diff --git a/container-selinux.tgz b/container-selinux.tgz index b681098..3b80c6c 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 08f8a56..a08c614 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -17543,7 +17543,7 @@ index d7c11a0b3..f521a50f8 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb43..1cc0d9ad9 100644 +index 8416beb43..a7af809a0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -577,6 +577,24 @@ interface(`fs_mount_cgroup', ` @@ -18307,7 +18307,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Read files on a DOS filesystem. ## ## -@@ -1793,137 +2162,336 @@ interface(`fs_read_eventpollfs',` +@@ -1793,161 +2162,986 @@ interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -18679,14 +18679,17 @@ index 8416beb43..1cc0d9ad9 100644 + ') + + dontaudit $1 fusefs_t:dir manage_dir_perms; - ') - - ######################################## -@@ -1935,19 +2503,645 @@ interface(`fs_dontaudit_manage_fusefs_dirs',` - ## Domain allowed access. - ## - ## --## ++') ++ ++######################################## ++## ++## Read, a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## +## +# +interface(`fs_read_fusefs_files',` @@ -19301,18 +19304,20 @@ index 8416beb43..1cc0d9ad9 100644 + ') + + allow $1 iso9660_t:filesystem remount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read, a FUSEFS filesystem. +## Unmount an iso9660 filesystem, which +## is usually used on CDs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## # -interface(`fs_read_fusefs_files',` +interface(`fs_unmount_iso9660_fs',` 
@@ -19860,44 +19865,38 @@ index 8416beb43..1cc0d9ad9 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,73 +3731,148 @@ interface(`fs_dontaudit_read_nfs_files',` - ## - ## - # --interface(`fs_write_nfs_files',` -+interface(`fs_write_nfs_files',` -+ gen_require(` -+ type nfs_t; -+ ') -+ +@@ -2523,6 +3736,7 @@ interface(`fs_write_nfs_files',` + type nfs_t; + ') + + fs_search_auto_mountpoints($1) -+ allow $1 nfs_t:dir list_dir_perms; -+ write_files_pattern($1, nfs_t, nfs_t) -+') -+ -+######################################## -+## -+## Execute files on a NFS filesystem. + allow $1 nfs_t:dir list_dir_perms; + write_files_pattern($1, nfs_t, nfs_t) + ') +@@ -2549,6 +3763,44 @@ interface(`fs_exec_nfs_files',` + + ######################################## + ## ++## Make general progams in nfs an entrypoint for ++## the specified domain. +## +## +## -+## Domain allowed access. ++## The domain for which nfs_t is an entrypoint. +## +## -+## +# -+interface(`fs_exec_nfs_files',` ++interface(`fs_nfs_entry_type',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:dir list_dir_perms; -+ exec_files_pattern($1, nfs_t, nfs_t) ++ domain_entry_file($1, nfs_t) +') + +######################################## +## -+## Make general progams in nfs an entrypoint for ++## Make general progams in NFS an entrypoint for +## the specified domain. +## +## 
@@ -19906,94 +19905,62 @@ index 8416beb43..1cc0d9ad9 100644 +## +## +# -+interface(`fs_nfs_entry_type',` ++interface(`fs_nfs_entrypoint',` + gen_require(` + type nfs_t; + ') + -+ domain_entry_file($1, nfs_t) ++ allow $1 nfs_t:file entrypoint; +') + +######################################## +## -+## Make general progams in NFS an entrypoint for -+## the specified domain. + ## Append files + ## on a NFS filesystem. + ## +@@ -2559,32 +3811,68 @@ interface(`fs_exec_nfs_files',` + ## + ## + # +-interface(`fs_append_nfs_files',` ++interface(`fs_append_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ append_files_pattern($1, nfs_t, nfs_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to append files ++## on a NFS filesystem. +## +## +## -+## The domain for which nfs_t is an entrypoint. ++## Domain to not audit. +## +## ++## +# -+interface(`fs_nfs_entrypoint',` ++interface(`fs_dontaudit_append_nfs_files',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:file entrypoint; ++ dontaudit $1 nfs_t:file append_file_perms; +') + +######################################## +## -+## Append files -+## on a NFS filesystem. ++## Read inherited files on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`fs_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- write_files_pattern($1, nfs_t, nfs_t) -+ append_files_pattern($1, nfs_t, nfs_t) - ') - - ######################################## - ## --## Execute files on a NFS filesystem. -+## Do not audit attempts to append files -+## on a NFS filesystem. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - ## - # --interface(`fs_exec_nfs_files',` -+interface(`fs_dontaudit_append_nfs_files',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:dir list_dir_perms; -- exec_files_pattern($1, nfs_t, nfs_t) -+ dontaudit $1 nfs_t:file append_file_perms; - ') - - ######################################## - ## --## Append files --## on a NFS filesystem. -+## Read inherited files on a NFS filesystem. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_append_nfs_files',` +interface(`fs_read_inherited_nfs_files',` gen_require(` type nfs_t; @@ -20121,7 +20088,33 @@ index 8416beb43..1cc0d9ad9 100644 ## ## # -@@ -2777,7 +4124,7 @@ interface(`fs_read_removable_files',` +@@ -2771,13 +4118,33 @@ interface(`fs_read_removable_files',` + read_files_pattern($1, removable_t, removable_t) + ') + ++ ++######################################## ++## ++## mmap files on a removable files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_mmap_removable_files',` ++ gen_require(` ++ type removable_t; ++ ') ++ ++ allow $1 removable_t:file map; ++') ++ + ######################################## + ## + ## Do not audit attempts to read removable storage files. ## ## ## @@ -20130,7 +20123,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## # -@@ -2970,6 +4317,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2970,6 +4337,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -20138,7 +20131,7 @@ index 8416beb43..1cc0d9ad9 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3010,11 +4358,31 @@ interface(`fs_manage_nfs_files',` +@@ -3010,11 +4378,31 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -20170,7 +20163,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Do not audit attempts to create, ## read, write, and delete files ## on a NFS filesystem. -@@ -3050,6 +4418,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3050,6 +4438,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') 
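Review bot: The summary of the new `fs_mmap_removable_files` interface reads `mmap files on a removable files.`, which is ungrammatical and does not tell a caller what the interface provides. The body grants only `allow $1 removable_t:file map;`, so a domain still needs the existing `fs_read_removable_files` to open and read the file. I would reword the summary to something like `Memory-map files on removable storage (map only; pair with fs_read_removable_files).`. The hunk also adds a second blank line before the `####` separator, where the other interfaces visible in this patch use one.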
@@ -20178,7 +20171,7 @@ index 8416beb43..1cc0d9ad9 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3137,6 +4506,24 @@ interface(`fs_nfs_domtrans',` +@@ -3137,6 +4526,24 @@ interface(`fs_nfs_domtrans',` ######################################## ## @@ -20203,7 +20196,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3239,15 +4626,198 @@ interface(`fs_search_nfsd_fs',` +@@ -3239,15 +4646,198 @@ interface(`fs_search_nfsd_fs',` # interface(`fs_list_nfsd_fs',` gen_require(` @@ -20405,7 +20398,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3255,35 +4825,35 @@ interface(`fs_list_nfsd_fs',` +@@ -3255,35 +4845,35 @@ interface(`fs_list_nfsd_fs',` ## ## # @@ -20450,7 +20443,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3291,12 +4861,12 @@ interface(`fs_rw_nfsd_fs',` +@@ -3291,12 +4881,12 @@ interface(`fs_rw_nfsd_fs',` ## ## # @@ -20466,7 +20459,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -3392,7 +4962,7 @@ interface(`fs_search_ramfs',` +@@ -3392,7 +4982,7 @@ interface(`fs_search_ramfs',` ######################################## ## @@ -20475,7 +20468,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3429,7 +4999,7 @@ interface(`fs_manage_ramfs_dirs',` +@@ -3429,7 +5019,7 @@ interface(`fs_manage_ramfs_dirs',` ######################################## ## @@ -20484,7 +20477,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3447,7 +5017,7 @@ interface(`fs_dontaudit_read_ramfs_files',` +@@ -3447,7 +5037,7 @@ interface(`fs_dontaudit_read_ramfs_files',` ######################################## ## @@ -20493,7 +20486,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3779,6 +5349,24 @@ interface(`fs_mount_tmpfs',` +@@ -3779,6 +5369,24 @@ interface(`fs_mount_tmpfs',` ######################################## ## 
@@ -20518,7 +20511,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Remount a tmpfs filesystem. ## ## -@@ -3815,6 +5403,24 @@ interface(`fs_unmount_tmpfs',` +@@ -3815,6 +5423,24 @@ interface(`fs_unmount_tmpfs',` ######################################## ## @@ -20543,7 +20536,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3908,7 +5514,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3908,7 +5534,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## @@ -20552,7 +20545,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3916,17 +5522,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3916,17 +5542,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # @@ -20573,7 +20566,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3934,17 +5540,17 @@ interface(`fs_mounton_tmpfs',` +@@ -3934,17 +5560,17 @@ interface(`fs_mounton_tmpfs',` ## ## # @@ -20594,7 +20587,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3952,17 +5558,36 @@ interface(`fs_setattr_tmpfs_dirs',` +@@ -3952,17 +5578,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # @@ -20634,7 +20627,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -3970,31 +5595,48 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5615,48 @@ interface(`fs_search_tmpfs',` ## ## # @@ -20690,7 +20683,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -4057,23 +5699,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` +@@ -4057,23 +5719,170 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## ## ## @@ -20867,7 +20860,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4081,18 +5870,18 @@ interface(`fs_tmpfs_filetrans',` +@@ -4081,18 +5890,18 @@ interface(`fs_tmpfs_filetrans',` ## ## # @@ -20890,7 +20883,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4100,54 +5889,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` +@@ -4100,54 +5909,53 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` ## ## # 
@@ -20957,7 +20950,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4155,17 +5943,18 @@ interface(`fs_read_tmpfs_files',` +@@ -4155,17 +5963,18 @@ interface(`fs_read_tmpfs_files',` ## ## # @@ -20979,7 +20972,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4173,17 +5962,18 @@ interface(`fs_rw_tmpfs_files',` +@@ -4173,17 +5982,18 @@ interface(`fs_rw_tmpfs_files',` ## ## # @@ -21001,7 +20994,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4191,37 +5981,36 @@ interface(`fs_read_tmpfs_symlinks',` +@@ -4191,37 +6001,36 @@ interface(`fs_read_tmpfs_symlinks',` ## ## # @@ -21047,7 +21040,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4229,18 +6018,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4229,18 +6038,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## # @@ -21069,7 +21062,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4248,18 +6037,19 @@ interface(`fs_relabel_tmpfs_chr_file',` +@@ -4248,18 +6057,19 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## # @@ -21093,7 +21086,7 @@ index 8416beb43..1cc0d9ad9 100644 ## ## ## -@@ -4267,32 +6057,31 @@ interface(`fs_rw_tmpfs_blk_files',` +@@ -4267,32 +6077,31 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## # @@ -21132,7 +21125,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -4407,6 +6196,25 @@ interface(`fs_search_xenfs',` +@@ -4407,6 +6216,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -21158,7 +21151,7 @@ index 8416beb43..1cc0d9ad9 100644 ######################################## ## ## Create, read, write, and delete directories -@@ -4503,6 +6311,8 @@ interface(`fs_mount_all_fs',` +@@ -4503,6 +6331,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -21167,7 +21160,7 @@ index 8416beb43..1cc0d9ad9 100644 ') ######################################## -@@ -4549,7 +6359,7 @@ interface(`fs_unmount_all_fs',` +@@ -4549,7 +6379,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -21176,7 +21169,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Example attributes: ##

##
    -@@ -4596,6 +6406,26 @@ interface(`fs_dontaudit_getattr_all_fs',` +@@ -4596,6 +6426,26 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## @@ -21203,7 +21196,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Get the quotas of all filesystems. ## ## -@@ -4671,6 +6501,25 @@ interface(`fs_getattr_all_dirs',` +@@ -4671,6 +6521,25 @@ interface(`fs_getattr_all_dirs',` ######################################## ## @@ -21229,7 +21222,7 @@ index 8416beb43..1cc0d9ad9 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6761,176 @@ interface(`fs_unconfined',` +@@ -4912,3 +6781,176 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -34661,7 +34654,7 @@ index 247958765..890e1e293 100644 /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b669..a8cb6df3d 100644 +index 3efd5b669..2ce58d86d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -34883,7 +34876,15 @@ index 3efd5b669..a8cb6df3d 100644 ## Manage authentication cache ##
## -@@ -402,6 +459,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -337,6 +394,7 @@ interface(`auth_manage_cache',` + + manage_dirs_pattern($1, auth_cache_t, auth_cache_t) + manage_files_pattern($1, auth_cache_t, auth_cache_t) ++ allow $1 auth_cache_t:file map; + ') + + ####################################### +@@ -402,6 +460,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -34892,7 +34893,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -428,6 +487,24 @@ interface(`auth_domtrans_chkpwd',` +@@ -428,6 +488,24 @@ interface(`auth_domtrans_chkpwd',` ######################################## ## @@ -34917,7 +34918,7 @@ index 3efd5b669..a8cb6df3d 100644 ## Execute chkpwd programs in the chkpwd domain. ## ## -@@ -448,6 +525,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +526,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -34943,7 +34944,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -467,7 +563,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +564,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -34951,7 +34952,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -534,6 +629,24 @@ interface(`auth_dontaudit_getattr_shadow',` +@@ -534,6 +630,24 @@ interface(`auth_dontaudit_getattr_shadow',` ######################################## ## @@ -34976,7 +34977,7 @@ index 3efd5b669..a8cb6df3d 100644 ## Read the shadow passwords file (/etc/shadow) ## ## -@@ -664,6 +777,11 @@ interface(`auth_manage_shadow',` +@@ -664,6 +778,11 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; 
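Review bot: Adding `allow $1 auth_cache_t:file map;` inside `auth_manage_cache` grants map to every domain that calls this interface, while the changelog entry for this change names only sssd_t and the login_pgm attribute. The login_pgm grant is made directly in authlogin.te by this same commit, so the interface edit is the part that widens access. Consider a separate map-only interface, in the way this commit adds `fs_mmap_removable_files`, or at least extend the summary `Manage authentication cache` to mention mapping. The interface body starts outside the hunk, so its other rules and its callers are not visible here.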
@@ -34988,7 +34989,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ####################################### -@@ -763,7 +881,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +882,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -35040,7 +35041,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ####################################### -@@ -824,9 +985,29 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +986,29 @@ interface(`auth_rw_lastlog',` allow $1 lastlog_t:file { rw_file_perms lock setattr }; ') @@ -35071,7 +35072,7 @@ index 3efd5b669..a8cb6df3d 100644 ## ## ## -@@ -834,12 +1015,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +1016,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -35102,7 +35103,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -854,15 +1050,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +1051,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -35121,7 +35122,7 @@ index 3efd5b669..a8cb6df3d 100644 ## ## ## -@@ -875,13 +1071,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1072,33 @@ interface(`auth_signal_pam',` ## ## # @@ -35159,7 +35160,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -959,9 +1175,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1176,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -35193,7 +35194,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1040,6 +1277,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1278,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; 
@@ -35204,7 +35205,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1176,6 +1417,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1418,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -35212,7 +35213,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ####################################### -@@ -1576,6 +1818,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1819,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -35238,7 +35239,7 @@ index 3efd5b669..a8cb6df3d 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1987,63 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1988,63 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -35306,7 +35307,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1767,11 +2067,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +2068,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -35323,7 +35324,7 @@ index 3efd5b669..a8cb6df3d 100644 ') ######################################## -@@ -1805,3 +2107,298 @@ interface(`auth_unconfined',` +@@ -1805,3 +2108,298 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -35623,7 +35624,7 @@ index 3efd5b669..a8cb6df3d 100644 + allow $1 login_pgm:key manage_key_perms; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 09b791dcc..c6721f846 100644 +index 09b791dcc..03feb4c8d 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1) 
@@ -35982,7 +35983,7 @@ index 09b791dcc..c6721f846 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,10 +525,163 @@ optional_policy(` +@@ -456,10 +525,164 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -36037,6 +36038,7 @@ index 09b791dcc..c6721f846 100644 +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey") ++allow login_pgm auth_cache_t:file map; + +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) +manage_files_pattern(login_pgm, auth_home_t, auth_home_t) diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index c0fc473..aa773fb 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -5635,7 +5635,7 @@ index f6eb4851f..3628a384f 100644 + allow $1 httpd_t:process { noatsecure }; ') diff --git a/apache.te b/apache.te -index 6649962b6..b7ac74501 100644 +index 6649962b6..1df48fb13 100644 --- a/apache.te +++ b/apache.te @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2) @@ -6323,7 +6323,7 @@ index 6649962b6..b7ac74501 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -412,13 +524,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -412,13 +524,22 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) 
@@ -6334,11 +6334,12 @@ index 6649962b6..b7ac74501 100644 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) - --allow httpd_t httpd_suexec_exec_t:file read_file_perms; ++allow httpd_t httpd_squirrelmail_t:file map; ++ +allow httpd_t httpd_suexec_t:process { signal signull }; +allow httpd_t httpd_suexec_t:file read_file_perms; -+ + +-allow httpd_t httpd_suexec_exec_t:file read_file_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms; +read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) +read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t) @@ -6346,7 +6347,7 @@ index 6649962b6..b7ac74501 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; -@@ -428,6 +548,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) +@@ -428,6 +549,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir) @@ -6354,7 +6355,7 @@ index 6649962b6..b7ac74501 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -438,6 +559,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi +@@ -438,6 +560,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) 
@@ -6362,7 +6363,7 @@ index 6649962b6..b7ac74501 100644 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -450,140 +572,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -450,140 +573,179 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -6606,7 +6607,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -594,28 +755,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -594,28 +756,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -6666,7 +6667,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -624,68 +807,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -624,68 +808,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -6769,7 +6770,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -695,49 +866,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -695,49 +867,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -6850,7 +6851,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -749,24 +919,32 @@ optional_policy(` +@@ -749,24 +920,32 @@ optional_policy(` ') optional_policy(` @@ -6889,7 +6890,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -775,6 +953,10 @@ optional_policy(` +@@ -775,6 +954,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` avahi_dbus_chat(httpd_t) ') 
@@ -6900,7 +6901,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -786,35 +968,62 @@ optional_policy(` +@@ -786,35 +969,62 @@ optional_policy(` ') optional_policy(` @@ -6976,7 +6977,7 @@ index 6649962b6..b7ac74501 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -822,8 +1031,31 @@ optional_policy(` +@@ -822,8 +1032,31 @@ optional_policy(` ') optional_policy(` @@ -7008,7 +7009,7 @@ index 6649962b6..b7ac74501 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -832,6 +1064,8 @@ optional_policy(` +@@ -832,6 +1065,8 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -7017,7 +7018,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -842,20 +1076,48 @@ optional_policy(` +@@ -842,20 +1077,48 @@ optional_policy(` ') optional_policy(` @@ -7072,7 +7073,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -863,16 +1125,31 @@ optional_policy(` +@@ -863,16 +1126,31 @@ optional_policy(` ') optional_policy(` @@ -7106,7 +7107,7 @@ index 6649962b6..b7ac74501 100644 ') optional_policy(` -@@ -883,65 +1160,189 @@ optional_policy(` +@@ -883,65 +1161,189 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -7318,7 +7319,7 @@ index 6649962b6..b7ac74501 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -950,123 +1351,75 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -950,123 +1352,75 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -7472,7 +7473,7 @@ index 6649962b6..b7ac74501 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1083,172 +1436,107 @@ optional_policy(` +@@ -1083,172 +1437,107 @@ optional_policy(` ') ') 
@@ -7710,7 +7711,7 @@ index 6649962b6..b7ac74501 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1256,64 +1544,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1256,64 +1545,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -7808,7 +7809,7 @@ index 6649962b6..b7ac74501 100644 ######################################## # -@@ -1321,8 +1619,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1321,8 +1620,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -7825,7 +7826,7 @@ index 6649962b6..b7ac74501 100644 ') ######################################## -@@ -1330,49 +1635,43 @@ optional_policy(` +@@ -1330,49 +1636,43 @@ optional_policy(` # User content local policy # @@ -7894,7 +7895,7 @@ index 6649962b6..b7ac74501 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1382,38 +1681,110 @@ dev_read_urand(httpd_passwd_t) +@@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -16089,10 +16090,10 @@ index 954309e64..67801421b 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8c4..90d2b5324 100644 +index 6471fa8c4..00a1f00ef 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t) +@@ -26,43 +26,62 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) @@ -16144,6 +16145,7 @@ index 6471fa8c4..90d2b5324 100644 -kernel_read_system_state(collectd_t) +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) ++corenet_tcp_connect_lmtp_port(collectd_t) dev_read_rand(collectd_t) dev_read_sysfs(collectd_t) @@ -16164,7 +16166,7 @@ index 6471fa8c4..90d2b5324 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +93,47 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +94,47 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` 
@@ -28615,7 +28617,7 @@ index 18f245250..a446210f0 100644 + ') diff --git a/dspam.te b/dspam.te -index ef6236335..25dcb975a 100644 +index ef6236335..281bd61c6 100644 --- a/dspam.te +++ b/dspam.te @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t) @@ -28641,7 +28643,7 @@ index ef6236335..25dcb975a 100644 files_search_spool(dspam_t) -@@ -64,14 +73,35 @@ auth_use_nsswitch(dspam_t) +@@ -64,14 +73,36 @@ auth_use_nsswitch(dspam_t) logging_send_syslog_msg(dspam_t) @@ -28653,6 +28655,7 @@ index ef6236335..25dcb975a 100644 + + manage_dirs_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) + manage_files_pattern(dspam_t, dspam_rw_content_t, dspam_rw_content_t) ++ allow dspam_t dspam_rw_content_t:file map; + + read_files_pattern(dspam_script_t, dspam_var_lib_t, dspam_var_lib_t) + @@ -28682,7 +28685,7 @@ index ef6236335..25dcb975a 100644 ') optional_policy(` -@@ -87,3 +117,12 @@ optional_policy(` +@@ -87,3 +118,12 @@ optional_policy(` postgresql_tcp_connect(dspam_t) ') @@ -78385,7 +78388,7 @@ index b9e71b537..a7502cd0e 100644 domain_system_change_exemption($1) role_transition $2 postgrey_initrc_exec_t system_r; diff --git a/postgrey.te b/postgrey.te -index fd58805e5..593a05367 100644 +index fd58805e5..6f75dbd4b 100644 --- a/postgrey.te +++ b/postgrey.te @@ -16,7 +16,7 @@ type postgrey_initrc_exec_t; 
@@ -78406,7 +78409,15 @@ index fd58805e5..593a05367 100644 dontaudit postgrey_t self:capability sys_tty_config; allow postgrey_t self:process signal_perms; allow postgrey_t self:fifo_file create_fifo_file_perms; -@@ -55,9 +55,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) +@@ -43,6 +43,7 @@ manage_dirs_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) + manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) ++allow postgrey_t postgrey_spool_t:file map; + + manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) + files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) +@@ -55,9 +56,10 @@ files_pid_filetrans(postgrey_t, postgrey_var_run_t, { dir file sock_file }) kernel_read_system_state(postgrey_t) kernel_read_kernel_sysctls(postgrey_t) @@ -78419,7 +78430,7 @@ index fd58805e5..593a05367 100644 corenet_all_recvfrom_netlabel(postgrey_t) corenet_tcp_sendrecv_generic_if(postgrey_t) corenet_tcp_sendrecv_generic_node(postgrey_t) -@@ -72,17 +73,15 @@ dev_read_sysfs(postgrey_t) +@@ -72,17 +74,15 @@ dev_read_sysfs(postgrey_t) domain_use_interactive_fds(postgrey_t) @@ -99519,10 +99530,10 @@ index 000000000..6caef6326 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 000000000..98dc14ef6 +index 000000000..92695bf0d --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,401 @@ +@@ -0,0 +1,402 @@ + +## policy for sandboxX + 
@@ -99641,8 +99652,9 @@ index 000000000..98dc14ef6 + fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file ) + # Pulseaudio tmpfs files with different MCS labels + dontaudit $1_client_t $1_client_tmpfs_t:file { read write }; -+ dontaudit $1_t $1_client_tmpfs_t:file { read write }; ++ dontaudit $1_t $1_client_tmpfs_t:file { read write map }; + allow sandbox_xserver_t $1_client_tmpfs_t:file { read write }; ++ allow $1_client_t $1_client_tmpfs_t:file { map }; + + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + allow $1_t sandbox_xserver_t:process signal_perms; @@ -99926,10 +99938,10 @@ index 000000000..98dc14ef6 +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 000000000..22e956fe3 +index 000000000..6d87bc156 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,512 @@ +@@ -0,0 +1,536 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() @@ -99973,6 +99985,8 @@ index 000000000..22e956fe3 +# +allow sandbox_xserver_t self:process { signal_perms execstack }; + ++allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition; ++ +tunable_policy(`deny_execmem',`',` + allow sandbox_xserver_t self:process execmem; +') @@ -100052,6 +100066,22 @@ index 000000000..22e956fe3 + +######################################## +# ++# sandbox_x_t local policy ++# ++ ++allow sandbox_x_t sandbox_x_client_t:process2 nnp_transition; ++allow sandbox_x_t sandbox_xserver_t:process2 nnp_transition; ++ ++files_search_home(sandbox_x_t) ++userdom_use_user_ptys(sandbox_x_t) ++ ++# This access is needed due to Wayland ++userdom_manage_user_tmp_dirs(sandbox_x_t) ++userdom_map_tmp_files(sandbox_x_t) ++userdom_manage_user_tmp_files(sandbox_x_t) ++ ++######################################## ++# +# sandbox_x_domain local policy +# +allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap }; 
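Review bot: The new `allow sandbox_web_t sandbox_xserver_t:process2 nnp_transition;` rule sits among the sandbox_xserver_t local rules although its source domain is sandbox_web_t, and none of the four nnp_transition rules this commit adds has a comment. nnp_transition lets a domain transition go ahead for a process that has set no_new_privs, so each rule is a deliberate exception that a later reader will want justified. I would move the rule next to the sandbox_web_t to sandbox_web_client_t rule and add a line such as `# transition must still work when the launcher sets no_new_privs` (wording for the author to confirm). The same applies to the two sandbox_x_t rules and the sandbox_web_t rule in the later hunks.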
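Review bot: The new sandbox_x_t block calls `userdom_manage_user_tmp_dirs`, `userdom_manage_user_tmp_files` and `userdom_map_tmp_files`, justified only by `# This access is needed due to Wayland`. By their names these interfaces give the sandbox manage access to the user's temporary files as a whole type, not to one compositor object. If the need is only to reach the Wayland socket (an assumption; the comment does not say), the grant should be narrowed to that, and the comment should name the object and the bug, e.g. `# Wayland compositor socket is in the user tmp dir, BZ(1474082)`. The same three calls are added for sandbox_x_client_t in a later hunk; judging by its name that domain runs the sandboxed client, so the narrowing matters most there. Whether MCS separation still isolates these files cannot be seen from this diff.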
@@ -100226,9 +100256,6 @@ index 000000000..22e956fe3 + networkmanager_dontaudit_dbus_chat(sandbox_x_domain) +') + -+files_search_home(sandbox_x_t) -+userdom_use_user_ptys(sandbox_x_t) -+ +#1103622 +corenet_tcp_connect_xserver_port(sandbox_x_domain) +xserver_stream_connect(sandbox_x_domain) @@ -100251,6 +100278,11 @@ index 000000000..22e956fe3 + +logging_send_syslog_msg(sandbox_x_client_t) + ++# This access is needed due to Wayland ++userdom_manage_user_tmp_dirs(sandbox_x_client_t) ++userdom_map_tmp_files(sandbox_x_client_t) ++userdom_manage_user_tmp_files(sandbox_x_client_t) ++ +optional_policy(` + avahi_dbus_chat(sandbox_x_client_t) +') @@ -100273,12 +100305,16 @@ index 000000000..22e956fe3 +# +typeattribute sandbox_web_client_t sandbox_web_type; + ++allow sandbox_web_t sandbox_web_client_t:process2 nnp_transition; ++ +selinux_get_fs_mount(sandbox_web_client_t) + +auth_use_nsswitch(sandbox_web_client_t) + +logging_send_syslog_msg(sandbox_web_client_t) + ++miscfiles_map_generic_certs(sandbox_web_client_t) ++ +allow sandbox_web_type self:capability { setuid setgid }; +allow sandbox_web_type self:netlink_audit_socket nlmsg_relay; +dontaudit sandbox_web_type self:process setrlimit; @@ -112041,10 +112077,10 @@ index 000000000..d371f62f6 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 000000000..1b34bc7b6 +index 000000000..6c04973ea --- /dev/null +++ b/thumb.te -@@ -0,0 +1,175 @@ +@@ -0,0 +1,176 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -112138,6 +112174,7 @@ index 000000000..1b34bc7b6 +fs_read_dos_files(thumb_t) +fs_rw_inherited_tmpfs_files(thumb_t) +fs_map_dos_files(thumb_t) ++fs_mmap_removable_files(thumb_t) + +auth_read_passwd(thumb_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index d398a58..9f49a3e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
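Review bot: In the thumb.te hunk (@@ -112138) the new call `fs_mmap_removable_files(thumb_t)` follows `fs_map_dos_files(thumb_t)`, so two interfaces that grant the same kind of permission use different verbs (`mmap` vs `map`). The changelog entry in this commit says fs_mmap_removable_files() is newly added, so it could still be named `fs_map_removable_files` to match before other modules start calling it. The thumb_t rules start and end outside the hunk, so whether a matching read interface for removable files is already granted cannot be checked here.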
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 307%{?dist} +Release: 308%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -717,6 +717,16 @@ exit 0 %endif %changelog +* Thu Jan 04 2018 Lukas Vrabec - 3.13.1-308 +- Make working SELinux sandbox with Wayland. BZ(1474082) +- Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169) +- Allow dspam_t to mmap dspam_rw_content_t files BZ(1528723) +- Allow collectd to connect to lmtp_port_t BZ(1304029) +- Allow httpd_t to mmap httpd_squirrelmail_t files BZ(1528776) +- Allow thumb_t to mmap removable_t files. BZ(1522724) +- Allow sssd_t and login_pgm attribute to mmap auth_cache_t files BZ(1530118) +- Add interface fs_mmap_removable_files() + * Tue Dec 19 2017 Lukas Vrabec - 3.13.1-307 - Allow crond_t to read pcp lib files BZ(1525420) - Allow mozilla plugin domain to mmap user_home_t files BZ(1452783)