qemu.te b/qemu.te
-index 5014056..9505fce 100644
+index 9681d82..695c857 100644
--- a/qemu.te
+++ b/qemu.te
@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
@@ -47549,7 +47187,7 @@ index b1a85b5..db0d815 100644
##
##
diff --git a/raid.te b/raid.te
-index 641f677..1e3cf4c 100644
+index a8a12b7..8543ebf 100644
--- a/raid.te
+++ b/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -48456,7 +48094,7 @@ index 7dc38d1..808f9c6 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/rgmanager.te b/rgmanager.te
-index 07333db..91ef567 100644
+index 3786c45..70bc902 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
@@ -50060,7 +49698,7 @@ index 63e78c6..fdd8228 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index d654552..998463f 100644
+index 16304ec..864f4b4 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -50454,10 +50092,10 @@ index dddabcf..90b3b52 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index 19bb611..2719eee 100644
+index 330d01f..b80dad2 100644
--- a/rpc.te
+++ b/rpc.te
-@@ -10,7 +10,7 @@ policy_module(rpc, 1.13.1)
+@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
## Allow gssd to read temp directory. For access to kerberos tgt.
##
##
@@ -50785,20 +50423,18 @@ index a63e9ee..b4e1f32 100644
+ nis_use_ypbind(rpcbind_t)
+')
diff --git a/rpm.fc b/rpm.fc
-index b206bf6..3d5caa1 100644
+index b2a0b6a..6167fe8 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -6,7 +6,9 @@
+@@ -6,6 +6,7 @@
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
- /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -19,23 +21,31 @@
+@@ -20,12 +21,18 @@
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
@@ -50816,10 +50452,8 @@ index b206bf6..3d5caa1 100644
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
-+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
- /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-
- /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
+@@ -36,9 +43,10 @@ ifdef(`distro_redhat', `
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
@@ -51038,11 +50672,11 @@ index 951d8f6..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/rpm.te b/rpm.te
-index 1f95a33..31d9991 100644
+index 60149a5..aa590f5 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,12 +1,11 @@
- policy_module(rpm, 1.14.1)
+ policy_module(rpm, 1.15.0)
+attribute rpm_transition_domain;
+
@@ -51503,10 +51137,10 @@ index 3386f29..8d8f6c5 100644
+ files_etc_filetrans($1, rsync_etc_t, $2)
+')
diff --git a/rsync.te b/rsync.te
-index ba98794..1158d96 100644
+index 2834d86..d01aa87 100644
--- a/rsync.te
+++ b/rsync.te
-@@ -7,6 +7,27 @@ policy_module(rsync, 1.11.1)
+@@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0)
##
##
@@ -52080,10 +51714,10 @@ index 82cb169..987239e 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index fc22785..0a93fed 100644
+index 905883f..564240d 100644
--- a/samba.te
+++ b/samba.te
-@@ -12,7 +12,7 @@ policy_module(samba, 1.14.1)
+@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
## public_content_rw_t.
##
##
@@ -52145,7 +51779,7 @@ index fc22785..0a93fed 100644
files_read_usr_symlinks(samba_net_t)
auth_use_nsswitch(samba_net_t)
-@@ -211,26 +218,35 @@ auth_manage_cache(samba_net_t)
+@@ -211,15 +218,18 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -52161,15 +51795,15 @@ index fc22785..0a93fed 100644
userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
+- ldap_stream_connect(samba_net_t)
+ ldap_stream_connect(samba_net_t)
+ dirsrv_stream_connect(samba_net_t)
-+')
-+
-+optional_policy(`
- pcscd_read_pub_files(samba_net_t)
')
optional_policy(`
+@@ -228,13 +238,15 @@ optional_policy(`
+
+ optional_policy(`
kerberos_use(samba_net_t)
+ kerberos_etc_filetrans_keytab(samba_net_t)
')
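Review bot: The rebased samba_net_t hunk folds `dirsrv_stream_connect(samba_net_t)` into the same `optional_policy(` block as upstream's `ldap_stream_connect(samba_net_t)`, whereas the old patch lines being removed (`-+')`, `-+optional_policy(``) kept them in separate blocks. In refpolicy an optional block is only enabled when every module it references is present, so with this layout samba_net_t loses its ldap connect rule whenever the dirsrv module is not installed, and vice versa; the kerberos and nslcd hunks in this same patch keep dirsrv_stream_connect in its own `optional_policy(` … `')` block, and the later samba.te hunk for smbd_t (`+ dirsrv_stream_connect(smbd_t)`) has the same merge. The hunk also removes and re-adds `ldap_stream_connect(samba_net_t)` unchanged, which is churn that a separate block would avoid. This reading is hedged, since the flattened indentation hides the inner diff markers.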
@@ -52184,7 +51818,7 @@ index fc22785..0a93fed 100644
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -249,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow smbd_t nmbd_t:process { signal signull };
allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -52192,7 +51826,7 @@ index fc22785..0a93fed 100644
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -52207,7 +51841,7 @@ index fc22785..0a93fed 100644
allow smbd_t smbcontrol_t:process { signal signull };
-@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -52216,7 +51850,7 @@ index fc22785..0a93fed 100644
allow smbd_t swat_t:process signal;
-@@ -298,7 +316,6 @@ kernel_read_system_state(smbd_t)
+@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t)
corecmd_exec_shell(smbd_t)
corecmd_exec_bin(smbd_t)
@@ -52224,7 +51858,7 @@ index fc22785..0a93fed 100644
corenet_all_recvfrom_netlabel(smbd_t)
corenet_tcp_sendrecv_generic_if(smbd_t)
corenet_udp_sendrecv_generic_if(smbd_t)
-@@ -316,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
@@ -52232,7 +51866,7 @@ index fc22785..0a93fed 100644
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
# For redhat bug 566984
-@@ -323,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -52263,7 +51897,7 @@ index fc22785..0a93fed 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -354,6 +375,8 @@ logging_send_syslog_msg(smbd_t)
+@@ -358,6 +375,8 @@ logging_send_syslog_msg(smbd_t)
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -52272,7 +51906,7 @@ index fc22785..0a93fed 100644
userdom_use_unpriv_users_fds(smbd_t)
userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
-@@ -368,8 +391,13 @@ ifdef(`hide_broken_symptoms', `
+@@ -372,8 +391,13 @@ ifdef(`hide_broken_symptoms', `
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
')
@@ -52287,7 +51921,7 @@ index fc22785..0a93fed 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -385,12 +413,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -389,12 +413,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -52301,7 +51935,7 @@ index fc22785..0a93fed 100644
')
# Support Samba sharing of NFS mount points
-@@ -411,6 +434,15 @@ tunable_policy(`samba_share_fusefs',`
+@@ -415,6 +434,15 @@ tunable_policy(`samba_share_fusefs',`
')
optional_policy(`
@@ -52317,19 +51951,15 @@ index fc22785..0a93fed 100644
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
-@@ -421,6 +453,11 @@ optional_policy(`
- ')
+@@ -426,6 +454,7 @@ optional_policy(`
optional_policy(`
-+ ldap_stream_connect(smbd_t)
+ ldap_stream_connect(smbd_t)
+ dirsrv_stream_connect(smbd_t)
-+')
-+
-+optional_policy(`
- lpd_exec_lpr(smbd_t)
')
-@@ -444,26 +481,26 @@ optional_policy(`
+ optional_policy(`
+@@ -452,26 +481,26 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
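Review bot: `dirsrv_stream_connect(smbd_t)` now shares one `optional_policy` block with `ldap_stream_connect(smbd_t)` (new inner hunk `@@ -426,6 +454,7 @@`), which couples the two modules: an optional block is dropped as a whole when any type it requires is missing, so on a system without the dirsrv module smbd would also lose its ldap stream connect. Refpolicy convention is one module per optional block; wrap the new call on its own as `optional_policy(`` / ``dirsrv_stream_connect(smbd_t)`` / ``')`, which is exactly how the sssd hunk later in this same patch does it. The reading of the collapsed `+`/space markers here is inferred from the hunk header counts, so confirm against the rendered samba.te.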
@@ -52368,7 +51998,7 @@ index fc22785..0a93fed 100644
########################################
#
# nmbd Local policy
-@@ -483,8 +520,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -491,8 +520,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52381,7 +52011,7 @@ index fc22785..0a93fed 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -496,8 +536,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+@@ -504,8 +536,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
allow nmbd_t smbcontrol_t:process signal;
@@ -52390,7 +52020,7 @@ index fc22785..0a93fed 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -505,7 +543,6 @@ kernel_read_network_state(nmbd_t)
+@@ -513,7 +543,6 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -52398,7 +52028,7 @@ index fc22785..0a93fed 100644
corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_generic_if(nmbd_t)
corenet_udp_sendrecv_generic_if(nmbd_t)
-@@ -528,7 +565,6 @@ fs_search_auto_mountpoints(nmbd_t)
+@@ -536,7 +565,6 @@ fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
files_read_usr_files(nmbd_t)
@@ -52406,7 +52036,7 @@ index fc22785..0a93fed 100644
files_list_var_lib(nmbd_t)
auth_use_nsswitch(nmbd_t)
-@@ -554,18 +590,21 @@ optional_policy(`
+@@ -562,18 +590,21 @@ optional_policy(`
# smbcontrol local policy
#
@@ -52432,7 +52062,7 @@ index fc22785..0a93fed 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -573,11 +612,20 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -581,11 +612,20 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
@@ -52455,7 +52085,7 @@ index fc22785..0a93fed 100644
########################################
#
-@@ -596,7 +644,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+@@ -604,7 +644,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
can_exec(smbmount_t, smbmount_exec_t)
@@ -52464,7 +52094,7 @@ index fc22785..0a93fed 100644
allow smbmount_t samba_log_t:file manage_file_perms;
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -607,7 +655,6 @@ files_list_var_lib(smbmount_t)
+@@ -615,7 +655,6 @@ files_list_var_lib(smbmount_t)
kernel_read_system_state(smbmount_t)
@@ -52472,7 +52102,7 @@ index fc22785..0a93fed 100644
corenet_all_recvfrom_netlabel(smbmount_t)
corenet_tcp_sendrecv_generic_if(smbmount_t)
corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -637,25 +684,26 @@ files_list_mnt(smbmount_t)
+@@ -645,25 +684,26 @@ files_list_mnt(smbmount_t)
files_mounton_mnt(smbmount_t)
files_manage_etc_runtime_files(smbmount_t)
files_etc_filetrans_etc_runtime(smbmount_t, file)
@@ -52503,7 +52133,7 @@ index fc22785..0a93fed 100644
########################################
#
# SWAT Local policy
-@@ -676,7 +724,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -684,7 +724,8 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -52513,7 +52143,7 @@ index fc22785..0a93fed 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -691,12 +740,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -699,12 +740,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -52528,7 +52158,7 @@ index fc22785..0a93fed 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -709,6 +760,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -717,6 +760,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -52536,7 +52166,7 @@ index fc22785..0a93fed 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -718,7 +770,6 @@ kernel_read_network_state(swat_t)
+@@ -726,7 +770,6 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -52544,7 +52174,7 @@ index fc22785..0a93fed 100644
corenet_all_recvfrom_netlabel(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
-@@ -736,7 +787,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+@@ -744,7 +787,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
dev_read_urand(swat_t)
files_list_var_lib(swat_t)
@@ -52552,7 +52182,7 @@ index fc22785..0a93fed 100644
files_search_home(swat_t)
files_read_usr_files(swat_t)
fs_getattr_xattr_fs(swat_t)
-@@ -751,8 +801,12 @@ logging_send_syslog_msg(swat_t)
+@@ -759,8 +801,12 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -52565,7 +52195,7 @@ index fc22785..0a93fed 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -782,7 +836,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -790,7 +836,8 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
@@ -52575,7 +52205,7 @@ index fc22785..0a93fed 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -805,21 +860,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +860,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -52606,7 +52236,7 @@ index fc22785..0a93fed 100644
corenet_all_recvfrom_netlabel(winbind_t)
corenet_tcp_sendrecv_generic_if(winbind_t)
corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -832,6 +890,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -840,6 +890,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -52614,7 +52244,7 @@ index fc22785..0a93fed 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -847,12 +906,15 @@ auth_manage_cache(winbind_t)
+@@ -855,12 +906,15 @@ auth_manage_cache(winbind_t)
domain_use_interactive_fds(winbind_t)
@@ -52631,7 +52261,7 @@ index fc22785..0a93fed 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +925,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +925,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
@@ -52643,7 +52273,7 @@ index fc22785..0a93fed 100644
kerberos_use(winbind_t)
')
-@@ -901,9 +968,10 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +968,10 @@ auth_use_nsswitch(winbind_helper_t)
logging_send_syslog_msg(winbind_helper_t)
@@ -52656,7 +52286,7 @@ index fc22785..0a93fed 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -921,19 +989,34 @@ optional_policy(`
+@@ -929,19 +989,34 @@ optional_policy(`
#
optional_policy(`
@@ -52679,14 +52309,14 @@ index fc22785..0a93fed 100644
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
+')
-+
+
+type samba_unconfined_script_t;
+type samba_unconfined_script_exec_t;
+domain_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
-
++
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
@@ -55689,10 +55319,10 @@ index 275f9fb..f1343b7 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 595942d..74c5752 100644
+index 56f074c..e86e037 100644
--- a/snmp.te
+++ b/snmp.te
-@@ -4,6 +4,7 @@ policy_module(snmp, 1.12.1)
+@@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0)
#
# Declarations
#
@@ -55886,7 +55516,7 @@ index 94c01b5..f64bd93 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index b66e657..9214bcc 100644
+index c6079a5..6c7b30a 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
@@ -55988,10 +55618,10 @@ index 3217605..14718f2 100644
corenet_tcp_sendrecv_generic_if(soundd_t)
corenet_udp_sendrecv_generic_if(soundd_t)
diff --git a/spamassassin.fc b/spamassassin.fc
-index 6b3abf9..c1f28eb 100644
+index 6b3abf9..3dfa27b 100644
--- a/spamassassin.fc
+++ b/spamassassin.fc
-@@ -1,15 +1,50 @@
+@@ -1,15 +1,53 @@
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -56001,6 +55631,7 @@ index 6b3abf9..c1f28eb 100644
+/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
+
+/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
@@ -56011,6 +55642,7 @@ index 6b3abf9..c1f28eb 100644
+/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
@@ -56024,6 +55656,7 @@ index 6b3abf9..c1f28eb 100644
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
+
@@ -56261,7 +55894,7 @@ index c954f31..82fc7f6 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..13cf9df 100644
+index 1bbf73b..eb40028 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0)
@@ -56644,7 +56277,7 @@ index 1bbf73b..13cf9df 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,16 +415,19 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -310,16 +415,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -56658,6 +56291,8 @@ index 1bbf73b..13cf9df 100644
+manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
+
++read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++
+can_exec(spamd_t, spamd_exec_t)
kernel_read_all_sysctls(spamd_t)
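Review bot: `read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)` grants the system-wide spamd daemon read access to every user's `~/.spamassassin` and `~/.pyzor` content unconditionally, at top level of the domain's rules. If the module already gates per-user home access behind a tunable (inferred, not visible in this hunk), the rule belongs inside that block; if not, a one-line comment naming what spamd reads there, e.g. `# per-user SpamAssassin preferences/bayes data — TODO confirm which files`, should accompany it so the home-directory grant is deliberate. Note that read_files_pattern grants only search on the spamc_home_t directories; if spamd enumerates them, `list_dirs_pattern(spamd_t, spamc_home_t, spamc_home_t)` is needed too.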
@@ -56667,7 +56302,7 @@ index 1bbf73b..13cf9df 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -356,30 +464,29 @@ corecmd_exec_bin(spamd_t)
+@@ -356,30 +466,32 @@ corecmd_exec_bin(spamd_t)
domain_use_interactive_fds(spamd_t)
files_read_usr_files(spamd_t)
@@ -56680,6 +56315,9 @@ index 1bbf73b..13cf9df 100644
+auth_use_nsswitch(spamd_t)
+
++libs_use_ld_so(spamd_t)
++libs_use_shared_libs(spamd_t)
++
logging_send_syslog_msg(spamd_t)
miscfiles_read_localization(spamd_t)
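Review bot: `libs_use_ld_so(spamd_t)` and `libs_use_shared_libs(spamd_t)` are deprecated in refpolicy — every domain already receives dynamic-linker and shared-library access through its base domain type, and the two interfaces have been reduced to stubs that only emit a build-time deprecation warning. Unless this tree's libraries.if still carries real implementations (not visible here), the two added lines are dead and should be dropped to keep the build warning-free.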
@@ -56706,7 +56344,7 @@ index 1bbf73b..13cf9df 100644
')
optional_policy(`
-@@ -395,7 +502,9 @@ optional_policy(`
+@@ -395,7 +507,9 @@ optional_policy(`
')
optional_policy(`
@@ -56716,7 +56354,7 @@ index 1bbf73b..13cf9df 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -404,25 +513,17 @@ optional_policy(`
+@@ -404,25 +518,17 @@ optional_policy(`
')
optional_policy(`
@@ -56744,7 +56382,7 @@ index 1bbf73b..13cf9df 100644
postgresql_stream_connect(spamd_t)
')
-@@ -433,6 +534,10 @@ optional_policy(`
+@@ -433,6 +539,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -56755,7 +56393,7 @@ index 1bbf73b..13cf9df 100644
')
optional_policy(`
-@@ -440,6 +545,7 @@ optional_policy(`
+@@ -440,6 +550,7 @@ optional_policy(`
')
optional_policy(`
@@ -56763,7 +56401,7 @@ index 1bbf73b..13cf9df 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -447,3 +553,50 @@ optional_policy(`
+@@ -447,3 +558,50 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -56854,7 +56492,7 @@ index d2496bd..c7614d7 100644
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/squid.te b/squid.te
-index d24bd07..25734c5 100644
+index c38de7a..a4aef18 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -57110,7 +56748,7 @@ index 941380a..ff89df6 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/sssd.te b/sssd.te
-index 8ffa257..706c52b 100644
+index a1b61bc..1df45e7 100644
--- a/sssd.te
+++ b/sssd.te
@@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
@@ -57212,7 +56850,7 @@ index 8ffa257..706c52b 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +113,19 @@ optional_policy(`
+@@ -87,8 +113,17 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -57222,16 +56860,14 @@ index 8ffa257..706c52b 100644
+
+optional_policy(`
+ dirsrv_stream_connect(sssd_t)
-+')
-+
-+optional_policy(`
-+ ldap_stream_connect(sssd_t)
+ ')
+
+ optional_policy(`
+ ldap_stream_connect(sssd_t)
')
+
+userdom_home_reader(sssd_t)
+
-+
-+
diff --git a/stapserver.fc b/stapserver.fc
new file mode 100644
index 0000000..0ccce59
@@ -57750,7 +57386,7 @@ index 0000000..df04e25
+sysnet_dns_name_resolve(svnserve_t)
+
diff --git a/sxid.te b/sxid.te
-index 32822ab..6b0a5d9 100644
+index 8296303..ae14531 100644
--- a/sxid.te
+++ b/sxid.te
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
@@ -57792,7 +57428,7 @@ index 32822ab..6b0a5d9 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index 200ea66..04e4828 100644
+index 0ecd8a7..58f7d76 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
@@ -57917,7 +57553,7 @@ index b07ee19..a275bd6 100644
HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
diff --git a/telepathy.if b/telepathy.if
-index 6bf75ef..d49274d 100644
+index f09171e..18952a8 100644
--- a/telepathy.if
+++ b/telepathy.if
@@ -11,7 +11,6 @@
@@ -57928,20 +57564,19 @@ index 6bf75ef..d49274d 100644
template(`telepathy_domain_template',`
gen_require(`
attribute telepathy_domain;
-@@ -20,16 +19,20 @@ template(`telepathy_domain_template',`
+@@ -20,19 +19,19 @@ template(`telepathy_domain_template',`
type telepathy_$1_t, telepathy_domain;
type telepathy_$1_exec_t, telepathy_executable;
- userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ubac_constrained(telepathy_$1_t)
-+ auth_use_nsswitch(telepathy_$1_t)
type telepathy_$1_tmp_t;
-- userdom_user_tmp_file(telepathy_$1_tmp_t)
-+ files_tmp_file(telepathy_$1_tmp_t)
-+ ubac_constrained(telepathy_$1_tmp_t)
-+
+ userdom_user_tmp_file(telepathy_$1_tmp_t)
+
+ auth_use_nsswitch(telepathy_$1_t)
+-
')
#######################################
@@ -57953,7 +57588,7 @@ index 6bf75ef..d49274d 100644
##
##
##
-@@ -41,8 +44,13 @@ template(`telepathy_domain_template',`
+@@ -44,8 +43,13 @@ template(`telepathy_domain_template',`
## The type of the user domain.
##
##
@@ -57968,7 +57603,7 @@ index 6bf75ef..d49274d 100644
gen_require(`
attribute telepathy_domain;
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -73,6 +81,8 @@ template(`telepathy_role', `
+@@ -76,6 +80,8 @@ template(`telepathy_role', `
dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
@@ -57977,7 +57612,7 @@ index 6bf75ef..d49274d 100644
')
########################################
-@@ -119,11 +129,6 @@ interface(`telepathy_gabble_dbus_chat', `
+@@ -122,11 +128,6 @@ interface(`telepathy_gabble_dbus_chat', `
##
## Read telepathy mission control state.
##
@@ -57989,7 +57624,7 @@ index 6bf75ef..d49274d 100644
##
##
## Domain allowed access.
-@@ -163,7 +168,7 @@ interface(`telepathy_msn_stream_connect', `
+@@ -166,7 +167,7 @@ interface(`telepathy_msn_stream_connect', `
## Stream connect to Telepathy Salut
##
##
@@ -57998,7 +57633,7 @@ index 6bf75ef..d49274d 100644
## Domain allowed access.
##
##
-@@ -176,3 +181,111 @@ interface(`telepathy_salut_stream_connect', `
+@@ -179,3 +180,111 @@ interface(`telepathy_salut_stream_connect', `
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
files_search_tmp($1)
')
@@ -58111,10 +57746,10 @@ index 6bf75ef..d49274d 100644
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/telepathy.te b/telepathy.te
-index ad6a38d..cca6cff 100644
+index 964978b..b75b98c 100644
--- a/telepathy.te
+++ b/telepathy.te
-@@ -7,16 +7,16 @@ policy_module(telepathy, 1.2.0)
+@@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0)
##
##
@@ -58350,7 +57985,7 @@ index ad6a38d..cca6cff 100644
corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
-@@ -361,14 +400,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,10 +400,14 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
allow telepathy_domain self:tcp_socket create_socket_perms;
allow telepathy_domain self:udp_socket create_socket_perms;
@@ -58364,12 +57999,8 @@ index ad6a38d..cca6cff 100644
+fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
--auth_use_nsswitch(telepathy_domain)
--
miscfiles_read_localization(telepathy_domain)
-
- optional_policy(`
-@@ -376,5 +417,23 @@ optional_policy(`
+@@ -374,5 +417,23 @@ optional_policy(`
')
optional_policy(`
@@ -58418,7 +58049,7 @@ index 58e7ec0..e4119f7 100644
+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
+')
diff --git a/telnet.te b/telnet.te
-index f40e67b..ec3bb78 100644
+index 3858d35..ec3bb78 100644
--- a/telnet.te
+++ b/telnet.te
@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
@@ -58462,7 +58093,7 @@ index f40e67b..ec3bb78 100644
files_read_etc_runtime_files(telnetd_t)
# for identd; cjp: this should probably only be inetd_child rules?
files_search_home(telnetd_t)
-@@ -81,15 +78,10 @@ miscfiles_read_localization(telnetd_t)
+@@ -81,10 +78,10 @@ miscfiles_read_localization(telnetd_t)
seutil_read_config(telnetd_t)
@@ -58470,26 +58101,18 @@ index f40e67b..ec3bb78 100644
-
userdom_search_user_home_dirs(telnetd_t)
userdom_setattr_user_ptys(telnetd_t)
--
--optional_policy(`
-- kerberos_keytab_template(telnetd, telnetd_t)
-- kerberos_manage_host_rcache(telnetd_t)
--')
+userdom_manage_user_tmp_files(telnetd_t)
+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -98,3 +90,13 @@ tunable_policy(`use_nfs_home_dirs',`
- tunable_policy(`use_samba_home_dirs',`
- fs_search_cifs(telnetd_t)
- ')
-+
-+optional_policy(`
-+ kerberos_keytab_template(telnetd, telnetd_t)
+@@ -96,5 +93,10 @@ tunable_policy(`use_samba_home_dirs',`
+
+ optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
-+ kerberos_manage_host_rcache(telnetd_t)
-+')
+ kerberos_manage_host_rcache(telnetd_t)
+ ')
+
+optional_policy(`
+ remotelogin_domtrans(telnetd_t)
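Review bot: `kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")` is a name-based file transition, so it only labels a replay cache created under exactly that name; a cache created under any other name (a different euid suffix, or a differently named service principal) falls back to the default tmp label and the `kerberos_manage_host_rcache(telnetd_t)` that follows will not cover it, producing denials rather than a labelled rcache. A short comment above the call stating the naming assumption, e.g. `# krb5 replay cache is named <service>_<euid>; telnetd runs as root, hence host_0 — TODO confirm`, would make the dependency visible. The enclosing optional_policy block is fully inside the hunk.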
@@ -61312,7 +60935,7 @@ index 2124b6a..37e03e4 100644
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/virt.if b/virt.if
-index 7c5d8d8..9883b66 100644
+index 6f0736b..2d43a63 100644
--- a/virt.if
+++ b/virt.if
@@ -13,39 +13,45 @@
@@ -61370,7 +60993,7 @@ index 7c5d8d8..9883b66 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +63,6 @@ template(`virt_domain_template',`
+@@ -57,20 +63,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -61386,10 +61009,12 @@ index 7c5d8d8..9883b66 100644
- files_pid_filetrans($1_t, $1_var_run_t, { dir file })
- stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
-
+- auth_use_nsswitch($1_t)
+-
optional_policy(`
xserver_rw_shm($1_t)
')
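Review bot: Dropping `auth_use_nsswitch($1_t)` from virt_domain_template (`+- auth_use_nsswitch($1_t)`) leaves the per-guest domains without name-service access unless it is granted elsewhere, because the virt.te hunk at `@@ -62625,20 +62280,17 @@` simultaneously stops removing `auth_use_nsswitch(virt_domain)` — the patched upstream evidently moved that call from virt.te into the template, and this patch now removes it from the template. The large virt.te addition that could re-add it starts outside this view, so I cannot confirm either way; if it is not re-added, guests will hit denials on passwd/DNS lookups. Add `auth_use_nsswitch(virt_domain)` next to the other virt_domain rules in virt.te, or keep the template call.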
-@@ -96,14 +90,32 @@ interface(`virt_image',`
+@@ -98,14 +90,32 @@ interface(`virt_image',`
dev_node($1)
')
@@ -61424,7 +61049,7 @@ index 7c5d8d8..9883b66 100644
##
#
interface(`virt_domtrans',`
-@@ -114,9 +126,45 @@ interface(`virt_domtrans',`
+@@ -116,9 +126,45 @@ interface(`virt_domtrans',`
domtrans_pattern($1, virtd_exec_t, virtd_t)
')
@@ -61471,7 +61096,7 @@ index 7c5d8d8..9883b66 100644
##
##
##
-@@ -164,13 +212,13 @@ interface(`virt_attach_tun_iface',`
+@@ -166,13 +212,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -61487,7 +61112,7 @@ index 7c5d8d8..9883b66 100644
')
########################################
-@@ -185,13 +233,13 @@ interface(`virt_read_config',`
+@@ -187,13 +233,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -61503,7 +61128,7 @@ index 7c5d8d8..9883b66 100644
')
########################################
-@@ -231,6 +279,24 @@ interface(`virt_read_content',`
+@@ -233,6 +279,24 @@ interface(`virt_read_content',`
########################################
##
@@ -61528,7 +61153,7 @@ index 7c5d8d8..9883b66 100644
## Read virt PID files.
##
##
-@@ -250,6 +316,28 @@ interface(`virt_read_pid_files',`
+@@ -252,6 +316,28 @@ interface(`virt_read_pid_files',`
########################################
##
@@ -61557,7 +61182,7 @@ index 7c5d8d8..9883b66 100644
## Manage virt pid files.
##
##
-@@ -261,10 +349,42 @@ interface(`virt_read_pid_files',`
+@@ -263,10 +349,42 @@ interface(`virt_read_pid_files',`
interface(`virt_manage_pid_files',`
gen_require(`
type virt_var_run_t;
@@ -61600,7 +61225,7 @@ index 7c5d8d8..9883b66 100644
')
########################################
-@@ -308,6 +428,24 @@ interface(`virt_read_lib_files',`
+@@ -310,6 +428,24 @@ interface(`virt_read_lib_files',`
########################################
##
@@ -61625,7 +61250,7 @@ index 7c5d8d8..9883b66 100644
## Create, read, write, and delete
## virt lib files.
##
-@@ -352,9 +490,9 @@ interface(`virt_read_log',`
+@@ -354,9 +490,9 @@ interface(`virt_read_log',`
## virt log files.
##
##
@@ -61637,7 +61262,7 @@ index 7c5d8d8..9883b66 100644
##
#
interface(`virt_append_log',`
-@@ -388,6 +526,25 @@ interface(`virt_manage_log',`
+@@ -390,6 +526,25 @@ interface(`virt_manage_log',`
########################################
##
@@ -61663,7 +61288,7 @@ index 7c5d8d8..9883b66 100644
## Allow domain to read virt image files
##
##
-@@ -408,6 +565,7 @@ interface(`virt_read_images',`
+@@ -410,6 +565,7 @@ interface(`virt_read_images',`
read_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -61671,7 +61296,7 @@ index 7c5d8d8..9883b66 100644
tunable_policy(`virt_use_nfs',`
fs_list_nfs($1)
-@@ -424,6 +582,24 @@ interface(`virt_read_images',`
+@@ -426,6 +582,24 @@ interface(`virt_read_images',`
########################################
##
@@ -61696,7 +61321,7 @@ index 7c5d8d8..9883b66 100644
## Create, read, write, and delete
## svirt cache files.
##
-@@ -433,15 +609,15 @@ interface(`virt_read_images',`
+@@ -435,15 +609,15 @@ interface(`virt_read_images',`
##
##
#
@@ -61717,7 +61342,7 @@ index 7c5d8d8..9883b66 100644
')
########################################
-@@ -466,6 +642,7 @@ interface(`virt_manage_images',`
+@@ -468,6 +642,7 @@ interface(`virt_manage_images',`
manage_files_pattern($1, virt_image_type, virt_image_type)
read_lnk_files_pattern($1, virt_image_type, virt_image_type)
rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -61725,7 +61350,7 @@ index 7c5d8d8..9883b66 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
-@@ -500,10 +677,19 @@ interface(`virt_manage_images',`
+@@ -502,10 +677,19 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -61746,7 +61371,7 @@ index 7c5d8d8..9883b66 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -515,4 +701,248 @@ interface(`virt_admin',`
+@@ -517,4 +701,278 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -61776,10 +61401,12 @@ index 7c5d8d8..9883b66 100644
+interface(`virt_transition_svirt',`
+ gen_require(`
+ type svirt_t;
++ type virt_bridgehelper_t;
+ ')
+
+ allow $1 svirt_t:process transition;
+ role $2 types svirt_t;
++ role $2 types virt_bridgehelper_t;
+
+ optional_policy(`
+ ptchown_run(svirt_t, $2)
@@ -61994,12 +61621,40 @@ index 7c5d8d8..9883b66 100644
+ ')
+
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
++')
++
++########################################
++##
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++##
++#
++interface(`virt_transition_svirt_lxc',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
++
++ allow $1 svirt_lxc_domain:process transition;
++ role $2 types svirt_lxc_domain;
++
++ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index ad3068a..dcde4ba 100644
+index 947bbc6..274140a 100644
--- a/virt.te
+++ b/virt.te
-@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
+@@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
# Declarations
#
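Review bot: The summary of the new `virt_transition_svirt_lxc` interface, `## Execute qemu in the svirt domain, and` / `## allow the specified role the svirt domain.`, is copied from virt_transition_svirt and describes the wrong interface: the body transitions to the `svirt_lxc_domain` attribute (the sandbox domains), not to svirt_t or qemu. Replace it with `## Transition to the svirt_lxc sandbox domains and` / `## allow the specified role those domains.` so the generated interface documentation matches the rules. The second parameter `$2` is a role and is expanded into `role $2 types svirt_lxc_domain;`, so every caller must supply it (see the virsh_t call site in the virt.te hunk at `@@ -62683,6 +62335,14 @@`).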
@@ -62061,15 +61716,15 @@ index ad3068a..dcde4ba 100644
+gen_tunable(virt_use_sanlock, false)
+
+##
-+##
+ ##
+-## Allow virt to use usb devices
+## Allow confined virtual guests to interact with the xserver
+##
+##
+gen_tunable(virt_use_xserver, false)
+
+##
- ##
--## Allow virt to use usb devices
++##
+## Allow confined virtual guests to use usb devices
##
##
@@ -62617,7 +62272,7 @@ index ad3068a..dcde4ba 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,25 +662,441 @@ files_search_all(virt_domain)
+@@ -449,8 +662,16 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -62625,20 +62280,17 @@ index ad3068a..dcde4ba 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
-
--auth_use_nsswitch(virt_domain)
--
- logging_send_syslog_msg(virt_domain)
+@@ -459,13 +680,447 @@ logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
@@ -62671,7 +62323,7 @@ index ad3068a..dcde4ba 100644
+typealias virsh_t alias xm_t;
+typealias virsh_exec_t alias xm_exec_t;
+
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap signal };
+allow virsh_t self:fifo_file rw_fifo_file_perms;
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -62683,6 +62335,14 @@ index ad3068a..dcde4ba 100644
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
+
++manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++virt_transition_svirt_lxc(virsh_t)
++
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+
+kernel_read_system_state(virsh_t)
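Review bot: `virt_transition_svirt_lxc(virsh_t)` passes only one argument, but the interface added in virt.if expands `role $2 types svirt_lxc_domain;` — with `$2` empty that becomes `role types svirt_lxc_domain;`, which the policy compiler should reject as a syntax error, so this hunk breaks the module build. Either pass the role the interface expects, e.g. `virt_transition_svirt_lxc(virsh_t, system_r)` (constructed example; choose the role virsh_t is actually run under), or split the interface into a domtrans-only variant plus a separate role interface so virsh_t users from several roles can each be granted the sandbox domains. The six `manage_*_pattern(virsh_t, svirt_lxc_file_t, ...)` lines above it are plausible for building sandbox root filesystems but deserve a one-line comment saying so.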
@@ -62704,8 +62364,10 @@ index ad3068a..dcde4ba 100644
+dev_read_sysfs(virsh_t)
+
+files_read_etc_runtime_files(virsh_t)
++files_read_etc_files(virsh_t)
+files_read_usr_files(virsh_t)
+files_list_mnt(virsh_t)
++files_list_tmp(virsh_t)
+# Some common macros (you might be able to remove some)
+
+fs_getattr_all_fs(virsh_t)
@@ -62728,6 +62390,14 @@ index ad3068a..dcde4ba 100644
+sysnet_dns_name_resolve(virsh_t)
+
+optional_policy(`
++ cron_system_entry(virsh_t, virsh_exec_t)
++')
++
++optional_policy(`
++ rpm_exec(virsh_t)
++')
++
++optional_policy(`
+ xen_manage_image_dirs(virsh_t)
+ xen_append_log(virsh_t)
+ xen_domtrans(virsh_t)
@@ -62776,7 +62446,7 @@ index ad3068a..dcde4ba 100644
+#
+# virt_lxc local policy
+#
-+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_resource };
++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
+allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
+allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
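Review bot: `sys_boot` joins virtd_lxc_t's self:capability set at the `allow virtd_lxc_t self:capability` line without a comment on what needs it. CAP_SYS_BOOT covers reboot() and kexec_load() on the host, so it is a capability a reader will want justified; if it is only required so that a container can be shut down or restarted via reboot() in its own pid namespace, say so above the rule, e.g. `# sys_boot: container shutdown/reboot via reboot() in its pid namespace -- confirm against the denial`. The virtd_lxc_t section continues outside this hunk.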
@@ -62807,9 +62477,8 @@ index ad3068a..dcde4ba 100644
+
+storage_manage_fixed_disk(virtd_lxc_t)
+
++kernel_read_all_sysctls(virtd_lxc_t)
+kernel_read_network_state(virtd_lxc_t)
-+kernel_search_network_sysctl(virtd_lxc_t)
-+kernel_read_sysctl(virtd_lxc_t)
+kernel_read_system_state(virtd_lxc_t)
+
+corecmd_exec_bin(virtd_lxc_t)
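Review bot: Replacing `kernel_search_network_sysctl(virtd_lxc_t)` and `kernel_read_sysctl(virtd_lxc_t)` with `kernel_read_all_sysctls(virtd_lxc_t)` widens the domain from generic sysctls to read access on every sysctl class, and the hunk gives no hint which sysctl tree was missing. If a single tree was denied, the matching narrower interface keeps the grant minimal; otherwise a comment such as `# container setup reads sysctls from several trees; broad read is deliberate` above the line would record that the widening was intentional.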
@@ -63001,6 +62670,13 @@ index ad3068a..dcde4ba 100644
+
+rpm_read_db(svirt_lxc_net_t)
+
++userdom_use_inherited_user_ptys(svirt_lxc_net_t)
++
++fs_mount_cgroup(svirt_lxc_net_t)
++fs_manage_cgroup_dirs(svirt_lxc_net_t)
++fs_manage_cgroup_files(svirt_lxc_net_t)
++
++
+#######################################
+#
+# svirt_prot_exec local policy
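Review bot: `fs_manage_cgroup_dirs(svirt_lxc_net_t)` and `fs_manage_cgroup_files(svirt_lxc_net_t)` give the container domain write access to the cgroup filesystem, which is the host-side mechanism that bounds the container's resources, and `fs_mount_cgroup` lets it mount that filesystem. If the need is only for an init inside the container to mount and administer its own hierarchy, the block should say so in a comment and, where the interfaces allow, be narrowed to read access; as written a process in the container can modify any cgroup limits reachable through its mount namespace. Also, the added block ends in two consecutive blank lines where one suffices before the next section header.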
@@ -63073,7 +62749,7 @@ index 2511093..9e5625e 100644
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmware.te b/vmware.te
-index f21389b..b8ed066 100644
+index 7d334c4..ac07e8b 100644
--- a/vmware.te
+++ b/vmware.te
@@ -68,7 +68,7 @@ ifdef(`enable_mcs',`
@@ -63978,10 +63654,10 @@ index 77d41b6..cc73c96 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index d995c70..a9a273a 100644
+index 07033bb..7d53822 100644
--- a/xen.te
+++ b/xen.te
-@@ -4,6 +4,7 @@ policy_module(xen, 1.11.1)
+@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
#
# Declarations
#
@@ -64779,7 +64455,7 @@ index 21ae664..cb3a098 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
+')
diff --git a/zarafa.te b/zarafa.te
-index 9fb4747..3879499 100644
+index 91267bc..5bce06b 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -64793,7 +64469,7 @@ index 9fb4747..3879499 100644
zarafa_domain_template(monitor)
zarafa_domain_template(server)
-@@ -49,7 +53,6 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+@@ -51,7 +55,6 @@ auth_use_nsswitch(zarafa_deliver_t)
allow zarafa_gateway_t self:capability { chown kill };
allow zarafa_gateway_t self:process setrlimit;
@@ -64801,10 +64477,11 @@ index 9fb4747..3879499 100644
corenet_all_recvfrom_netlabel(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
-@@ -57,6 +60,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -59,7 +62,22 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
corenet_tcp_bind_generic_node(zarafa_gateway_t)
corenet_tcp_bind_pop_port(zarafa_gateway_t)
+-auth_use_nsswitch(zarafa_gateway_t)
+######################################
+#
+# zarafa-indexer local policy
@@ -64820,10 +64497,11 @@ index 9fb4747..3879499 100644
+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
+
++auth_use_nsswitch(zarafa_indexer_t)
+
#######################################
#
- # zarafa-ical local policy
-@@ -64,7 +82,6 @@ corenet_tcp_bind_pop_port(zarafa_gateway_t)
+@@ -68,7 +86,6 @@ auth_use_nsswitch(zarafa_gateway_t)
allow zarafa_ical_t self:capability chown;
@@ -64831,7 +64509,7 @@ index 9fb4747..3879499 100644
corenet_all_recvfrom_netlabel(zarafa_ical_t)
corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
-@@ -93,11 +110,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+@@ -101,11 +118,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
@@ -64845,15 +64523,7 @@ index 9fb4747..3879499 100644
corenet_all_recvfrom_netlabel(zarafa_server_t)
corenet_tcp_sendrecv_generic_if(zarafa_server_t)
corenet_tcp_sendrecv_generic_node(zarafa_server_t)
-@@ -107,7 +124,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
-
- files_read_usr_files(zarafa_server_t)
-
--logging_send_syslog_msg(zarafa_server_t)
- logging_send_audit_msgs(zarafa_server_t)
-
- sysnet_dns_name_resolve(zarafa_server_t)
-@@ -129,7 +145,6 @@ allow zarafa_spooler_t self:capability { chown kill };
+@@ -139,7 +156,6 @@ allow zarafa_spooler_t self:capability { chown kill };
can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
@@ -64861,40 +64531,7 @@ index 9fb4747..3879499 100644
corenet_all_recvfrom_netlabel(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-@@ -138,6 +153,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
-
- ########################################
- #
-+# zarafa_gateway local policy
-+#
-+
-+allow zarafa_gateway_t self:capability { chown kill };
-+allow zarafa_gateway_t self:process setrlimit;
-+
-+corenet_tcp_bind_pop_port(zarafa_gateway_t)
-+
-+#######################################
-+#
-+# zarafa-ical local policy
-+#
-+
-+allow zarafa_ical_t self:capability chown;
-+
-+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
-+
-+######################################
-+#
-+# zarafa-monitor local policy
-+#
-+
-+allow zarafa_monitor_t self:capability chown;
-+
-+########################################
-+#
- # zarafa domains local policy
- #
-
-@@ -152,10 +193,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+@@ -164,8 +180,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
@@ -64905,9 +64542,8 @@ index 9fb4747..3879499 100644
files_read_etc_files(zarafa_domain)
--auth_use_nsswitch(zarafa_domain)
+logging_send_syslog_msg(zarafa_domain)
-
++
miscfiles_read_localization(zarafa_domain)
diff --git a/zebra.if b/zebra.if
index 6b87605..ef64e73 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8400726..c0b2f08 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -18,8 +18,8 @@
%define CHECKPOLICYVER 2.1.10-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 3.11.0
-Release: 15%{?dist}
+Version: 3.11.1
+Release: 0%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Aug 2 2012 Miroslav Grepl 3.11.1-0
+- Update to upstream
+
* Mon Jul 30 2012 Miroslav Grepl 3.11.0-15
- More fixes for systemd to make rawhide booting from Dan Walsh
diff --git a/sources b/sources
index 7c0230c..955e429 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-468f5688ae2b0c2c185d094c930957e0 serefpolicy-contrib-3.11.0.tgz
-766a3bb5686bc8b585f73935a2e39b1e serefpolicy-3.11.0.tgz
dbea318af516689d48155ba4677b5303 config.tgz
+ee1c09715a7b04a16aa2e7004703b72a serefpolicy-3.11.1.tgz
+8637c3e6add4e83a882c5cea26625257 serefpolicy-contrib-3.11.1.tgz