diff --git a/policy-F16.patch b/policy-F16.patch index 4ff9a1d..3dbb7e8 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1048,10 +1048,18 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..6eac7b9 100644 +index 7090dae..0db59d1 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) +@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi + allow logrotate_t self:process setfscreate; + + allow logrotate_t self:fd use; ++allow logrotate_t self:key manage_key_perms; + allow logrotate_t self:fifo_file rw_fifo_file_perms; + allow logrotate_t self:unix_dgram_socket create_socket_perms; + allow logrotate_t self:unix_stream_socket create_stream_socket_perms; +@@ -61,6 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) # for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) @@ -1059,7 +1067,7 @@ index 7090dae..6eac7b9 100644 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) -@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t) +@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -1067,7 +1075,7 @@ index 7090dae..6eac7b9 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) 
@@ -1090,7 +1098,18 @@ index 7090dae..6eac7b9 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -162,10 +162,20 @@ optional_policy(` +@@ -154,6 +155,10 @@ optional_policy(` + ') + + optional_policy(` ++ awstats_domtrans(logrotate_t) ++') ++ ++optional_policy(` + asterisk_domtrans(logrotate_t) + ') + +@@ -162,10 +167,20 @@ optional_policy(` ') optional_policy(` @@ -1111,7 +1130,7 @@ index 7090dae..6eac7b9 100644 cups_domtrans(logrotate_t) ') -@@ -203,7 +213,6 @@ optional_policy(` +@@ -203,7 +218,6 @@ optional_policy(` psad_domtrans(logrotate_t) ') @@ -1119,7 +1138,7 @@ index 7090dae..6eac7b9 100644 optional_policy(` samba_exec_log(logrotate_t) ') -@@ -228,3 +237,14 @@ optional_policy(` +@@ -228,3 +242,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -1655,10 +1674,10 @@ index 0000000..bd83148 +## No Interfaces diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te new file mode 100644 -index 0000000..bb587b1 +index 0000000..3008c85 --- /dev/null +++ b/policy/modules/admin/permissivedomains.te -@@ -0,0 +1,228 @@ +@@ -0,0 +1,236 @@ +policy_module(permissivedomains,16) + +optional_policy(` @@ -1758,6 +1777,14 @@ index 0000000..bb587b1 +') + +optional_policy(` ++ gen_require(` ++ type sshd_sandbox_t; ++ ') ++ ++ permissive sshd_sandbox_t; ++') ++ ++optional_policy(` + gen_require(` + type fail2ban_client_t; + ') @@ -2283,18 +2310,20 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc -index b206bf6..b11df05 100644 +index b206bf6..de6d89b 100644 --- a/policy/modules/admin/rpm.fc 
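Review bot: `permissive sshd_sandbox_t;` in the new permissivedomains.te block switches off enforcement for sshd's privilege-separation sandbox domain, so denials there are only logged and the confinement that domain exists to provide is not applied while this module is loaded. Nothing in the hunk records why the domain is not yet enforced or what condition retires the entry, which is how permissive declarations tend to outlive their purpose. I would put a comment above the `optional_policy` block, e.g. `# TODO(<tracking-bug>): sshd_sandbox_t stays permissive until its policy is complete; review AVC denials and drop this entry once clean`. The other domains in this file have the same gap, but the pre-authentication sandbox is the one worth calling out.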
+++ b/policy/modules/admin/rpm.fc -@@ -7,6 +7,7 @@ +@@ -6,7 +6,9 @@ + /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -24,9 +25,14 @@ ifdef(`distro_redhat', ` +@@ -24,9 +26,14 @@ ifdef(`distro_redhat', ` /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -2309,7 +2338,7 @@ index b206bf6..b11df05 100644 /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -@@ -36,6 +42,8 @@ ifdef(`distro_redhat', ` +@@ -36,6 +43,8 @@ ifdef(`distro_redhat', ` /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) @@ -3641,7 +3670,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..d3dd0b9 100644 +index 441cf22..4779a8d 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -79,18 +79,17 @@ selinux_compute_create_context(chfn_t) 
@@ -3688,7 +3717,15 @@ index 441cf22..d3dd0b9 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -291,17 +293,18 @@ selinux_compute_create_context(passwd_t) +@@ -277,6 +279,7 @@ kernel_read_kernel_sysctls(passwd_t) + + # for SSP + dev_read_urand(passwd_t) ++dev_dontaudit_getattr_all(passwd_t) + + fs_getattr_xattr_fs(passwd_t) + fs_search_auto_mountpoints(passwd_t) +@@ -291,17 +294,18 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -3711,7 +3748,16 @@ index 441cf22..d3dd0b9 100644 domain_use_interactive_fds(passwd_t) -@@ -323,7 +326,7 @@ miscfiles_read_localization(passwd_t) +@@ -311,6 +315,8 @@ files_search_var(passwd_t) + files_dontaudit_search_pids(passwd_t) + files_relabel_etc_files(passwd_t) + ++term_search_ptys(passwd_t) ++ + # /usr/bin/passwd asks for w access to utmp, but it will operate + # correctly without it. Do not audit write denials to utmp. + init_dontaudit_rw_utmp(passwd_t) +@@ -323,7 +329,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) @@ -3720,7 +3766,7 @@ index 441cf22..d3dd0b9 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3728,7 +3774,7 @@ index 441cf22..d3dd0b9 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,8 +385,7 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,8 +388,7 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) 
@@ -3738,7 +3784,7 @@ index 441cf22..d3dd0b9 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) -@@ -426,7 +429,7 @@ optional_policy(` +@@ -426,7 +432,7 @@ optional_policy(` # Useradd local policy # @@ -3747,7 +3793,7 @@ index 441cf22..d3dd0b9 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,8 +451,12 @@ corecmd_exec_shell(useradd_t) +@@ -448,8 +454,12 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3760,7 +3806,7 @@ index 441cf22..d3dd0b9 100644 files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -460,6 +467,7 @@ fs_search_auto_mountpoints(useradd_t) +@@ -460,6 +470,7 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -3768,7 +3814,7 @@ index 441cf22..d3dd0b9 100644 # Allow access to context for shadow file selinux_get_fs_mount(useradd_t) -@@ -469,8 +477,7 @@ selinux_compute_create_context(useradd_t) +@@ -469,8 +480,7 @@ selinux_compute_create_context(useradd_t) selinux_compute_relabel_context(useradd_t) selinux_compute_user_contexts(useradd_t) 
@@ -3778,15 +3824,15 @@ index 441cf22..d3dd0b9 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,21 +505,11 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +508,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) @@ -3866,6 +3912,36 @@ index 48cf11b..9787bd4 100644 -/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) +/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0) +diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if +index 283ff0d..53f9ba1 100644 +--- a/policy/modules/apps/awstats.if ++++ b/policy/modules/apps/awstats.if +@@ -5,6 +5,25 @@ + + ######################################## + ## ++## Execute the awstats program in the awstats domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`awstats_domtrans',` ++ gen_require(` ++ type awstats_t, awstats_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, awstats_exec_t, awstats_t) ++') ++ ++######################################## ++## + ## Read and write awstats unnamed pipes. + ## + ## diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index 46ea44f..f7183ef 100644 --- a/policy/modules/apps/cdrecord.te @@ -4357,10 +4433,10 @@ index 0000000..6f3570a +/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) 
diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 -index 0000000..e455bba +index 0000000..fc9014f --- /dev/null +++ b/policy/modules/apps/execmem.if -@@ -0,0 +1,129 @@ +@@ -0,0 +1,133 @@ +## execmem domain + +######################################## @@ -4429,6 +4505,10 @@ index 0000000..e455bba + + files_execmod_tmp($1_execmem_t) + ++ optional_policy(` ++ execmem_execmod($1_execmem_t) ++ ') ++ + # needed by plasma-desktop + optional_policy(` + gnome_read_usr_config($1_execmem_t) @@ -4487,7 +4567,7 @@ index 0000000..e455bba + type execmem_exec_t; + ') + -+ allow $1 execmem_exec_t:chr_file execmod; ++ allow $1 execmem_exec_t:file execmod; +') + diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te @@ -4705,7 +4785,7 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..8136040 100644 +index f5afe78..19f3c30 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,731 @@ @@ -5365,11 +5445,10 @@ index f5afe78..8136040 100644 +## Search gkeyringd temporary directories. +## +## - ## --## Role allowed access ++## +## Domain allowed access. - ## - ## ++## ++## +# +interface(`gnome_search_gkeyringd_tmp_dirs',` + gen_require(` 
@@ -5384,22 +5463,18 @@ index f5afe78..8136040 100644 +## +## search gconf homedir (.local) +## - ## ++## ## --## User domain for the role +-## Role allowed access +## Domain allowed access. ## ## - # --interface(`gnome_role',` ++# +interface(`gnome_search_gconf',` - gen_require(` -- type gconfd_t, gconfd_exec_t; -- type gconf_tmp_t; ++ gen_require(` + type gconf_home_t; - ') - -- role $1 types gconfd_t; ++ ') ++ + allow $1 gconf_home_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) +') @@ -5408,17 +5483,23 @@ index f5afe78..8136040 100644 +## +## Set attributes of Gnome config dirs. +## -+## -+## + ## + ## +-## User domain for the role +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`gnome_role',` +interface(`gnome_setattr_config_dirs',` -+ gen_require(` + gen_require(` +- type gconfd_t, gconfd_exec_t; +- type gconf_tmp_t; + type gnome_home_t; -+ ') + ') +- role $1 types gconfd_t; +- - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; @@ -5507,7 +5588,7 @@ index f5afe78..8136040 100644 ## ## ## -@@ -84,37 +770,42 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +770,60 @@ template(`gnome_read_gconf_config',` ## ## # 
@@ -5529,66 +5610,84 @@ index f5afe78..8136040 100644 -## gconf connection template. +## Connect to gnome over an unix stream socket. ## --## +## - ## - ## Domain allowed access. - ## - ## -+## +## ++## Domain allowed access. ++## ++## + ## + ## +## The type of the user domain. +## +## ++# ++interface(`gnome_stream_connect',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ # Connect to pulseaudit server ++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ++') ++ ++######################################## ++## ++## list gnome homedir content (.config) ++## ++## ++## + ## Domain allowed access. + ## + ## # -interface(`gnome_stream_connect_gconf',` -+interface(`gnome_stream_connect',` ++interface(`gnome_list_home_config',` gen_require(` - type gconfd_t, gconf_tmp_t; -+ attribute gnome_home_type; ++ type config_home_t; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -+ # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ++ allow $1 config_home_t:dir list_dir_perms; ') ######################################## ## -## Run gconfd in gconfd domain. -+## list gnome homedir content (.config) ++## Set attributes of gnome homedir content (.config) ## ## ## -@@ -122,17 +813,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +831,18 @@ interface(`gnome_stream_connect_gconf',` ## ## # -interface(`gnome_domtrans_gconfd',` -+interface(`gnome_list_home_config',` ++interface(`gnome_setattr_home_config',` gen_require(` - type gconfd_t, gconfd_exec_t; + type config_home_t; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+ allow $1 config_home_t:dir list_dir_perms; ++ setattr_dirs_pattern($1, config_home_t, config_home_t) ++ userdom_search_user_home_dirs($1) ') ######################################## ## -## Set attributes of Gnome config dirs. 
-+## Set attributes of gnome homedir content (.config) ++## read gnome homedir content (.config) ## ## ## -@@ -140,51 +831,356 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +850,355 @@ interface(`gnome_domtrans_gconfd',` ## ## # -interface(`gnome_setattr_config_dirs',` -+interface(`gnome_setattr_home_config',` ++interface(`gnome_read_home_config',` gen_require(` - type gnome_home_t; + type config_home_t; @@ -5596,14 +5695,15 @@ index f5afe78..8136040 100644 - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -+ setattr_dirs_pattern($1, config_home_t, config_home_t) -+ userdom_search_user_home_dirs($1) ++ list_dirs_pattern($1, config_home_t, config_home_t) ++ read_files_pattern($1, config_home_t, config_home_t) ++ read_lnk_files_pattern($1, config_home_t, config_home_t) ') ######################################## ## -## Read gnome homedir content (.config) -+## read gnome homedir content (.config) ++## manage gnome homedir content (.config) ## -## +## @@ -5613,7 +5713,7 @@ index f5afe78..8136040 100644 ## # -template(`gnome_read_config',` -+interface(`gnome_read_home_config',` ++interface(`gnome_manage_home_config',` gen_require(` - type gnome_home_t; + type config_home_t; @@ -5622,9 +5722,7 @@ index f5afe78..8136040 100644 - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) -+ list_dirs_pattern($1, config_home_t, config_home_t) -+ read_files_pattern($1, config_home_t, config_home_t) -+ read_lnk_files_pattern($1, config_home_t, config_home_t) ++ manage_files_pattern($1, config_home_t, config_home_t) ') ######################################## 
@@ -5639,12 +5737,12 @@ index f5afe78..8136040 100644 ## # -interface(`gnome_manage_config',` -+interface(`gnome_manage_home_config',` ++interface(`gnome_manage_home_config_dirs',` + gen_require(` + type config_home_t; + ') + -+ manage_files_pattern($1, config_home_t, config_home_t) ++ manage_dirs_pattern($1, config_home_t, config_home_t) +') + +######################################## @@ -9982,17 +10080,61 @@ index c8254dd..340a2d7 100644 /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if -index a57e81e..57519a4 100644 +index a57e81e..f9fbc60 100644 --- a/policy/modules/apps/screen.if 
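Review bot: `gnome_manage_home_config` and the following `gnome_manage_home_config_dirs` grant `manage_files_pattern` / `manage_dirs_pattern` over every `config_home_t` object, i.e. all of the user's ~/.config, yet unlike the sibling `gnome_setattr_home_config` in this hunk they do not add `userdom_search_user_home_dirs($1)`, and neither does `gnome_read_home_config`. A caller relying on the interface alone will presumably lack search on the home directory itself; either add `userdom_search_user_home_dirs($1)` to the read and manage variants or state in each summary that callers must obtain it separately. The summaries are also lowercase fragments (`manage gnome homedir content (.config)`) where the rest of the file uses full sentences; `Manage all files in the user's gnome config directory (~/.config).` would match the surrounding style.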
+++ b/policy/modules/apps/screen.if -@@ -68,15 +68,16 @@ template(`screen_role_template',` - manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) - manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) - userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) -+ userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir) - read_files_pattern($1_screen_t, screen_home_t, screen_home_t) - read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) +@@ -25,6 +25,7 @@ template(`screen_role_template',` + gen_require(` + type screen_exec_t, screen_tmp_t; + type screen_home_t, screen_var_run_t; ++ attribute screen_domain; + ') + ######################################## +@@ -32,51 +33,18 @@ template(`screen_role_template',` + # Declarations + # + +- type $1_screen_t; ++ type $1_screen_t, screen_domain; + application_domain($1_screen_t, screen_exec_t) + domain_interactive_fd($1_screen_t) + ubac_constrained($1_screen_t) + role $2 types $1_screen_t; + +- ######################################## +- # +- # Local policy +- # +- +- allow $1_screen_t self:capability { setuid setgid fsetid }; +- allow $1_screen_t self:process signal_perms; +- allow $1_screen_t self:fifo_file rw_fifo_file_perms; +- allow $1_screen_t self:tcp_socket create_stream_socket_perms; +- allow $1_screen_t self:udp_socket create_socket_perms; +- # Internal screen networking +- allow $1_screen_t self:fd use; +- allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto }; +- allow $1_screen_t self:unix_dgram_socket create_socket_perms; +- +- manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) +- manage_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) +- manage_fifo_files_pattern($1_screen_t, screen_tmp_t, screen_tmp_t) +- files_tmp_filetrans($1_screen_t, screen_tmp_t, { file dir }) +- +- # Create fifo +- manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) +- manage_dirs_pattern($1_screen_t, screen_var_run_t, 
screen_var_run_t) +- manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t) +- files_pid_filetrans($1_screen_t, screen_var_run_t, dir) +- +- allow $1_screen_t screen_home_t:dir list_dir_perms; +- manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t) +- manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t) +- userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir) +- read_files_pattern($1_screen_t, screen_home_t, screen_home_t) +- read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t) +- - allow $1_screen_t $3:process signal; - domtrans_pattern($3, screen_exec_t, $1_screen_t) @@ -10004,7 +10146,7 @@ index a57e81e..57519a4 100644 manage_fifo_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_home_t, screen_home_t) -@@ -87,8 +88,6 @@ template(`screen_role_template',` +@@ -87,77 +55,22 @@ template(`screen_role_template',` relabel_lnk_files_pattern($3, screen_home_t, screen_home_t) manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t) 
@@ -10012,15 +10154,191 @@ index a57e81e..57519a4 100644 - manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t) manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t) - kernel_read_system_state($1_screen_t) -@@ -118,6 +117,7 @@ template(`screen_role_template',` - # for SSP - dev_read_urand($1_screen_t) +- kernel_read_system_state($1_screen_t) +- kernel_read_kernel_sysctls($1_screen_t) +- +- corecmd_list_bin($1_screen_t) +- corecmd_read_bin_files($1_screen_t) +- corecmd_read_bin_symlinks($1_screen_t) +- corecmd_read_bin_pipes($1_screen_t) +- corecmd_read_bin_sockets($1_screen_t) + # Revert to the user domain when a shell is executed. + corecmd_shell_domtrans($1_screen_t, $3) + corecmd_bin_domtrans($1_screen_t, $3) + +- corenet_all_recvfrom_unlabeled($1_screen_t) +- corenet_all_recvfrom_netlabel($1_screen_t) +- corenet_tcp_sendrecv_generic_if($1_screen_t) +- corenet_udp_sendrecv_generic_if($1_screen_t) +- corenet_tcp_sendrecv_generic_node($1_screen_t) +- corenet_udp_sendrecv_generic_node($1_screen_t) +- corenet_tcp_sendrecv_all_ports($1_screen_t) +- corenet_udp_sendrecv_all_ports($1_screen_t) +- corenet_tcp_connect_all_ports($1_screen_t) +- +- dev_dontaudit_getattr_all_chr_files($1_screen_t) +- dev_dontaudit_getattr_all_blk_files($1_screen_t) +- # for SSP +- dev_read_urand($1_screen_t) +- +- domain_use_interactive_fds($1_screen_t) +- +- files_search_tmp($1_screen_t) +- files_search_home($1_screen_t) +- files_list_home($1_screen_t) +- files_read_usr_files($1_screen_t) +- files_read_etc_files($1_screen_t) +- +- fs_search_auto_mountpoints($1_screen_t) +- fs_getattr_xattr_fs($1_screen_t) +- + auth_domtrans_chk_passwd($1_screen_t) + auth_use_nsswitch($1_screen_t) +- auth_dontaudit_read_shadow($1_screen_t) +- auth_dontaudit_exec_utempter($1_screen_t) +- +- # Write to utmp. 
+- init_rw_utmp($1_screen_t) +- +- logging_send_syslog_msg($1_screen_t) +- +- miscfiles_read_localization($1_screen_t) +- +- seutil_read_config($1_screen_t) + +- userdom_use_user_terminals($1_screen_t) +- userdom_create_user_pty($1_screen_t) + userdom_user_home_domtrans($1_screen_t, $3) +- userdom_setattr_user_ptys($1_screen_t) +- userdom_setattr_user_ttys($1_screen_t) + + tunable_policy(`use_samba_home_dirs',` + fs_cifs_domtrans($1_screen_t, $3) +- fs_read_cifs_symlinks($1_screen_t) +- fs_list_cifs($1_screen_t) + ') + + tunable_policy(`use_nfs_home_dirs',` + fs_nfs_domtrans($1_screen_t, $3) +- fs_list_nfs($1_screen_t) +- fs_read_nfs_symlinks($1_screen_t) + ') + ') +diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te +index 553bc73..b3b144c 100644 +--- a/policy/modules/apps/screen.te ++++ b/policy/modules/apps/screen.te +@@ -5,6 +5,8 @@ policy_module(screen, 2.3.1) + # Declarations + # -+ domain_sigchld_interactive_fds($1_screen_t) - domain_use_interactive_fds($1_screen_t) ++attribute screen_domain; ++ + type screen_exec_t; + application_executable_file(screen_exec_t) - files_search_tmp($1_screen_t) +@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t + typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t }; + files_pid_file(screen_var_run_t) + ubac_constrained(screen_var_run_t) ++ ++######################################## ++# ++# Local policy ++# ++ ++allow screen_domain self:capability { setuid setgid fsetid }; ++allow screen_domain self:process signal_perms; ++allow screen_domain self:fifo_file rw_fifo_file_perms; ++allow screen_domain self:tcp_socket create_stream_socket_perms; ++allow screen_domain self:udp_socket create_socket_perms; ++# Internal screen networking ++allow screen_domain self:fd use; ++allow screen_domain self:unix_stream_socket { create_socket_perms connectto }; ++allow screen_domain self:unix_dgram_socket create_socket_perms; 
++ ++manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t) ++manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) ++manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t) ++files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir }) ++ ++# Create fifo ++manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) ++manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t) ++manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t) ++files_pid_filetrans(screen_domain, screen_var_run_t, dir) ++ ++allow screen_domain screen_home_t:dir list_dir_perms; ++manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t) ++manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t) ++userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir) ++userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir) ++read_files_pattern(screen_domain, screen_home_t, screen_home_t) ++read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t) ++ ++kernel_read_system_state(screen_domain) ++kernel_read_kernel_sysctls(screen_domain) ++ ++corecmd_list_bin(screen_domain) ++corecmd_read_bin_files(screen_domain) ++corecmd_read_bin_symlinks(screen_domain) ++corecmd_read_bin_pipes(screen_domain) ++corecmd_read_bin_sockets(screen_domain) ++ ++corenet_all_recvfrom_unlabeled(screen_domain) ++corenet_all_recvfrom_netlabel(screen_domain) ++corenet_tcp_sendrecv_generic_if(screen_domain) ++corenet_udp_sendrecv_generic_if(screen_domain) ++corenet_tcp_sendrecv_generic_node(screen_domain) ++corenet_udp_sendrecv_generic_node(screen_domain) ++corenet_tcp_sendrecv_all_ports(screen_domain) ++corenet_udp_sendrecv_all_ports(screen_domain) ++corenet_tcp_connect_all_ports(screen_domain) ++ ++dev_dontaudit_getattr_all_chr_files(screen_domain) ++dev_dontaudit_getattr_all_blk_files(screen_domain) ++# for SSP ++dev_read_urand(screen_domain) ++ ++domain_sigchld_interactive_fds(screen_domain) 
++domain_use_interactive_fds(screen_domain) ++domain_read_all_domains_state(screen_domain) ++ ++files_search_tmp(screen_domain) ++files_search_home(screen_domain) ++files_list_home(screen_domain) ++files_read_usr_files(screen_domain) ++files_read_etc_files(screen_domain) ++ ++fs_search_auto_mountpoints(screen_domain) ++fs_getattr_xattr_fs(screen_domain) ++ ++auth_dontaudit_read_shadow(screen_domain) ++auth_dontaudit_exec_utempter(screen_domain) ++ ++# Write to utmp. ++init_rw_utmp(screen_domain) ++ ++logging_send_syslog_msg(screen_domain) ++ ++miscfiles_read_localization(screen_domain) ++ ++seutil_read_config(screen_domain) ++ ++userdom_use_user_terminals(screen_domain) ++userdom_create_user_pty(screen_domain) ++userdom_setattr_user_ptys(screen_domain) ++userdom_setattr_user_ttys(screen_domain) ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_symlinks(screen_domain) ++ fs_list_cifs(screen_domain) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_list_nfs(screen_domain) ++ fs_read_nfs_symlinks(screen_domain) ++') diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..a01511f 100644 --- a/policy/modules/apps/seunshare.if @@ -10314,7 +10632,7 @@ index 3cfb128..609921d 100644 + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..7c8de51 100644 +index 2533ea0..11187e0 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te @@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble @@ -10361,7 +10679,7 @@ index 2533ea0..7c8de51 100644 +optional_policy(` +# ~/.config/dconf/user -+ gnome_read_home_config(telepathy_logger_t) ++ gnome_manage_home_config(telepathy_logger_t) +') + ####################################### @@ -12389,7 +12707,7 @@ index 4f3b542..5a41e58 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) 
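Review bot: The rules moved from `screen_role_template` onto the `screen_domain` attribute in screen.te copy the removed template body faithfully except for `domain_read_all_domains_state(screen_domain)`, which did not exist on the old side and is not explained anywhere in the hunk. It lets every `$1_screen_t` read the /proc state of all domains on the system, a broader grant than anything else in the block, and because it is attached to the attribute it applies to every screen/tmux role at once. I would either drop it or document the concrete need above it, e.g. `# <program> reads /proc/<pid>/... of other domains for <reason> — confirm` with the real reason filled in. The remaining additions (`domain_sigchld_interactive_fds`, `userdom_admin_home_dir_filetrans`) mirror lines the earlier revision already added to screen.if, so they are a straight relocation.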
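Review bot: `gnome_manage_home_config(telepathy_logger_t)` replaces the read-only grant with manage permission on every `config_home_t` file, but the comment above it still reads `# ~/.config/dconf/user`, which describes a single file. If only that file needs writing, the comment should say so and name the operation, otherwise a reader will take the logger to be an intended writer of arbitrary ~/.config content; I would change it to `# writes ~/.config/dconf/user; gnome_manage_home_config covers all of ~/.config until a narrower dconf type exists` or use a narrower type if this policy already has one. The `optional_policy` block this sits in is complete within the hunk.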
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..9a30b71 100644 +index 99b71cb..5287f7a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,14 @@ attribute netif_type; @@ -12506,13 +12824,11 @@ index 99b71cb..9a30b71 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -114,12 +148,13 @@ network_port(hadoop_namenode, tcp,8020,s0) - network_port(hddtemp, tcp,7634,s0) +@@ -115,11 +149,12 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) --network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port + network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy -+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,18001,s0) #8443 is mod_nss default port #18001 is used for jboss +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) 
@@ -12530,7 +12846,7 @@ index 99b71cb..9a30b71 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) @@ -12551,7 +12867,11 @@ index 99b71cb..9a30b71 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -155,13 +195,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +@@ -152,16 +192,25 @@ network_port(mysqlmanagerd, tcp,2273,s0) + network_port(nessus, tcp,1241,s0) + network_port(netport, tcp,3129,s0, udp,3129,s0) + network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) ++network_port(nfs, tcp,2049,s0, udp,2049,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) @@ -12574,7 +12894,7 @@ index 99b71cb..9a30b71 100644 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -179,30 +227,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,30 +228,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) 
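Review bot: The new `jboss_management` entry ends with `tcp, 18001, s0`, spaced differently from the `tcp,9123,s0` tuples on the same line and from every other `network_port` line in the hunk; `tcp,18001,s0` keeps the line uniform and avoids a false impression that the spacing is meaningful to the macro. Since 18001 was previously listed under `http` with a trailing `#18001 is used for jboss` note that the revised hunk removes, a short comment on the `jboss_management` line, e.g. `# 18001 is the jboss management port`, preserves that information where it now lives.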
@@ -12614,7 +12934,7 @@ index 99b71cb..9a30b71 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -215,7 +268,7 @@ network_port(uucpd, tcp,540,s0) +@@ -215,7 +269,7 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -12623,7 +12943,7 @@ index 99b71cb..9a30b71 100644 network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -@@ -229,6 +282,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +283,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -12631,7 +12951,7 @@ index 99b71cb..9a30b71 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +292,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +293,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -12640,7 +12960,7 @@ index 99b71cb..9a30b71 100644 ######################################## # -@@ -282,9 +338,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +339,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; 
@@ -18164,10 +18484,15 @@ index 1700ef2..6b7eabb 100644 + dev_filetrans($1, removable_device_t, chr_file, "rio500") +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 7d45d15..6727eb7 100644 +index 7d45d15..6d27fb3 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc -@@ -19,6 +19,7 @@ +@@ -14,11 +14,11 @@ + /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) + /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) +-/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) + /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) @@ -18175,7 +18500,7 @@ index 7d45d15..6727eb7 100644 /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',` +@@ -41,3 +41,5 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') @@ -18950,7 +19275,7 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..afb3532 100644 +index 2be17d2..a1156ed 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0) @@ -19007,7 +19332,7 @@ index 2be17d2..afb3532 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,19 +68,103 @@ optional_policy(` +@@ -27,19 +68,107 @@ optional_policy(` ') optional_policy(` @@ -19077,6 +19402,10 @@ index 2be17d2..afb3532 100644 +') + +optional_policy(` ++ mta_role(staff_r, staff_t) ++') ++ ++optional_policy(` + mysql_exec(staff_t) +') + 
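Review bot: Removing the `/dev/pts/ptmx` file context means that node is no longer labeled ptmx_t by this file and will carry whatever label the devpts filesystem provides, so a domain that only has ptmx_t permissions (term_use_ptmx callers) could be denied pty allocation on systems that use the per-instance /dev/pts/ptmx node; nothing in this hunk shows where the label now comes from. If a devpts genfscon entry for `/ptmx` or an equivalent rule elsewhere in the policy supplies ptmx_t, this is fine but should be recorded next to the /dev/ptmx line, e.g. `# /dev/pts/ptmx gets ptmx_t from the devpts genfscon, not from this file`; if no such rule exists the removed line should stay.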
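Review bot: Moving `mta_role(staff_r, staff_t)` out of the `ifndef(`distro_redhat',` block (the removal in the `@@ -121,10 +280,6 @@` hunk further down this line) and into the unconditional section is a behaviour change on Red Hat builds, where staff_t previously received no mail user-agent transition, not just a reordering. Because this same patch adds `exim_run` and `mailman_run` calls inside `mta_role` in mta.if, staff_r is now also authorised for the exim_t and mailman_mail_t daemon domains. A one-line rationale above the call, e.g. `# unconditional: staff needs the sendmail/exim/mailman wrapper transitions on every distro`, would make the widening visibly deliberate. The optional_policy block is complete within the hunk.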
@@ -19113,7 +19442,7 @@ index 2be17d2..afb3532 100644 ') optional_policy(` -@@ -48,10 +173,48 @@ optional_policy(` +@@ -48,10 +177,48 @@ optional_policy(` ') optional_policy(` @@ -19162,7 +19491,7 @@ index 2be17d2..afb3532 100644 xserver_role(staff_r, staff_t) ') -@@ -89,18 +252,10 @@ ifndef(`distro_redhat',` +@@ -89,18 +256,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19181,6 +19510,17 @@ index 2be17d2..afb3532 100644 java_role(staff_r, staff_t) ') +@@ -121,10 +280,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(staff_r, staff_t) +- ') +- +- optional_policy(` + pyzor_role(staff_r, staff_t) + ') + @@ -137,10 +292,6 @@ ifndef(`distro_redhat',` ') @@ -20851,10 +21191,10 @@ index 0000000..1105ff5 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..42c1458 100644 +index e5bfdd4..77f4b39 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,82 @@ role user_r; +@@ -12,15 +12,86 @@ role user_r; userdom_unpriv_user_template(user) @@ -20901,6 +21241,10 @@ index e5bfdd4..42c1458 100644 +') + +optional_policy(` ++ mta_role(user_r, user_t) ++') ++ ++optional_policy(` + netutils_run_ping_cond(user_t, user_r) + netutils_run_traceroute_cond(user_t, user_r) +') @@ -20937,7 +21281,7 @@ index e5bfdd4..42c1458 100644 vlock_run(user_t, user_r) ') -@@ -62,19 +129,11 @@ ifndef(`distro_redhat',` +@@ -62,19 +133,11 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20958,6 +21302,17 @@ index e5bfdd4..42c1458 100644 ') optional_policy(` +@@ -98,10 +161,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- mta_role(user_r, user_t) +- ') +- +- optional_policy(` + postgresql_role(user_r, user_t) + ') + @@ -118,11 +177,7 @@ ifndef(`distro_redhat',` ') @@ -21416,7 +21771,7 @@ index 0b827c5..bfb68b2 100644 + dontaudit $1 abrt_t:sock_file write; +') 
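Review bot: Making `mta_role(user_r, user_t)` unconditional (it is removed from the `ifndef(`distro_redhat',` block in the `@@ -98,10 +161,6 @@` hunk on this line) gives the unprivileged user domain the sendmail transition on Red Hat builds where it was previously withheld, and since this patch's mta.if change adds `exim_run($2, $1)` and `mailman_run(mta_user_agent, $1)` inside `mta_role`, user_r is also authorised for exim_t and mailman_mail_t. Those are system daemon domains with spool, network and log access rather than user-derived ones, so the grant deserves an explicit rationale comment such as `# unconditional: user_t needs the MTA wrapper transitions on all distros (see mta_role)` and a check that giving user_r the exim_t type is intended rather than a side effect of fixing the role transition.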
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..ee2d7f1 100644 +index 30861ec..bd5ff95 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -21513,15 +21868,17 @@ index 30861ec..ee2d7f1 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +119,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) + # abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) ++manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) +can_exec(abrt_t, abrt_tmp_t) # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -21533,7 +21890,7 @@ index 30861ec..ee2d7f1 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -21541,7 +21898,7 @@ index 30861ec..ee2d7f1 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
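Review bot: `manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)` only covers symlinks already labeled abrt_tmp_t, and the filetrans right below it, `files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })`, does not list lnk_file, so a symlink abrt_t creates directly under /tmp inherits the directory's tmp_t label and this new rule never applies to it. If symlinks are only ever created inside an abrt_tmp_t subdirectory that is fine and a comment saying so would settle it; otherwise the filetrans should become `files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir lnk_file })`. Given the same block already carries `can_exec(abrt_t, abrt_tmp_t)`, keeping the daemon's symlink handling confined to its own tmp label is also what limits /tmp symlink races.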
@@ -21551,7 +21908,7 @@ index 30861ec..ee2d7f1 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -21560,7 +21917,7 @@ index 30861ec..ee2d7f1 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +185,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -21587,7 +21944,7 @@ index 30861ec..ee2d7f1 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +212,11 @@ optional_policy(` +@@ -150,6 +213,11 @@ optional_policy(` ') optional_policy(` @@ -21599,7 +21956,7 @@ index 30861ec..ee2d7f1 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +234,7 @@ optional_policy(` +@@ -167,6 +235,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -21607,7 +21964,7 @@ index 30861ec..ee2d7f1 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +246,35 @@ optional_policy(` +@@ -178,12 +247,35 @@ optional_policy(` ') optional_policy(` @@ -21644,7 +22001,7 @@ index 30861ec..ee2d7f1 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +291,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) 
@@ -21673,7 +22030,7 @@ index 30861ec..ee2d7f1 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +314,126 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +315,126 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -22248,7 +22605,7 @@ index deca9d3..ae8c579 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..d7a8d41 100644 +index 9e39aa5..83dbd34 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,13 +1,18 @@ @@ -22330,7 +22687,7 @@ index 9e39aa5..d7a8d41 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,8 +85,10 @@ ifdef(`distro_suse', ` +@@ -73,20 +85,25 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -22342,7 +22699,11 @@ index 9e39aa5..d7a8d41 100644 /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -84,9 +98,10 @@ ifdef(`distro_suse', ` + /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) ++/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + + /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) @@ -22354,7 +22715,7 @@ index 9e39aa5..d7a8d41 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -105,7 +120,27 @@ ifdef(`distro_debian', ` +@@ -105,7 +122,27 @@ ifdef(`distro_debian', ` /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -22383,7 +22744,7 @@ index 9e39aa5..d7a8d41 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index 6480167..6a02978 100644 +index 6480167..b963935 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if @@ -13,17 +13,13 @@ 
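Review bot: `/var/lib/svn(/.*)?` labeled httpd_sys_rw_content_t makes the entire Subversion repository tree writable by httpd_t, not only the parts a DAV front end has to write, so a compromised web server can rewrite repository history, and any non-web consumer of the same repositories (an svnserve or local client domain) now needs access to that type. The trac line directly below goes the other way with read-only httpd_sys_content_t; if trac's writable state is expected to live under a separately labeled path, say so. Suggest comments on both lines, e.g. `# whole svn repo is rw for mod_dav_svn; non-httpd svn domains need httpd_sys_rw_content_t access` and `# trac environments read-only here; writable state must be labeled elsewhere`, or narrowing the svn pattern to the directories that must be writable.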
@@ -22715,7 +23076,7 @@ index 6480167..6a02978 100644 ') ######################################## -@@ -802,6 +880,24 @@ interface(`apache_domtrans_rotatelogs',` +@@ -802,6 +880,43 @@ interface(`apache_domtrans_rotatelogs',` domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ') @@ -22737,10 +23098,29 @@ index 6480167..6a02978 100644 + can_exec($1, httpd_rotatelogs_exec_t) +') + ++####################################### ++## ++## Execute httpd system scripts in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`apache_exec_sys_script',` ++ gen_require(` ++ type httpd_sys_script_exec_t; ++ ') ++ ++ allow $1 httpd_sys_script_exec_t:dir search_dir_perms; ++ can_exec($1, httpd_sys_script_exec_t) ++') ++ ######################################## ## ## Allow the specified domain to list -@@ -819,6 +915,7 @@ interface(`apache_list_sys_content',` +@@ -819,6 +934,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -22748,7 +23128,7 @@ index 6480167..6a02978 100644 files_search_var($1) ') -@@ -846,6 +943,74 @@ interface(`apache_manage_sys_content',` +@@ -846,6 +962,74 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -22823,7 +23203,7 @@ index 6480167..6a02978 100644 ######################################## ## ## Execute all web scripts in the system -@@ -862,7 +1027,12 @@ interface(`apache_manage_sys_content',` +@@ -862,7 +1046,12 @@ interface(`apache_manage_sys_content',` interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; @@ -22837,7 +23217,7 @@ index 6480167..6a02978 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -921,9 +1091,10 @@ interface(`apache_domtrans_all_scripts',` +@@ -921,9 +1110,10 @@ interface(`apache_domtrans_all_scripts',` ## ## ## 
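Review bot: The parameter description of the new `apache_exec_sys_script` interface says `Domain allowed to transition.`, which is the wording of the domtrans interfaces and is wrong here because `can_exec($1, httpd_sys_script_exec_t)` runs the script in the caller's own domain; change it to `Domain allowed access.`. Since there is no transition, a caller executes web CGI code with its own privileges rather than httpd_sys_script_t's, and the summary should say so, e.g. `## Execute httpd system scripts in the caller domain (no transition; the script runs with the caller's privileges).` The interface is complete within the hunk.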
@@ -22849,7 +23229,7 @@ index 6480167..6a02978 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -950,7 +1121,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -950,7 +1140,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -22858,7 +23238,7 @@ index 6480167..6a02978 100644 ') ######################################## -@@ -1091,6 +1262,25 @@ interface(`apache_read_tmp_files',` +@@ -1091,6 +1281,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -22884,7 +23264,7 @@ index 6480167..6a02978 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1107,7 +1297,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1107,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -22893,7 +23273,7 @@ index 6480167..6a02978 100644 ') ######################################## -@@ -1150,12 +1340,6 @@ interface(`apache_cgi_domain',` +@@ -1150,12 +1359,6 @@ interface(`apache_cgi_domain',` ## ## All of the rules required to administrate an apache environment ## @@ -22906,7 +23286,7 @@ index 6480167..6a02978 100644 ## ## ## Domain allowed access. -@@ -1170,17 +1354,15 @@ interface(`apache_cgi_domain',` +@@ -1170,17 +1373,15 @@ interface(`apache_cgi_domain',` # interface(`apache_admin',` gen_require(` @@ -22929,7 +23309,7 @@ index 6480167..6a02978 100644 ps_process_pattern($1, httpd_t) init_labeled_script_domtrans($1, httpd_initrc_exec_t) -@@ -1191,10 +1373,10 @@ interface(`apache_admin',` +@@ -1191,10 +1392,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -22942,7 +23322,7 @@ index 6480167..6a02978 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1205,14 +1387,69 @@ interface(`apache_admin',` +@@ -1205,14 +1406,69 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) 
@@ -24293,7 +24673,7 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..7cc09e8 100644 +index b3b0176..987245c 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -19,10 +19,11 @@ type asterisk_log_t; @@ -24333,16 +24713,17 @@ index b3b0176..7cc09e8 100644 kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t) +@@ -108,6 +110,9 @@ corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) +corenet_tcp_connect_festival_port(asterisk_t) ++corenet_tcp_connect_jabber_client_port(asterisk_t) +corenet_tcp_connect_pktcable_port(asterisk_t) corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) -@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t) +@@ -116,6 +121,7 @@ dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) dev_read_sound(asterisk_t) dev_write_sound(asterisk_t) @@ -24350,7 +24731,7 @@ index b3b0176..7cc09e8 100644 dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) -@@ -125,6 +130,7 @@ files_search_spool(asterisk_t) +@@ -125,6 +131,7 @@ files_search_spool(asterisk_t) # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm # are labeled usr_t files_read_usr_files(asterisk_t) @@ -24358,7 +24739,7 @@ index b3b0176..7cc09e8 100644 fs_getattr_all_fs(asterisk_t) fs_list_inotifyfs(asterisk_t) -@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) +@@ -141,6 +148,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` 
@@ -30227,7 +30608,7 @@ index 25546bc..4def4f7 100644 /var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te -index a01be9d..f82c32f 100644 +index a01be9d..01f2f23 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -30239,7 +30620,15 @@ index a01be9d..f82c32f 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -119,6 +119,10 @@ optional_policy(` +@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t) + corenet_tcp_bind_generic_node(cyrus_t) + corenet_tcp_bind_mail_port(cyrus_t) + corenet_tcp_bind_lmtp_port(cyrus_t) ++corenet_tcp_bind_innd_port(cyrus_t) + corenet_tcp_bind_pop_port(cyrus_t) + corenet_tcp_bind_sieve_port(cyrus_t) + corenet_tcp_connect_all_ports(cyrus_t) +@@ -119,6 +120,10 @@ optional_policy(` ') optional_policy(` @@ -30250,7 +30639,7 @@ index a01be9d..f82c32f 100644 kerberos_keytab_template(cyrus, cyrus_t) ') -@@ -135,6 +139,7 @@ optional_policy(` +@@ -135,6 +140,7 @@ optional_policy(` ') optional_policy(` @@ -30592,7 +30981,7 @@ index 1a1becd..d4357ec 100644 ') + diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 1bff6ee..c6db074 100644 +index 1bff6ee..fbfc5db 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -10,6 +10,7 @@ gen_require(` @@ -30674,7 +31063,7 @@ index 1bff6ee..c6db074 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -151,12 +171,156 @@ optional_policy(` +@@ -151,12 +171,166 @@ optional_policy(` ') optional_policy(` 
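Review bot: `corenet_tcp_bind_innd_port(cyrus_t)` reads as a mislabeled mail rule to anyone who does not know the innd port type is the news-server port, and the hunk gives no reason for it; presumably this is for Cyrus's NNTP service, in which case a comment such as `# cyrus nntpd listens on the NNTP (innd) port` would stop it being removed as an error. The rule also lets every cyrus_t process bind that port, since the interface has no finer granularity, so if only the NNTP service is meant to listen there the comment should say that too.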
@@ -30695,7 +31084,7 @@ index 1bff6ee..c6db074 100644 # -# Unconfined access to this module +# system_bus_type rules - # ++# +role system_r types system_bus_type; + +fs_search_all(system_bus_type) @@ -30707,7 +31096,7 @@ index 1bff6ee..c6db074 100644 +init_dgram_send(system_bus_type) +init_use_fds(system_bus_type) +init_rw_stream_sockets(system_bus_type) - ++ +ps_process_pattern(system_dbusd_t, system_bus_type) + +userdom_dontaudit_search_admin_dir(system_bus_type) @@ -30732,7 +31121,7 @@ index 1bff6ee..c6db074 100644 +######################################## +# +# session_bus_type rules -+# + # +dontaudit session_bus_type self:capability sys_resource; +allow session_bus_type self:process { getattr sigkill signal }; +dontaudit session_bus_type self:process { ptrace setrlimit }; @@ -30808,6 +31197,16 @@ index 1bff6ee..c6db074 100644 +userdom_manage_user_home_content_files(session_bus_type) +userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file }) + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(session_bus_type) ++ fs_manage_nfs_files(session_bus_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(session_bus_type) ++ fs_manage_cifs_files(session_bus_type) ++') + +optional_policy(` + gnome_read_gconf_home_files(session_bus_type) +') @@ -33534,7 +33933,7 @@ index 298f066..b54de69 100644 /var/run/exim[0-9]?\.pid -- gen_context(system_u:object_r:exim_var_run_t,s0) /var/spool/exim[0-9]?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0) diff --git a/policy/modules/services/exim.if b/policy/modules/services/exim.if -index 6bef7f8..464669c 100644 +index 6bef7f8..885cd43 100644 --- a/policy/modules/services/exim.if +++ b/policy/modules/services/exim.if @@ -5,9 +5,9 @@ 
@@ -33549,10 +33948,35 @@ index 6bef7f8..464669c 100644 ## # interface(`exim_domtrans',` -@@ -20,6 +20,24 @@ interface(`exim_domtrans',` +@@ -20,6 +20,49 @@ interface(`exim_domtrans',` ######################################## ## ++## Execute the mailman program in the mailman domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the mailman domain. ++## ++## ++## ++# ++interface(`exim_run',` ++ gen_require(` ++ type exim_t; ++ ') ++ ++ exim_domtrans($1) ++ role $2 types exim_t; ++') ++ ++######################################## ++## +## Execute exim in the exim domain. +## +## @@ -33574,7 +33998,7 @@ index 6bef7f8..464669c 100644 ## Do not audit attempts to read, ## exim tmp files ## -@@ -101,9 +119,9 @@ interface(`exim_read_log',` +@@ -101,9 +144,9 @@ interface(`exim_read_log',` ## exim log files. ## ## @@ -33586,7 +34010,7 @@ index 6bef7f8..464669c 100644 ## # interface(`exim_append_log',` -@@ -194,3 +212,46 @@ interface(`exim_manage_spool_files',` +@@ -194,3 +237,46 @@ interface(`exim_manage_spool_files',` manage_files_pattern($1, exim_spool_t, exim_spool_t) files_search_spool($1) ') @@ -34674,10 +35098,10 @@ index 99a94de..6dbc203 100644 files_search_etc(gatekeeper_t) diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc -index 54f0737..2b552c5 100644 +index 54f0737..44a9663 100644 --- a/policy/modules/services/git.fc +++ b/policy/modules/services/git.fc -@@ -1,3 +1,13 @@ +@@ -1,3 +1,17 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0) 
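Review bot: The XML summary of the new `exim_run` interface reads `Execute the mailman program in the mailman domain.` and its role parameter says `The role to allow the mailman domain.`, text copied from mailman.if that describes the wrong interface and will be published in the generated interface docs; change them to `Execute exim in the exim domain.` and `The role to allow the exim domain.`. It is also worth stating in the description that this hands the role the full exim_t system MTA domain (not a user-derived domain), since the caller this patch adds, `mta_role` in mta.if, passes unprivileged user roles.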
@@ -34688,10 +35112,14 @@ index 54f0737..2b552c5 100644 + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) ++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) ++ +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) ++ /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if index 458aac6..8e83609 100644 --- a/policy/modules/services/git.if @@ -38926,7 +39354,7 @@ index 14ad189..2b8efd8 100644 /var/spool/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0) ') diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if -index 67c7fdd..84b7626 100644 +index 67c7fdd..d7338be 100644 --- a/policy/modules/services/mailman.if +++ b/policy/modules/services/mailman.if @@ -16,7 +16,7 @@ 
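Review bot: The two `gitweb\.cgi` entries lack the `--` file-type specifier that the `/var/www/cgi-bin/cgit --` line just above them uses, so httpd_git_script_exec_t would also be applied to a directory or symlink of that name; for consistency and to keep the exec label on regular files only, write them as `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)` and likewise for the gitweb-caching path. The escaped dot is the right fix over the old unescaped `gitweb.cgi`.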
@@ -38947,6 +39375,38 @@ index 67c7fdd..84b7626 100644 files_list_var(mailman_$1_t) files_list_var_lib(mailman_$1_t) files_read_var_lib_symlinks(mailman_$1_t) +@@ -108,6 +108,31 @@ interface(`mailman_domtrans',` + domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t) + ') + ++######################################## ++## ++## Execute the mailman program in the mailman domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## The role to allow the mailman domain. ++## ++## ++## ++# ++interface(`mailman_run',` ++ gen_require(` ++ type mailman_mail_t; ++ ') ++ ++ mailman_domtrans($1) ++ role $2 types mailman_mail_t; ++') ++ + ####################################### + ## + ## Execute mailman CGI scripts in the diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index af4d572..cea085e 100644 --- a/policy/modules/services/mailman.te @@ -40632,7 +41092,7 @@ index 256166a..6321a93 100644 +/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..f8c4fb6 100644 +index 343cee3..f6c92f9 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -37,9 +37,9 @@ interface(`mta_stub',` @@ -40662,7 +41122,7 @@ index 343cee3..f8c4fb6 100644 # interface(`mta_role',` gen_require(` -@@ -169,7 +171,7 @@ interface(`mta_role',` +@@ -169,11 +171,19 @@ interface(`mta_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, sendmail_exec_t, user_mail_t) 
@@ -40671,7 +41131,19 @@ index 343cee3..f8c4fb6 100644 allow mta_user_agent $2:fd use; allow mta_user_agent $2:process sigchld; -@@ -220,6 +222,25 @@ interface(`mta_agent_executable',` + allow mta_user_agent $2:fifo_file { read write }; ++ ++ optional_policy(` ++ exim_run($2, $1) ++ ') ++ ++ optional_policy(` ++ mailman_run(mta_user_agent, $1) ++ ') + ') + + ######################################## +@@ -220,6 +230,25 @@ interface(`mta_agent_executable',` application_executable_file($1) ') @@ -40697,7 +41169,7 @@ index 343cee3..f8c4fb6 100644 ######################################## ## ## Make the specified type by a system MTA. -@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',` +@@ -306,7 +335,6 @@ interface(`mta_mailserver_sender',` interface(`mta_mailserver_delivery',` gen_require(` attribute mailserver_delivery; @@ -40705,7 +41177,7 @@ index 343cee3..f8c4fb6 100644 ') typeattribute $1 mailserver_delivery; -@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',` +@@ -330,12 +358,6 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -40718,7 +41190,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',` +@@ -350,9 +372,8 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` @@ -40729,7 +41201,7 @@ index 343cee3..f8c4fb6 100644 ') allow $1 mta_exec_type:lnk_file read_lnk_file_perms; -@@ -391,12 +404,17 @@ interface(`mta_send_mail',` +@@ -391,12 +412,17 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -40749,7 +41221,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -409,7 +427,6 @@ interface(`mta_sendmail_domtrans',` +@@ -409,7 +435,6 @@ interface(`mta_sendmail_domtrans',` ## ## # 
@@ -40757,7 +41229,7 @@ index 343cee3..f8c4fb6 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -420,6 +437,24 @@ interface(`mta_signal_system_mail',` +@@ -420,6 +445,24 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -40782,7 +41254,7 @@ index 343cee3..f8c4fb6 100644 ## Execute sendmail in the caller domain. ## ## -@@ -438,6 +473,26 @@ interface(`mta_sendmail_exec',` +@@ -438,6 +481,26 @@ interface(`mta_sendmail_exec',` ######################################## ## @@ -40809,7 +41281,7 @@ index 343cee3..f8c4fb6 100644 ## Read mail server configuration. ## ## -@@ -474,7 +529,8 @@ interface(`mta_write_config',` +@@ -474,7 +537,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -40819,7 +41291,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -494,6 +550,7 @@ interface(`mta_read_aliases',` +@@ -494,6 +558,7 @@ interface(`mta_read_aliases',` files_search_etc($1) allow $1 etc_aliases_t:file read_file_perms; @@ -40827,7 +41299,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -532,7 +589,7 @@ interface(`mta_etc_filetrans_aliases',` +@@ -532,7 +597,7 @@ interface(`mta_etc_filetrans_aliases',` type etc_aliases_t; ') @@ -40836,7 +41308,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -552,7 +609,7 @@ interface(`mta_rw_aliases',` +@@ -552,7 +617,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -40845,7 +41317,7 @@ index 343cee3..f8c4fb6 100644 ') ####################################### -@@ -646,8 +703,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -646,8 +711,8 @@ interface(`mta_dontaudit_getattr_spool_files',` files_dontaudit_search_spool($1) dontaudit $1 mail_spool_t:dir search_dir_perms; 
@@ -40856,7 +41328,7 @@ index 343cee3..f8c4fb6 100644 ') ####################################### -@@ -697,8 +754,8 @@ interface(`mta_rw_spool',` +@@ -697,8 +762,8 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -40867,7 +41339,7 @@ index 343cee3..f8c4fb6 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -838,7 +895,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -838,7 +903,7 @@ interface(`mta_dontaudit_rw_queue',` ') dontaudit $1 mqueue_spool_t:dir search_dir_perms; @@ -40876,7 +41348,7 @@ index 343cee3..f8c4fb6 100644 ') ######################################## -@@ -899,3 +956,112 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +964,112 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -42732,7 +43204,7 @@ index abe3f7f..2de87de 100644 + nis_systemctl($1) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..5f29ad9 100644 +index 4876cae..dccdc78 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t) @@ -42783,7 +43255,18 @@ index 4876cae..5f29ad9 100644 allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -@@ -224,8 +231,8 @@ optional_policy(` +@@ -211,6 +218,10 @@ optional_policy(` + ') + + optional_policy(` ++ mta_send_mail(yppasswdd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(yppasswdd_t) + ') + +@@ -224,8 +235,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; @@ -46813,7 +47296,7 @@ index b64b02f..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) +') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te -index 29b9295..e1ae545 100644 +index 29b9295..6451f82 100644 
--- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -10,6 +10,9 @@ type procmail_exec_t; @@ -46835,12 +47318,14 @@ index 29b9295..e1ae545 100644 create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -75,10 +78,18 @@ files_search_pids(procmail_t) +@@ -75,10 +78,20 @@ files_search_pids(procmail_t) # for spamassasin files_read_usr_files(procmail_t) +application_exec_all(procmail_t) + ++init_read_utmp(procmail_t) ++ logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) @@ -46854,7 +47339,7 @@ index 29b9295..e1ae545 100644 # only works until we define a different type for maildir userdom_manage_user_home_content_dirs(procmail_t) userdom_manage_user_home_content_files(procmail_t) -@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t) +@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t) userdom_manage_user_home_content_sockets(procmail_t) userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file }) @@ -46865,7 +47350,7 @@ index 29b9295..e1ae545 100644 mta_manage_spool(procmail_t) mta_read_queue(procmail_t) -@@ -125,6 +136,11 @@ optional_policy(` +@@ -125,6 +138,11 @@ optional_policy(` postfix_read_spool_files(procmail_t) postfix_read_local_state(procmail_t) postfix_read_master_state(procmail_t) @@ -50680,7 +51165,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..fb0f852 100644 +index b1468ed..4bd5e3c 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) 
@@ -50758,7 +51243,7 @@ index b1468ed..fb0f852 100644 ######################################## # # NFSD local policy -@@ -120,6 +133,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +@@ -120,9 +133,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) @@ -50768,7 +51253,12 @@ index b1468ed..fb0f852 100644 corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -148,6 +164,8 @@ storage_raw_read_removable_device(nfsd_t) ++corenet_tcp_bind_nfs_port(nfsd_t) ++corenet_udp_bind_nfs_port(nfsd_t) + + dev_dontaudit_getattr_all_blk_files(nfsd_t) + dev_dontaudit_getattr_all_chr_files(nfsd_t) +@@ -148,6 +166,8 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -50777,7 +51267,7 @@ index b1468ed..fb0f852 100644 # Write access to public_content_t and public_content_rw_t tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) -@@ -158,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -158,7 +178,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -50785,7 +51275,7 @@ index b1468ed..fb0f852 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -170,8 +187,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -170,8 +189,7 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) @@ -50795,7 +51285,7 @@ index b1468ed..fb0f852 100644 ') ######################################## -@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; 
@@ -50804,7 +51294,7 @@ index b1468ed..fb0f852 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -199,6 +215,7 @@ corecmd_exec_bin(gssd_t) +@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -50812,7 +51302,7 @@ index b1468ed..fb0f852 100644 fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) -@@ -210,14 +227,14 @@ auth_manage_cache(gssd_t) +@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -50829,7 +51319,7 @@ index b1468ed..fb0f852 100644 ') optional_policy(` -@@ -229,6 +246,10 @@ optional_policy(` +@@ -229,6 +248,10 @@ optional_policy(` ') optional_policy(` @@ -52393,7 +52883,7 @@ index 7e94c7c..5700fb8 100644 + admin_pattern($1, mail_spool_t) +') diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te -index 22dac1f..c3cf42a 100644 +index 22dac1f..1c27bd6 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t) @@ -52432,7 +52922,17 @@ index 22dac1f..c3cf42a 100644 mta_read_config(sendmail_t) mta_etc_filetrans_aliases(sendmail_t) -@@ -149,7 +150,9 @@ optional_policy(` +@@ -129,6 +130,9 @@ optional_policy(` + + optional_policy(` + exim_domtrans(sendmail_t) ++ exim_manage_spool_files(sendmail_t) ++ exim_manage_spool_dirs(sendmail_t) ++ exim_read_log(sendmail_t) + ') + + optional_policy(` +@@ -149,7 +153,9 @@ optional_policy(` ') optional_policy(` @@ -52442,7 +52942,7 @@ index 22dac1f..c3cf42a 100644 postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) ') -@@ -168,20 +171,13 @@ optional_policy(` +@@ -168,20 +174,13 @@ optional_policy(` ') optional_policy(` @@ -52824,7 +53324,7 @@ index 275f9fb..4f4a192 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) 
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te -index 3d8d1b3..633e4ce 100644 +index 3d8d1b3..9509742 100644 --- a/policy/modules/services/snmp.te +++ b/policy/modules/services/snmp.te @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0) @@ -52865,7 +53365,11 @@ index 3d8d1b3..633e4ce 100644 kernel_read_device_sysctls(snmpd_t) kernel_read_kernel_sysctls(snmpd_t) -@@ -97,12 +100,15 @@ fs_search_auto_mountpoints(snmpd_t) +@@ -94,15 +97,19 @@ files_search_home(snmpd_t) + fs_getattr_all_dirs(snmpd_t) + fs_getattr_all_fs(snmpd_t) + fs_search_auto_mountpoints(snmpd_t) ++files_search_all_mountpoints(snmpd_t) storage_dontaudit_read_fixed_disk(snmpd_t) storage_dontaudit_read_removable_device(snmpd_t) @@ -52882,7 +53386,7 @@ index 3d8d1b3..633e4ce 100644 logging_send_syslog_msg(snmpd_t) -@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t) +@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t) userdom_dontaudit_use_unpriv_user_fds(snmpd_t) userdom_dontaudit_search_user_home_dirs(snmpd_t) @@ -53773,7 +54277,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..d9c1d90 100644 +index 22adaca..040ec9b 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ 
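Review bot: `files_search_all_mountpoints(snmpd_t)` is inserted below the `fs_*` calls, while the rest of this file keeps `files_*` interfaces together (see `files_search_home(snmpd_t)` immediately above the `fs_getattr_all_dirs` block). Moving the new line up next to `files_search_home(snmpd_t)` keeps the module-prefix ordering the surrounding policy follows and makes it easier to audit what snmpd_t may traverse.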
@@ -53835,7 +54339,37 @@ index 22adaca..d9c1d90 100644 dev_read_urand($1_ssh_t) -@@ -168,7 +166,7 @@ template(`ssh_basic_client_template',` +@@ -148,6 +146,29 @@ template(`ssh_basic_client_template',` + ') + ') + ++###################################### ++## ++## The template to define a domain to which sshd dyntransition. ++## ++## ++## ++## The prefix of the dyntransition domain ++## ++## ++# ++template(`ssh_dyntransition_domain_template',` ++ gen_require(` ++ attribute ssh_dyntransition_domain; ++ ') ++ ++ type $1, ssh_dyntransition_domain; ++ domain_type($1) ++ role system_r types $1; ++ ++ optional_policy(` ++ ssh_dyntransition_to($1) ++ ') ++') + ####################################### + ## + ## The template to define a ssh server. +@@ -168,7 +189,7 @@ template(`ssh_basic_client_template',` ## ## # @@ -53844,7 +54378,7 @@ index 22adaca..d9c1d90 100644 type $1_t, ssh_server; auth_login_pgm_domain($1_t) -@@ -181,16 +179,18 @@ template(`ssh_server_template', ` +@@ -181,16 +202,18 @@ template(`ssh_server_template', ` type $1_var_run_t; files_pid_file($1_var_run_t) @@ -53866,15 +54400,15 @@ index 22adaca..d9c1d90 100644 term_create_pty($1_t, $1_devpts_t) manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -@@ -206,6 +206,7 @@ template(`ssh_server_template', ` +@@ -206,6 +229,7 @@ template(`ssh_server_template', ` kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) -+ kernel_request_load_module(ssh_t) ++ kernel_request_load_module($1_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) -@@ -220,8 +221,11 @@ template(`ssh_server_template', ` +@@ -220,8 +244,11 @@ template(`ssh_server_template', ` corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_tcp_bind_ssh_port($1_t) 
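Review bot: In `ssh_dyntransition_domain_template` the call `ssh_dyntransition_to($1)` is wrapped in `optional_policy(`...')`, but `sshd_t`, the only type that interface requires, is declared by this same ssh module, so the optional block can never be dropped and the wrapper only hides that the transition rule is unconditional; calling `ssh_dyntransition_to($1)` directly makes the template's effect visible at a glance. Because a dynamic transition does not re-exec, a domain created by this template starts with whatever descriptors and memory sshd_t had at the point of transition; that is inherent to the design but deserves a sentence in the template's summary so anyone later applying it to a new domain knows what the target inherits.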
@@ -53887,7 +54421,7 @@ index 22adaca..d9c1d90 100644 fs_dontaudit_getattr_all_fs($1_t) -@@ -234,6 +238,7 @@ template(`ssh_server_template', ` +@@ -234,6 +261,7 @@ template(`ssh_server_template', ` corecmd_getattr_bin_files($1_t) domain_interactive_fd($1_t) @@ -53895,7 +54429,7 @@ index 22adaca..d9c1d90 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -243,13 +248,17 @@ template(`ssh_server_template', ` +@@ -243,13 +271,17 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) @@ -53915,7 +54449,7 @@ index 22adaca..d9c1d90 100644 tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files($1_t) fs_read_nfs_symlinks($1_t) -@@ -268,6 +277,14 @@ template(`ssh_server_template', ` +@@ -268,6 +300,14 @@ template(`ssh_server_template', ` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') @@ -53930,7 +54464,7 @@ index 22adaca..d9c1d90 100644 ') ######################################## -@@ -290,11 +307,11 @@ template(`ssh_server_template', ` +@@ -290,11 +330,11 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -53943,7 +54477,7 @@ index 22adaca..d9c1d90 100644 type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; -@@ -327,7 +344,7 @@ template(`ssh_role_template',` +@@ -327,17 +367,19 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -53952,7 +54486,11 @@ index 22adaca..d9c1d90 100644 # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; -@@ -338,6 +355,7 @@ template(`ssh_role_template',` + allow ssh_t $3:unix_stream_socket connectto; ++ allow ssh_t $3:key manage_key_perms; + + # user can manage the keys and config + manage_files_pattern($3, ssh_home_t, ssh_home_t) manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t) manage_sock_files_pattern($3, ssh_home_t, ssh_home_t) userdom_search_user_home_dirs($1_t) 
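Review bot: `allow ssh_t $3:key manage_key_perms;` gives the ssh client the full create/write/setattr/link set on the user domain's kernel keys rather than only what a lookup needs. If the motivating denial was the client reading keyring-backed credentials (for example a credential cache consulted during GSSAPI authentication), `allow ssh_t $3:key { read search view };` would cover it with less exposure; if the client really creates or updates keys, a short comment naming that operation would help the next reviewer. The enclosing `ssh_role_template` continues outside this hunk.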
@@ -53960,7 +54498,7 @@ index 22adaca..d9c1d90 100644 ############################## # -@@ -359,7 +377,7 @@ template(`ssh_role_template',` +@@ -359,7 +401,7 @@ template(`ssh_role_template',` stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. @@ -53969,7 +54507,7 @@ index 22adaca..d9c1d90 100644 # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -381,7 +399,6 @@ template(`ssh_role_template',` +@@ -381,7 +423,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) @@ -53977,7 +54515,7 @@ index 22adaca..d9c1d90 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -393,14 +410,13 @@ template(`ssh_role_template',` +@@ -393,14 +434,13 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. @@ -53995,13 +54533,13 @@ index 22adaca..d9c1d90 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +493,27 @@ interface(`ssh_read_pipes',` +@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') - allow $1 sshd_t:fifo_file { getattr read }; + allow $1 sshd_t:fifo_file read_fifo_file_perms; - ') ++') + +###################################### +## @@ -54019,12 +54557,12 @@ index 22adaca..d9c1d90 100644 + ') + + allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms; -+') + ') + ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +529,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -54033,7 +54571,7 @@ index 22adaca..d9c1d90 100644 ') ######################################## -@@ -586,6 +621,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +645,24 @@ interface(`ssh_domtrans',` ######################################## ## 
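Review bot: `ssh_rw_dgram_sockets` grants `rw_stream_socket_perms` on `sshd_t:unix_dgram_socket`, a set that in refpolicy's permission macros adds `listen` and `accept` on top of the plain read/write set; those permissions are meaningless on a datagram socket and are not what a read/write interface should hand out. The line is unchanged context in this hunk, so the commit does not address it; `rw_socket_perms`, already used elsewhere on this page for stream sockets, is the matching macro: `allow $1 sshd_t:unix_dgram_socket rw_socket_perms;`.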
@@ -54058,7 +54596,7 @@ index 22adaca..d9c1d90 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +671,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -54067,7 +54605,7 @@ index 22adaca..d9c1d90 100644 files_search_pids($1) ') -@@ -680,6 +733,32 @@ interface(`ssh_domtrans_keygen',` +@@ -680,6 +757,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -54100,7 +54638,7 @@ index 22adaca..d9c1d90 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +774,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +798,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -54109,7 +54647,7 @@ index 22adaca..d9c1d90 100644 ') ###################################### -@@ -735,3 +814,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +838,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -54142,13 +54680,13 @@ index 22adaca..d9c1d90 100644 +## +## +# -+interface(`ssh_dyntransition_chroot_user',` ++interface(`ssh_dyntransition_to',` + gen_require(` -+ type chroot_user_t; ++ type sshd_t; + ') + -+ allow $1 chroot_user_t:process dyntransition; -+ allow chroot_user_t $1:process sigchld; ++ allow sshd_t $1:process dyntransition; ++ allow $1 sshd_t:process sigchld; +') + +######################################## @@ -54192,7 +54730,7 @@ index 22adaca..d9c1d90 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..28ef6ae 100644 +index 2dad3c8..a6e2e1e 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0) 
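Review bot: `ssh_dyntransition_to` grants only `allow sshd_t $1:process dyntransition;`, and a dynamic transition additionally requires the source domain to hold `self:process setcurrent` (what refpolicy's `domain_dyntrans_type` arranges); if ssh.te does not already grant that to sshd_t the interface is not sufficient on its own, so a comment naming where that prerequisite lives would save the next reader a search. The summary and parameter lines directly above the interface are unchanged context from when it targeted `chroot_user_t`; check that they now describe the reversed direction (sshd_t transitioning into $1) and the matching `allow $1 sshd_t:process sigchld;` back-rule.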
@@ -54232,12 +54770,12 @@ index 2dad3c8..28ef6ae 100644 -gen_tunable(ssh_sysadm_login, false) +gen_tunable(ssh_chroot_rw_homedirs, false) ++attribute ssh_dyntransition_domain; attribute ssh_server; attribute ssh_agent_type; -+type chroot_user_t; -+domain_type(chroot_user_t) -+role system_r types chroot_user_t; ++ssh_dyntransition_domain_template(chroot_user_t) ++ssh_dyntransition_domain_template(sshd_sandbox_t) + type ssh_keygen_t; type ssh_keygen_exec_t; @@ -54492,14 +55030,10 @@ index 2dad3c8..28ef6ae 100644 ') optional_policy(` -@@ -284,6 +337,19 @@ optional_policy(` +@@ -284,6 +337,15 @@ optional_policy(` ') optional_policy(` -+ ssh_dyntransition_chroot_user(sshd_t) -+') -+ -+optional_policy(` + systemd_exec_systemctl(sshd_t) +') + @@ -54512,7 +55046,7 @@ index 2dad3c8..28ef6ae 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +358,26 @@ optional_policy(` +@@ -292,26 +354,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -54558,7 +55092,7 @@ index 2dad3c8..28ef6ae 100644 ') dnl endif TODO ######################################## -@@ -322,19 +388,26 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +384,26 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -54586,7 +55120,7 @@ index 2dad3c8..28ef6ae 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,15 +424,63 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,15 +420,83 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) 
@@ -54600,16 +55134,39 @@ index 2dad3c8..28ef6ae 100644 optional_policy(` - seutil_sigchld_newrole(ssh_keygen_t) + udev_read_db(ssh_keygen_t) + ') + ++#################################### ++# ++# ssh_dyntransition domain local policy ++# ++ ++allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid }; ++ ++allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; ++ + optional_policy(` +- udev_read_db(ssh_keygen_t) ++ ssh_rw_stream_sockets(ssh_dyntransition_domain) ++ ssh_rw_tcp_sockets(ssh_dyntransition_domain) +') + ++##################################### ++# ++# ssh_sandbox local policy ++# ++ ++allow sshd_t sshd_sandbox_t:process signal; ++ ++init_ioctl_stream_sockets(sshd_sandbox_t) ++ ++logging_send_audit_msgs(sshd_sandbox_t) ++ +###################################### +# +# chroot_user_t local policy +# + -+allow chroot_user_t self:capability { setuid sys_chroot setgid }; -+ -+allow chroot_user_t self:fifo_file rw_fifo_file_perms; + +userdom_read_user_home_content_files(chroot_user_t) +userdom_read_inherited_user_home_content_files(chroot_user_t) @@ -54645,12 +55202,9 @@ index 2dad3c8..28ef6ae 100644 +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(chroot_user_t) + fs_read_nfs_symlinks(chroot_user_t) - ') - - optional_policy(` -- udev_read_db(ssh_keygen_t) -+ ssh_rw_stream_sockets(chroot_user_t) -+ ssh_rw_tcp_sockets(chroot_user_t) ++') ++ ++optional_policy(` + ssh_rw_dgram_sockets(chroot_user_t) ') diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if @@ -54711,7 +55265,7 @@ index 941380a..6dbfc01 100644 # Allow sssd_t to restart the apache service sssd_initrc_domtrans($1) diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te -index 8ffa257..69e86c3 100644 +index 8ffa257..7d5a298 100644 --- a/policy/modules/services/sssd.te +++ b/policy/modules/services/sssd.te @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t) 
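Review bot: `allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid };` now applies to `sshd_sandbox_t` as well, because the commit moves these capabilities from `chroot_user_t` onto the shared attribute. Whether the sandbox child still needs to chroot and change uid after the dyntransition depends on where sshd performs the transition relative to its privilege drop, which is not visible here; if it transitions after dropping privileges, the sandbox should not carry `setuid`/`setgid`/`sys_chroot` and the rule belongs back under the chroot_user_t section. A comment above the rule stating which domain drives each capability would settle that, and the header `####################################` is shorter than the `######################################` used for the chroot_user_t block below it, so align the two.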
@@ -54737,7 +55291,7 @@ index 8ffa257..69e86c3 100644 manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t) logging_log_filetrans(sssd_t, sssd_var_log_t, file) -@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) +@@ -48,11 +50,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) @@ -54750,7 +55304,11 @@ index 8ffa257..69e86c3 100644 corecmd_exec_bin(sssd_t) dev_read_urand(sssd_t) -@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t) ++dev_read_sysfs(sssd_t) + + domain_read_all_domains_state(sssd_t) + domain_obj_id_change_exemption(sssd_t) +@@ -60,6 +67,7 @@ domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) files_read_etc_files(sssd_t) files_read_usr_files(sssd_t) @@ -54758,7 +55316,7 @@ index 8ffa257..69e86c3 100644 fs_list_inotifyfs(sssd_t) -@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t) +@@ -69,7 +77,7 @@ seutil_read_file_contexts(sssd_t) mls_file_read_to_clearance(sssd_t) @@ -54767,7 +55325,7 @@ index 8ffa257..69e86c3 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) -@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t) +@@ -79,6 +87,12 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_localization(sssd_t) @@ -54780,7 +55338,7 @@ index 8ffa257..69e86c3 100644 optional_policy(` dbus_system_bus_client(sssd_t) -@@ -87,4 +100,28 @@ optional_policy(` +@@ -87,4 +101,28 @@ optional_policy(` optional_policy(` kerberos_manage_host_rcache(sssd_t) @@ -56667,7 +57225,7 @@ index 7c5d8d8..72e3065 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..c0d1ec6 100644 +index 3eca020..1eb165e 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0) 
@@ -57037,9 +57595,9 @@ index 3eca020..c0d1ec6 100644 logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) -+ -+selinux_validate_context(virtd_t) ++selinux_validate_context(virtd_t) ++ +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -57193,7 +57751,7 @@ index 3eca020..c0d1ec6 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +624,177 @@ optional_policy(` +@@ -457,8 +624,188 @@ optional_policy(` ') optional_policy(` @@ -57317,11 +57875,12 @@ index 3eca020..c0d1ec6 100644 +# +# virt_lxc local policy +# -+allow virt_lxc_t self:capability { net_admin setpcap chown sys_admin }; ++allow virt_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin }; +allow virt_lxc_t self:process { setsched getcap setcap signal_perms }; +allow virt_lxc_t self:fifo_file rw_fifo_file_perms; +allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms; ++allow virt_lxc_t self:packet_socket create_socket_perms; + +allow virt_lxc_t virt_image_type:dir mounton; + @@ -57337,6 +57896,7 @@ index 3eca020..c0d1ec6 100644 + +kernel_read_network_state(virt_lxc_t) +kernel_search_network_sysctl(virt_lxc_t) ++kernel_read_sysctl(virt_lxc_t) + +dev_read_sysfs(virt_lxc_t) + @@ -57346,12 +57906,14 @@ index 3eca020..c0d1ec6 100644 +files_mounton_all_mountpoints(virt_lxc_t) +files_mount_all_file_type_fs(virt_lxc_t) +files_unmount_all_file_type_fs(virt_lxc_t) ++files_list_isid_type_dirs(virt_lxc_t) + +fs_manage_tmpfs_dirs(virt_lxc_t) +fs_manage_tmpfs_chr_files(virt_lxc_t) +fs_manage_tmpfs_symlinks(virt_lxc_t) +fs_manage_cgroup_dirs(virt_lxc_t) +fs_rw_cgroup_files(virt_lxc_t) ++fs_remount_all_fs(virt_lxc_t) + +selinux_mount_fs(virt_lxc_t) +selinux_unmount_fs(virt_lxc_t) 
@@ -57365,7 +57927,14 @@ index 3eca020..c0d1ec6 100644 + +miscfiles_read_localization(virt_lxc_t) + -+sysnet_exec_ifconfig(virt_lxc_t) ++sysnet_domtrans_ifconfig(virt_lxc_t) ++ ++type lxc_t; ++domain_type(lxc_t); ++ ++optional_policy(` ++ unconfined_domain(lxc_t) ++') + +optional_policy(` + unconfined_shell_domtrans(virt_lxc_t) @@ -61517,10 +62086,10 @@ index 354ce93..b8b14b9 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 94fd8dd..6794869 100644 +index 94fd8dd..b5e5c70 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if -@@ -79,6 +79,42 @@ interface(`init_script_domain',` +@@ -79,6 +79,44 @@ interface(`init_script_domain',` domtrans_pattern(init_run_all_scripts_domain, $2, $1) ') @@ -61555,15 +62124,17 @@ index 94fd8dd..6794869 100644 + domtrans_pattern(init_t,$2,$1) + allow init_t $1:unix_stream_socket create_stream_socket_perms; + allow init_t $1:unix_dgram_socket create_socket_perms; -+ allow $1 init_t:unix_stream_socket ioctl; ++ allow $1 init_t:unix_stream_socket ioctl; + allow $1 init_t:unix_dgram_socket sendto; ++ # need write to /var/run/systemd/notify ++ init_write_pid_socket($1) + ') +') + ######################################## ## ## Create a domain which can be started by init. -@@ -105,7 +141,11 @@ interface(`init_domain',` +@@ -105,7 +143,11 @@ interface(`init_domain',` role system_r types $1; @@ -61576,7 +62147,7 @@ index 94fd8dd..6794869 100644 ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -193,8 +233,10 @@ interface(`init_daemon_domain',` +@@ -193,8 +235,10 @@ interface(`init_daemon_domain',` gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; 
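Review bot: `type lxc_t;` followed by `optional_policy(` unconfined_domain(lxc_t) ')` declares a new domain that is unconfined whenever the unconfined module is loaded, yet nothing in this hunk shows how a process enters lxc_t (no entry-point type and no transition from virt_lxc_t), so the grant is either unreachable or reachable only through rules outside this view. `domain_type(lxc_t);` also ends with a stray `;`, unlike every other interface call in the file; m4 passes it through into the generated policy, so write `domain_type(lxc_t)`. A comment above the declaration such as `# lxc_t: <what runs here>; unconfined because <reason>` would make the decision reviewable.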
@@ -61587,7 +62158,7 @@ index 94fd8dd..6794869 100644 ') typeattribute $1 daemon; -@@ -202,39 +244,20 @@ interface(`init_daemon_domain',` +@@ -202,39 +246,20 @@ interface(`init_daemon_domain',` domain_type($1) domain_entry_file($1, $2) @@ -61613,17 +62184,17 @@ index 94fd8dd..6794869 100644 typeattribute $2 direct_init_entry; - userdom_dontaudit_use_user_terminals($1) -- ') -- ++# userdom_dontaudit_use_user_terminals($1) + ') + - ifdef(`hide_broken_symptoms',` - # RHEL4 systems seem to have a stray - # fds open from the initrd - ifdef(`distro_rhel4',` - kernel_dontaudit_use_fds($1) - ') -+# userdom_dontaudit_use_user_terminals($1) - ') - +- ') +- - optional_policy(` - nscd_socket_use($1) + tunable_policy(`init_upstart || init_systemd',` @@ -61632,7 +62203,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -283,17 +306,20 @@ interface(`init_daemon_domain',` +@@ -283,17 +308,20 @@ interface(`init_daemon_domain',` interface(`init_ranged_daemon_domain',` gen_require(` type initrc_t; @@ -61654,7 +62225,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -336,22 +362,23 @@ interface(`init_ranged_daemon_domain',` +@@ -336,22 +364,23 @@ interface(`init_ranged_daemon_domain',` # interface(`init_system_domain',` gen_require(` @@ -61685,7 +62256,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -401,20 +428,41 @@ interface(`init_system_domain',` +@@ -401,20 +430,41 @@ interface(`init_system_domain',` interface(`init_ranged_system_domain',` gen_require(` type initrc_t; @@ -61727,7 +62298,7 @@ index 94fd8dd..6794869 100644 ######################################## ## ## Execute init (/sbin/init) with a domain transition. -@@ -451,6 +499,10 @@ interface(`init_exec',` +@@ -451,6 +501,10 @@ interface(`init_exec',` corecmd_search_bin($1) can_exec($1, init_exec_t) @@ -61738,7 +62309,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -509,6 +561,24 @@ interface(`init_sigchld',` +@@ -509,6 +563,24 @@ interface(`init_sigchld',` ######################################## ## 
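Review bot: `init_write_pid_socket($1)` is added to an interface whose name and opening lines are outside this hunk, so every domain declared through it now gets write access to init's pid socket; the comment `# need write to /var/run/systemd/notify` records the motivation but not why all such domains, rather than only the ones that report readiness to systemd, receive it. If this is the generic daemon-domain declaration, consider an opt-in interface for the domains that need it, or at least widen the comment to `# readiness notification: daemons write to /var/run/systemd/notify`. The context line `domtrans_pattern(init_t,$2,$1)` also lacks the spaces after commas used elsewhere in init.if.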
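Review bot: `# userdom_dontaudit_use_user_terminals($1)` is commented-out code kept in the block after `typeattribute $2 direct_init_entry;` in `init_daemon_domain`; the commit only moves it, leaving a dead line whose intent (temporarily disabled or permanently dropped) is unrecorded. Either delete the line or replace it with a comment explaining why the dontaudit is no longer wanted, e.g. `# dontaudit of user terminals dropped: <reason>`.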
@@ -61763,7 +62334,7 @@ index 94fd8dd..6794869 100644 ## Connect to init with a unix socket. ## ## -@@ -519,10 +589,66 @@ interface(`init_sigchld',` +@@ -519,10 +591,66 @@ interface(`init_sigchld',` # interface(`init_stream_connect',` gen_require(` @@ -61832,7 +62403,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -688,19 +814,25 @@ interface(`init_telinit',` +@@ -688,19 +816,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -61859,7 +62430,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -730,7 +862,7 @@ interface(`init_rw_initctl',` +@@ -730,7 +864,7 @@ interface(`init_rw_initctl',` ## ## ## @@ -61868,7 +62439,7 @@ index 94fd8dd..6794869 100644 ## ## # -@@ -773,18 +905,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -61892,7 +62463,7 @@ index 94fd8dd..6794869 100644 ') ') -@@ -800,19 +933,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -61938,7 +62509,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -868,9 +1023,14 @@ interface(`init_script_file_domtrans',` +@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -61953,7 +62524,7 @@ index 94fd8dd..6794869 100644 files_search_etc($1) ') -@@ -1079,6 +1239,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -61978,7 +62549,7 @@ index 94fd8dd..6794869 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1308,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) 
@@ -61992,7 +62563,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -1375,6 +1548,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -62020,7 +62591,7 @@ index 94fd8dd..6794869 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1655,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -62046,7 +62617,7 @@ index 94fd8dd..6794869 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1732,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -62071,7 +62642,7 @@ index 94fd8dd..6794869 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1586,6 +1817,24 @@ interface(`init_read_utmp',` +@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',` ######################################## ## @@ -62096,7 +62667,7 @@ index 94fd8dd..6794869 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1674,7 +1923,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -62105,7 +62676,7 @@ index 94fd8dd..6794869 100644 ') ######################################## -@@ -1715,6 +1964,128 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -62234,7 +62805,7 @@ index 94fd8dd..6794869 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2120,175 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -62291,6 +62862,25 @@ index 94fd8dd..6794869 100644 + init_dontaudit_use_script_fds($1) +') + ++####################################### ++## ++## Allow the specified domain to ioctl an ++## init with a unix domain stream sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_ioctl_stream_sockets',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket ioctl; ++') ++ +######################################## +## +## Allow the specified domain to read/write to @@ -62411,7 +63001,7 @@ index 94fd8dd..6794869 100644 + read_fifo_files_pattern($1, init_var_run_t, init_var_run_t) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..8c027c2 100644 +index 29a9565..1c92ab6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -62590,7 +63180,7 @@ index 29a9565..8c027c2 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,16 +247,137 @@ tunable_policy(`init_upstart',` +@@ -186,16 +247,138 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -62687,6 +63277,7 @@ index 29a9565..8c027c2 100644 + seutil_read_file_contexts(init_t) + + systemd_exec_systemctl(init_t) ++ systemd_manage_unit_dirs(init_t) + systemd_manage_all_unit_files(init_t) + systemd_logger_stream_connect(init_t) + @@ -62730,7 +63321,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -203,6 +385,17 @@ optional_policy(` +@@ -203,6 +386,17 @@ optional_policy(` ') optional_policy(` @@ -62748,7 +63339,7 @@ index 29a9565..8c027c2 100644 unconfined_domain(init_t) ') -@@ -212,7 +405,7 @@ optional_policy(` +@@ -212,7 +406,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
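Review bot: The summary of `init_ioctl_stream_sockets` reads `Allow the specified domain to ioctl an init with a unix domain stream sockets.`, which is ungrammatical and does not say that the permission is on init's socket rather than the caller's; suggest `Allow the specified domain to ioctl init's unix domain stream sockets.`. With this interface in place, the inline `allow $1 init_t:unix_stream_socket ioctl;` rule earlier in init.if could call it instead, keeping the grant defined in one place.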
@@ -62757,7 +63348,7 @@ index 29a9565..8c027c2 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -62773,7 +63364,7 @@ index 29a9565..8c027c2 100644 init_write_initctl(initrc_t) -@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -62810,7 +63401,7 @@ index 29a9565..8c027c2 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -62818,7 +63409,7 @@ index 29a9565..8c027c2 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -62829,7 +63420,7 @@ index 29a9565..8c027c2 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -62846,7 +63437,7 @@ index 29a9565..8c027c2 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -62854,7 +63445,7 @@ index 29a9565..8c027c2 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -62866,7 +63457,7 @@ index 29a9565..8c027c2 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -62880,7 +63471,7 @@ index 29a9565..8c027c2 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -62889,7 +63480,7 @@ index 29a9565..8c027c2 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) 
@@ -62897,7 +63488,7 @@ index 29a9565..8c027c2 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -62905,7 +63496,7 @@ index 29a9565..8c027c2 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -62927,7 +63518,7 @@ index 29a9565..8c027c2 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -62938,7 +63529,7 @@ index 29a9565..8c027c2 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +704,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +705,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -62947,7 +63538,7 @@ index 29a9565..8c027c2 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +719,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +720,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -62955,7 +63546,7 @@ index 29a9565..8c027c2 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +749,33 @@ ifdef(`distro_redhat',` +@@ -522,8 +750,33 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -62989,7 +63580,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -531,10 +783,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +784,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -63012,7 +63603,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -549,6 +813,39 @@ ifdef(`distro_suse',` +@@ -549,6 +814,39 @@ ifdef(`distro_suse',` ') ') @@ -63052,7 +63643,7 @@ index 29a9565..8c027c2 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +858,8 @@ optional_policy(` +@@ -561,6 +859,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -63061,7 +63652,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -577,6 +876,7 @@ optional_policy(` +@@ -577,6 +877,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -63069,7 +63660,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -589,6 +889,17 @@ optional_policy(` +@@ -589,6 +890,17 @@ optional_policy(` ') optional_policy(` @@ -63087,7 +63678,7 @@ index 29a9565..8c027c2 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +916,13 @@ optional_policy(` +@@ -605,9 +917,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -63101,7 +63692,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -632,6 +947,10 @@ optional_policy(` +@@ -632,6 +948,10 @@ optional_policy(` ') optional_policy(` @@ -63112,7 +63703,7 @@ index 29a9565..8c027c2 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +968,11 @@ optional_policy(` +@@ -649,6 +969,11 @@ optional_policy(` ') optional_policy(` @@ -63124,7 +63715,7 @@ index 29a9565..8c027c2 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1013,7 @@ optional_policy(` +@@ -689,6 +1014,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -63132,7 +63723,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -706,7 +1031,13 @@ optional_policy(` +@@ -706,7 +1032,13 @@ optional_policy(` ') optional_policy(` 
@@ -63146,7 +63737,7 @@ index 29a9565..8c027c2 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1060,10 @@ optional_policy(` +@@ -729,6 +1061,10 @@ optional_policy(` ') optional_policy(` @@ -63157,7 +63748,7 @@ index 29a9565..8c027c2 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1073,20 @@ optional_policy(` +@@ -738,10 +1074,20 @@ optional_policy(` ') optional_policy(` @@ -63178,7 +63769,7 @@ index 29a9565..8c027c2 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1095,10 @@ optional_policy(` +@@ -750,6 +1096,10 @@ optional_policy(` ') optional_policy(` @@ -63189,7 +63780,7 @@ index 29a9565..8c027c2 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1120,6 @@ optional_policy(` +@@ -771,8 +1121,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -63198,7 +63789,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -790,10 +1137,12 @@ optional_policy(` +@@ -790,10 +1138,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -63211,7 +63802,7 @@ index 29a9565..8c027c2 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1154,6 @@ optional_policy(` +@@ -805,7 +1155,6 @@ optional_policy(` ') optional_policy(` @@ -63219,7 +63810,7 @@ index 29a9565..8c027c2 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1163,26 @@ optional_policy(` +@@ -815,11 +1164,26 @@ optional_policy(` ') optional_policy(` @@ -63247,7 +63838,7 @@ index 29a9565..8c027c2 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1192,25 @@ optional_policy(` +@@ -829,6 +1193,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -63273,7 +63864,7 @@ index 29a9565..8c027c2 100644 ') optional_policy(` -@@ -844,6 +1226,10 @@ optional_policy(` +@@ -844,6 +1227,10 @@ optional_policy(` ') optional_policy(` 
@@ -63284,7 +63875,7 @@ index 29a9565..8c027c2 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1240,149 @@ optional_policy(` +@@ -854,3 +1241,151 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -63340,6 +63931,8 @@ index 29a9565..8c027c2 100644 + allow init_t daemon:unix_dgram_socket create_socket_perms; + allow init_t daemon:tcp_socket create_stream_socket_perms; + allow daemon init_t:unix_dgram_socket sendto; ++ # need write to /var/run/systemd/notify ++ init_write_pid_socket(daemon) + dontaudit daemon init_t:unix_stream_socket { read ioctl getattr }; +') + @@ -64778,10 +65371,24 @@ index 831b909..efe1038 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index b6ec597..0c27f81 100644 +index b6ec597..5684c8a 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -20,6 +20,7 @@ files_security_file(auditd_log_t) +@@ -5,6 +5,13 @@ policy_module(logging, 1.17.2) + # Declarations + # + ++## ++##

++## Allow syslogd daemon to send mail ++##

++##
++gen_tunable(logging_syslogd_can_sendmail, false) ++ + attribute logfile; + + type auditctl_t; +@@ -20,6 +27,7 @@ files_security_file(auditd_log_t) files_security_mountpoint(auditd_log_t) type audit_spool_t; @@ -64789,7 +65396,7 @@ index b6ec597..0c27f81 100644 files_security_file(audit_spool_t) files_security_mountpoint(audit_spool_t) -@@ -64,6 +65,7 @@ files_config_file(syslog_conf_t) +@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t) type syslogd_t; type syslogd_exec_t; init_daemon_domain(syslogd_t, syslogd_exec_t) @@ -64797,7 +65404,7 @@ index b6ec597..0c27f81 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -111,7 +113,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -64806,7 +65413,7 @@ index b6ec597..0c27f81 100644 init_dontaudit_use_fds(auditctl_t) -@@ -183,16 +185,19 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -64827,7 +65434,7 @@ index b6ec597..0c27f81 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,10 +242,17 @@ corecmd_exec_shell(audisp_t) +@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) @@ -64845,7 +65452,7 @@ index b6ec597..0c27f81 100644 logging_send_syslog_msg(audisp_t) -@@ -250,6 +262,10 @@ sysnet_dns_name_resolve(audisp_t) +@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -64856,7 +65463,7 @@ index b6ec597..0c27f81 100644 ') ######################################## -@@ -280,11 +296,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) 
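Review bot: The description block above the new `gen_tunable(logging_syslogd_can_sendmail, false)` shows up here as bare `++##` lines with the desc/p XML wrapper not visible; that may be a rendering artifact, but if the patch itself lacks those tags the tooling that extracts boolean descriptions from the `##` header will not pick this tunable up, so confirm the header keeps the usual desc and p elements around the text. The text itself could also say what the boolean actually enables — per the matching `tunable_policy` block it is only an outbound connection to the SMTP port for rsyslog's ommail output, not a transition to a mail client — e.g. `## Allow syslogd to connect to the SMTP port (rsyslog ommail module)`.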
@@ -64877,7 +65484,7 @@ index b6ec597..0c27f81 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -354,11 +379,12 @@ optional_policy(` +@@ -354,11 +386,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -64892,7 +65499,7 @@ index b6ec597..0c27f81 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -376,6 +402,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -64900,7 +65507,7 @@ index b6ec597..0c27f81 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -385,9 +412,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -64916,8 +65523,15 @@ index b6ec597..0c27f81 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -428,8 +461,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) + corenet_sendrecv_postgresql_client_packets(syslogd_t) + corenet_sendrecv_mysqld_client_packets(syslogd_t) ++tunable_policy(`logging_syslogd_can_sendmail',` ++ # support for ommail module to send logs via mail ++ corenet_tcp_connect_smtp_port(syslogd_t) ++') ++ dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) +dev_read_rand(syslogd_t) 
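Review bot: The `tunable_policy(`logging_syslogd_can_sendmail',` block grants only `corenet_tcp_connect_smtp_port(syslogd_t)`, i.e. name_connect on the smtp port type; on systems that label packets with SECMARK the corresponding packet permission is needed as well, and the surrounding syslogd rules already pair port and packet interfaces (`corenet_sendrecv_mysqld_client_packets(syslogd_t)` in the context lines). If this tree's corenetwork module generates per-port packet interfaces as upstream reference policy does, add `corenet_sendrecv_smtp_client_packets(syslogd_t)` inside the same tunable block so the boolean is complete under either enforcement mode.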
@@ -64930,7 +65544,7 @@ index b6ec597..0c27f81 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -448,6 +486,7 @@ term_write_console(syslogd_t) +@@ -448,6 +498,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) @@ -64938,7 +65552,7 @@ index b6ec597..0c27f81 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -459,6 +498,7 @@ init_use_fds(syslogd_t) +@@ -459,6 +510,7 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -64946,7 +65560,7 @@ index b6ec597..0c27f81 100644 miscfiles_read_localization(syslogd_t) -@@ -496,11 +536,20 @@ optional_policy(` +@@ -496,11 +548,20 @@ optional_policy(` ') optional_policy(` @@ -66947,7 +67561,7 @@ index 170e2c7..b85fc73 100644 + ') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..4e8cb38 100644 +index 7ed9819..f2b7643 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; 
@@ -67218,17 +67832,17 @@ index 7ed9819..4e8cb38 100644 -allow semanage_t self:unix_stream_socket create_stream_socket_perms; -allow semanage_t self:unix_dgram_socket create_socket_perms; -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +- +-allow semanage_t policy_config_t:file rw_file_perms; +seutil_semanage_policy(semanage_t) +allow semanage_t self:fifo_file rw_fifo_file_perms; --allow semanage_t policy_config_t:file rw_file_perms; -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) - -allow semanage_t semanage_tmp_t:dir manage_dir_perms; -allow semanage_t semanage_tmp_t:file manage_file_perms; -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -kernel_read_system_state(semanage_t) -kernel_read_kernel_sysctls(semanage_t) - @@ -67257,13 +67871,13 @@ index 7ed9819..4e8cb38 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -+# Admins are creating pp files in random locations -+files_read_non_security_files(semanage_t) - +- -locallogin_use_fds(semanage_t) - -logging_send_syslog_msg(semanage_t) -- ++# Admins are creating pp files in random locations ++files_read_non_security_files(semanage_t) + -miscfiles_read_localization(semanage_t) - -seutil_libselinux_linked(semanage_t) 
@@ -67280,7 +67894,20 @@ index 7ed9819..4e8cb38 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +498,72 @@ ifdef(`distro_debian',` +@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t) + userdom_read_user_home_content_files(semanage_t) + userdom_read_user_tmp_files(semanage_t) + ++tunable_policy(`use_nfs_home_dirs',` ++ fs_read_nfs_files(semanage_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_read_cifs_files(semanage_t) ++') ++ + ifdef(`distro_debian',` + files_read_var_lib_files(semanage_t) files_read_var_lib_symlinks(semanage_t) ') @@ -67345,23 +67972,23 @@ index 7ed9819..4e8cb38 100644 -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) -selinux_compute_create_context(setfiles_t) -selinux_compute_relabel_context(setfiles_t) -selinux_compute_user_contexts(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - --term_use_all_ttys(setfiles_t) --term_use_all_ptys(setfiles_t) --term_use_unallocated_ttys(setfiles_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) +-term_use_all_ttys(setfiles_t) +-term_use_all_ptys(setfiles_t) +-term_use_unallocated_ttys(setfiles_t) +- -# this is to satisfy the assertion: -auth_relabelto_shadow(setfiles_t) - @@ -68033,10 +68660,10 @@ index 0000000..9eaa38e +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..eb3673d +index 0000000..25872de --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,436 @@ +@@ -0,0 +1,454 @@ +## SELinux policy for systemd components + +####################################### 
@@ -68417,6 +69044,24 @@ index 0000000..eb3673d + +######################################## +## ++## manage systemd unit dirs ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_manage_unit_dirs',` ++ gen_require(` ++ attribute systemd_unit_file_type; ++ ') ++ ++ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type) ++') ++ ++######################################## ++## +## manage all systemd unit files +## +## @@ -68475,10 +69120,10 @@ index 0000000..eb3673d + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..e50a989 +index 0000000..0cb5eaa --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,359 @@ +@@ -0,0 +1,372 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -68584,6 +69229,7 @@ index 0000000..e50a989 +# /run/user/.* +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display) +auth_manage_var_auth(systemd_logind_t) ++auth_use_nsswitch(systemd_logind_t) + +authlogin_read_state(systemd_logind_t) + @@ -68611,6 +69257,15 @@ index 0000000..e50a989 +') + +optional_policy(` ++ # we label /run/user/$USER/dconf as config_home_t ++ gnome_manage_home_config_dirs(systemd_logind_t) ++') ++ ++optional_policy(` ++ nis_use_ypbind(systemd_logind_t) ++') ++ ++optional_policy(` + # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file + xserver_search_xdm_tmp_dirs(systemd_logind_t) +') @@ -68828,6 +69483,9 @@ index 0000000..e50a989 +# +# systemd_sysctl domains local policy +# ++ ++allow systemctl_domain systemd_unit_file_type:dir search_dir_perms; ++ +fs_list_cgroup_dirs(systemctl_domain) +fs_read_cgroup_files(systemctl_domain) + @@ -73444,7 +74102,7 @@ index 4b2878a..fe5913a 100644 + allow $1 unpriv_userdomain:sem rw_sem_perms; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..02686f5 100644 +index 9b4a930..5cd0c45 100644 
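Review bot: The new `systemd_manage_unit_dirs` interface gives the caller `manage_dirs_pattern` — create, delete, rename and reparent — on every type carrying the `systemd_unit_file_type` attribute, which is broader than the one-line summary "manage systemd unit dirs" conveys. Since the changelog says the motivation is that init must create and delete unit file directories, the interface header should state the scope so future callers do not reach for it casually, e.g. `## Create, delete and rename directories of any systemd unit file type (added for init).`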
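Review bot: The separate `optional_policy(` block adding `nis_use_ypbind(systemd_logind_t)` in the systemd.te hunk at `@@ -68611` looks redundant with the `auth_use_nsswitch(systemd_logind_t)` added a few lines earlier in the hunk at `@@ -68584`: in upstream reference policy `auth_use_nsswitch` already wraps `nis_use_ypbind` in its own optional_policy. Unless this tree's authlogin.if differs, the explicit NIS block can be dropped, which also keeps logind's name-service access described in one place.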
--- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) @@ -73497,7 +74155,7 @@ index 9b4a930..02686f5 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,73 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,74 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -73554,6 +74212,7 @@ index 9b4a930..02686f5 100644 + +# Nautilus causes this avc +dontaudit unpriv_userdomain self:dir setattr; ++allow unpriv_userdomain self:key manage_key_perms; + +optional_policy(` + alsa_read_rw_config(unpriv_userdomain) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2fc698e..29adf53 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,12 +17,12 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 31.1%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz patch: policy-F16.patch -patch1: ephemeral.patch +#patch1: ephemeral.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -236,7 +236,6 @@ Based off of reference policy: Checked out revision 2.20091117 %prep %setup -n serefpolicy-%{version} -q %patch -p1 -%patch1 -p1 %install mkdir selinux_config 
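Review bot: The spec hunk at `@@ -17,12 +17,12 @@` comments out `patch1: ephemeral.patch` and the companion `@@ -236,7 +236,6 @@` hunk removes `%patch1 -p1`, yet neither the 3.10.0-33 nor the 3.10.0-34 changelog entry records that the ephemeral-ports patch is no longer applied, while the -31.1 entry below still advertises it. Add a changelog line such as `- No longer apply ephemeral.patch` so the build history matches the sources, and note why if the definitions moved into policy-F16.patch. The -34 entry also omits other policy changes in this commit, notably the `use_nfs_home_dirs`/`use_samba_home_dirs` reads for `semanage_t` (`@@ -67280`), `init_write_pid_socket(daemon)` (`@@ -63340`) and `allow unpriv_userdomain self:key manage_key_perms;` (`@@ -73554`).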
@@ -468,6 +467,23 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Sep 26 2011 Miroslav Grepl 3.10.0-34 +- Make mta_role() active +- Allow asterisk to connect to jabber client port +- Allow procmail to read utmp +- Add NIS support for systemd_logind_t +- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t +- Fix systemd_manage_unit_dirs() interface +- Allow ssh_t to manage directories passed into it +- init needs to be able to create and delete unit file directories +- Fix typo in apache_exec_sys_script +- Add ability for logrotate to transition to awstat domain + +* Fri Sep 23 2011 Miroslav Grepl 3.10.0-33 +- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state +- Add SELinux support for ssh pre-auth net process in F17 +- Add logging_syslogd_can_sendmail boolean + * Wed Sep 20 2011 Dan Walsh 3.10.0-31.1 - Add definition for ephemeral ports - Define user_tty_device_t as a customizable_type