diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 2faa209..0dea9cd 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5363,7 +5363,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..6c1f7f5 100644 +index b191055..a5e72c3 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5450,7 +5450,7 @@ index b191055..6c1f7f5 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0) +@@ -96,19 +119,20 @@ network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) @@ -5466,6 +5466,7 @@ index b191055..6c1f7f5 100644 network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) ++network_port(conman, tcp,7890,s0, udp,7890,s0) network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) 
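Review bot: The added `network_port(conman, tcp,7890,s0, udp,7890,s0)` relabels TCP/UDP 7890 from the unreserved range to conman_port_t, so every domain that reached it through `corenet_*_all_unreserved_ports` loses the port, and nothing in this hunk grants the generated `corenet_tcp_bind_conman_port`/`corenet_udp_bind_conman_port` to a conman domain. Confirm the conman module (not visible here) gains those calls in the same change, and check that no other `network_port` entry in the file already claims 7890, since duplicate portcon statements fail at build time. The remaining hunks on this line only renumber an `index` line and hunk headers.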
@@ -5473,7 +5474,7 @@ index b191055..6c1f7f5 100644 network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -119,20 +142,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, +@@ -119,20 +143,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) @@ -5503,7 +5504,7 @@ index b191055..6c1f7f5 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +170,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +171,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5570,7 +5571,7 @@ index b191055..6c1f7f5 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,26 +223,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,26 +224,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) 
@@ -5609,7 +5610,7 @@ index b191055..6c1f7f5 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -215,39 +260,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -215,39 +261,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) @@ -5662,7 +5663,7 @@ index b191055..6c1f7f5 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -259,8 +310,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) +@@ -259,8 +311,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5673,7 +5674,7 @@ index b191055..6c1f7f5 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0) -@@ -271,10 +323,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -271,10 +324,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5686,7 +5687,7 @@ index b191055..6c1f7f5 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -288,19 +340,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +341,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) 
@@ -5713,7 +5714,7 @@ index b191055..6c1f7f5 100644 ######################################## # -@@ -333,6 +389,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +390,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) @@ -5722,7 +5723,7 @@ index b191055..6c1f7f5 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +403,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +404,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -5871,7 +5872,7 @@ index b31c054..e4d61f5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..b708d28 100644 +index 76f285e..2b2f4b0 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -6288,122 +6289,85 @@ index 76f285e..b708d28 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',` +@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',` ######################################## ## --## Get the attributes of the lvm comtrol device. -+## Get the attributes of the loop comtrol device. - ## - ## - ## -@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',` - ## - ## - # --interface(`dev_getattr_lvm_control',` -+interface(`dev_getattr_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, lvm_control_t) -+ getattr_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Read the lvm comtrol device. -+## Read the loop comtrol device. - ## - ## - ## -@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',` - ## - ## - # --interface(`dev_read_lvm_control',` -+interface(`dev_read_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- read_chr_files_pattern($1, device_t, lvm_control_t) -+ read_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Read and write the lvm control device. -+## Read and write the loop control device. ++## Read and write the dri devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_inherited_dri',` ++ gen_require(` ++ type device_t, dri_device_t; ++ ') ++ ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## + ## Dontaudit read and write on the dri devices. 
## ## - ## -@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',` - ## - ## - # --interface(`dev_rw_lvm_control',` -+interface(`dev_rw_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- rw_chr_files_pattern($1, device_t, lvm_control_t) -+ rw_chr_files_pattern($1, device_t, loop_control_device_t) - ') +@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',` ######################################## ## --## Do not audit attempts to read and write lvm control device. -+## Do not audit attempts to read and write loop control device. +-## Get the attributes of the framebuffer device node. ++## Read input event devices (/dev/input). ## ## ## -@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',` +@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',` ## ## # --interface(`dev_dontaudit_rw_lvm_control',` -+interface(`dev_dontaudit_rw_loop_control',` +-interface(`dev_getattr_framebuffer_dev',` ++interface(`dev_rw_inherited_input_dev',` gen_require(` -- type lvm_control_t; -+ type loop_control_device_t; +- type device_t, framebuf_device_t; ++ type device_t, event_device_t; ') -- dontaudit $1 lvm_control_t:chr_file rw_file_perms; -+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; +- getattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; ') ++ ######################################## ## --## Delete the lvm control device. -+## Delete the loop control device. +-## Set the attributes of the framebuffer device node. ++## Read ipmi devices. 
## ## ## -@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',` +@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # --interface(`dev_delete_lvm_control_dev',` -+interface(`dev_delete_loop_control_dev',` +-interface(`dev_setattr_framebuffer_dev',` ++interface(`dev_read_ipmi_dev',` gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; +- type device_t, framebuf_device_t; ++ type device_t, ipmi_device_t; ') -- delete_chr_files_pattern($1, device_t, lvm_control_t) -+ delete_chr_files_pattern($1, device_t, loop_control_device_t) +- setattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ read_chr_files_pattern($1, device_t, ipmi_device_t) ') ######################################## ## --## dontaudit getattr raw memory devices (e.g. /dev/mem). -+## Get the attributes of the loop comtrol device. +-## Dot not audit attempts to set the attributes +-## of the framebuffer device node. ++## Read and write ipmi devices. ## ## ## 
@@ -6412,46 +6376,41 @@ index 76f285e..b708d28 100644 ## ## # --interface(`dev_dontaudit_getattr_memory_dev',` -+interface(`dev_getattr_lvm_control',` +-interface(`dev_dontaudit_setattr_framebuffer_dev',` ++interface(`dev_rw_ipmi_dev',` gen_require(` -- type memory_device_t; -+ type device_t, lvm_control_t; +- type framebuf_device_t; ++ type device_t, ipmi_device_t; ') -- dontaudit $1 memory_device_t:chr_file getattr; -+ getattr_chr_files_pattern($1, device_t, lvm_control_t) +- dontaudit $1 framebuf_device_t:chr_file setattr; ++ rw_chr_files_pattern($1, device_t, ipmi_device_t) ') ######################################## ## --## Read raw memory devices (e.g. /dev/mem). -+## Read the lvm comtrol device. +-## Read the framebuffer. ++## Get the attributes of the framebuffer device node. ## ## ## -@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',` +@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',` ## ## # --interface(`dev_read_raw_memory',` -+interface(`dev_read_lvm_control',` +-interface(`dev_read_framebuffer',` ++interface(`dev_getattr_framebuffer_dev',` gen_require(` -- type device_t, memory_device_t; -- attribute memory_raw_read; -+ type device_t, lvm_control_t; - ') - -- read_chr_files_pattern($1, device_t, memory_device_t) -- -- allow $1 self:capability sys_rawio; -- typeattribute $1 memory_raw_read; -+ read_chr_files_pattern($1, device_t, lvm_control_t) +- type framebuf_device_t; ++ type device_t, framebuf_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## -+## Read and write the lvm control device. ++## Set the attributes of the framebuffer device node. +## +## +## 
@@ -6459,17 +6418,18 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_rw_lvm_control',` ++interface(`dev_setattr_framebuffer_dev',` + gen_require(` -+ type device_t, lvm_control_t; ++ type device_t, framebuf_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, lvm_control_t) ++ setattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## -+## Do not audit attempts to read and write lvm control device. ++## Dot not audit attempts to set the attributes ++## of the framebuffer device node. +## +## +## 
@@ -6477,17 +6437,72 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_dontaudit_rw_lvm_control',` ++interface(`dev_dontaudit_setattr_framebuffer_dev',` ++ gen_require(` ++ type framebuf_device_t; ++ ') ++ ++ dontaudit $1 framebuf_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read the framebuffer. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_framebuffer',` ++ gen_require(` ++ type framebuf_device_t; + ') + + read_chr_files_pattern($1, device_t, framebuf_device_t) +@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',` + + ######################################## + ## +-## Get the attributes of the lvm comtrol device. ++## Get the attributes of the loop comtrol device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_loop_control',` ++ gen_require(` ++ type device_t, loop_control_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, loop_control_device_t) ++') ++ ++######################################## ++## ++## Read the loop comtrol device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_loop_control',` + gen_require(` -+ type lvm_control_t; ++ type device_t, loop_control_device_t; + ') + -+ dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++ read_chr_files_pattern($1, device_t, loop_control_device_t) +') + +######################################## +## -+## Delete the lvm control device. ++## Read and write the loop control device. +## +## +## 
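Review bot: The re-added `dev_read_framebuffer` requires only `type framebuf_device_t;` while its body calls `read_chr_files_pattern($1, device_t, framebuf_device_t)`; declare `type device_t, framebuf_device_t;` as the neighbouring `dev_getattr_framebuffer_dev` and `dev_setattr_framebuffer_dev` do, so the gen_require matches what the interface actually uses. The new loop-control summaries also inherit the "comtrol" typo from the lvm text (`## Get the attributes of the loop comtrol device.`, `## Read the loop comtrol device.`); write `control`. The closing `')` of dev_read_framebuffer lies beyond the end of this hunk.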
@@ -6495,17 +6510,17 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_delete_lvm_control_dev',` ++interface(`dev_rw_loop_control',` + gen_require(` -+ type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + -+ delete_chr_files_pattern($1, device_t, lvm_control_t) ++ rw_chr_files_pattern($1, device_t, loop_control_device_t) +') + +######################################## +## -+## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## Do not audit attempts to read and write loop control device. +## +## +## @@ -6513,17 +6528,17 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_dontaudit_getattr_memory_dev',` ++interface(`dev_dontaudit_rw_loop_control',` + gen_require(` -+ type memory_device_t; ++ type loop_control_device_t; + ') + -+ dontaudit $1 memory_device_t:chr_file getattr; ++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; +') + +######################################## +## -+## Read raw memory devices (e.g. /dev/mem). ++## Delete the loop control device. +## +## +## @@ -6531,20 +6546,21 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_read_raw_memory',` ++interface(`dev_delete_loop_control_dev',` + gen_require(` -+ type device_t, memory_device_t; -+ attribute memory_raw_read; ++ type device_t, loop_control_device_t; + ') + -+ read_chr_files_pattern($1, device_t, memory_device_t) ++ delete_chr_files_pattern($1, device_t, loop_control_device_t) ++') + -+ allow $1 self:capability sys_rawio; -+ typeattribute $1 memory_raw_read; - ') - - ######################################## -@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',` ++######################################## ++## ++## Get the attributes of the loop comtrol device. + ## + ## + ## +@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',` ## ## ## 
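Review bot: The last added lines of the `@@ -6531` hunk reopen a header with `## Get the attributes of the loop comtrol device.` right before the retained lvm_control block, so if the context that follows is the upstream `## </summary>`/`<param>` lines and `interface(`dev_getattr_lvm_control',` as the old side shows, lvm_control_t's getattr interface ends up documented as the loop-control device. Restore `## Get the attributes of the lvm control device.` at that spot and keep the loop wording only on `dev_getattr_loop_control`. The `dev_getattr_lvm_control` interface itself starts outside this hunk, so grep the patched devices.if for the summary preceding it after applying.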
@@ -6553,7 +6569,7 @@ index 76f285e..b708d28 100644 ## ## # -@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -6578,7 +6594,7 @@ index 76f285e..b708d28 100644 ##

## ## -@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -6634,7 +6650,7 @@ index 76f285e..b708d28 100644 ## range registers (MTRR). ##
## -@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',` ## ## # @@ -6651,7 +6667,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -6694,7 +6710,7 @@ index 76f285e..b708d28 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -6719,7 +6735,7 @@ index 76f285e..b708d28 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6746,7 +6762,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6763,7 +6779,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -6772,7 +6788,7 @@ index 76f285e..b708d28 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -6781,7 +6797,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## 
@@ -6790,7 +6806,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -6855,7 +6871,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',` +@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',` ## ## # @@ -6900,7 +6916,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -6918,91 +6934,63 @@ index 76f285e..b708d28 100644 ## -## Read hardware state information. +## Do not audit attempts to search sysfs. - ## --## --##

--## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

--##
- ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## --## - # --interface(`dev_read_sysfs',` ++## ++## ++# +interface(`dev_dontaudit_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- read_files_pattern($1, sysfs_t, sysfs_t) -- read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- -- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ gen_require(` ++ type sysfs_t; ++ ') ++ + dontaudit $1 sysfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Allow caller to modify hardware state information. ++') ++ ++######################################## ++## +## List the contents of the sysfs directories. - ## - ## - ## -@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',` - ## - ## - # --interface(`dev_rw_sysfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_list_sysfs',` - gen_require(` - type sysfs_t; - ') - -- rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- - list_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read and write the TPM device. ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ list_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Write in a sysfs directories. - ## - ## - ## -@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',` - ## - ## - # --interface(`dev_rw_tpm',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` - gen_require(` -- type device_t, tpm_device_t; ++ gen_require(` + type sysfs_t; - ') - -- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ ') ++ + allow $1 sysfs_t:dir write; - ') - - ######################################## - ## --## Read from pseudo random number generator devices (e.g., /dev/urandom). 
++') ++ ++######################################## ++## +## Do not audit attempts to write in a sysfs directory. - ## --## --##

--## Allow the specified domain to read from pseudo random number --## generator devices (e.g., /dev/urandom). Typically this is ++##

+## +## +## Domain to not audit. @@ -7044,7 +7032,15 @@ index 76f285e..b708d28 100644 +######################################## +## +## Relabel cpu online hardware state information. -+## + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+## +## +## Domain allowed access. @@ -7074,47 +7070,13 @@ index 76f285e..b708d28 100644 +## hardware installed on the system. +##

+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ read_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Allow caller to modify hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ rw_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## + ## + ## + ## Domain allowed access. +@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',` + + ######################################## + ## +## Relabel hardware state directories. +## +## @@ -7171,34 +7133,10 @@ index 76f285e..b708d28 100644 + +######################################## +## -+## Read and write the TPM device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_tpm',` -+ gen_require(` -+ type device_t, tpm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, tpm_device_t) -+') -+ -+######################################## -+## -+## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## -+## -+##

-+## Allow the specified domain to read from pseudo random number -+## generator devices (e.g., /dev/urandom). Typically this is - ## used in situations when a cryptographically secure random - ## number is not necessarily needed. One example is the Stack - ## Smashing Protector (SSP, formerly known as ProPolice) support -@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',` + ## Read and write the TPM device. + ##

+ ## +@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7224,7 +7162,7 @@ index 76f285e..b708d28 100644 ## Getattr generic the USB devices. ## ## -@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7236,7 +7174,7 @@ index 76f285e..b708d28 100644 ##
## ## -@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7259,7 +7197,7 @@ index 76f285e..b708d28 100644 ##
## ## -@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7275,7 +7213,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7410,7 +7348,7 @@ index 76f285e..b708d28 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7435,7 +7373,7 @@ index 76f285e..b708d28 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7462,7 +7400,7 @@ index 76f285e..b708d28 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5641,943 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8707,7 +8645,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..83fca99 100644 +index cf04cb5..c47a578 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8844,7 +8782,7 @@ index cf04cb5..83fca99 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,310 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,314 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; 
@@ -8876,6 +8814,10 @@ index cf04cb5..83fca99 100644 + seutil_filetrans_named_content(named_filetrans_domain) +') + ++optional_policy(` ++ wine_filetrans_named_content(named_filetrans_domain) ++') ++ +storage_filetrans_all_named_dev(named_filetrans_domain) + +term_filetrans_all_named_dev(named_filetrans_domain) @@ -14241,7 +14183,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index e100d88..fe5be66 100644 +index e100d88..e7d9f85 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -14253,6 +14195,16 @@ index e100d88..fe5be66 100644 ') ######################################## +@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',` + ') + + manage_files_pattern($1, debugfs_t, debugfs_t) ++ manage_dirs_pattern($1,debugfs_t, debugfs_t) + read_lnk_files_pattern($1, debugfs_t, debugfs_t) +- list_dirs_pattern($1, debugfs_t, debugfs_t) + ') + + ######################################## @@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',` ######################################## @@ -37706,10 +37658,10 @@ index 0000000..35b4178 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..a88f6e2 +index 0000000..c31945a --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,651 @@ +@@ -0,0 +1,652 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -37820,6 +37772,7 @@ index 0000000..a88f6e2 +dev_getattr_all_blk_files(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) +dev_rw_input_dev(systemd_logind_t) ++dev_rw_inherited_dri(systemd_logind_t) +dev_setattr_all_chr_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) +dev_setattr_generic_usb_dev(systemd_logind_t) 
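Review bot: The new `manage_dirs_pattern($1,debugfs_t, debugfs_t)` in kernel_manage_debugfs drops the space after `$1,`, unlike every other pattern call in the file (`manage_files_pattern($1, debugfs_t, debugfs_t)` on the line above); write `manage_dirs_pattern($1, debugfs_t, debugfs_t)`. Dropping `list_dirs_pattern` is harmless if manage_dir_perms is a superset of list_dir_perms as in refpolicy, but the interface now hands create/rmdir/rename on debugfs directories to every existing caller, and the commit does not say which caller needed that; if it is a single domain, a narrower interface would keep the others at list access.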
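Review bot: `dev_rw_inherited_dri(systemd_logind_t)` only covers dri descriptors logind already holds; if the denial being fixed included `open` on dri_device_t (logind opening the card node itself before handing it to a session), the inherited variant will not clear it and `dev_rw_dri(systemd_logind_t)` is what is needed. The AVC is not given in the commit, so a why-comment on the line, `# rw on DRM fds received from/passed to sessions`, would record which case this is for the next reader.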
@@ -39717,7 +39670,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..dacbee8 100644 +index 9dc60c6..a964b08 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40687,7 +40640,7 @@ index 9dc60c6..dacbee8 100644 userdom_change_password_template($1) -@@ -761,82 +984,101 @@ template(`userdom_login_user_template', ` +@@ -761,83 +984,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
@@ -40793,39 +40746,45 @@ index 9dc60c6..dacbee8 100644 + kerberos_use($1_usertype) + init_write_key($1_usertype) + ') ++ ++ optional_policy(` ++ mysql_filetrans_named_content($1_usertype) ++ ') optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ mysql_filetrans_named_content($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ oddjob_run_mkhomedir($1_t, $1_r) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ oddjob_run_mkhomedir($1_t, $1_r) ++ wine_filetrans_named_content($1_usertype) ') ++ ') -@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',` + ####################################### +@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -40838,7 +40797,7 @@ index 9dc60c6..dacbee8 100644 ############################## # # Local policy -@@ -907,60 +1155,144 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,56 +1160,140 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # 
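Review bot: The new `wine_filetrans_named_content($1_usertype)` in userdom_login_user_template duplicates the `wine_filetrans_named_content(named_filetrans_domain)` this same patch adds to domain.te, if login user domains carry named_filetrans_domain (their attribute membership is not in this chunk). If they do, drop the per-template block; if they do not, a comment on the optional_policy, `# user types are not named_filetrans_domain members`, would explain why the call is repeated here. The enclosing template starts before and the userdom_restricted_user_template hunk continues after this one.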
@@ -40917,12 +40876,14 @@ index 9dc60c6..dacbee8 100644 + abrt_dbus_chat($1_usertype) + abrt_run_helper($1_usertype, $1_r) + ') -+ -+ optional_policy(` + + optional_policy(` +- consolekit_dbus_chat($1_t) + accountsd_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- cups_dbus_chat($1_t) + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') @@ -40937,14 +40898,12 @@ index 9dc60c6..dacbee8 100644 + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + fprintd_dbus_chat($1_t) - ') - - optional_policy(` -- cups_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') @@ -40970,10 +40929,6 @@ index 9dc60c6..dacbee8 100644 -') -####################################### --## --## The template for creating a unprivileged user roughly --## equivalent to a regular linux user. --## + optional_policy(` + rtkit_scheduled($1_usertype) + ') @@ -40996,14 +40951,10 @@ index 9dc60c6..dacbee8 100644 +') + +####################################### -+## -+## The template for creating a unprivileged user roughly -+## equivalent to a regular linux user. -+## - ## - ##

+ ##

## The template for creating a unprivileged user roughly -@@ -987,27 +1319,33 @@ template(`userdom_unpriv_user_template', ` + ## equivalent to a regular linux user. +@@ -987,27 +1324,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -41041,7 +40992,7 @@ index 9dc60c6..dacbee8 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1356,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1361,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -41067,11 +41018,9 @@ index 9dc60c6..dacbee8 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cdrecord_role($1_r, $1_t) + ') + @@ -41104,15 +41053,17 @@ index 9dc60c6..dacbee8 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1418,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1423,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -41123,7 +41074,7 @@ index 9dc60c6..dacbee8 100644 ') ') -@@ -1079,7 +1456,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1461,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -41134,7 +41085,7 @@ index 9dc60c6..dacbee8 100644 ') ############################## -@@ -1095,6 +1474,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1479,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; 
@@ -41142,7 +41093,7 @@ index 9dc60c6..dacbee8 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1106,6 +1486,7 @@ template(`userdom_admin_user_template',` +@@ -1106,6 +1491,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -41150,7 +41101,7 @@ index 9dc60c6..dacbee8 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1114,6 +1495,9 @@ template(`userdom_admin_user_template',` +@@ -1114,6 +1500,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -41160,7 +41111,7 @@ index 9dc60c6..dacbee8 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1128,6 +1512,7 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1517,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -41168,7 +41119,7 @@ index 9dc60c6..dacbee8 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1530,14 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1535,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -41183,7 +41134,7 @@ index 9dc60c6..dacbee8 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1548,38 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1553,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -41226,7 +41177,7 @@ index 9dc60c6..dacbee8 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1589,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1594,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -41235,7 +41186,7 @@ index 9dc60c6..dacbee8 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1598,17 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1603,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -41254,7 +41205,7 @@ index 9dc60c6..dacbee8 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1644,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1649,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -41263,7 +41214,7 @@ index 9dc60c6..dacbee8 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1654,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1659,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -41272,7 +41223,7 @@ index 9dc60c6..dacbee8 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1668,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1673,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -41284,7 +41235,7 @@ index 9dc60c6..dacbee8 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1682,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1687,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -41327,7 +41278,7 @@ index 9dc60c6..dacbee8 100644 ') optional_policy(` -@@ -1357,14 +1767,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1772,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -41346,7 +41297,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -1405,6 +1818,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1405,6 +1823,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -41398,7 +41349,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## Domain allowed access. -@@ -1509,11 +1967,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +1972,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -41430,7 +41381,7 @@ index 9dc60c6..dacbee8 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2033,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2038,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -41445,7 +41396,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -1570,9 +2056,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2061,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -41457,7 +41408,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -1629,6 +2117,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1629,6 +2122,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -41500,7 +41451,7 @@ index 9dc60c6..dacbee8 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1708,6 +2232,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1708,6 +2237,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -41509,7 +41460,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -1741,10 +2267,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2272,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -41524,7 +41475,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -1769,7 +2297,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2302,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -41551,7 +41502,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -1779,53 +2325,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1779,53 +2330,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41634,7 +41585,7 @@ index 9dc60c6..dacbee8 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1845,6 +2408,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1845,6 +2413,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -41660,7 +41611,7 @@ index 9dc60c6..dacbee8 100644 ## Mmap user home files. ## ## -@@ -1875,14 +2457,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1875,14 +2462,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -41698,7 +41649,7 @@ index 9dc60c6..dacbee8 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2497,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2502,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -41716,7 +41667,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -1938,7 +2545,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2550,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -41725,7 +41676,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -1946,10 +2553,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2558,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -41738,7 +41689,7 @@ index 9dc60c6..dacbee8 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2564,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2569,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -41747,7 +41698,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -1966,17 +2572,71 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,30 +2577,84 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -41766,18 +41717,21 @@ index 9dc60c6..dacbee8 100644 ## -## Do not audit attempts to write user home files. +## Delete sock files in a user home subdirectory. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`userdom_dontaudit_relabel_user_home_content_files',` +interface(`userdom_delete_user_home_content_sock_files',` -+ gen_require(` -+ type user_home_t; -+ ') -+ + gen_require(` + type user_home_t; + ') + +- dontaudit $1 user_home_t:file relabel_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; +') + @@ -41820,10 +41774,23 @@ index 9dc60c6..dacbee8 100644 +######################################## +## +## Do not audit attempts to write user home files. - ## - ## - ## -@@ -2007,8 +2667,7 @@ interface(`userdom_read_user_home_content_symlinks',` ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_relabel_user_home_content_files',` ++ gen_require(` ++ type user_home_t; ++ ') ++ ++ dontaudit $1 user_home_t:file relabel_file_perms; + ') + + ######################################## +@@ -2007,8 +2672,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -41833,7 +41800,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -2024,20 +2683,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2688,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -41858,7 +41825,7 @@ index 9dc60c6..dacbee8 100644 ######################################## ## -@@ -2120,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2778,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
@@ -41867,7 +41834,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -2128,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2786,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41891,7 +41858,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -2148,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2804,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41907,7 +41874,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -2390,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2390,11 +3046,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -41922,7 +41889,7 @@ index 9dc60c6..dacbee8 100644 files_search_tmp($1) ') -@@ -2414,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3070,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41931,7 +41898,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -2661,6 +3312,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3317,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -41957,7 +41924,7 @@ index 9dc60c6..dacbee8 100644 ######################################## ## ## Read user tmpfs files. -@@ -2677,13 +3347,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2677,13 +3352,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -41973,7 +41940,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -2704,7 +3375,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2704,7 +3380,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -41982,7 +41949,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -2712,14 +3383,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2712,14 +3388,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -42017,7 +41984,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -2814,6 +3501,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3506,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -42042,7 +42009,7 @@ index 9dc60c6..dacbee8 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3537,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3542,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -42085,7 +42052,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -2856,14 +3573,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3578,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -42123,7 +42090,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -2882,8 +3618,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3623,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -42153,7 +42120,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -2955,69 +3710,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,69 +3715,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -42254,7 +42221,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -3025,12 +3779,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,12 +3784,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -42269,7 +42236,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -3094,7 +3848,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +3853,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -42278,7 +42245,7 @@ index 9dc60c6..dacbee8 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +3864,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +3869,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -42312,7 +42279,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -3214,7 +3952,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +3957,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -42339,7 +42306,7 @@ index 9dc60c6..dacbee8 100644 ') ######################################## -@@ -3269,12 +4025,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4030,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -42355,7 +42322,7 @@ index 9dc60c6..dacbee8 100644 ## ## ## -@@ -3282,44 +4039,120 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,40 +4044,116 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -42405,10 +42372,9 @@ index 9dc60c6..dacbee8 100644 ## -## Domain allowed access. +## Domain to not audit. - ## - ## - # --interface(`userdom_getattr_all_users',` ++## ++## ++# +interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; 
@@ -42481,14 +42447,10 @@ index 9dc60c6..dacbee8 100644 +## +## +## Domain allowed access. -+## -+## -+# -+interface(`userdom_getattr_all_users',` - gen_require(` - attribute userdomain; - ') -@@ -3382,6 +4215,42 @@ interface(`userdom_signal_all_users',` + ## + ## + # +@@ -3382,6 +4220,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -42531,7 +42493,7 @@ index 9dc60c6..dacbee8 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4271,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4276,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -42556,7 +42518,7 @@ index 9dc60c6..dacbee8 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4322,1646 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4327,1646 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 0d19f60..3a8e03d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -9563,29 +9563,28 @@ index 18623e3..d9f3061 100644 ') diff --git a/bumblebee.fc b/bumblebee.fc new file mode 100644 -index 0000000..17eea86 +index 0000000..b5ee23b --- /dev/null +++ b/bumblebee.fc @@ -0,0 +1,7 @@ -+/etc/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) + -+/usr/lib/systemd/system/bumblebeed.service -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) + +/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0) + +/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) 
diff --git a/bumblebee.if b/bumblebee.if new file mode 100644 -index 0000000..f61b9c3 +index 0000000..23a4f86 --- /dev/null +++ b/bumblebee.if -@@ -0,0 +1,122 @@ -+ +@@ -0,0 +1,126 @@ +## policy for bumblebee + +######################################## +## -+## Execute TEMPLATE in the bumblebee domin. ++## Execute bumblebee in the bumblebee domin. +## +## +## @@ -9601,6 +9600,7 @@ index 0000000..f61b9c3 + corecmd_search_bin($1) + domtrans_pattern($1, bumblebee_exec_t, bumblebee_t) +') ++ +######################################## +## +## Read bumblebee PID files. @@ -9637,7 +9637,7 @@ index 0000000..f61b9c3 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 bumblebee_unit_file_t:file read_file_perms; + allow $1 bumblebee_unit_file_t:service manage_service_perms; + @@ -9687,9 +9687,13 @@ index 0000000..f61b9c3 + type bumblebee_unit_file_t; + ') + -+ allow $1 bumblebee_t:process { ptrace signal_perms }; ++ allow $1 bumblebee_t:process { signal_perms }; + ps_process_pattern($1, bumblebee_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bumblebee_t:process ptrace; ++ ') ++ + files_search_pids($1) + admin_pattern($1, bumblebee_var_run_t) + @@ -9704,10 +9708,10 @@ index 0000000..f61b9c3 +') diff --git a/bumblebee.te b/bumblebee.te new file mode 100644 -index 0000000..f39fc96 +index 0000000..a774878 --- /dev/null +++ b/bumblebee.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,44 @@ +policy_module(bumblebee, 1.0.0) + +######################################## @@ -9719,8 +9723,6 @@ index 0000000..f39fc96 +type bumblebee_exec_t; +init_daemon_domain(bumblebee_t, bumblebee_exec_t) + -+permissive bumblebee_t; -+ +type bumblebee_var_run_t; +files_pid_file(bumblebee_var_run_t) + @@ -9731,6 +9733,7 @@ index 0000000..f39fc96 +# +# bumblebee local policy +# ++ +allow bumblebee_t self:capability { setgid }; +allow bumblebee_t self:process { fork signal_perms }; +allow bumblebee_t self:fifo_file rw_fifo_file_perms; 
@@ -10884,10 +10887,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..12585f0 +index 0000000..748f5d5 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,246 @@ +@@ -0,0 +1,247 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -11016,6 +11019,7 @@ index 0000000..12585f0 +userdom_manage_home_certs(chrome_sandbox_t) + +optional_policy(` ++ gnome_read_generic_cache_files(chrome_sandbox_t) + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) + gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") 
@@ -13618,6 +13622,218 @@ index ce9f040..32ebb0c 100644 +optional_policy(` + unconfined_domain(condor_startd_t) +') +diff --git a/conman.fc b/conman.fc +new file mode 100644 +index 0000000..5f97ba9 +--- /dev/null ++++ b/conman.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0) ++ ++/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0) ++ ++/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0) ++/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0) ++ +diff --git a/conman.if b/conman.if +new file mode 100644 +index 0000000..54b4b04 +--- /dev/null ++++ b/conman.if +@@ -0,0 +1,142 @@ ++## Conman is a program for connecting to remote consoles being managed by conmand ++ ++######################################## ++## ++## Execute conman in the conman domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`conman_domtrans',` ++ gen_require(` ++ type conman_t, conman_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, conman_exec_t, conman_t) ++') ++ ++######################################## ++## ++## Read conman's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`conman_read_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Append to conman log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`conman_append_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Manage conman log files ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`conman_manage_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, conman_log_t, conman_log_t) ++ manage_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Execute conman server in the conman domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`conman_systemctl',` ++ gen_require(` ++ type conman_t; ++ type conman_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 conman_unit_file_t:file read_file_perms; ++ allow $1 conman_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, conman_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an conman environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`conman_admin',` ++ gen_require(` ++ type conman_t; ++ type conman_log_t; ++ type conman_unit_file_t; ++ ') ++ ++ allow $1 conman_t:process { signal_perms }; ++ ps_process_pattern($1, conman_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 conman_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, conman_log_t) ++ ++ conman_systemctl($1) ++ admin_pattern($1, conman_unit_file_t) ++ allow $1 conman_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/conman.te b/conman.te +new file mode 100644 +index 0000000..0de2d4d +--- /dev/null ++++ b/conman.te +@@ -0,0 +1,45 @@ ++policy_module(conman, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type conman_t; ++type conman_exec_t; ++init_daemon_domain(conman_t, conman_exec_t) ++ ++type conman_log_t; ++logging_log_file(conman_log_t) ++ ++type conman_unit_file_t; ++systemd_unit_file(conman_unit_file_t) ++ 
++######################################## ++# ++# conman local policy ++# ++ ++allow conman_t self:capability { sys_tty_config }; ++allow conman_t self:process { setrlimit signal_perms }; ++ ++allow conman_t self:fifo_file rw_fifo_file_perms; ++allow conman_t self:unix_stream_socket create_stream_socket_perms; ++allow conman_t self:tcp_socket { listen create_socket_perms }; ++ ++manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) ++manage_files_pattern(conman_t, conman_log_t, conman_log_t) ++logging_log_filetrans(conman_t, conman_log_t, { dir }) ++ ++corenet_tcp_bind_generic_node(conman_t) ++corenet_tcp_bind_conman_port(conman_t) ++ ++corecmd_exec_bin(conman_t) ++ ++auth_read_passwd(conman_t) ++ ++logging_send_syslog_msg(conman_t) ++ ++optional_policy(` ++ freeipmi_stream_connect(conman_t) ++') diff --git a/consolekit.fc b/consolekit.fc index 23c9558..29e5fd3 100644 --- a/consolekit.fc @@ -19111,7 +19327,7 @@ index 62d22cb..fefd4b4 100644 + dontaudit system_bus_type $1:dbus send_msg; ') diff --git a/dbus.te b/dbus.te -index c9998c8..fa4f188 100644 +index c9998c8..163708f 100644 --- a/dbus.te +++ b/dbus.te @@ -4,17 +4,15 @@ gen_require(` @@ -19155,7 +19371,7 @@ index c9998c8..fa4f188 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,58 @@ ifdef(`enable_mls',` +@@ -51,59 +47,61 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -19214,7 +19430,9 @@ index c9998c8..fa4f188 100644 -domain_use_interactive_fds(system_dbusd_t) -domain_read_all_domains_state(system_dbusd_t) -- ++dev_rw_inherited_input_dev(system_dbusd_t) ++dev_rw_inherited_dri(system_dbusd_t) + -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) +files_rw_inherited_non_security_files(system_dbusd_t) 
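Review bot: `allow conman_t self:tcp_socket { listen create_socket_perms };` in the new conman.te lets the daemon bind and listen on its port but not `accept`, which `create_socket_perms` does not include; since `corenet_tcp_bind_conman_port(conman_t)` shows conmand is meant to serve client connections, the line should be `allow conman_t self:tcp_socket create_stream_socket_perms;` (the set the file already uses for its unix stream socket, which adds listen and accept). In conman.if the summary of `conman_systemctl` reads "Execute conman server in the conman domain", yet the body grants systemctl and unit-file access rather than a domain transition; suggest "Allow the caller to manage the conman service through systemctl". The trailing empty line added at the end of conman.fc can be dropped. The hunk begins on an earlier line; these points apply to the conman.te and conman.if sections within it.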
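Review bot: The added `dev_rw_inherited_input_dev(system_dbusd_t)` and `dev_rw_inherited_dri(system_dbusd_t)` widen the system bus daemon to read and write inherited input-device and graphics descriptors with no comment on which caller leaks those descriptors into dbus-daemon, and the bus itself has no need to touch either device class. Please add a why-comment above the pair, e.g. `# inherited fds leaked by <CALLER - confirm>; tracked in <BUG-ID placeholder>`, so the grant can be revisited once the caller sets close-on-exec on those descriptors. If the daemon only trips the denial and never actually uses the descriptors, a dontaudit of the same inherited access would silence the log without granting it; this is inferred from the two lines alone, so confirm against the originating AVC.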
@@ -19232,7 +19450,7 @@ index c9998c8..fa4f188 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -19290,10 +19508,9 @@ index c9998c8..fa4f188 100644 +optional_policy(` + gnome_exec_gconf(system_dbusd_t) + gnome_read_inherited_home_icc_data_files(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + nis_use_ypbind(system_dbusd_t) +') + @@ -19310,9 +19527,10 @@ index c9998c8..fa4f188 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) @@ -19406,7 +19624,7 @@ index c9998c8..fa4f188 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -19431,7 +19649,7 @@ index c9998c8..fa4f188 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) 
@@ -19439,7 +19657,7 @@ index c9998c8..fa4f188 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -19481,7 +19699,7 @@ index c9998c8..fa4f188 100644 ') ######################################## -@@ -244,5 +344,6 @@ optional_policy(` +@@ -244,5 +347,6 @@ optional_policy(` # Unconfined access to this module # 
@@ -25127,6 +25345,180 @@ index 92a6479..989f63a 100644 +optional_policy(` + xserver_read_state_xdm(fprintd_t) ') +diff --git a/freeipmi.fc b/freeipmi.fc +new file mode 100644 +index 0000000..0942a2e +--- /dev/null ++++ b/freeipmi.fc +@@ -0,0 +1,17 @@ ++/usr/lib/systemd/system/bmc-watchdog.* -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0) ++/usr/lib/systemd/system/ipmidetectd.* -- gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0) ++/usr/lib/systemd/system/ipmiseld.* -- gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0) ++ ++/usr/sbin/bmc-watchdog -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0) ++/usr/sbin/ipmidetectd -- gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0) ++/usr/sbin/ipmiseld -- gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0) ++ ++/var/cache/ipmiseld(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0) ++/var/cache/ipmimonitoringsdrcache(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0) ++ ++/var/lib/freeipmi(/.*)? gen_context(system_u:object_r:freeipmi_var_lib_t,s0) ++ ++ ++/var/run/ipmidetectd\.pid -- gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0) ++/var/run/ipmiseld\.pid -- gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0) ++/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0) +diff --git a/freeipmi.if b/freeipmi.if +new file mode 100644 +index 0000000..dc94853 +--- /dev/null ++++ b/freeipmi.if +@@ -0,0 +1,71 @@ ++## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification ++ ++##################################### ++## ++## Creates types and rules for a basic ++## freeipmi init daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++## ++## ++# ++template(`freeipmi_domain_template',` ++ gen_require(` ++ attribute freeipmi_domain, freeipmi_pid; ++ ') ++ ++ ############################# ++ # ++ # Declarations ++ # ++ ++ type freeipmi_$1_t, freeipmi_domain; ++ type freeipmi_$1_exec_t; ++ init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t) ++ role system_r types freeipmi_$1_t; ++ ++ type freeipmi_$1_unit_file_t; ++ systemd_unit_file(freeipmi_$1_unit_file_t) ++ ++ type freeipmi_$1_var_run_t, freeipmi_pid; ++ files_pid_file(freeipmi_$1_var_run_t) ++ ++ ############################# ++ # ++ # Local policy ++ # ++ ++ manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t) ++ ++ kernel_read_system_state(freeipmi_$1_t) ++ ++ corenet_all_recvfrom_netlabel(freeipmi_$1_t) ++ corenet_all_recvfrom_unlabeled(freeipmi_$1_t) ++ ++ auth_use_nsswitch(freeipmi_$1_t) ++ ++ logging_send_syslog_msg(freeipmi_$1_t) ++') ++ ++#################################### ++## ++## Connect to cluster domains over a unix domain ++## stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`freeipmi_stream_connect',` ++ gen_require(` ++ attribute freeipmi_domain, freeipmi_pid; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain) ++') ++ +diff --git a/freeipmi.te b/freeipmi.te +new file mode 100644 +index 0000000..1408208 +--- /dev/null ++++ b/freeipmi.te +@@ -0,0 +1,68 @@ ++policy_module(freeipmi, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute freeipmi_domain; ++attribute freeipmi_pid; ++ ++freeipmi_domain_template(ipmidetectd) ++freeipmi_domain_template(ipmiseld) ++freeipmi_domain_template(bmc_watchdog) ++ ++type freeipmi_var_lib_t; ++files_type(freeipmi_var_lib_t) ++ ++type freeipmi_var_cache_t; ++files_type(freeipmi_var_cache_t) ++ ++######################################## ++# ++# freeipmi_domain local policy ++# ++ ++allow freeipmi_domain self:fifo_file rw_fifo_file_perms; ++allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms; ++allow freeipmi_domain self:sem create_sem_perms; ++ ++manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t) ++manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t) ++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t) ++files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir }) ++ ++manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t) ++manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t) ++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t) ++files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir }) ++ ++sysnet_dns_name_resolve(freeipmi_domain) ++ ++####################################### ++# ++# bmc-watchdog local policy ++# ++ ++files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid") ++ ++dev_read_raw_memory(freeipmi_bmc_watchdog_t) 
++dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t) ++ ++####################################### ++# ++# ipmidetectd local policy ++# ++ ++files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid") ++ ++####################################### ++# ++# ipmiseld local policy ++# ++ ++allow freeipmi_ipmiseld_t self:capability sys_rawio; ++ ++allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms; ++ ++files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid") diff --git a/freqset.fc b/freqset.fc new file mode 100644 index 0000000..3cd9c38 @@ -31492,10 +31884,38 @@ index 08b7560..417e630 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) diff --git a/iscsi.if b/iscsi.if -index 1a35420..4b9b978 100644 +index 1a35420..2ea1241 100644 --- a/iscsi.if +++ b/iscsi.if -@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',` +@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',` + ######################################## + ## + ## Create, read, write, and delete ++## iscsid lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iscsi_manage_lock',` ++ gen_require(` ++ type iscsi_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t) ++ manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete + ## iscsid sempaphores. + ## + ## +@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',` ######################################## ## 
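Review bot: `dev_read_raw_memory(freeipmi_bmc_watchdog_t)` in the new freeipmi.te hands a daemon that already gets `dev_rw_ipmi_dev` read access to the raw physical-memory devices, and nothing in the file records why; a why-comment above it such as `# raw memory read: needed for <which probe — confirm against the denial>` would let the next reviewer judge whether the narrower IPMI device access would do. In the same hunk the `freeipmi_stream_connect` summary in freeipmi.if reads `## Connect to cluster domains over a unix domain stream socket.`, which looks copied from another module; it should say `## Connect to freeipmi domains over a unix domain stream socket.`.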
@@ -31532,7 +31952,7 @@ index 1a35420..4b9b978 100644 ## ## ## -@@ -99,16 +113,15 @@ interface(`iscsi_admin',` +@@ -99,16 +134,15 @@ interface(`iscsi_admin',` gen_require(` type iscsid_t, iscsi_lock_t, iscsi_log_t; type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; @@ -36738,7 +37158,7 @@ index be0ab84..8c532a6 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index ab65034..ca924b3 100644 +index ab65034..52cbb90 100644 --- a/logwatch.te +++ b/logwatch.te @@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2) @@ -36825,19 +37245,20 @@ index ab65034..ca924b3 100644 corenet_sendrecv_smtp_client_packets(logwatch_t) corenet_tcp_connect_smtp_port(logwatch_t) corenet_tcp_sendrecv_smtp_port(logwatch_t) -@@ -160,6 +169,11 @@ optional_policy(` +@@ -160,6 +169,12 @@ optional_policy(` ') optional_policy(` + raid_domtrans_mdadm(logwatch_t) + raid_access_check_mdadm(logwatch_t) ++ raid_read_conf_files(logwatch_t) +') + +optional_policy(` rpc_search_nfs_state_data(logwatch_t) ') -@@ -187,6 +201,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -187,6 +202,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -38333,7 +38754,7 @@ index 327f3f7..4f61561 100644 + ') ') diff --git a/mandb.te b/mandb.te -index e6136fd..f5203f5 100644 +index e6136fd..14e2c47 100644 --- a/mandb.te +++ b/mandb.te @@ -10,9 +10,18 @@ roleattribute system_r mandb_roles; @@ -38375,12 +38796,13 @@ index e6136fd..f5203f5 100644 kernel_read_kernel_sysctls(mandb_t) kernel_read_system_state(mandb_t) -@@ -33,11 +54,11 @@ dev_search_sysfs(mandb_t) +@@ -33,11 +54,12 @@ dev_search_sysfs(mandb_t) domain_use_interactive_fds(mandb_t) -files_read_etc_files(mandb_t) +files_search_locks(mandb_t) ++files_dontaudit_search_all_mountpoints(mandb_t) miscfiles_manage_man_cache(mandb_t) +miscfiles_setattr_man_pages(mandb_t) 
@@ -39039,10 +39461,10 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') diff --git a/milter.te b/milter.te -index 4dc99f4..4385417 100644 +index 4dc99f4..22dbcb9 100644 --- a/milter.te +++ b/milter.te -@@ -5,73 +5,106 @@ policy_module(milter, 1.5.0) +@@ -5,73 +5,113 @@ policy_module(milter, 1.5.0) # Declarations # @@ -39057,6 +39479,9 @@ index 4dc99f4..4385417 100644 +type dkim_milter_private_key_t; +files_type(dkim_milter_private_key_t) + ++type dkim_milter_tmp_t; ++files_tmp_file(dkim_milter_tmp_t) ++ +# currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) @@ -39116,6 +39541,10 @@ index 4dc99f4..4385417 100644 -logging_send_syslog_msg(milter_domains) +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + ++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t) ++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t) ++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file }) ++ +kernel_read_kernel_sysctls(dkim_milter_t) + +auth_use_nsswitch(dkim_milter_t) @@ -39176,7 +39605,7 @@ index 4dc99f4..4385417 100644 optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +112,45 @@ optional_policy(` +@@ -79,30 +119,45 @@ optional_policy(` ######################################## # @@ -47724,16 +48153,16 @@ index 0000000..cc31b9f + diff --git a/ninfod.if b/ninfod.if new file mode 100644 -index 0000000..7c813e9 +index 0000000..a7f57d9 --- /dev/null +++ b/ninfod.if -@@ -0,0 +1,75 @@ +@@ -0,0 +1,79 @@ + +## Respond to IPv6 Node Information Queries + +######################################## +## -+## Execute TEMPLATE in the ninfod domin. ++## Execute ninfod in the ninfod domin. +## +## +## 
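Review bot: The summary the ninfod.if hunk rewrites still misspells the domain: `## Execute ninfod in the ninfod domin.` should read `## Execute ninfod in the ninfod domain.` (the interface this documents sits below the hunk). The same `domin` typo survives in the rewritten opensm.if and openwsman.if summaries in the later hunks, so fix all three together.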
@@ -47766,7 +48195,7 @@ index 0000000..7c813e9 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 ninfod_unit_file_t:file read_file_perms; + allow $1 ninfod_unit_file_t:service manage_service_perms; + @@ -47789,12 +48218,16 @@ index 0000000..7c813e9 +interface(`ninfod_admin',` + gen_require(` + type ninfod_t; -+ type ninfod_unit_file_t; ++ type ninfod_unit_file_t; + ') + -+ allow $1 ninfod_t:process { ptrace signal_perms }; ++ allow $1 ninfod_t:process { signal_perms }; + ps_process_pattern($1, ninfod_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ninfod_t:process ptrace; ++ ') ++ + ninfod_systemctl($1) + admin_pattern($1, ninfod_unit_file_t) + allow $1 ninfod_unit_file_t:service all_service_perms; @@ -53726,16 +54159,16 @@ index 0000000..51650fa +/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0) diff --git a/opensm.if b/opensm.if new file mode 100644 -index 0000000..a62f050 +index 0000000..776fda7 --- /dev/null +++ b/opensm.if -@@ -0,0 +1,220 @@ +@@ -0,0 +1,223 @@ + +## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB + +######################################## +## -+## Execute TEMPLATE in the opensm domin. ++## Execute opensm in the opensm domin. +## +## +## @@ -53838,7 +54271,6 @@ index 0000000..a62f050 +## Domain allowed access. +## +## -+## +# +interface(`opensm_read_log',` + gen_require(` @@ -53905,7 +54337,7 @@ index 0000000..a62f050 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 opensm_unit_file_t:file read_file_perms; + allow $1 opensm_unit_file_t:service manage_service_perms; + 
@@ -53930,12 +54362,16 @@ index 0000000..a62f050 + type opensm_t; + type opensm_cache_t; + type opensm_log_t; -+ type opensm_unit_file_t; ++ type opensm_unit_file_t; + ') + -+ allow $1 opensm_t:process { ptrace signal_perms }; ++ allow $1 opensm_t:process { signal_perms }; + ps_process_pattern($1, opensm_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 opensm_t:process ptrace; ++ ') ++ + files_search_var($1) + admin_pattern($1, opensm_cache_t) + @@ -54641,15 +55077,15 @@ index 0000000..00d0643 +/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0) diff --git a/openwsman.if b/openwsman.if new file mode 100644 -index 0000000..9c67ac5 +index 0000000..42ed4ba --- /dev/null +++ b/openwsman.if -@@ -0,0 +1,74 @@ +@@ -0,0 +1,78 @@ +## WS-Management Server + +######################################## +## -+## Execute TEMPLATE in the openwsman domin. ++## Execute openwsman in the openwsman domin. +## +## +## @@ -54682,7 +55118,7 @@ index 0000000..9c67ac5 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 openwsman_unit_file_t:file read_file_perms; + allow $1 openwsman_unit_file_t:service manage_service_perms; + @@ -54705,12 +55141,16 @@ index 0000000..9c67ac5 +interface(`openwsman_admin',` + gen_require(` + type openwsman_t; -+ type openwsman_unit_file_t; ++ type openwsman_unit_file_t; + ') + -+ allow $1 openwsman_t:process { ptrace signal_perms }; ++ allow $1 openwsman_t:process { signal_perms }; + ps_process_pattern($1, openwsman_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 openwsman_t:process ptrace; ++ ') ++ + openwsman_systemctl($1) + admin_pattern($1, openwsman_unit_file_t) + allow $1 openwsman_unit_file_t:service all_service_perms; @@ -55657,7 +56097,7 @@ index 1fb1964..f92c71a 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..87bda41 100644 +index dfd46e4..6b5b74b 100644 --- a/pegasus.fc +++ b/pegasus.fc 
@@ -1,15 +1,25 @@ @@ -55689,7 +56129,7 @@ index dfd46e4..87bda41 100644 +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + + @@ -55795,7 +56235,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 608f454..555f313 100644 +index 608f454..938df5d 100644 --- a/pegasus.te +++ b/pegasus.te @@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0) @@ -55814,7 +56254,7 @@ index 608f454..555f313 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,278 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,288 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -56011,7 +56451,10 @@ index 608f454..555f313 100644 +# pegasus openlmi storage local policy +# + -+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio }; ++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock }; ++allow pegasus_openlmi_storage_t self:process setrlimit; ++ ++allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms; + +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) 
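Review bot: The capabilities added to `pegasus_openlmi_storage_t` (`sys_resource`, `ipc_lock`) and the new `self:process setrlimit` and `self:netlink_route_socket` rules carry no comment saying which provider operation needs them, in a domain that already holds `sys_admin` and `sys_rawio`. Each of these widens what a compromised provider can do, so a short why-comment above the `allow` lines, e.g. `# sys_resource/setrlimit and ipc_lock: <record the provider operation and denial that motivated them>`, would keep the grant auditable. The openlmi storage section continues in the following hunks.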
@@ -56023,6 +56466,7 @@ index 608f454..555f313 100644 + +kernel_read_all_sysctls(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) ++kernel_request_load_module(pegasus_openlmi_storage_t) + +dev_read_rand(pegasus_openlmi_storage_t) +dev_read_urand(pegasus_openlmi_storage_t) @@ -56037,6 +56481,8 @@ index 608f454..555f313 100644 +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + ++files_read_kernel_modules(pegasus_openlmi_storage_t) ++ +fs_getattr_all_fs(pegasus_openlmi_storage_t) + +modutils_domtrans_insmod(pegasus_openlmi_storage_t) @@ -56053,6 +56499,10 @@ index 608f454..555f313 100644 +') + +optional_policy(` ++ iscsi_manage_lock(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) +') + @@ -56098,7 +56548,7 @@ index 608f454..555f313 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +311,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +321,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -56129,7 +56579,7 @@ index 608f454..555f313 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +337,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +347,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -56162,7 +56612,7 @@ index 608f454..555f313 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,9 +365,11 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +375,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -56174,7 +56624,7 @@ index 608f454..555f313 100644 files_list_var_lib(pegasus_t) files_read_var_lib_files(pegasus_t) -@@ -128,18 +381,29 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +391,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -56210,7 +56660,7 @@ index 608f454..555f313 100644 ') optional_policy(` -@@ -151,16 +415,24 @@ optional_policy(` +@@ -151,16 +425,24 @@ optional_policy(` ') optional_policy(` @@ -56239,7 +56689,7 @@ index 608f454..555f313 100644 ') optional_policy(` -@@ -168,7 +440,7 @@ optional_policy(` +@@ -168,7 +450,7 @@ optional_policy(` ') optional_policy(` @@ -68951,7 +69401,7 @@ index 5806046..d83ec27 100644 /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..98a0758 100644 +index 951db7f..c0cabe8 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -69032,7 +69482,7 @@ index 951db7f..98a0758 100644 ## ## ## -@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',` +@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',` ## ## # @@ -69100,7 +69550,7 @@ index 951db7f..98a0758 100644 + +######################################## +## -+## Manage mdadm config files. ++## Read mdadm config files. +## +## ## @@ -69111,7 +69561,7 @@ index 951db7f..98a0758 100644 -## # -interface(`raid_admin_mdadm',` -+interface(`raid_manage_conf_files',` ++interface(`raid_read_conf_files',` gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; + type mdadm_conf_t; 
@@ -69119,7 +69569,24 @@ index 951db7f..98a0758 100644 - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) -- ++ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++') ++ ++######################################## ++## ++## Manage mdadm config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`raid_manage_conf_files',` ++ gen_require(` ++ type mdadm_conf_t; ++ ') + - init_labeled_script_domtrans($1, mdadm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; 
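Review bot: The new `raid_read_conf_files` body is only `read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)`, which grants search on the `mdadm_conf_t` directory type and read on the file but no traversal of the parent directory (presumably /etc), so a caller without that search right is still denied; if the other read-config interfaces in this file start with `files_search_etc($1)`, add that line here too. The interface's `gen_require` is in the previous hunk, and the body of the `raid_manage_conf_files` added below runs past the hunk end, so it is not reviewed here.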
@@ -70023,6 +70490,68 @@ index e9765c0..ea21331 100644 +/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0) /usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) +diff --git a/rdisc.if b/rdisc.if +index 170ef52..7dd9193 100644 +--- a/rdisc.if ++++ b/rdisc.if +@@ -18,3 +18,57 @@ interface(`rdisc_exec',` + corecmd_search_bin($1) + can_exec($1, rdisc_exec_t) + ') ++ ++######################################## ++## ++## Execute rdisc server in the rdisc domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rdisc_systemctl',` ++ gen_require(` ++ type rdisc_t; ++ type rdisc_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rdisc_unit_file_t:file read_file_perms; ++ allow $1 rdisc_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rdisc_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rdisc environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`rdisc_admin',` ++ gen_require(` ++ type rdisc_t; ++ type rdisc_unit_file_t; ++ ') ++ ++ allow $1 rdisc_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rdisc_t) ++ ++ rdisc_systemctl($1) ++ admin_pattern($1, rdisc_unit_file_t) ++ allow $1 rdisc_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') diff --git a/rdisc.te b/rdisc.te index 9196c1d..b775931 100644 --- a/rdisc.te @@ -75365,7 +75894,7 @@ index ebe91fc..576ca21 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index ef3b225..fbef499 100644 +index ef3b225..0c8576e 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ 
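Review bot: `rdisc_admin` in the new rdisc.if grants `allow $1 rdisc_t:process { ptrace signal_perms };` unconditionally, whereas the admin interfaces this same commit touches in ninfod.if, opensm.if and openwsman.if move the ptrace permission under a `tunable_policy` on `deny_ptrace`. For consistency, and so that the `deny_ptrace` boolean actually covers this domain, reduce the line to `allow $1 rdisc_t:process { signal_perms };` and grant `allow $1 rdisc_t:process ptrace;` inside the same `deny_ptrace` tunable block used by the other three.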
@@ -75596,10 +76125,12 @@ index ef3b225..fbef499 100644 - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. +## +## @@ -75614,26 +76145,42 @@ index ef3b225..fbef499 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. ## ## ## -@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +378,25 @@ interface(`rpm_manage_log',` ######################################## ## -## Inherit and use rpm script file descriptors. ++## Create rpm logs with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_named_filetrans_log_files',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") ++ logging_log_named_filetrans($1, rpm_log_t, file, "upd2date") ++') ++ ++######################################## ++## +## Inherit and use file descriptors from RPM scripts. ## ## ## -@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -75644,7 +76191,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -75661,7 +76208,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') 
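Review bot: The second transition in the new `rpm_named_filetrans_log_files`, `logging_log_named_filetrans($1, rpm_log_t, file, "upd2date")`, names the file `upd2date`, while the changelog entry for this change refers to the up2date log; if the tool actually writes `up2date`, this rule never matches and the log keeps the directory's default label, so the literal name should be confirmed. The interface summary `## Create rpm logs with an correct label.` should read `## Create rpm logs with a correct label.`.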
@@ -75679,7 +76226,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -75695,7 +76242,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -75704,7 +76251,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +518,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -75714,7 +76261,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -75723,7 +76270,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -459,11 +538,12 @@ interface(`rpm_read_db',` +@@ -459,11 +556,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -75737,7 +76284,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +580,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -75747,7 +76294,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +600,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -75777,7 +76324,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') 
@@ -75786,7 +76333,7 @@ index ef3b225..fbef499 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -75796,7 +76343,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -75806,7 +76353,7 @@ index ef3b225..fbef499 100644 ## ## ## -@@ -573,66 +670,104 @@ interface(`rpm_manage_pid_files',` +@@ -573,66 +688,104 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -78376,7 +78923,7 @@ index 50d07fb..bada62f 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 2b7c441..3e81196 100644 +index 2b7c441..1912f75 100644 --- a/samba.te +++ b/samba.te @@ -6,100 +6,80 @@ policy_module(samba, 1.16.3) @@ -79355,10 +79902,12 @@ index 2b7c441..3e81196 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -841,16 +846,19 @@ optional_policy(` +@@ -840,17 +845,20 @@ optional_policy(` + # Winbind local policy # - allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; @@ -84603,7 +85152,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index f2f507d..a41b9d3 100644 +index f2f507d..f7ba057 100644 --- a/sosreport.te +++ b/sosreport.te @@ -13,15 +13,15 @@ type sosreport_exec_t; 
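Review bot: The `kill` capability added to `winbind_t` has no comment recording which winbind operation raised the denial; CAP_KILL lets the domain signal processes owned by other users, so a why-comment on the `allow winbind_t self:capability` line, e.g. `# kill: <record the winbind operation that needed CAP_KILL>`, would keep the trust decision auditable.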
@@ -84764,7 +85313,7 @@ index f2f507d..a41b9d3 100644 ') optional_policy(` -@@ -151,9 +198,16 @@ optional_policy(` +@@ -151,9 +198,17 @@ optional_policy(` ') optional_policy(` @@ -84775,6 +85324,7 @@ index f2f507d..a41b9d3 100644 + rpm_manage_cache(sosreport_t) + rpm_manage_log(sosreport_t) + rpm_manage_pid_files(sosreport_t) ++ rpm_named_filetrans_log_files(sosreport_t) + rpm_read_db(sosreport_t) + rpm_signull(sosreport_t) +') @@ -97307,7 +97857,7 @@ index ae919b9..e0b1983 100644 manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) ') diff --git a/wine.if b/wine.if -index fd2b6cc..52a2e72 100644 +index fd2b6cc..938c4a7 100644 --- a/wine.if +++ b/wine.if @@ -1,46 +1,57 @@ @@ -97456,8 +98006,31 @@ index fd2b6cc..52a2e72 100644 ') ######################################## +@@ -165,3 +169,22 @@ interface(`wine_rw_shm',` + + allow $1 wine_t:shm rw_shm_perms; + ') ++ ++######################################## ++## ++## Transition to wine named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`wine_filetrans_named_content',` ++ gen_require(` ++ type wine_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine") ++') ++ diff --git a/wine.te b/wine.te -index 491b87b..689460b 100644 +index 491b87b..391f3a1 100644 --- a/wine.te +++ b/wine.te @@ -14,10 +14,11 @@ policy_module(wine, 1.11.0) @@ -97473,7 +98046,7 @@ index 491b87b..689460b 100644 type wine_exec_t; userdom_user_application_domain(wine_t, wine_exec_t) role wine_roles types wine_t; -@@ -25,56 +26,57 @@ role wine_roles types wine_t; +@@ -25,56 +26,58 @@ role wine_roles types wine_t; type wine_home_t; userdom_user_home_content(wine_home_t) 
@@ -97485,34 +98058,34 @@ index 491b87b..689460b 100644 # Local policy # +domain_mmap_low(wine_t) -+ -+optional_policy(` -+ unconfined_domain(wine_t) -+') -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; ++optional_policy(` ++ unconfined_domain(wine_t) ++') -can_exec(wine_t, wine_exec_t) + +-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") +######################################## +# +# Common wine domain policy +# --userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") -+allow wine_domain self:process { execstack execmem execheap }; -+allow wine_domain self:fifo_file manage_fifo_file_perms; - -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -+can_exec(wine_domain, wine_exec_t) ++allow wine_domain self:process { execstack execmem execheap }; ++allow wine_domain self:fifo_file manage_fifo_file_perms; -domain_mmap_low(wine_t) ++can_exec(wine_domain, wine_exec_t) ++ +manage_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) -+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine") +userdom_tmpfs_filetrans(wine_domain, file) ++wine_filetrans_named_content(wine_domain) -files_execmod_all_files(wine_t) +files_execmod_all_files(wine_domain) @@ -97542,19 +98115,19 @@ index 491b87b..689460b 100644 optional_policy(` - rtkit_scheduled(wine_t) --') -- --optional_policy(` -- unconfined_domain(wine_t) + rtkit_scheduled(wine_domain) ') optional_policy(` -- xserver_read_xdm_pid(wine_t) -- xserver_rw_shm(wine_t) +- unconfined_domain(wine_t) + xserver_read_xdm_pid(wine_domain) + xserver_rw_shm(wine_domain) ') + +-optional_policy(` +- xserver_read_xdm_pid(wine_t) +- xserver_rw_shm(wine_t) +-') diff --git a/wireshark.te b/wireshark.te index ff6ef38..436d3bf 100644 --- a/wireshark.te 
diff --git a/selinux-policy.spec b/selinux-policy.spec index 35404c8..2fec2d9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -575,6 +575,48 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Dec 9 2013 Miroslav Grepl 3.13.1-9 +- DRM master and input event devices are used by the TakeDevice API +- Clean up bumblebee policy +- Update pegasus_openlmi_storage_t policy +- opensm policy clean up +- openwsman policy clean up +- ninfod policy clean up +- Allow conman to connect to freeipmi services and clean up conman policy +- Allow conmand just bind on 7890 port +- Add freeipmi_stream_connect() interface +- Allow logwatch read madm.conf to support RAID setup +- Add raid_read_conf_files() interface +- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling +- add rpm_named_filetrans_log_files() interface +- Added policy for conmand +- Allow dkim-milter to create files/dirs in /tmp +- update freeipmi policy +- Add policy for freeipmi services +- Added rdisc_admin and rdisc_systemctl interfaces +- Fix aliases in pegasus.te +- Allow chrome sandbox to read generic cache files in homedir +- Dontaudit mandb searching all mountpoints +- Make sure wine domains create .wine with the correct label +- Add proper aliases for pegasus_openlmi_services_exec_t and pegasus_openlmi_services_t +- Allow windbind the kill capability +- DRM master and input event devices are used by the TakeDevice API +- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() +- Added support for default conman port +- Add interfaces for ipmi devices +- Make sure wine domains create .wine with the correct label +- Allow manage dirs in kernel_manage_debugfs interface. 
+- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service
+- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t
+- Fix userdom_confined_admin_template()
+- Add back exec_content boolean for secadm, logadm, auditadm
+- Fix files_filetrans_system_db_named_files() interface
+- Allow sulogin to getattr on /proc/kcore
+- Add filename transition also for servicelog.db-journal
+- Add files_dontaudit_access_check_root()
+- Add lvm_dontaudit_access_check_lock() interface
+- Allow mount to manage mount_var_run_t files/dirs
+
 * Tue Dec 3 2013 Miroslav Grepl 3.13.1-8
 - Add back fixes for gnome_role_template()
 - Label /usr/sbin/htcacheclean as httpd_exec_t
