diff --git a/container-selinux.tgz b/container-selinux.tgz index 001fc23..9d0d555 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 7a71a37..a257b3f 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -6160,7 +6160,7 @@ index 8e0f9cd14..2fe34db47 100644 +create_ibendport_type_interfaces($*) +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055f9..c3bbc8ea2 100644 +index b191055f9..15ec98f76 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -6236,7 +6236,7 @@ index b191055f9..c3bbc8ea2 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -76,63 +101,82 @@ type server_packet_t, packet_type, server_packet_type; +@@ -76,63 +101,83 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) @@ -6284,6 +6284,7 @@ index b191055f9..c3bbc8ea2 100644 -network_port(ctdb, tcp,4379,s0, udp,4397,s0) +network_port(conman, tcp,7890,s0, udp,7890,s0) +network_port(connlcli, tcp,1358,s0, udp,1358,s0) ++network_port(conntrackd, udp,3780,s0) +network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) 
@@ -6329,7 +6330,7 @@ index b191055f9..c3bbc8ea2 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -140,45 +184,61 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -140,45 +185,61 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -6407,7 +6408,7 @@ index b191055f9..c3bbc8ea2 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -186,101 +246,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -186,101 +247,130 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -6558,7 +6559,7 @@ index b191055f9..c3bbc8ea2 100644 network_port(xserver, tcp,6000-6020,s0) network_port(zarafa, tcp,236,s0, tcp,237,s0) network_port(zabbix, tcp,10051,s0) -@@ -288,19 +377,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -288,19 +378,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -6585,7 +6586,7 @@ index b191055f9..c3bbc8ea2 100644 ######################################## # -@@ -333,6 +426,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -333,6 +427,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -6594,7 +6595,7 @@ index b191055f9..c3bbc8ea2 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -345,9 +440,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -345,9 +441,34 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -6686,7 +6687,7 @@ index 3f6e16889..abd046c56 100644 +ifelse(`$2',`',`',`declare_ibendportcons($1_ibendport_t,shift($*))')dnl +') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c05491..a7b0f009a 100644 +index b31c05491..b15a7aa05 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6779,10 +6780,12 @@ index b31c05491..a7b0f009a 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +138,13 @@ +@@ -118,6 +138,15 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') ++/dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) ++/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0) +/dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) 
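Review bot: The two added file contexts `/dev/vmci` and `/dev/vsock` label the nodes `vmci_device_t` and `vsock_device_t`, and no declaration of either type is visible in this chunk; a file context naming a type that devices.te does not declare fails when the policy or file contexts are loaded, not when the patch applies. If the declarations live in another hunk of the same patch that is fine, but it is worth confirming they land in the same commit and that they get the usual device-node treatment (presumably `dev_node()`) so generic device rules still cover them. A one-line comment above the entries, `# vmci/vsock: guest-host socket devices, types declared in devices.te`, would make the pairing visible to the next editor.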
@@ -6793,7 +6796,7 @@ index b31c05491..a7b0f009a 100644 /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +156,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +158,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) @@ -6808,7 +6811,7 @@ index b31c05491..a7b0f009a 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -169,18 +198,26 @@ ifdef(`distro_suse', ` +@@ -169,18 +200,26 @@ ifdef(`distro_suse', ` /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -6835,7 +6838,7 @@ index b31c05491..a7b0f009a 100644 ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -@@ -198,12 +235,27 @@ ifdef(`distro_debian',` +@@ -198,12 +237,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6866,7 +6869,7 @@ index b31c05491..a7b0f009a 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285ea6..c28d65c08 100644 +index 76f285ea6..8c3bbb82c 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -7309,70 +7312,162 @@ index 76f285ea6..c28d65c08 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -1879,6 +2101,26 @@ interface(`dev_rw_dri',` +@@ -1865,7 +2087,7 @@ interface(`dev_setattr_dri_dev',` + + ######################################## + ## +-## Read and write the dri devices. ++## Mmap the dri devices. + ## + ## + ## +@@ -1873,35 +2095,36 @@ interface(`dev_setattr_dri_dev',` + ## + ## + # +-interface(`dev_rw_dri',` ++interface(`dev_map_dri',` + gen_require(` + type device_t, dri_device_t; ') - rw_chr_files_pattern($1, device_t, dri_device_t) +- rw_chr_files_pattern($1, device_t, dri_device_t) + allow $1 dri_device_t:chr_file map; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit read and write on the dri devices. +## Read and write the dri devices. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_inherited_dri',` -+ gen_require(` + ## + ## + # +-interface(`dev_dontaudit_rw_dri',` ++interface(`dev_rw_dri',` + gen_require(` +- type dri_device_t; + type device_t, dri_device_t; -+ ') -+ -+ allow $1 device_t:dir search_dir_perms; -+ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; - ') + ') - ######################################## -@@ -2017,7 +2259,7 @@ interface(`dev_rw_input_dev',` +- dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; ++ rw_chr_files_pattern($1, device_t, dri_device_t) ++ allow $1 dri_device_t:chr_file map; + ') ######################################## ## --## Get the attributes of the framebuffer device node. -+## Read input event devices (/dev/input). +-## Create, read, write, and delete the dri devices. ++## Read and write the dri devices. 
## ## ## -@@ -2025,17 +2267,18 @@ interface(`dev_rw_input_dev',` +@@ -1909,26 +2132,63 @@ interface(`dev_dontaudit_rw_dri',` ## ## # --interface(`dev_getattr_framebuffer_dev',` -+interface(`dev_rw_inherited_input_dev',` +-interface(`dev_manage_dri_dev',` ++interface(`dev_rw_inherited_dri',` gen_require(` -- type device_t, framebuf_device_t; -+ type device_t, event_device_t; + type device_t, dri_device_t; ') -- getattr_chr_files_pattern($1, device_t, framebuf_device_t) +- manage_chr_files_pattern($1, device_t, dri_device_t) + allow $1 device_t:dir search_dir_perms; -+ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; ++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## ## --## Set the attributes of the framebuffer device node. -+## Read ipmi devices. +-## Automatic type transition to the type +-## for DRI device nodes when created in /dev. ++## Dontaudit read and write on the dri devices. ## ## ## -@@ -2043,7 +2286,180 @@ interface(`dev_getattr_framebuffer_dev',` +-## Domain allowed access. ++## Domain to not audit. ## ## - # --interface(`dev_setattr_framebuffer_dev',` +-## +-## ++# ++interface(`dev_dontaudit_rw_dri',` ++ gen_require(` ++ type dri_device_t; ++ ') ++ ++ dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; ++') ++ ++######################################## ++## ++## Create, read, write, and delete the dri devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_dri_dev',` ++ gen_require(` ++ type device_t, dri_device_t; ++ ') ++ ++ manage_chr_files_pattern($1, device_t, dri_device_t) ++') ++ ++######################################## ++## ++## Automatic type transition to the type ++## for DRI device nodes when created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## + ## The name of the object being created. 
+ ## + ## +@@ -2017,6 +2277,180 @@ interface(`dev_rw_input_dev',` + + ######################################## + ## ++## Read input event devices (/dev/input). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_inherited_input_dev',` ++ gen_require(` ++ type device_t, event_device_t; ++ ') ++ ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## ++## Read ipmi devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_read_ipmi_dev',` + gen_require(` + type device_t, ipmi_device_t; 
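Review bot: The summary of the new `dev_rw_inherited_dri` interface, `## Read and write the dri devices.`, is word-for-word the same as `dev_rw_dri`, although it grants `rw_inherited_chr_file_perms` (presumably the read/write set without `open`) instead of `rw_chr_files_pattern`; likewise `dev_rw_inherited_input_dev` is summarised as `## Read input event devices (/dev/input).` while it allows `rw_inherited_chr_file_perms` on `event_device_t`. A reader choosing between the two dri interfaces cannot tell from the docs which one lets the domain open the node itself; suggest `## Read and write inherited (already open) dri device file descriptors.` and `## Read and write inherited (already open) input event device file descriptors.` In the same hunk `dev_rw_dri` now unconditionally adds `allow $1 dri_device_t:chr_file map;` on top of the rw pattern even though a separate `dev_map_dri` exists, so its summary should mention that too, e.g. `## Read, write and mmap the dri devices.`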
@@ -7520,60 +7615,269 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## -+## Get the attributes of the framebuffer device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_getattr_framebuffer_dev',` -+ gen_require(` -+ type device_t, framebuf_device_t; -+ ') -+ -+ getattr_chr_files_pattern($1, device_t, framebuf_device_t) -+') -+ -+######################################## -+## -+## Set the attributes of the framebuffer device node. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_setattr_framebuffer_dev',` - gen_require(` - type device_t, framebuf_device_t; - ') -@@ -2402,7 +2818,97 @@ interface(`dev_filetrans_lirc',` + ## Get the attributes of the framebuffer device node. + ## + ## +@@ -2402,7 +2836,7 @@ interface(`dev_filetrans_lirc',` ######################################## ## -## Get the attributes of the lvm comtrol device. +## Get the attributes of the loop comtrol device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2410,17 +2844,17 @@ interface(`dev_filetrans_lirc',` + ## + ## + # +-interface(`dev_getattr_lvm_control',` +interface(`dev_getattr_loop_control',` -+ gen_require(` + gen_require(` +- type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, lvm_control_t) ++ getattr_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## Read the lvm comtrol device. ++## Read the loop comtrol device. 
+ ## + ## + ## +@@ -2428,17 +2862,17 @@ interface(`dev_getattr_lvm_control',` + ## + ## + # +-interface(`dev_read_lvm_control',` ++interface(`dev_read_loop_control',` + gen_require(` +- type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + +- read_chr_files_pattern($1, device_t, lvm_control_t) ++ read_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## Read and write the lvm control device. ++## Read and write the loop control device. + ## + ## + ## +@@ -2446,17 +2880,17 @@ interface(`dev_read_lvm_control',` + ## + ## + # +-interface(`dev_rw_lvm_control',` ++interface(`dev_rw_loop_control',` + gen_require(` +- type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + +- rw_chr_files_pattern($1, device_t, lvm_control_t) ++ rw_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to read and write lvm control device. ++## Do not audit attempts to read and write loop control device. + ## + ## + ## +@@ -2464,17 +2898,17 @@ interface(`dev_rw_lvm_control',` + ## + ## + # +-interface(`dev_dontaudit_rw_lvm_control',` ++interface(`dev_dontaudit_rw_loop_control',` + gen_require(` +- type lvm_control_t; ++ type loop_control_device_t; + ') + +- dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; + ') + + ######################################## + ## +-## Delete the lvm control device. ++## Delete the loop control device. 
+ ## + ## + ## +@@ -2482,35 +2916,35 @@ interface(`dev_dontaudit_rw_lvm_control',` + ## + ## + # +-interface(`dev_delete_lvm_control_dev',` ++interface(`dev_delete_loop_control_dev',` + gen_require(` +- type device_t, lvm_control_t; + type device_t, loop_control_device_t; + ') + +- delete_chr_files_pattern($1, device_t, lvm_control_t) ++ delete_chr_files_pattern($1, device_t, loop_control_device_t) + ') + + ######################################## + ## +-## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## Get the attributes of the loop comtrol device. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_getattr_memory_dev',` ++interface(`dev_getattr_lvm_control',` + gen_require(` +- type memory_device_t; ++ type device_t, lvm_control_t; + ') + +- dontaudit $1 memory_device_t:chr_file getattr; ++ getattr_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Read raw memory devices (e.g. /dev/mem). ++## Read the lvm comtrol device. + ## + ## + ## +@@ -2518,62 +2952,53 @@ interface(`dev_dontaudit_getattr_memory_dev',` + ## + ## + # +-interface(`dev_read_raw_memory',` ++interface(`dev_read_lvm_control',` + gen_require(` +- type device_t, memory_device_t; +- attribute memory_raw_read; ++ type device_t, lvm_control_t; + ') + +- read_chr_files_pattern($1, device_t, memory_device_t) +- +- allow $1 self:capability sys_rawio; +- typeattribute $1 memory_raw_read; ++ read_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Do not audit attempts to read raw memory devices +-## (e.g. /dev/mem). ++## Read and write the lvm control device. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`dev_dontaudit_read_raw_memory',` ++interface(`dev_rw_lvm_control',` + gen_require(` +- type memory_device_t; ++ type device_t, lvm_control_t; + ') + +- dontaudit $1 memory_device_t:chr_file read_chr_file_perms; ++ rw_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Write raw memory devices (e.g. /dev/mem). ++## Do not audit attempts to read and write lvm control device. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_raw_memory',` ++interface(`dev_dontaudit_rw_lvm_control',` + gen_require(` +- type device_t, memory_device_t; +- attribute memory_raw_write; ++ type lvm_control_t; + ') + +- write_chr_files_pattern($1, device_t, memory_device_t) +- +- allow $1 self:capability sys_rawio; +- typeattribute $1 memory_raw_write; ++ dontaudit $1 lvm_control_t:chr_file rw_file_perms; + ') + + ######################################## + ## +-## Read and execute raw memory devices (e.g. /dev/mem). ++## Delete the lvm control device. + ## + ## + ## +@@ -2581,32 +3006,168 @@ interface(`dev_write_raw_memory',` + ## + ## + # +-interface(`dev_rx_raw_memory',` ++interface(`dev_delete_lvm_control_dev',` + gen_require(` +- type device_t, memory_device_t; ++ type device_t, lvm_control_t; + ') + +- dev_read_raw_memory($1) +- allow $1 memory_device_t:chr_file execute; ++ delete_chr_files_pattern($1, device_t, lvm_control_t) + ') + + ######################################## + ## +-## Write and execute raw memory devices (e.g. /dev/mem). ++## dontaudit getattr raw memory devices (e.g. /dev/mem). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`dev_wx_raw_memory',` ++interface(`dev_dontaudit_getattr_memory_dev',` + gen_require(` +- type device_t, memory_device_t; ++ type memory_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, loop_control_device_t) ++ dontaudit $1 memory_device_t:chr_file getattr; +') + +######################################## +## -+## Read the loop comtrol device. ++## Read raw memory devices (e.g. /dev/mem). +## +## +## @@ -7581,17 +7885,22 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_read_loop_control',` ++interface(`dev_read_raw_memory',` + gen_require(` -+ type device_t, loop_control_device_t; ++ type device_t, memory_device_t; ++ attribute memory_raw_read; + ') + -+ read_chr_files_pattern($1, device_t, loop_control_device_t) ++ read_chr_files_pattern($1, device_t, memory_device_t) ++ allow $1 memory_device_t:chr_file map; ++ ++ allow $1 self:capability sys_rawio; ++ typeattribute $1 memory_raw_read; +') + +######################################## +## -+## Read and write the loop control device. ++## Allow to be reader of raw memory devices (e.g. /dev/mem). +## +## +## @@ -7599,17 +7908,18 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_rw_loop_control',` ++interface(`dev_raw_memory_reader',` + gen_require(` -+ type device_t, loop_control_device_t; ++ attribute memory_raw_read; + ') + -+ rw_chr_files_pattern($1, device_t, loop_control_device_t) ++ typeattribute $1 memory_raw_read; +') + +######################################## +## -+## Do not audit attempts to read and write loop control device. ++## Do not audit attempts to read raw memory devices ++## (e.g. /dev/mem). +## +## +## 
@@ -7617,17 +7927,17 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_dontaudit_rw_loop_control',` ++interface(`dev_dontaudit_read_raw_memory',` + gen_require(` -+ type loop_control_device_t; ++ type memory_device_t; + ') + -+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; ++ dontaudit $1 memory_device_t:chr_file read_chr_file_perms; +') + +######################################## +## -+## Delete the loop control device. ++## Write raw memory devices (e.g. /dev/mem). +## +## +## @@ -7635,33 +7945,21 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_delete_loop_control_dev',` ++interface(`dev_write_raw_memory',` + gen_require(` -+ type device_t, loop_control_device_t; ++ type device_t, memory_device_t; ++ attribute memory_raw_write; + ') + -+ delete_chr_files_pattern($1, device_t, loop_control_device_t) ++ write_chr_files_pattern($1, device_t, memory_device_t) ++ ++ allow $1 self:capability sys_rawio; ++ typeattribute $1 memory_raw_write; +') + +######################################## +## -+## Get the attributes of the loop comtrol device. - ## - ## - ## -@@ -2525,6 +3031,7 @@ interface(`dev_read_raw_memory',` - ') - - read_chr_files_pattern($1, device_t, memory_device_t) -+ allow $1 memory_device_t:chr_file map; - - allow $1 self:capability sys_rawio; - typeattribute $1 memory_raw_read; -@@ -2532,6 +3039,24 @@ interface(`dev_read_raw_memory',` - - ######################################## - ## -+## Allow to be reader of raw memory devices (e.g. /dev/mem). ++## Allow to be writer of raw memory devices (e.g. /dev/mem). +## +## +## 
@@ -7669,24 +7967,17 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_raw_memory_reader',` ++interface(`dev_raw_memory_writer',` + gen_require(` -+ attribute memory_raw_read; ++ attribute memory_raw_write; + ') + -+ typeattribute $1 memory_raw_read; ++ typeattribute $1 memory_raw_write; +') + +######################################## +## - ## Do not audit attempts to read raw memory devices - ## (e.g. /dev/mem). - ## -@@ -2573,6 +3098,24 @@ interface(`dev_write_raw_memory',` - - ######################################## - ## -+## Allow to be writer of raw memory devices (e.g. /dev/mem). ++## Read and execute raw memory devices (e.g. /dev/mem). +## +## +## @@ -7694,29 +7985,28 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_raw_memory_writer',` ++interface(`dev_rx_raw_memory',` + gen_require(` -+ attribute memory_raw_write; ++ type device_t, memory_device_t; + ') + -+ typeattribute $1 memory_raw_write; ++ dev_read_raw_memory($1) ++ allow $1 memory_device_t:chr_file { map execute }; +') + +######################################## +## - ## Read and execute raw memory devices (e.g. /dev/mem). - ## - ## -@@ -2587,7 +3130,7 @@ interface(`dev_rx_raw_memory',` - ') - - dev_read_raw_memory($1) -- allow $1 memory_device_t:chr_file execute; -+ allow $1 memory_device_t:chr_file { map execute }; - ') - - ######################################## -@@ -2606,7 +3149,7 @@ interface(`dev_wx_raw_memory',` ++## Write and execute raw memory devices (e.g. /dev/mem). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_wx_raw_memory',` ++ gen_require(` ++ type device_t, memory_device_t; ') dev_write_raw_memory($1) @@ -7725,7 +8015,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -2725,7 +3268,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3286,7 @@ interface(`dev_write_misc',` ## ## ## 
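Review bot: `dev_read_raw_memory` now also grants `allow $1 memory_device_t:chr_file map;` while its summary still reads `## Read raw memory devices (e.g. /dev/mem).`; every existing caller silently gains the ability to mmap `/dev/mem`, which is a wider grant than a read and is exactly the change an auditor of `memory_raw_read` domains would want called out. Suggest stating it in the description, `## Read and mmap raw memory devices (e.g. /dev/mem).`, or keeping `map` in a separate interface the way this same patch splits `dev_map_dri` from `dev_rw_dri`. The same applies to `dev_rx_raw_memory`, which changes `execute` to `{ map execute }` with no doc change. The new `dev_raw_memory_reader`/`dev_raw_memory_writer` interfaces attach only the `memory_raw_read`/`memory_raw_write` attributes, without the `sys_rawio` capability or the chr_file rules of their `dev_read_raw_memory`/`dev_write_raw_memory` counterparts; a sentence in each summary saying the caller is expected to obtain the device access separately would prevent them being mistaken for lighter-weight equivalents.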
@@ -7734,77 +8024,11 @@ index 76f285ea6..c28d65c08 100644 ## ## # -@@ -2811,7 +3354,7 @@ interface(`dev_rw_modem',` +@@ -2811,6 +3372,78 @@ interface(`dev_rw_modem',` ######################################## ## --## Get the attributes of the mouse devices. +## Get the attributes of the monitor devices. - ## - ## - ## -@@ -2819,17 +3362,17 @@ interface(`dev_rw_modem',` - ## - ## - # --interface(`dev_getattr_mouse_dev',` -+interface(`dev_getattr_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; -+ type device_t, monitor_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, mouse_device_t) -+ getattr_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Set the attributes of the mouse devices. -+## Set the attributes of the monitor devices. - ## - ## - ## -@@ -2837,17 +3380,17 @@ interface(`dev_getattr_mouse_dev',` - ## - ## - # --interface(`dev_setattr_mouse_dev',` -+interface(`dev_setattr_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; -+ type device_t, monitor_device_t; - ') - -- setattr_chr_files_pattern($1, device_t, mouse_device_t) -+ setattr_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Read the mouse devices. -+## Read the monitor devices. - ## - ## - ## -@@ -2855,12 +3398,84 @@ interface(`dev_setattr_mouse_dev',` - ## - ## - # --interface(`dev_read_mouse',` -+interface(`dev_read_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; -+ type device_t, monitor_device_t; - ') - -- read_chr_files_pattern($1, device_t, mouse_device_t) -+ read_chr_files_pattern($1, device_t, monitor_device_t) -+') -+ -+######################################## -+## -+## Read and write to monitor devices. +## +## +## 
@@ -7812,17 +8036,17 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_rw_monitor_dev',` ++interface(`dev_getattr_monitor_dev',` + gen_require(` + type device_t, monitor_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, monitor_device_t) ++ getattr_chr_files_pattern($1, device_t, monitor_device_t) +') + +######################################## +## -+## Get the attributes of the mouse devices. ++## Set the attributes of the monitor devices. +## +## +## @@ -7830,17 +8054,17 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_getattr_mouse_dev',` ++interface(`dev_setattr_monitor_dev',` + gen_require(` -+ type device_t, mouse_device_t; ++ type device_t, monitor_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, mouse_device_t) ++ setattr_chr_files_pattern($1, device_t, monitor_device_t) +') + +######################################## +## -+## Set the attributes of the mouse devices. ++## Read the monitor devices. +## +## +## @@ -7848,17 +8072,17 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_setattr_mouse_dev',` ++interface(`dev_read_monitor_dev',` + gen_require(` -+ type device_t, mouse_device_t; ++ type device_t, monitor_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, mouse_device_t) ++ read_chr_files_pattern($1, device_t, monitor_device_t) +') + +######################################## +## -+## Read the mouse devices. ++## Read and write to monitor devices. +## +## +## 
@@ -7866,16 +8090,20 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_read_mouse',` ++interface(`dev_rw_monitor_dev',` + gen_require(` -+ type device_t, mouse_device_t; ++ type device_t, monitor_device_t; + ') + -+ read_chr_files_pattern($1, device_t, mouse_device_t) - ') - - ######################################## -@@ -2903,20 +3518,20 @@ interface(`dev_getattr_mtrr_dev',` ++ rw_chr_files_pattern($1, device_t, monitor_device_t) ++') ++ ++######################################## ++## + ## Get the attributes of the mouse devices. + ## + ## +@@ -2903,20 +3536,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -7900,7 +8128,7 @@ index 76f285ea6..c28d65c08 100644 ##

## ## -@@ -2925,43 +3540,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3558,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -7956,7 +8184,7 @@ index 76f285ea6..c28d65c08 100644 ## range registers (MTRR). ## ## -@@ -2970,13 +3576,32 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3594,32 @@ interface(`dev_write_mtrr',` ## ## # 
@@ -7992,47 +8220,81 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3144,6 +3769,80 @@ interface(`dev_create_null_dev',` +@@ -3144,44 +3787,43 @@ interface(`dev_create_null_dev',` ######################################## ## +-## Do not audit attempts to get the attributes +-## of the BIOS non-volatile RAM device. +## Get the status of a null device service. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_dontaudit_getattr_nvram_dev',` +interface(`dev_service_status_null_dev',` -+ gen_require(` + gen_require(` +- type nvram_device_t; + type null_device_t; -+ ') -+ + ') + +- dontaudit $1 nvram_device_t:chr_file getattr; + allow $1 null_device_t:service status; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write BIOS non-volatile RAM. +## Configure null_device as a unit files. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed to transition. -+## -+## -+# + ## + ## + # +-interface(`dev_rw_nvram',` +interface(`dev_config_null_dev_service',` -+ gen_require(` + gen_require(` +- type nvram_device_t; + type null_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, nvram_device_t) + allow $1 null_device_t:service manage_service_perms; + ') + + ######################################## + ## +-## Get the attributes of the printer device nodes. ++## Read Non-Volatile Memory Host Controller Interface. 
+ ## + ## + ## +@@ -3189,12 +3831,105 @@ interface(`dev_rw_nvram',` + ## + ## + # +-interface(`dev_getattr_printer_dev',` ++interface(`dev_read_nvme',` + gen_require(` +- type device_t, printer_device_t; ++ type nvme_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, printer_device_t) ++ read_chr_files_pattern($1, device_t, nvme_device_t) ++ read_blk_files_pattern($1, device_t, nvme_device_t) +') + +######################################## +## -+## Read Non-Volatile Memory Host Controller Interface. ++## Read/Write Non-Volatile Memory Host Controller Interface. +## +## +## @@ -8040,43 +8302,36 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_read_nvme',` ++interface(`dev_rw_nvme',` + gen_require(` + type nvme_device_t; + ') + -+ read_chr_files_pattern($1, device_t, nvme_device_t) -+ read_blk_files_pattern($1, device_t, nvme_device_t) ++ rw_chr_files_pattern($1, device_t, nvme_device_t) ++ rw_blk_files_pattern($1, device_t, nvme_device_t) +') + +######################################## +## -+## Read/Write Non-Volatile Memory Host Controller Interface. ++## Do not audit attempts to get the attributes ++## of the BIOS non-volatile RAM device. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`dev_rw_nvme',` ++interface(`dev_dontaudit_getattr_nvram_dev',` + gen_require(` -+ type nvme_device_t; ++ type nvram_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, nvme_device_t) -+ rw_blk_files_pattern($1, device_t, nvme_device_t) ++ dontaudit $1 nvram_device_t:chr_file getattr; +') + +######################################## +## - ## Do not audit attempts to get the attributes - ## of the BIOS non-volatile RAM device. - ## -@@ -3163,6 +3862,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` - - ######################################## - ## +## Read BIOS non-volatile RAM. +## +## 
@@ -8095,10 +8350,42 @@ index 76f285ea6..c28d65c08 100644 + +######################################## +## - ## Read and write BIOS non-volatile RAM. - ## - ## -@@ -3254,7 +3971,25 @@ interface(`dev_rw_printer',` ++## Read and write BIOS non-volatile RAM. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_nvram',` ++ gen_require(` ++ type nvram_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, nvram_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the printer device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_printer_dev',` ++ gen_require(` ++ type device_t, printer_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, printer_device_t) + ') + + ######################################## +@@ -3254,7 +3989,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -8125,7 +8412,7 @@ index 76f285ea6..c28d65c08 100644 ## ## ## -@@ -3262,12 +3997,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +4015,13 @@ interface(`dev_rw_printer',` ## ## # @@ -8142,7 +8429,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3399,7 +4135,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4153,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -8151,7 +8438,7 @@ index 76f285ea6..c28d65c08 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4149,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4167,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -8160,7 +8447,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3633,6 +4369,7 @@ interface(`dev_read_sound',` +@@ -3633,6 +4387,7 @@ interface(`dev_read_sound',` ') read_chr_files_pattern($1, device_t, sound_device_t) 
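Review bot: `dev_read_nvme` and `dev_rw_nvme` call `read_chr_files_pattern($1, device_t, nvme_device_t)` / `rw_chr_files_pattern($1, device_t, nvme_device_t)` (plus the blk variants) but their `gen_require` blocks list only `type nvme_device_t;`, so `device_t` is used without being required; `dev_rw_nvram` in the hunk at 8095 has the same shape with `type nvram_device_t;`. The neighbouring `dev_getattr_printer_dev` requires `type device_t, printer_device_t;`, which is the convention the rest of the file follows, and a module built separately against the policy headers may presumably fail on the undeclared type even though a monolithic build resolves it. Suggest `type device_t, nvme_device_t;` for both nvme interfaces and `type device_t, nvram_device_t;` for `dev_rw_nvram`.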
@@ -8168,7 +8455,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3669,6 +4406,7 @@ interface(`dev_read_sound_mixer',` +@@ -3669,6 +4424,7 @@ interface(`dev_read_sound_mixer',` ') read_chr_files_pattern($1, device_t, sound_device_t) @@ -8176,7 +8463,7 @@ index 76f285ea6..c28d65c08 100644 ') ######################################## -@@ -3855,7 +4593,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4611,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -8185,7 +8472,7 @@ index 76f285ea6..c28d65c08 100644 ## ## ## -@@ -3863,91 +4601,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4619,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -8296,7 +8583,7 @@ index 76f285ea6..c28d65c08 100644 ## ## ## -@@ -3955,60 +4691,215 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4709,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -8362,12 +8649,244 @@ index 76f285ea6..c28d65c08 100644 ') - rw_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- +- list_dirs_pattern($1, sysfs_t, sysfs_t) + dontaudit $1 sysfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Read and write the TPM device. ++## List the contents of the sysfs directories. + ## + ## + ## +@@ -4024,114 +4763,97 @@ interface(`dev_rw_sysfs',` + ## + ## + # +-interface(`dev_rw_tpm',` ++interface(`dev_list_sysfs',` + gen_require(` +- type device_t, tpm_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read from pseudo random number generator devices (e.g., /dev/urandom). ++## Write in a sysfs directories. + ## +-## +-##

+-## Allow the specified domain to read from pseudo random number +-## generator devices (e.g., /dev/urandom). Typically this is +-## used in situations when a cryptographically secure random +-## number is not necessarily needed. One example is the Stack +-## Smashing Protector (SSP, formerly known as ProPolice) support +-## that may be compiled into programs. +-##

+-##

+-## Related interface: +-##

+-## +-##

+-## Related tunable: +-##

+-## +-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`dev_read_urand',` ++# cjp: added for cpuspeed ++interface(`dev_write_sysfs_dirs',` + gen_require(` +- type device_t, urandom_device_t; ++ type sysfs_t; + ') + +- read_chr_files_pattern($1, device_t, urandom_device_t) ++ allow $1 sysfs_t:dir write; + ') + + ######################################## + ## +-## Do not audit attempts to read from pseudo +-## random devices (e.g., /dev/urandom) ++## Access check for a sysfs directories. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_read_urand',` ++interface(`dev_access_check_sysfs',` + gen_require(` +- type urandom_device_t; ++ type sysfs_t; + ') + +- dontaudit $1 urandom_device_t:chr_file { getattr read }; ++ allow $1 sysfs_t:dir audit_access; + ') + + ######################################## + ## +-## Write to the pseudo random device (e.g., /dev/urandom). This +-## sets the random number generator seed. ++## Do not audit attempts to write in a sysfs directory. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_urand',` ++interface(`dev_dontaudit_write_sysfs_dirs',` + gen_require(` +- type device_t, urandom_device_t; ++ type sysfs_t; + ') + +- write_chr_files_pattern($1, device_t, urandom_device_t) ++ dontaudit $1 sysfs_t:dir write; + ') + + ######################################## + ## +-## Getattr generic the USB devices. ++## Read cpu online hardware state information. + ## ++## ++##

++## Allow the specified domain to read /sys/devices/system/cpu/online file. ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`dev_getattr_generic_usb_dev',` ++interface(`dev_read_cpu_online',` + gen_require(` +- type usb_device_t; ++ type cpu_online_t; + ') + +- getattr_chr_files_pattern($1, device_t, usb_device_t) ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) + ') + + ######################################## + ## +-## Setattr generic the USB devices. ++## Relabel cpu online hardware state information. + ## + ## + ## +@@ -4139,35 +4861,50 @@ interface(`dev_getattr_generic_usb_dev',` + ## + ## + # +-interface(`dev_setattr_generic_usb_dev',` ++interface(`dev_relabel_cpu_online',` + gen_require(` +- type usb_device_t; ++ type cpu_online_t; ++ type sysfs_t; + ') + +- setattr_chr_files_pattern($1, device_t, usb_device_t) ++ dev_search_sysfs($1) ++ allow $1 cpu_online_t:file relabel_file_perms; + ') + ++ + ######################################## + ## +-## Read generic the USB devices. ++## Read hardware state information. + ## ++## ++##

++## Allow the specified domain to read the contents of ++## the sysfs filesystem. This filesystem contains ++## information, parameters, and other settings on the ++## hardware installed on the system. ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`dev_read_generic_usb_dev',` ++interface(`dev_read_sysfs',` + gen_require(` +- type usb_device_t; ++ type sysfs_t; + ') + +- read_chr_files_pattern($1, device_t, usb_device_t) ++ read_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) + ') + + ######################################## + ## +-## Read and write generic the USB devices. ++## Allow caller to modify hardware state information. + ## + ## + ## +@@ -4175,12 +4912,278 @@ interface(`dev_read_generic_usb_dev',` + ## + ## + # +-interface(`dev_rw_generic_usb_dev',` ++interface(`dev_rw_sysfs',` + gen_require(` +- type device_t, usb_device_t; ++ type sysfs_t; + ') + +- rw_chr_files_pattern($1, device_t, usb_device_t) ++ rw_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## List the contents of the sysfs directories. ++## Relabel hardware state directories. +## +## +## @@ -8375,18 +8894,17 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_list_sysfs',` ++interface(`dev_relabel_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ list_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Write in a sysfs directories. ++## Relabel hardware state files +## +## +## 
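Review bot: dev_relabel_cpu_online in this hunk requires `type sysfs_t;` but nothing in its body references sysfs_t — the directory search is delegated to dev_search_sysfs($1), which carries its own require — so the line is dead and should be dropped, leaving `type cpu_online_t;` alone. In the same hunk, `# cjp: added for cpuspeed` above dev_write_sysfs_dirs is a personal note rather than interface documentation; fold the reason into the summary (`## Write in sysfs directories (needed by cpuspeed).`) or remove it. Both interfaces are moved rather than introduced by this commit, as the matching `-+` lines further down show, but the new side is what gets built.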
@@ -8394,18 +8912,19 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+# cjp: added for cpuspeed -+interface(`dev_write_sysfs_dirs',` ++interface(`dev_relabel_all_sysfs',` + gen_require(` + type sysfs_t; + ') + -+ allow $1 sysfs_t:dir write; ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Access check for a sysfs directories. ++## Allow caller to modify hardware state information. +## +## +## @@ -8413,59 +8932,115 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_access_check_sysfs',` ++interface(`dev_manage_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + -+ allow $1 sysfs_t:dir audit_access; ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Do not audit attempts to write in a sysfs directory. ++## Allow caller to modify hardware state information. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_write_sysfs_dirs',` ++interface(`dev_manage_sysfs',` + gen_require(` + type sysfs_t; + ') + -+ dontaudit $1 sysfs_t:dir write; ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ manage_files_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## -+## Read cpu online hardware state information. ++## Read and write the TPM device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_tpm',` ++ gen_require(` ++ type device_t, tpm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, tpm_device_t) ++') ++ ++######################################## ++## ++## Read from pseudo random number generator devices (e.g., /dev/urandom). +## +## +##

-+## Allow the specified domain to read /sys/devices/system/cpu/online file. ++## Allow the specified domain to read from pseudo random number ++## generator devices (e.g., /dev/urandom). Typically this is ++## used in situations when a cryptographically secure random ++## number is not necessarily needed. One example is the Stack ++## Smashing Protector (SSP, formerly known as ProPolice) support ++## that may be compiled into programs. ++##

++##

++## Related interface: ++##

++##
    ++##
  • dev_read_rand()
  • ++##
++##

++## Related tunable: +##

++##
    ++##
  • global_ssp
  • ++##
+##
+## +## +## Domain allowed access. +## +## ++## +# -+interface(`dev_read_cpu_online',` ++interface(`dev_read_urand',` + gen_require(` -+ type cpu_online_t; ++ type device_t, urandom_device_t; + ') + -+ dev_search_sysfs($1) -+ read_files_pattern($1, cpu_online_t, cpu_online_t) ++ read_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## +## -+## Relabel cpu online hardware state information. ++## Do not audit attempts to read from pseudo ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file { getattr read }; ++') ++ ++######################################## ++## ++## Write to the pseudo random device (e.g., /dev/urandom). This ++## sets the random number generator seed. +## +## +## @@ -8473,50 +9048,72 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_relabel_cpu_online',` ++interface(`dev_write_urand',` + gen_require(` -+ type cpu_online_t; -+ type sysfs_t; ++ type device_t, urandom_device_t; + ') + -+ dev_search_sysfs($1) -+ allow $1 cpu_online_t:file relabel_file_perms; ++ write_chr_files_pattern($1, device_t, urandom_device_t) +') + ++######################################## ++## ++## Do not audit attempts to write to pseudo ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_write_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file write; ++') + +######################################## +## -+## Read hardware state information. ++## Getattr generic the USB devices. +## -+## -+##
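Review bot: dev_manage_sysfs_dirs and dev_manage_sysfs in this hunk reuse dev_rw_sysfs's summary `## Allow caller to modify hardware state information.` verbatim, so the generated interface documentation cannot tell the three apart even though they grant different permission sets on sysfs_t (rw_files_pattern versus manage_dirs_pattern versus manage_dirs_pattern plus manage_files_pattern). Give each its own summary, e.g. `## Create, read, write, and delete hardware state directories.` for dev_manage_sysfs_dirs and `## Create, read, write, and delete hardware state directories and files.` for dev_manage_sysfs. The summary line for dev_manage_sysfs_dirs itself sits at the tail of the preceding hunk (`@@ -8394,18 +8912,19 @@`), and dev_rw_sysfs is in hunk `@@ -8362,12 +8649,244 @@`.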

-+## Allow the specified domain to read the contents of -+## the sysfs filesystem. This filesystem contains -+## information, parameters, and other settings on the -+## hardware installed on the system. -+##

-+##
+## +## +## Domain allowed access. +## +## -+## +# -+interface(`dev_read_sysfs',` ++interface(`dev_getattr_generic_usb_dev',` + gen_require(` -+ type sysfs_t; ++ type usb_device_t,device_t; + ') + -+ read_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ getattr_chr_files_pattern($1, device_t, usb_device_t) ++') + -+ list_dirs_pattern($1, sysfs_t, sysfs_t) ++######################################## ++## ++## Setattr generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## -+## Allow caller to modify hardware state information. ++## Read generic the USB devices. +## +## +## 
@@ -8524,20 +9121,65 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_rw_sysfs',` ++interface(`dev_read_generic_usb_dev',` + gen_require(` -+ type sysfs_t; ++ type usb_device_t; + ') + -+ rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) - - list_dirs_pattern($1, sysfs_t, sysfs_t) -@@ -4016,6 +4907,81 @@ interface(`dev_rw_sysfs',` ++ read_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## ++## Read and write generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_generic_usb_dev',` ++ gen_require(` ++ type device_t, usb_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, usb_device_t) + ') ######################################## - ## -+## Relabel hardware state directories. +@@ -4249,33 +5252,462 @@ interface(`dev_write_usbmon_dev',` + # + interface(`dev_mount_usbfs',` + gen_require(` +- type usbfs_t; ++ type usbfs_t; ++ ') ++ ++ allow $1 usbfs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Associate a file to a usbfs filesystem. ++## ++## ++## ++## The type of the file to be associated to usbfs. ++## ++## ++# ++interface(`dev_associate_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ allow $1 usbfs_t:filesystem associate; ++') ++ ++######################################## ++## ++## Get the attributes of a directory in the usb filesystem. +## +## +## 
@@ -8545,17 +9187,36 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_relabel_sysfs_dirs',` ++interface(`dev_getattr_usbfs_dirs',` + gen_require(` -+ type sysfs_t; ++ type usbfs_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ allow $1 usbfs_t:dir getattr_dir_perms; +') + +######################################## +## -+## Relabel hardware state files ++## Do not audit attempts to get the attributes ++## of a directory in the usb filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_usbfs_dirs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ dontaudit $1 usbfs_t:dir getattr_dir_perms; ++') ++ ++######################################## ++## ++## Search the directory containing USB hardware information. +## +## +## @@ -8563,19 +9224,17 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_relabel_all_sysfs',` ++interface(`dev_search_usbfs',` + gen_require(` -+ type sysfs_t; ++ type usbfs_t; + ') + -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) -+ relabel_files_pattern($1, sysfs_t, sysfs_t) -+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ search_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## -+## Allow caller to modify hardware state information. ++## Allow caller to get a list of usb hardware. +## +## +## @@ -8583,17 +9242,20 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_manage_sysfs_dirs',` ++interface(`dev_list_usbfs',` + gen_require(` -+ type sysfs_t; ++ type usbfs_t; + ') + -+ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ getattr_files_pattern($1, usbfs_t, usbfs_t) ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## -+## Allow caller to modify hardware state information. ++## Set the attributes of usbfs filesystem. +## +## +## 
@@ -8601,110 +9263,205 @@ index 76f285ea6..c28d65c08 100644 +## +## +# -+interface(`dev_manage_sysfs',` ++interface(`dev_setattr_usbfs_files',` + gen_require(` -+ type sysfs_t; ++ type usbfs_t; + ') + -+ manage_dirs_pattern($1, sysfs_t, sysfs_t) -+ manage_files_pattern($1, sysfs_t, sysfs_t) ++ setattr_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## - ## Read and write the TPM device. - ## - ## -@@ -4113,6 +5079,25 @@ interface(`dev_write_urand',` - - ######################################## - ## -+## Do not audit attempts to write to pseudo -+## random devices (e.g., /dev/urandom) ++## Read USB hardware information using ++## the usbfs filesystem interface. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_write_urand',` ++interface(`dev_read_usbfs',` + gen_require(` -+ type urandom_device_t; ++ type usbfs_t; + ') + -+ dontaudit $1 urandom_device_t:chr_file write; ++ read_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## - ## Getattr generic the USB devices. - ## - ## -@@ -4123,7 +5108,7 @@ interface(`dev_write_urand',` - # - interface(`dev_getattr_generic_usb_dev',` - gen_require(` -- type usb_device_t; -+ type usb_device_t,device_t; - ') - - getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5394,9 @@ interface(`dev_rw_usbfs',` - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - ') - --######################################## ++## Allow caller to modify usb hardware configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_usbfs',` ++ gen_require(` ++ type usbfs_t; ++ ') ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ rw_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++') ++ +###################################### - ## --## Get the attributes of video4linux devices. ++## +## Read and write userio device. - ## - ## - ## -@@ -4419,17 +5404,17 @@ interface(`dev_rw_usbfs',` - ## - ## - # --interface(`dev_getattr_video_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_rw_userio_dev',` - gen_require(` -- type device_t, v4l_device_t; ++ gen_require(` + type device_t, userio_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ ') ++ + rw_chr_files_pattern($1, device_t, userio_device_t) - ') - --###################################### ++') ++ +######################################## - ## --## Read and write userio device. ++## +## Get the attributes of video4linux devices. - ## - ## - ## -@@ -4437,12 +5422,12 @@ interface(`dev_getattr_video_dev',` - ## - ## - # --interface(`dev_rw_userio_dev',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_getattr_video_dev',` - gen_require(` -- type device_t, userio_device_t; ++ gen_require(` + type device_t, v4l_device_t; - ') - -- rw_chr_files_pattern($1, device_t, userio_device_t) ++ ') ++ + getattr_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## -@@ -4539,6 +5524,134 @@ interface(`dev_write_video_dev',` - - ######################################## - ## ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of video4linux device nodes. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`dev_dontaudit_getattr_video_dev',` ++ gen_require(` ++ type v4l_device_t; ++ ') ++ ++ dontaudit $1 v4l_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of video4linux device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of video4linux device nodes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_setattr_video_dev',` ++ gen_require(` ++ type v4l_device_t; ++ ') ++ ++ dontaudit $1 v4l_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read the video4linux devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Mmap the video4linux devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_map_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ allow $1 v4l_device_t:chr_file map; ++ ++') ++ ++######################################## ++## ++## Write the video4linux devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_video_dev',` ++ gen_require(` ++ type device_t, v4l_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## +## Get the attributes of vfio devices. +## +## 
@@ -8826,313 +9583,735 @@ index 76f285ea6..c28d65c08 100644 +interface(`dev_rw_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; -+ ') -+ + ') + +- allow $1 usbfs_t:filesystem mount; + rw_chr_files_pattern($1, device_t, vfio_device_t) -+') + ') + + ######################################## + ## +-## Associate a file to a usbfs filesystem. ++## Allow read/write the vhost net device + ## +-## ++## + ## +-## The type of the file to be associated to usbfs. ++## Domain allowed access. + ## + ## + # +-interface(`dev_associate_usbfs',` ++interface(`dev_rw_vhost',` + gen_require(` +- type usbfs_t; ++ type device_t, vhost_device_t; + ') + +- allow $1 usbfs_t:filesystem associate; ++ rw_chr_files_pattern($1, device_t, vhost_device_t) + ') + + ######################################## + ## +-## Get the attributes of a directory in the usb filesystem. ++## Allow read/write inheretid the vhost net device + ## + ## + ## +@@ -4283,36 +5715,35 @@ interface(`dev_associate_usbfs',` + ## + ## + # +-interface(`dev_getattr_usbfs_dirs',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` +- type usbfs_t; ++ type device_t, vhost_device_t; + ') + +- allow $1 usbfs_t:dir getattr_dir_perms; ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of a directory in the usb filesystem. ++## Read and write VMWare devices. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_getattr_usbfs_dirs',` ++interface(`dev_rw_vmware',` + gen_require(` +- type usbfs_t; ++ type device_t, vmware_device_t; + ') + +- dontaudit $1 usbfs_t:dir getattr_dir_perms; ++ rw_chr_files_pattern($1, device_t, vmware_device_t) + ') + + ######################################## + ## +-## Search the directory containing USB hardware information. ++## Read, write, and mmap VMWare devices. 
+ ## + ## + ## +@@ -4320,17 +5751,18 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',` + ## + ## + # +-interface(`dev_search_usbfs',` ++interface(`dev_rwx_vmware',` + gen_require(` +- type usbfs_t; ++ type device_t, vmware_device_t; + ') + +- search_dirs_pattern($1, usbfs_t, usbfs_t) ++ dev_rw_vmware($1) ++ allow $1 vmware_device_t:chr_file { map execute }; + ') + + ######################################## + ## +-## Allow caller to get a list of usb hardware. ++## Read from watchdog devices. + ## + ## + ## +@@ -4338,20 +5770,17 @@ interface(`dev_search_usbfs',` + ## + ## + # +-interface(`dev_list_usbfs',` ++interface(`dev_read_watchdog',` + gen_require(` +- type usbfs_t; ++ type device_t, watchdog_device_t; + ') + +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- getattr_files_pattern($1, usbfs_t, usbfs_t) +- +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ read_chr_files_pattern($1, device_t, watchdog_device_t) + ') + + ######################################## + ## +-## Set the attributes of usbfs filesystem. ++## Write to watchdog devices. + ## + ## + ## +@@ -4359,19 +5788,17 @@ interface(`dev_list_usbfs',` + ## + ## + # +-interface(`dev_setattr_usbfs_files',` ++interface(`dev_write_watchdog',` + gen_require(` +- type usbfs_t; ++ type device_t, watchdog_device_t; + ') + +- setattr_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ write_chr_files_pattern($1, device_t, watchdog_device_t) + ') + + ######################################## + ## +-## Read USB hardware information using +-## the usbfs filesystem interface. ++## RW to watchdog devices. 
+ ## + ## + ## +@@ -4379,19 +5806,17 @@ interface(`dev_setattr_usbfs_files',` + ## + ## + # +-interface(`dev_read_usbfs',` ++interface(`dev_rw_watchdog',` + gen_require(` +- type usbfs_t; ++ type device_t, watchdog_device_t; + ') + +- read_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ rw_chr_files_pattern($1, device_t, watchdog_device_t) + ') + + ######################################## + ## +-## Allow caller to modify usb hardware configuration files. ++## Read and write the the wireless device. + ## + ## + ## +@@ -4399,19 +5824,17 @@ interface(`dev_read_usbfs',` + ## + ## + # +-interface(`dev_rw_usbfs',` ++interface(`dev_rw_wireless',` + gen_require(` +- type usbfs_t; ++ type device_t, wireless_device_t; + ') + +- list_dirs_pattern($1, usbfs_t, usbfs_t) +- rw_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ rw_chr_files_pattern($1, device_t, wireless_device_t) + ') + + ######################################## + ## +-## Get the attributes of video4linux devices. ++## Read and write Xen devices. + ## + ## + ## +@@ -4419,17 +5842,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_xen',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, xen_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, xen_device_t) + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Create, read, write, and delete Xen devices. 
+ ## + ## + ## +@@ -4437,36 +5860,41 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_manage_xen',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, xen_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ manage_chr_files_pattern($1, device_t, xen_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of video4linux device nodes. ++## Automatic type transition to the type ++## for xen device nodes when created in /dev. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. ++## ++## ++## ++## ++## The name of the object being created. + ## + ## + # +-interface(`dev_dontaudit_getattr_video_dev',` ++interface(`dev_filetrans_xen',` + gen_require(` +- type v4l_device_t; ++ type device_t, xen_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file getattr; ++ filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) + ') + + ######################################## + ## +-## Set the attributes of video4linux device nodes. ++## Get the attributes of X server miscellaneous devices. + ## + ## + ## +@@ -4474,36 +5902,35 @@ interface(`dev_dontaudit_getattr_video_dev',` + ## + ## + # +-interface(`dev_setattr_video_dev',` ++interface(`dev_getattr_xserver_misc_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, xserver_misc_device_t; + ') + +- setattr_chr_files_pattern($1, device_t, v4l_device_t) ++ getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to set the attributes +-## of video4linux device nodes. ++## Set the attributes of X server miscellaneous devices. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`dev_dontaudit_setattr_video_dev',` ++interface(`dev_setattr_xserver_misc_dev',` + gen_require(` +- type v4l_device_t; ++ type device_t, xserver_misc_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file setattr; ++ setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + ') + + ######################################## + ## +-## Read the video4linux devices. ++## Read and write X server miscellaneous devices. + ## + ## + ## +@@ -4511,35 +5938,35 @@ interface(`dev_dontaudit_setattr_video_dev',` + ## + ## + # +-interface(`dev_read_video_dev',` ++interface(`dev_rw_xserver_misc',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, xserver_misc_device_t; + ') + +- read_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + ') + + ######################################## + ## +-## Write the video4linux devices. ++## Dontaudit attempts to Read and write X server miscellaneous devices. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_write_video_dev',` ++interface(`dev_dontaudit_leaked_xserver_misc',` + gen_require(` +- type device_t, v4l_device_t; ++ type xserver_misc_device_t; + ') + +- write_chr_files_pattern($1, device_t, v4l_device_t) ++ dontaudit $1 xserver_misc_device_t:chr_file { read write }; + ') + + ######################################## + ## +-## Allow read/write the vhost net device ++## Read and write X server miscellaneous devices. 
+ ## + ## + ## +@@ -4547,17 +5974,19 @@ interface(`dev_write_video_dev',` + ## + ## + # +-interface(`dev_rw_vhost',` ++interface(`dev_manage_xserver_misc',` + gen_require(` +- type device_t, vhost_device_t; ++ type device_t, xserver_misc_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vhost_device_t) ++ manage_chr_files_pattern($1, device_t, xserver_misc_device_t) + -+######################################## -+## - ## Allow read/write the vhost net device ++ dev_filetrans_xserver_named_dev($1) + ') + + ######################################## + ## +-## Read and write VMWare devices. ++## Read and write to the zero device (/dev/zero). ## ## -@@ -4557,6 +5670,24 @@ interface(`dev_rw_vhost',` + ## +@@ -4565,17 +5994,17 @@ interface(`dev_rw_vhost',` + ## + ## + # +-interface(`dev_rw_vmware',` ++interface(`dev_rw_zero',` + gen_require(` +- type device_t, vmware_device_t; ++ type device_t, zero_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vmware_device_t) ++ rw_chr_files_pattern($1, device_t, zero_device_t) + ') ######################################## ## -+## Allow read/write inheretid the vhost net device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_inherited_vhost',` -+ gen_require(` -+ type device_t, vhost_device_t; -+ ') -+ -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## - ## Read and write VMWare devices. +-## Read, write, and mmap VMWare devices. ++## Read, write, and execute the zero device (/dev/zero). 
## ## -@@ -4589,7 +5720,7 @@ interface(`dev_rwx_vmware',` + ## +@@ -4583,18 +6012,18 @@ interface(`dev_rw_vmware',` + ## + ## + # +-interface(`dev_rwx_vmware',` ++interface(`dev_rwx_zero',` + gen_require(` +- type device_t, vmware_device_t; ++ type zero_device_t; ') - dev_rw_vmware($1) +- dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file execute; -+ allow $1 vmware_device_t:chr_file { map execute }; ++ dev_rw_zero($1) ++ allow $1 zero_device_t:chr_file { map execute }; ') ######################################## -@@ -4630,6 +5761,24 @@ interface(`dev_write_watchdog',` - - ######################################## ## -+## RW to watchdog devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_watchdog',` -+ gen_require(` -+ type device_t, watchdog_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, watchdog_device_t) -+') -+ -+######################################## -+## - ## Read and write the the wireless device. +-## Read from watchdog devices. ++## Execmod the zero device (/dev/zero). ## ## -@@ -4762,6 +5911,44 @@ interface(`dev_rw_xserver_misc',` + ## +@@ -4602,17 +6031,18 @@ interface(`dev_rwx_vmware',` + ## + ## + # +-interface(`dev_read_watchdog',` ++interface(`dev_execmod_zero',` + gen_require(` +- type device_t, watchdog_device_t; ++ type zero_device_t; + ') + +- read_chr_files_pattern($1, device_t, watchdog_device_t) ++ dev_rw_zero($1) ++ allow $1 zero_device_t:chr_file execmod; + ') ######################################## ## -+## Dontaudit attempts to Read and write X server miscellaneous devices. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_leaked_xserver_misc',` -+ gen_require(` -+ type xserver_misc_device_t; -+ ') -+ -+ dontaudit $1 xserver_misc_device_t:chr_file { read write }; -+') -+ -+######################################## -+## -+## Read and write X server miscellaneous devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_manage_xserver_misc',` -+ gen_require(` -+ type device_t, xserver_misc_device_t; -+ ') -+ -+ manage_chr_files_pattern($1, device_t, xserver_misc_device_t) -+ -+ dev_filetrans_xserver_named_dev($1) -+') -+ -+######################################## -+## - ## Read and write to the zero device (/dev/zero). +-## Write to watchdog devices. ++## Create the zero device (/dev/zero). ## ## -@@ -4794,7 +5981,7 @@ interface(`dev_rwx_zero',` + ## +@@ -4620,17 +6050,17 @@ interface(`dev_read_watchdog',` + ## + ## + # +-interface(`dev_write_watchdog',` ++interface(`dev_create_zero_dev',` + gen_require(` +- type device_t, watchdog_device_t; ++ type device_t, zero_device_t; ') - dev_rw_zero($1) -- allow $1 zero_device_t:chr_file execute; -+ allow $1 zero_device_t:chr_file { map execute }; +- write_chr_files_pattern($1, device_t, watchdog_device_t) ++ create_chr_files_pattern($1, device_t, zero_device_t) ') ######################################## -@@ -4851,3 +6038,1064 @@ interface(`dev_unconfined',` + ## +-## Read and write the the wireless device. ++## Unconfined access to devices. + ## + ## + ## +@@ -4638,35 +6068,36 @@ interface(`dev_write_watchdog',` + ## + ## + # +-interface(`dev_rw_wireless',` ++interface(`dev_unconfined',` + gen_require(` +- type device_t, wireless_device_t; ++ attribute devices_unconfined_type; + ') - typeattribute $1 devices_unconfined_type; +- rw_chr_files_pattern($1, device_t, wireless_device_t) ++ typeattribute $1 devices_unconfined_type; ') -+ -+######################################## -+## + + ######################################## + ## +-## Read and write Xen devices. +## Dontaudit getattr on all device nodes. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`dev_rw_xen',` +interface(`dev_dontaudit_getattr_all',` -+ gen_require(` + gen_require(` +- type device_t, xen_device_t; + attribute device_node; + type device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, xen_device_t) + dontaudit $1 { device_t device_node }:dir_file_class_set getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete Xen devices. +## Get the attributes of the mei devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4674,41 +6105,35 @@ interface(`dev_rw_xen',` + ## + ## + # +-interface(`dev_manage_xen',` +interface(`dev_getattr_mei',` -+ gen_require(` + gen_require(` +- type device_t, xen_device_t; + type device_t, mei_device_t; -+ ') -+ + ') + +- manage_chr_files_pattern($1, device_t, xen_device_t) + getattr_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Automatic type transition to the type +-## for xen device nodes when created in /dev. +## Read the mei devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`dev_filetrans_xen',` +interface(`dev_read_mei',` -+ gen_require(` + gen_require(` +- type device_t, xen_device_t; + type device_t, mei_device_t; -+ ') -+ + ') + +- filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) + read_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of X server miscellaneous devices. +## Read and write to mei devices. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -4716,17 +6141,17 @@ interface(`dev_filetrans_xen',` + ## + ## + # +-interface(`dev_getattr_xserver_misc_dev',` +interface(`dev_rw_mei',` -+ gen_require(` + gen_require(` +- type device_t, xserver_misc_device_t; + type device_t, mei_device_t; -+ ') -+ + ') + +- getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, mei_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Set the attributes of X server miscellaneous devices. +## Read and write uhid devices. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4734,17 +6159,18 @@ interface(`dev_getattr_xserver_misc_dev',` + ## + ## + # +-interface(`dev_setattr_xserver_misc_dev',` +interface(`dev_rw_uhid_dev',` -+ gen_require(` + gen_require(` +- type device_t, xserver_misc_device_t; + type device_t, uhid_device_t; -+ ') -+ + ') + +- setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, uhid_device_t) -+') -+ + ') + + -+######################################## -+## + ######################################## + ## +-## Read and write X server miscellaneous devices. +## Allow read/write the hypervkvp device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4752,17 +6178,17 @@ interface(`dev_setattr_xserver_misc_dev',` + ## + ## + # +-interface(`dev_rw_xserver_misc',` +interface(`dev_rw_hypervkvp',` -+ gen_require(` + gen_require(` +- type device_t, xserver_misc_device_t; + type device_t, hypervkvp_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, xserver_misc_device_t) + rw_chr_files_pattern($1, device_t, hypervkvp_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write to the zero device (/dev/zero). 
+## Allow read/write the hypervkvp device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4770,17 +6196,17 @@ interface(`dev_rw_xserver_misc',` + ## + ## + # +-interface(`dev_rw_zero',` +interface(`dev_read_gpfs',` -+ gen_require(` + gen_require(` +- type device_t, zero_device_t; + type device_t, gpfs_device_t; -+ ') -+ + ') + +- rw_chr_files_pattern($1, device_t, zero_device_t) + read_chr_files_pattern($1, device_t, gpfs_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read, write, and execute the zero device (/dev/zero). +## Allow read/write the gpiochip device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4788,18 +6214,17 @@ interface(`dev_rw_zero',` + ## + ## + # +-interface(`dev_rwx_zero',` +interface(`dev_read_gpio',` -+ gen_require(` + gen_require(` +- type zero_device_t; + type device_t, gpio_device_t; -+ ') -+ + ') + +- dev_rw_zero($1) +- allow $1 zero_device_t:chr_file execute; + read_chr_files_pattern($1, device_t, gpio_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execmod the zero device (/dev/zero). +## Allow read/write the hypervvssd device -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4807,47 +6232,911 @@ interface(`dev_rwx_zero',` + ## + ## + # +-interface(`dev_execmod_zero',` +interface(`dev_rw_hypervvssd',` -+ gen_require(` + gen_require(` +- type zero_device_t; + type device_t, hypervvssd_device_t; -+ ') -+ + ') + +- dev_rw_zero($1) +- allow $1 zero_device_t:chr_file execmod; + rw_chr_files_pattern($1, device_t, hypervvssd_device_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create the zero device (/dev/zero). +## Create all named devices with the correct label -+## -+## -+## + ## + ## + ## +-## Domain allowed access. 
+## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_create_zero_dev',` +interface(`dev_filetrans_printer_named_dev',` + -+ gen_require(` + gen_require(` +- type device_t, zero_device_t; +- ') + type printer_device_t; -+ + +- create_chr_files_pattern($1, device_t, zero_device_t) + ') + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1") @@ -9174,18 +10353,26 @@ index 76f285ea6..c28d65c08 100644 + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8") + filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to devices. +## Create all named devices with the correct label -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_unconfined',` +- gen_require(` +- attribute devices_unconfined_type; +- ') +- +- typeattribute $1 devices_unconfined_type; +interface(`dev_filetrans_all_named_dev',` + +gen_require(` @@ -9201,6 +10388,8 @@ index 76f285ea6..c28d65c08 100644 + type dlm_control_device_t; + type clock_device_t; + type v4l_device_t; ++ type vsock_device_t; ++ type vmci_device_t; + type vfio_device_t; + type event_device_t; + type xen_device_t; 
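Review bot: The new `vsock_device_t` and `vmci_device_t` types are declared with `dev_node()` in devices.te (`@@ -10196,7 +11387,14 @@`) and wired only into the `gen_require` here and the two named transitions at `@@ -9368,6 +10557,8 @@`; no devices.fc entry and no access interface (a `dev_rw_vsock`-style interface) for either type appears anywhere in this diff. If devices.fc is not updated elsewhere in the patch, the nodes get their label only when created by a domain that calls `dev_filetrans_all_named_dev`, and a `restorecon` of `/dev` would presumably fall back to the generic `/dev` label, so the named transitions alone do not give a stable label. The devices.te block also lacks the per-type comment its neighbours carry, e.g. `# vsock_device_t is the type for /dev/vsock` and `# vmci_device_t is the type for /dev/vmci`. `dev_filetrans_all_named_dev` starts before this hunk and ends after it.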
@@ -9368,6 +10557,8 @@ index 76f285ea6..c28d65c08 100644 + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008") + filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009") ++ filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock") ++ filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event0") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event1") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event2") @@ -10013,9 +11204,9 @@ index 76f285ea6..c28d65c08 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") -+') + ') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a8715a..5c45b9323 100644 +index 0b1a8715a..849b00191 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -10180,7 +11371,7 @@ index 0b1a8715a..5c45b9323 100644 # # Type for /dev/tpm # -@@ -266,6 +330,15 @@ dev_node(usbmon_device_t) +@@ -266,14 +330,30 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) @@ -10196,7 +11387,14 @@ index 0b1a8715a..5c45b9323 100644 type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +347,7 @@ dev_node(v4l_device_t) ++type vsock_device_t; ++dev_node(vsock_device_t) ++ ++type vmci_device_t; ++dev_node(vmci_device_t) ++ + # + # vhost_device_t is the type for /dev/vhost-net # type vhost_device_t; dev_node(vhost_device_t) 
@@ -10204,7 +11402,7 @@ index 0b1a8715a..5c45b9323 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +393,8 @@ files_associate_tmp(device_node) +@@ -319,5 +399,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -11402,7 +12600,7 @@ index b876c48ad..2e591a538 100644 + +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76ad..de87579ff 100644 +index f962f76ad..f2b8e4558 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -13353,7 +14551,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -3921,6 +4817,26 @@ interface(`files_read_mnt_symlinks',` +@@ -3921,6 +4817,45 @@ interface(`files_read_mnt_symlinks',` read_lnk_files_pattern($1, mnt_t, mnt_t) ') @@ -13377,10 +14575,29 @@ index f962f76ad..de87579ff 100644 + allow $1 modules_object_t:system module_load; +') + ++######################################## ++## ++## Mmap kernel module files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_map_kernel_modules',` ++ gen_require(` ++ type modules_object_t; ++ ') ++ ++ allow $1 modules_object_t:file map; ++ ++') ++ ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -4012,6 +4928,7 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4947,7 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) 
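Review bot: `files_map_kernel_modules` grants only `modules_object_t:file map`; the kernel checks `map` in addition to `read`/`execute` on an mmap, so a caller still needs `files_read_kernel_modules` to actually map a module, and the summary should say so, e.g. `## Mmap kernel module files. map is checked in addition to read, so callers also need files_read_kernel_modules().` The body also carries a stray blank line before `')` that the surrounding interfaces do not have. The inner `files_read_kernel_modules` hunk (`+@@ -4012,6 +4947,7 @@`) adds one line that is not visible in this chunk, so I cannot tell whether `map` is also being folded into that interface.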
@@ -13388,7 +14605,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -4217,78 +5134,289 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,48 +5153,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13460,26 +14677,18 @@ index f962f76ad..de87579ff 100644 -## Do not audit attempts to get the -## attributes of the tmp directory (/tmp). +## File name transition for system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_getattr_tmp_dirs',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t, usr_t; + ') - -- dontaudit $1 tmp_t:dir getattr; ++ + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") @@ -13500,24 +14709,18 @@ index f962f76ad..de87579ff 100644 + filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d") + filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d") + filetrans_pattern($1, usr_t, system_conf_t, dir, "repo") - ') - --######################################## ++') ++ +###################################### - ## --## Search the tmp directory (/tmp). ++## +## Relabel manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_search_tmp',` ++## ++# +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; 
@@ -13644,13 +14847,13 @@ index f962f76ad..de87579ff 100644 +######################################## +## +## Get the attributes of the tmp directory (/tmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4266,6 +5372,45 @@ interface(`files_getattr_tmp_dirs',` + ## + ## + # +interface(`files_getattr_tmp_dirs',` + gen_require(` + type tmp_t; @@ -13690,27 +14893,11 @@ index f962f76ad..de87579ff 100644 +## +## +# -+interface(`files_dontaudit_getattr_tmp_dirs',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ dontaudit $1 tmp_t:dir getattr; -+') -+ -+######################################## -+## -+## Search the tmp directory (/tmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_tmp',` + interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; +@@ -4289,6 +5434,8 @@ interface(`files_search_tmp',` + type tmp_t; ') + fs_search_tmpfs($1) @@ -13718,7 +14905,7 @@ index f962f76ad..de87579ff 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4325,6 +5453,7 @@ interface(`files_list_tmp',` +@@ -4325,6 +5472,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -13726,7 +14913,7 @@ index f962f76ad..de87579ff 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4334,7 +5463,7 @@ interface(`files_list_tmp',` +@@ -4334,7 +5482,7 @@ interface(`files_list_tmp',` ## ## ## @@ -13735,7 +14922,7 @@ index f962f76ad..de87579ff 100644 ## ## # -@@ -4346,6 +5475,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4346,6 +5494,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13761,7 +14948,7 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4361,6 +5509,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4361,6 +5528,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') 
@@ -13769,7 +14956,7 @@ index f962f76ad..de87579ff 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4402,6 +5551,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4402,6 +5570,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -13802,7 +14989,7 @@ index f962f76ad..de87579ff 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4456,6 +5631,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4456,6 +5650,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -13845,7 +15032,7 @@ index f962f76ad..de87579ff 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4474,6 +5685,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4474,6 +5704,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -13906,7 +15093,7 @@ index f962f76ad..de87579ff 100644 ## List all tmp directories. ## ## -@@ -4519,7 +5784,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4519,7 +5803,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -13915,7 +15102,7 @@ index f962f76ad..de87579ff 100644 ## ## # -@@ -4579,7 +5844,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4579,7 +5863,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -13924,7 +15111,7 @@ index f962f76ad..de87579ff 100644 ## ## # -@@ -4611,15 +5876,53 @@ interface(`files_read_all_tmp_files',` +@@ -4611,17 +5895,55 @@ interface(`files_read_all_tmp_files',` ######################################## ## @@ -13955,7 +15142,8 @@ index f962f76ad..de87579ff 100644 +## all leaked tmpfiles files. +## +## -+## + ## +-## The type of the object to be created. +## Domain to not audit. +## +## 
@@ -13979,10 +15167,12 @@ index f962f76ad..de87579ff 100644 +## +## +## - ## - ## The type of the object to be created. ++## ++## The type of the object to be created. ## -@@ -4664,6 +5967,16 @@ interface(`files_purge_tmp',` + ## + ## +@@ -4664,6 +5986,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -13999,7 +15189,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -4814,6 +6127,24 @@ interface(`files_delete_usr_files',` +@@ -4814,6 +6146,24 @@ interface(`files_delete_usr_files',` ######################################## ## @@ -14024,7 +15214,7 @@ index f962f76ad..de87579ff 100644 ## Get the attributes of files in /usr. ## ## -@@ -5112,6 +6443,24 @@ interface(`files_create_kernel_symbol_table',` +@@ -5112,6 +6462,24 @@ interface(`files_create_kernel_symbol_table',` ######################################## ## @@ -14049,7 +15239,7 @@ index f962f76ad..de87579ff 100644 ## Read system.map in the /boot directory. ## ## -@@ -5241,6 +6590,24 @@ interface(`files_list_var',` +@@ -5241,6 +6609,24 @@ interface(`files_list_var',` ######################################## ## @@ -14074,7 +15264,7 @@ index f962f76ad..de87579ff 100644 ## Create, read, write, and delete directories ## in the /var directory. ## -@@ -5328,7 +6695,7 @@ interface(`files_dontaudit_rw_var_files',` +@@ -5328,7 +6714,7 @@ interface(`files_dontaudit_rw_var_files',` type var_t; ') @@ -14083,7 +15273,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5419,6 +6786,24 @@ interface(`files_var_filetrans',` +@@ -5419,6 +6805,24 @@ interface(`files_var_filetrans',` filetrans_pattern($1, var_t, $2, $3, $4) ') 
@@ -14108,7 +15298,7 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Get the attributes of the /var/lib directory. -@@ -5527,6 +6912,25 @@ interface(`files_rw_var_lib_dirs',` +@@ -5527,6 +6931,25 @@ interface(`files_rw_var_lib_dirs',` ######################################## ## @@ -14134,7 +15324,7 @@ index f962f76ad..de87579ff 100644 ## Create objects in the /var/lib directory ## ## -@@ -5596,6 +7000,25 @@ interface(`files_read_var_lib_symlinks',` +@@ -5596,6 +7019,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -14160,7 +15350,7 @@ index f962f76ad..de87579ff 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5619,6 +7042,42 @@ interface(`files_manage_urandom_seed',` +@@ -5619,6 +7061,42 @@ interface(`files_manage_urandom_seed',` manage_files_pattern($1, var_lib_t, var_lib_t) ') @@ -14203,7 +15393,7 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Allow domain to manage mount tables -@@ -5641,7 +7100,7 @@ interface(`files_manage_mounttab',` +@@ -5641,7 +7119,7 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -14212,7 +15402,7 @@ index f962f76ad..de87579ff 100644 ## ## ## -@@ -5649,12 +7108,13 @@ interface(`files_manage_mounttab',` +@@ -5649,12 +7127,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -14228,7 +15418,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5672,6 +7132,7 @@ interface(`files_search_locks',` +@@ -5672,6 +7151,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') 
@@ -14236,7 +15426,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5698,7 +7159,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5698,7 +7178,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -14264,7 +15454,7 @@ index f962f76ad..de87579ff 100644 ## ## ## -@@ -5706,13 +7186,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,13 +7205,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14281,7 +15471,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5731,7 +7210,7 @@ interface(`files_rw_lock_dirs',` +@@ -5731,7 +7229,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -14290,7 +15480,7 @@ index f962f76ad..de87579ff 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5764,7 +7243,6 @@ interface(`files_create_lock_dirs',` +@@ -5764,7 +7262,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -14298,7 +15488,7 @@ index f962f76ad..de87579ff 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5779,7 +7257,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5779,7 +7276,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -14307,7 +15497,7 @@ index f962f76ad..de87579ff 100644 ## ## ## -@@ -5787,13 +7265,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,13 +7284,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -14342,7 +15532,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5809,13 +7307,12 @@ interface(`files_getattr_generic_locks',` +@@ -5809,13 +7326,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -14360,7 +15550,7 @@ index f962f76ad..de87579ff 100644 ') ######################################## -@@ -5834,9 +7331,7 @@ interface(`files_manage_generic_locks',` +@@ -5834,9 +7350,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -14371,7 +15561,7 @@ index f962f76ad..de87579ff 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5878,8 +7373,7 @@ interface(`files_read_all_locks',` +@@ -5878,8 +7392,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -14381,7 +15571,7 @@ index f962f76ad..de87579ff 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5901,8 +7395,7 @@ interface(`files_manage_all_locks',` +@@ -5901,8 +7414,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -14391,7 +15581,7 @@ index f962f76ad..de87579ff 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5939,8 +7432,7 @@ interface(`files_lock_filetrans',` +@@ -5939,8 +7451,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -14401,7 +15591,7 @@ index f962f76ad..de87579ff 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5979,7 +7471,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5979,7 +7490,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -14410,7 +15600,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_run_t:dir setattr; ') -@@ -5999,10 +7491,48 @@ interface(`files_search_pids',` +@@ -5999,10 +7510,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -14459,113 +15649,69 @@ index f962f76ad..de87579ff 100644 ######################################## ## ## Do not audit attempts to search -@@ -6025,47 +7555,45 @@ interface(`files_dontaudit_search_pids',` +@@ -6025,6 +7574,43 @@ interface(`files_dontaudit_search_pids',` ######################################## ## --## List the contents of the runtime process --## ID directories (/var/run). +## Do not audit attempts to search +## the all /var/run directory. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_list_pids',` ++## ++## ++# +interface(`files_dontaudit_search_all_pids',` - gen_require(` -- type var_t, var_run_t; -+ attribute pidfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -+ dontaudit $1 pidfile:dir search_dir_perms; - ') - - ######################################## - ## --## Read generic process ID files. -+## Allow search the all /var/run directory. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_read_generic_pids',` -+interface(`files_search_all_pids',` - gen_require(` -- type var_t, var_run_t; -+ attribute pidfile; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- read_files_pattern($1, var_run_t, var_run_t) -+ allow $1 pidfile:dir search_dir_perms; - ') - - ######################################## - ## --## Write named generic process ID pipes -+## List the contents of the runtime process -+## ID directories (/var/run). 
- ## - ## - ## -@@ -6073,12 +7601,51 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` -+interface(`files_list_pids',` + gen_require(` -+ type var_t, var_run_t; ++ attribute pidfile; + ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) ++ dontaudit $1 pidfile:dir search_dir_perms; +') + +######################################## +## -+## Read generic process ID files. ++## Allow search the all /var/run directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_read_generic_pids',` ++interface(`files_search_all_pids',` + gen_require(` -+ type var_t, var_run_t; ++ attribute pidfile; + ') + -+ files_search_pids($1) -+ list_dirs_pattern($1, var_t, var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) ++ allow $1 pidfile:dir search_dir_perms; +') + +######################################## +## -+## Write named generic process ID pipes -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_write_generic_pid_pipes',` - gen_require(` + ## List the contents of the runtime process + ## ID directories (/var/run). + ## +@@ -6039,7 +7625,7 @@ interface(`files_list_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + ') + +@@ -6058,7 +7644,7 @@ interface(`files_read_generic_pids',` + type var_t, var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_run_t) + read_files_pattern($1, var_run_t, var_run_t) + ') +@@ -6078,7 +7664,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -14574,7 +15720,7 @@ index f962f76ad..de87579ff 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6140,7 +7707,6 @@ interface(`files_pid_filetrans',` +@@ -6140,7 +7726,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; 
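Review bot: The parameter summary of the new `files_search_all_pids` says `Domain to not audit.`, copied from the dontaudit interface directly above it, while the interface itself grants `allow $1 pidfile:dir search_dir_perms;`; it should read `## Domain allowed access.`, and the summary line `## Allow search the all /var/run directory.` reads better as `## Search all process ID directories (pidfile attribute).` That wording matters because the grant covers every directory carrying the `pidfile` attribute, not just `var_run_t`, which is wider than `files_search_pids` and worth stating explicitly. Replacing `allow $1 var_run_t:lnk_file read_lnk_file_perms;` with `files_search_pids($1)` in `files_list_pids` and `files_read_generic_pids` is only equivalent if `files_search_pids` still grants the lnk_file read; its body is changed in `@@ -5999,10 +7510,48 @@`, whose lines are not visible in this chunk.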
@@ -14582,7 +15728,7 @@ index f962f76ad..de87579ff 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6169,6 +7735,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6169,6 +7754,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -14607,7 +15753,7 @@ index f962f76ad..de87579ff 100644 ## Read and write generic process ID files. ## ## -@@ -6182,7 +7766,7 @@ interface(`files_rw_generic_pids',` +@@ -6182,7 +7785,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') 
@@ -14616,307 +15762,221 @@ index f962f76ad..de87579ff 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6249,55 +7833,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6249,6 +7852,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read all process ID files. +## Relable all pid directories - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_read_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabel_all_pid_dirs',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + relabel_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Delete all process IDs. ++') ++ ++######################################## ++## +## Delete all pid sockets - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_delete_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:sock_file delete_sock_file_perms; - ') - - ######################################## - ## --## Delete all process ID directories. 
++') ++ ++######################################## ++## +## Create all pid sockets - ## - ## - ## -@@ -6305,42 +7877,35 @@ interface(`files_delete_all_pids',` - ## - ## - # --interface(`files_delete_all_pid_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_create_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++') ++ ++######################################## ++## +## Create all pid named pipes - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` ++## ++## ++# +interface(`files_create_all_pid_pipes',` - gen_require(` - attribute pidfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:fifo_file create_fifo_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Delete all pid named pipes - ## - ## - ## -@@ -6348,18 +7913,18 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_delete_all_pid_pipes',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + allow $1 pidfile:fifo_file delete_fifo_file_perms; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). ++') ++ ++######################################## ++## +## manage all pidfile directories +## in the /var/run directory. - ## - ## - ## -@@ -6367,37 +7932,40 @@ interface(`files_mounton_all_poly_members',` - ## - ## - # --interface(`files_search_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pid_dirs',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + manage_dirs_pattern($1,pidfile,pidfile) - ') - ++') + - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. -+## Read all process ID files. ++ ++######################################## ++## + ## Read all process ID files. ## ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_search_spool',` -+interface(`files_read_all_pids',` +@@ -6261,12 +7974,105 @@ interface(`files_dontaudit_ioctl_all_pids',` + interface(`files_read_all_pids',` gen_require(` -- type var_spool_t; -+ attribute pidfile; + attribute pidfile; +- type var_t, var_run_t; + type var_t; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. 
++') ++ ++######################################## ++## +## Relable all pid files - ## - ## - ## -@@ -6405,18 +7973,17 @@ interface(`files_dontaudit_search_spool',` - ## - ## - # --interface(`files_list_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabel_all_pid_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + relabel_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). ++') ++ ++######################################## ++## +## Execute generic programs in /var/run in the caller domain. - ## - ## - ## -@@ -6424,18 +7991,18 @@ interface(`files_list_spool',` - ## - ## - # --interface(`files_manage_generic_spool_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_exec_generic_pid_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Read generic spool files. ++') ++ ++######################################## ++## +## Write all sockets +## in the /var/run directory. - ## - ## - ## -@@ -6443,19 +8010,18 @@ interface(`files_manage_generic_spool_dirs',` - ## - ## - # --interface(`files_read_generic_spool',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_write_all_pid_sockets',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + allow $1 pidfile:sock_file write_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. - ## - ## - ## -@@ -6463,55 +8029,62 @@ interface(`files_read_generic_spool',` - ## - ## - # --interface(`files_manage_generic_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + manage_files_pattern($1,pidfile,pidfile) - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. ++') ++ ++######################################## ++## +## Mount filesystems on all polyinstantiation +## member directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`files_mounton_all_poly_members',` + gen_require(` 
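Review bot: The interface summaries `## Relable all pid directories` (files_relabel_all_pid_dirs) and `## Relable all pid files` (files_relabel_all_pid_files) misspell "Relabel"; these summaries feed the generated interface documentation, so they should read `## Relabel all pid directories` and `## Relabel all pid files`. In the same hunk `manage_dirs_pattern($1,pidfile,pidfile)` in files_manage_all_pid_dirs and `manage_files_pattern($1,pidfile,pidfile)` in files_manage_all_pids drop the spaces after commas that every other pattern call here uses (`relabel_dirs_pattern($1, pidfile, pidfile)` a few interfaces above). Note also that `files_manage_all_pids` grants only file management on `pidfile`, while the upstream body it replaces (visible as removed lines further down this patch) also managed dirs and lnk_files, so a caller that relied on that must now pair it with `files_manage_all_pid_dirs`; a sentence to that effect in its summary would save the next reader a grep. This hunk reorders an existing patch, so the line attributions above are read from the collapsed view only.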
@@ -14924,100 +15984,33 @@ index f962f76ad..de87579ff 100644 + ') + + allow $1 polymember:dir mounton; -+') -+ -+######################################## -+## -+## Delete all process IDs. -+## -+## - ## --## The name of the object being created. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_spool_filetrans',` -+interface(`files_delete_all_pids',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; -+ type var_t, var_run_t; + ') + + ######################################## +@@ -6286,8 +8092,8 @@ interface(`files_delete_all_pids',` + type var_t, var_run_t; ') + files_search_pids($1) allow $1 var_t:dir search_dir_perms; -- filetrans_pattern($1, var_spool_t, $2, $3, $4) -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) - ') - - ######################################## - ## --## Allow access to manage all polyinstantiated --## directories on the system. -+## Delete all process ID directories. 
- ## - ## - ## -@@ -6519,53 +8092,332 @@ interface(`files_spool_filetrans',` - ## - ## - # --interface(`files_polyinstantiate_all',` -+interface(`files_delete_all_pid_dirs',` - gen_require(` -- attribute polydir, polymember, polyparent; -- type poly_t; -+ attribute pidfile; -+ type var_t, var_run_t; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) +@@ -6311,36 +8117,80 @@ interface(`files_delete_all_pid_dirs',` + type var_t, var_run_t; ') -- # Need to give access to /selinux/member -- selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; -- -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; -- allow $1 polydir: dir { write add_name open }; -- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -- -- # Default type for mountpoints -- allow $1 poly_t:dir { create mounton }; -- fs_unmount_xattr_fs($1) -- -- fs_mount_tmpfs($1) -- fs_unmount_tmpfs($1) + files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) + ') -- ifdef(`distro_redhat',` -- # namespace.init -- 
files_search_tmp($1) -- files_search_home($1) -- corecmd_exec_bin($1) -- seutil_domtrans_setfiles($1) -+######################################## -+## + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Make the specified type a file +## used for spool files. +## @@ -15058,46 +16051,56 @@ index f962f76ad..de87579ff 100644 +interface(`files_spool_file',` + gen_require(` + attribute spoolfile; - ') ++ ') + + files_type($1) + typeattribute $1 spoolfile; - ') - - ######################################## - ## --## Unconfined access to files. ++') ++ ++######################################## ++## +## Create all spool sockets -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_create_all_spool_sockets',` -+ gen_require(` + gen_require(` +- attribute pidfile; + attribute spoolfile; -+ ') -+ + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 spoolfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Delete all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6348,12 +8198,33 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_spool_sockets',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute spoolfile; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
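Review bot: `files_delete_all_pids` and `files_delete_all_pid_dirs` now call `files_search_pids($1)` but keep the explicit `allow $1 var_t:dir search_dir_perms;` right after it; if `files_search_pids` already searches `var_t` on the way to `var_run_t`, as the `files_list_pids`/`files_read_generic_pids` rewrites earlier in this patch assume, that line is redundant and can go. Dropping `allow $1 var_run_t:lnk_file read_lnk_file_perms;` is only safe if `files_search_pids` supplies the lnk_file read itself, which matters on systems where /var/run is a symlink to /run; the body of `files_search_pids` is outside this hunk, so confirm before merging. `files_delete_all_pids` also still carries `allow $1 var_run_t:dir rmdir;` on the top-level runtime directory, which is broader than the per-pidfile delete patterns below it suggest and deserves a comment naming the caller that needs it.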
@@ -15120,222 +16123,10 @@ index f962f76ad..de87579ff 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search generic -+## spool directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+ -+ dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of generic spool -+## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool_dirs',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_manage_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create objects in the spool directory -+## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ filetrans_pattern($1, var_spool_t, $2, $3, $4) -+') -+ -+######################################## -+## -+## Allow access to manage all polyinstantiated -+## directories on the system. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_polyinstantiate_all',` -+ gen_require(` -+ attribute polydir, polymember, polyparent; -+ type poly_t; -+ ') -+ -+ # Need to give access to /selinux/member -+ selinux_compute_member($1) -+ -+ # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; -+ -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; -+ allow $1 polydir: dir { write add_name open }; -+ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; -+ -+ # Default type for mountpoints -+ allow $1 poly_t:dir { create mounton }; -+ fs_unmount_xattr_fs($1) -+ -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) -+ -+ ifdef(`distro_redhat',` -+ # namespace.init -+ files_search_tmp($1) -+ files_search_home($1) -+ corecmd_exec_bin($1) -+ seutil_domtrans_setfiles($1) -+ ') -+') -+ -+######################################## -+## -+## Unconfined access to files. - ## - ## - ## -@@ -6580,3 +8432,623 @@ interface(`files_unconfined',` + ') + + ######################################## +@@ -6580,3 +8451,623 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -24690,10 +25481,10 @@ index 234a940f9..a92415a9d 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 0fef1fca2..88ac7d6bb 100644 +index 0fef1fca2..6773aa784 100644 
--- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,11 +8,73 @@ policy_module(staff, 2.4.0) +@@ -8,11 +8,75 @@ policy_module(staff, 2.4.0) role staff_r; userdom_unpriv_user_template(staff) @@ -24726,6 +25517,7 @@ index 0fef1fca2..88ac7d6bb 100644 + +dev_read_cpuid(staff_t) +dev_read_kmsg(staff_t) ++dev_map_video_dev(staff_t) + +domain_read_all_domains_state(staff_t) +domain_getcap_all_domains(staff_t) @@ -24752,6 +25544,7 @@ index 0fef1fca2..88ac7d6bb 100644 +init_status(staff_t) + +miscfiles_read_hwdata(staff_t) ++miscfiles_map_generic_certs(staff_t) + +ifndef(`enable_mls',` + selinux_read_policy(staff_t) @@ -24767,7 +25560,7 @@ index 0fef1fca2..88ac7d6bb 100644 optional_policy(` apache_role(staff_r, staff_t) -@@ -23,11 +85,128 @@ optional_policy(` +@@ -23,11 +87,132 @@ optional_policy(` ') optional_policy(` @@ -24854,6 +25647,10 @@ index 0fef1fca2..88ac7d6bb 100644 +') + +optional_policy(` ++ mandb_map_cache_files(staff_t) ++') ++ ++optional_policy(` + mock_role(staff_r, staff_t) +') + @@ -24897,7 +25694,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') optional_policy(` -@@ -35,20 +214,74 @@ optional_policy(` +@@ -35,20 +220,74 @@ optional_policy(` ') optional_policy(` @@ -24974,7 +25771,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') optional_policy(` -@@ -56,7 +289,20 @@ optional_policy(` +@@ -56,7 +295,20 @@ optional_policy(` ') optional_policy(` @@ -24996,7 +25793,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') ifndef(`distro_redhat',` -@@ -65,10 +311,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +317,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25007,7 +25804,7 @@ index 0fef1fca2..88ac7d6bb 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +320,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +326,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) 
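Review bot: `dev_map_video_dev(staff_t)` is added without a comment on why an unprivileged staff session must mmap video device nodes, whereas the neighbouring `dev_read_cpuid`/`dev_read_kmsg` lines at least name a read-only resource. The `map` permission is the extra check the kernel applies on mmap on top of the read/write the domain already holds on those nodes, so it does not grant new data access but it does widen what a compromised staff process can do with the device; that reasoning belongs on the line, e.g. `# mmap of V4L2 buffers on /dev/video* for desktop webcam clients (map is checked on mmap in addition to read/write)`. Whether staff_t already holds read/write on video devices is not visible in this hunk; if it does not, the new line changes nothing on its own, so confirm. The same documentation point applies to `miscfiles_map_generic_certs(staff_t)` and `mandb_map_cache_files(staff_t)` in the adjacent hunks.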
@@ -25018,7 +25815,7 @@ index 0fef1fca2..88ac7d6bb 100644 ') optional_policy(` -@@ -101,10 +339,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +345,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25029,7 +25826,7 @@ index 0fef1fca2..88ac7d6bb 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +359,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +365,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25040,7 +25837,7 @@ index 0fef1fca2..88ac7d6bb 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +371,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +377,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25051,7 +25848,7 @@ index 0fef1fca2..88ac7d6bb 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +402,24 @@ ifndef(`distro_redhat',` +@@ -176,3 +408,24 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -25105,10 +25902,10 @@ index ff9243078..36740eab3 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 2522ca6c0..800f41930 100644 +index 2522ca6c0..7aeed7254 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te -@@ -5,39 +5,105 @@ policy_module(sysadm, 2.6.1) +@@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1) # Declarations # @@ -25179,6 +25976,8 @@ index 2522ca6c0..800f41930 100644 +init_undefined(sysadm_t) + +logging_filetrans_named_content(sysadm_t) ++logging_map_audit_config(sysadm_t) ++logging_map_audit_log(sysadm_t) + +miscfiles_filetrans_named_content(sysadm_t) +miscfiles_read_hwdata(sysadm_t) @@ -25224,7 +26023,7 @@ index 2522ca6c0..800f41930 100644 ifdef(`direct_sysadm_daemon',` optional_policy(` -@@ -55,13 +121,7 @@ ifdef(`distro_gentoo',` +@@ -55,13 +123,7 @@ ifdef(`distro_gentoo',` init_exec_rc(sysadm_t) ') 
@@ -25239,7 +26038,7 @@ index 2522ca6c0..800f41930 100644 domain_ptrace_all_domains(sysadm_t) ') -@@ -71,9 +131,9 @@ optional_policy(` +@@ -71,9 +133,9 @@ optional_policy(` optional_policy(` apache_run_helper(sysadm_t, sysadm_r) @@ -25250,7 +26049,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -87,6 +147,7 @@ optional_policy(` +@@ -87,6 +149,7 @@ optional_policy(` optional_policy(` asterisk_stream_connect(sysadm_t) @@ -25258,7 +26057,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -110,11 +171,17 @@ optional_policy(` +@@ -110,11 +173,17 @@ optional_policy(` ') optional_policy(` @@ -25276,7 +26075,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -122,11 +189,27 @@ optional_policy(` +@@ -122,11 +191,27 @@ optional_policy(` ') optional_policy(` @@ -25306,7 +26105,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -140,6 +223,10 @@ optional_policy(` +@@ -140,6 +225,10 @@ optional_policy(` ') optional_policy(` @@ -25317,7 +26116,7 @@ index 2522ca6c0..800f41930 100644 dmesg_exec(sysadm_t) ') -@@ -156,6 +243,10 @@ optional_policy(` +@@ -156,6 +245,10 @@ optional_policy(` ') optional_policy(` @@ -25328,7 +26127,7 @@ index 2522ca6c0..800f41930 100644 fstools_run(sysadm_t, sysadm_r) ') -@@ -164,6 +255,11 @@ optional_policy(` +@@ -164,6 +257,11 @@ optional_policy(` ') optional_policy(` @@ -25340,7 +26139,7 @@ index 2522ca6c0..800f41930 100644 hadoop_role(sysadm_r, sysadm_t) ') -@@ -172,13 +268,31 @@ optional_policy(` +@@ -172,13 +270,31 @@ optional_policy(` # at things (e.g., ipsec auto --status) # probably should create an ipsec_admin role for this kind of thing ipsec_exec_mgmt(sysadm_t) @@ -25372,7 +26171,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -190,11 +304,12 @@ optional_policy(` +@@ -190,11 +306,12 @@ optional_policy(` ') optional_policy(` 
@@ -25387,7 +26186,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -210,22 +325,21 @@ optional_policy(` +@@ -210,22 +327,21 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -25417,7 +26216,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -237,14 +351,32 @@ optional_policy(` +@@ -237,14 +353,32 @@ optional_policy(` ') optional_policy(` @@ -25450,7 +26249,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -252,10 +384,20 @@ optional_policy(` +@@ -252,10 +386,20 @@ optional_policy(` ') optional_policy(` @@ -25471,7 +26270,7 @@ index 2522ca6c0..800f41930 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -266,35 +408,46 @@ optional_policy(` +@@ -266,35 +410,46 @@ optional_policy(` ') optional_policy(` @@ -25525,7 +26324,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -308,6 +461,7 @@ optional_policy(` +@@ -308,6 +463,7 @@ optional_policy(` optional_policy(` screen_role_template(sysadm, sysadm_r, sysadm_t) @@ -25533,7 +26332,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -315,12 +469,20 @@ optional_policy(` +@@ -315,12 +471,20 @@ optional_policy(` ') optional_policy(` @@ -25555,7 +26354,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -345,30 +507,38 @@ optional_policy(` +@@ -345,30 +509,38 @@ optional_policy(` ') optional_policy(` @@ -25603,7 +26402,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -380,10 +550,6 @@ optional_policy(` +@@ -380,10 +552,6 @@ optional_policy(` ') optional_policy(` 
@@ -25614,7 +26413,7 @@ index 2522ca6c0..800f41930 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -391,6 +557,9 @@ optional_policy(` +@@ -391,6 +559,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -25624,7 +26423,7 @@ index 2522ca6c0..800f41930 100644 ') optional_policy(` -@@ -398,31 +567,34 @@ optional_policy(` +@@ -398,31 +569,34 @@ optional_policy(` ') optional_policy(` @@ -25665,7 +26464,7 @@ index 2522ca6c0..800f41930 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -435,10 +607,6 @@ ifndef(`distro_redhat',` +@@ -435,10 +609,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -25676,7 +26475,7 @@ index 2522ca6c0..800f41930 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -459,15 +627,79 @@ ifndef(`distro_redhat',` +@@ -459,15 +629,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -31153,7 +31952,7 @@ index 6bf0ecc2d..29db5fd25 100644 +') + diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 8b403774f..a03fa4661 100644 +index 8b403774f..af9ee8070 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,66 @@ gen_require(` @@ -32216,7 +33015,7 @@ index 8b403774f..a03fa4661 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -627,6 +1129,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -627,36 +1129,53 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -32227,7 +33026,12 @@ index 8b403774f..a03fa4661 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -638,25 +1144,37 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) + manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) + manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) + fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) ++allow xserver_t xserver_tmpfs_t:file map; + + manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -32269,11 +33073,12 @@ index 8b403774f..a03fa4661 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -677,23 +1195,28 @@ dev_rw_apm_bios(xserver_t) +@@ -677,23 +1196,29 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) -dev_filetrans_dri(xserver_t) ++dev_map_dri(xserver_t) dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer @@ -32301,7 +33106,7 @@ index 8b403774f..a03fa4661 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -705,6 +1228,14 @@ fs_search_nfs(xserver_t) +@@ -705,6 +1230,14 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -32316,7 +33121,7 @@ index 8b403774f..a03fa4661 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -718,20 +1249,18 @@ init_getpgid(xserver_t) +@@ -718,28 +1251,25 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -32340,16 +33145,16 @@ index 8b403774f..a03fa4661 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -739,8 +1268,6 @@ userdom_setattr_user_ttys(xserver_t) + userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) - --xserver_use_user_fonts(xserver_t) - +-xserver_use_user_fonts(xserver_t) ++userdom_map_tmp_files(xserver_t) + ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; - domain_mmap_low_uncond(xserver_t) -@@ -785,17 +1312,54 @@ optional_policy(` +@@ -785,17 +1315,54 @@ optional_policy(` ') optional_policy(` @@ -32406,7 +33211,7 @@ index 8b403774f..a03fa4661 100644 ') optional_policy(` -@@ -803,6 +1367,10 @@ optional_policy(` +@@ -803,6 +1370,10 @@ optional_policy(` ') optional_policy(` @@ -32417,7 +33222,7 @@ index 8b403774f..a03fa4661 100644 xfs_stream_connect(xserver_t) ') -@@ -818,18 +1386,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -818,18 +1389,17 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -32442,7 +33247,7 @@ index 8b403774f..a03fa4661 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -842,26 +1409,21 @@ init_use_fds(xserver_t) +@@ -842,26 +1412,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
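Review bot: `userdom_map_tmp_files(xserver_t)` has no why-comment; the neighbouring `userdom_read_user_tmp_files`/`userdom_rw_user_tmpfs_files` pair makes the read intent clear, but nothing says which client object the X server must mmap out of user tmp files (presumably shared-memory pixmaps or fd-passed buffers backed by tmp files — confirm). Because `map` is checked on mmap on top of `read`, this line only has effect together with the existing read grant, and that coupling is worth stating, e.g. `# mmap (not just read) of client-provided tmp-backed buffers; pairs with userdom_read_user_tmp_files above`. The interface name also drops the `user` that the adjacent userdom calls carry; if userdom.if provides a `userdom_map_user_tmp_files`, that spelling would keep this block consistent. The xserver_t rule block continues outside this hunk.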
@@ -32477,7 +33282,7 @@ index 8b403774f..a03fa4661 100644 ') optional_policy(` -@@ -912,7 +1474,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -912,7 +1477,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -32486,7 +33291,7 @@ index 8b403774f..a03fa4661 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -966,11 +1528,31 @@ allow x_domain self:x_resource { read write }; +@@ -966,11 +1531,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -32518,7 +33323,7 @@ index 8b403774f..a03fa4661 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -992,18 +1574,148 @@ tunable_policy(`! xserver_object_manager',` +@@ -992,18 +1577,148 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -40543,7 +41348,7 @@ index b50c5fe81..9eacd9ba1 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e9488463..e7d5f42a5 100644 +index 4e9488463..2db173f77 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -81,6 +81,24 @@ interface(`logging_dontaudit_send_audit_msgs',` 
@@ -40571,7 +41376,32 @@ index 4e9488463..e7d5f42a5 100644 ## Set login uid ## ## -@@ -233,7 +251,7 @@ interface(`logging_run_auditd',` +@@ -146,6 +164,24 @@ interface(`logging_read_audit_log',` + + ######################################## + ## ++## Map the audit log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_map_audit_log',` ++ gen_require(` ++ type auditd_log_t; ++ ') ++ ++ allow $1 auditd_log_t:file map; ++') ++######################################## ++## + ## Execute auditctl in the auditctl domain. + ## + ## +@@ -233,7 +269,7 @@ interface(`logging_run_auditd',` ######################################## ## @@ -40580,7 +41410,7 @@ index 4e9488463..e7d5f42a5 100644 ## ## ## -@@ -318,7 +336,7 @@ interface(`logging_dispatcher_domain',` +@@ -318,7 +354,7 @@ interface(`logging_dispatcher_domain',` ######################################## ## @@ -40589,7 +41419,7 @@ index 4e9488463..e7d5f42a5 100644 ## ## ## -@@ -496,6 +514,68 @@ interface(`logging_log_filetrans',` +@@ -496,6 +532,68 @@ interface(`logging_log_filetrans',` filetrans_pattern($1, var_log_t, $2, $3, $4) ') @@ -40658,7 +41488,7 @@ index 4e9488463..e7d5f42a5 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +610,107 @@ interface(`logging_log_filetrans',` +@@ -530,22 +628,107 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` 
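Review bot: The new `logging_map_audit_log` interface ends with `')` directly followed by the `####` separator line, whereas `logging_read_audit_log` just above it (and the rest of this file) leaves one blank line between an interface's closing `')` and the next separator; add the blank line. The rule grants only `auditd_log_t:file map`, which is the right minimal permission, but a mapping of the audit log is only usable together with `read`, so the summary should say so: `## Map the audit log (callers also need logging_read_audit_log).`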
@@ -40778,10 +41608,29 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -571,6 +736,25 @@ interface(`logging_read_audit_config',` +@@ -571,6 +754,44 @@ interface(`logging_read_audit_config',` ######################################## ## ++## Map the auditd configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_map_audit_config',` ++ gen_require(` ++ type auditd_etc_t; ++ ') ++ ++ allow $1 auditd_etc_t:file map; ++') ++ ++######################################## ++## +## dontaudit search of auditd log files. +## +## @@ -40804,7 +41653,7 @@ index 4e9488463..e7d5f42a5 100644 ## dontaudit search of auditd configuration files. ## ## -@@ -609,6 +793,25 @@ interface(`logging_read_syslog_config',` +@@ -609,6 +830,25 @@ interface(`logging_read_syslog_config',` ######################################## ## @@ -40830,7 +41679,7 @@ index 4e9488463..e7d5f42a5 100644 ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -@@ -722,6 +925,25 @@ interface(`logging_setattr_all_log_dirs',` +@@ -722,6 +962,25 @@ interface(`logging_setattr_all_log_dirs',` allow $1 logfile:dir setattr; ') @@ -40856,7 +41705,7 @@ index 4e9488463..e7d5f42a5 100644 ######################################## ## ## Do not audit attempts to get the attributes -@@ -776,7 +998,25 @@ interface(`logging_append_all_logs',` +@@ -776,7 +1035,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -40883,7 +41732,7 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -859,7 +1099,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1136,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) 
@@ -40892,7 +41741,7 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -880,11 +1120,69 @@ interface(`logging_read_generic_logs',` +@@ -880,11 +1157,69 @@ interface(`logging_read_generic_logs',` files_search_var($1) allow $1 var_log_t:dir list_dir_perms; @@ -40962,7 +41811,7 @@ index 4e9488463..e7d5f42a5 100644 ## Write generic log files. ## ## -@@ -905,6 +1203,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1240,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -40987,7 +41836,7 @@ index 4e9488463..e7d5f42a5 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1300,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1337,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -41005,7 +41854,7 @@ index 4e9488463..e7d5f42a5 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1325,55 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1362,55 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -41061,7 +41910,7 @@ index 4e9488463..e7d5f42a5 100644 ') ######################################## -@@ -1032,10 +1402,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1439,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -41079,7 +41928,7 @@ index 4e9488463..e7d5f42a5 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1432,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1469,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -41088,7 +41937,7 @@ index 4e9488463..e7d5f42a5 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1462,110 @@ interface(`logging_admin',` +@@ -1085,3 +1499,110 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -41200,7 +42049,7 @@ index 4e9488463..e7d5f42a5 100644 +') + diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 59b04c1a2..370f8a825 100644 +index 59b04c1a2..ba742cd03 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,29 @@ policy_module(logging, 1.20.1) @@ -41283,7 +42132,7 @@ index 59b04c1a2..370f8a825 100644 ifdef(`enable_mls',` init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) -@@ -94,6 +129,8 @@ ifdef(`enable_mls',` +@@ -94,8 +129,11 @@ ifdef(`enable_mls',` allow auditctl_t self:capability { fsetid dac_read_search dac_override }; allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; @@ -41291,8 +42140,11 @@ index 59b04c1a2..370f8a825 100644 + read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; ++allow auditctl_t auditd_etc_t:file map; -@@ -111,7 +148,9 @@ domain_use_interactive_fds(auditctl_t) + # Needed for adding watches + files_getattr_all_dirs(auditctl_t) +@@ -111,7 +149,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) @@ -41303,7 +42155,7 @@ index 59b04c1a2..370f8a825 100644 init_dontaudit_use_fds(auditctl_t) -@@ -134,11 +173,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; +@@ -134,11 +174,12 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; allow auditd_t self:tcp_socket create_stream_socket_perms; allow auditd_t auditd_etc_t:dir list_dir_perms; 
@@ -41318,7 +42170,7 @@ index 59b04c1a2..370f8a825 100644 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) -@@ -148,6 +188,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +189,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -41326,7 +42178,7 @@ index 59b04c1a2..370f8a825 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +196,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +197,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -41336,7 +42188,7 @@ index 59b04c1a2..370f8a825 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +221,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +222,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -41358,7 +42210,7 @@ index 59b04c1a2..370f8a825 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -219,7 +258,7 @@ optional_policy(` +@@ -219,7 +259,7 @@ optional_policy(` # audit dispatcher local policy # @@ -41367,7 +42219,7 @@ index 59b04c1a2..370f8a825 100644 allow audisp_t self:process { getcap signal_perms setcap setsched }; allow audisp_t self:fifo_file rw_fifo_file_perms; allow audisp_t self:unix_stream_socket create_stream_socket_perms; -@@ -237,19 +276,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +277,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
@@ -41399,7 +42251,7 @@ index 59b04c1a2..370f8a825 100644 ') ######################################## -@@ -266,9 +315,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) +@@ -266,9 +316,10 @@ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) @@ -41411,7 +42263,7 @@ index 59b04c1a2..370f8a825 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,13 +330,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,13 +331,26 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -41439,7 +42291,7 @@ index 59b04c1a2..370f8a825 100644 ######################################## # # klogd local policy -@@ -326,7 +389,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +390,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -41447,7 +42299,7 @@ index 59b04c1a2..370f8a825 100644 mls_file_read_all_levels(klogd_t) -@@ -355,13 +417,13 @@ optional_policy(` +@@ -355,13 +418,13 @@ optional_policy(` # sys_admin for the integrated klog of syslog-ng and metalog # sys_nice for rsyslog # cjp: why net_admin! @@ -41465,7 +42317,7 @@ index 59b04c1a2..370f8a825 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,15 +431,20 @@ allow syslogd_t self:unix_dgram_socket sendto; +@@ -369,15 +432,20 @@ allow syslogd_t self:unix_dgram_socket sendto; allow syslogd_t self:fifo_file rw_fifo_file_perms; allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; 
@@ -41487,7 +42339,7 @@ index 59b04c1a2..370f8a825 100644 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) files_search_spool(syslogd_t) -@@ -389,30 +456,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -389,30 +457,48 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -41539,7 +42391,7 @@ index 59b04c1a2..370f8a825 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -422,6 +507,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -422,6 +508,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) @@ -41548,7 +42400,7 @@ index 59b04c1a2..370f8a825 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -432,9 +519,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -432,9 +520,32 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -41582,7 +42434,7 @@ index 59b04c1a2..370f8a825 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -448,13 +558,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) +@@ -448,13 +559,17 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) fs_search_auto_mountpoints(syslogd_t) 
@@ -41600,7 +42452,7 @@ index 59b04c1a2..370f8a825 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -466,11 +580,12 @@ init_use_fds(syslogd_t) +@@ -466,11 +581,12 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -41616,7 +42468,7 @@ index 59b04c1a2..370f8a825 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -497,6 +612,7 @@ optional_policy(` +@@ -497,6 +613,7 @@ optional_policy(` optional_policy(` cron_manage_log_files(syslogd_t) cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") @@ -41624,7 +42476,7 @@ index 59b04c1a2..370f8a825 100644 ') optional_policy(` -@@ -507,15 +623,44 @@ optional_policy(` +@@ -507,15 +624,44 @@ optional_policy(` ') optional_policy(` @@ -41669,7 +42521,7 @@ index 59b04c1a2..370f8a825 100644 ') optional_policy(` -@@ -526,3 +671,29 @@ optional_policy(` +@@ -526,3 +672,29 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -42154,7 +43006,7 @@ index 58bc27f22..90f567300 100644 + + diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 79048c410..b0cb1e565 100644 +index 79048c410..924fa2e75 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -42280,7 +43132,7 @@ index 79048c410..b0cb1e565 100644 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t) -@@ -202,8 +222,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) +@@ -202,10 +222,13 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file }) manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t) 
@@ -42291,8 +43143,11 @@ index 79048c410..b0cb1e565 100644 +init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) ++allow lvm_t lvm_etc_t:file map; read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) -@@ -220,6 +242,7 @@ kernel_read_kernel_sysctls(lvm_t) + # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d + manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t) +@@ -220,6 +243,7 @@ kernel_read_kernel_sysctls(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) @@ -42300,7 +43155,7 @@ index 79048c410..b0cb1e565 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -230,11 +253,13 @@ dev_delete_generic_dirs(lvm_t) +@@ -230,11 +254,13 @@ dev_delete_generic_dirs(lvm_t) dev_read_rand(lvm_t) dev_read_urand(lvm_t) dev_rw_lvm_control(lvm_t) @@ -42315,7 +43170,7 @@ index 79048c410..b0cb1e565 100644 # cjp: this has no effect since LVM does not # have lnk_file relabelto for anything else. # perhaps this should be blk_files? -@@ -246,6 +271,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -246,6 +272,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -42323,7 +43178,7 @@ index 79048c410..b0cb1e565 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -255,17 +281,21 @@ files_read_etc_files(lvm_t) +@@ -255,17 +282,21 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -42346,7 +43201,7 @@ index 79048c410..b0cb1e565 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -285,7 +315,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) +@@ -285,7 +316,7 @@ storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? storage_manage_fixed_disk(lvm_t) 
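Review bot: `allow lvm_t lvm_etc_t:file map;` is inserted between `read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)` and `read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)`, splitting the two pattern calls for the same type and leaving a raw rule with no stated reason. Move it after the `read_lnk_files_pattern` line and give it a why-comment, e.g. `# lvm appears to mmap() its config under /etc/lvm; map is required in addition to read -- confirm against the AVC that motivated this`. Since `map` on an admin-controlled config type does not widen access beyond what `read` already gives for read-only mappings, the grant itself looks fine. The lvm_t block continues outside this hunk.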
@@ -42355,7 +43210,7 @@ index 79048c410..b0cb1e565 100644 init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) -@@ -293,15 +323,23 @@ init_use_script_ptys(lvm_t) +@@ -293,15 +324,23 @@ init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) logging_send_syslog_msg(lvm_t) @@ -42380,7 +43235,7 @@ index 79048c410..b0cb1e565 100644 ifdef(`distro_redhat',` # this is from the initrd: -@@ -313,6 +351,11 @@ ifdef(`distro_redhat',` +@@ -313,6 +352,11 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -42392,7 +43247,7 @@ index 79048c410..b0cb1e565 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -321,6 +364,10 @@ optional_policy(` +@@ -321,6 +365,10 @@ optional_policy(` ') optional_policy(` @@ -42403,7 +43258,7 @@ index 79048c410..b0cb1e565 100644 gpm_dontaudit_getattr_gpmctl(lvm_t) ') -@@ -333,14 +380,30 @@ optional_policy(` +@@ -333,14 +381,30 @@ optional_policy(` ') optional_policy(` @@ -43062,7 +43917,7 @@ index 7449974f6..b79290062 100644 + #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") +') diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 7a363b8b2..aa59857ad 100644 +index 7a363b8b2..3a6ded940 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0) @@ -43177,7 +44032,7 @@ index 7a363b8b2..aa59857ad 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -115,20 +124,28 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) +@@ -115,20 +124,29 @@ read_files_pattern(insmod_t, modules_conf_t, modules_conf_t) list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t) read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) 
@@ -43193,6 +44048,7 @@ index 7a363b8b2..aa59857ad 100644 kernel_load_module(insmod_t) -kernel_request_load_module(insmod_t) +files_manage_kernel_modules(insmod_t) ++files_map_kernel_modules(insmod_t) kernel_read_system_state(insmod_t) kernel_read_network_state(insmod_t) kernel_write_proc_files(insmod_t) @@ -43208,7 +44064,7 @@ index 7a363b8b2..aa59857ad 100644 kernel_setsched(insmod_t) corecmd_exec_bin(insmod_t) -@@ -142,40 +159,55 @@ dev_rw_agp(insmod_t) +@@ -142,40 +160,55 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -43268,7 +44124,7 @@ index 7a363b8b2..aa59857ad 100644 kernel_domtrans_to(insmod_t, insmod_exec_t) -@@ -184,28 +216,33 @@ optional_policy(` +@@ -184,28 +217,33 @@ optional_policy(` ') optional_policy(` @@ -43309,7 +44165,7 @@ index 7a363b8b2..aa59857ad 100644 ') optional_policy(` -@@ -225,6 +262,7 @@ optional_policy(` +@@ -225,6 +263,7 @@ optional_policy(` optional_policy(` rpm_rw_pipes(insmod_t) @@ -43317,7 +44173,7 @@ index 7a363b8b2..aa59857ad 100644 ') optional_policy(` -@@ -233,6 +271,10 @@ optional_policy(` +@@ -233,6 +272,10 @@ optional_policy(` ') optional_policy(` @@ -43328,7 +44184,7 @@ index 7a363b8b2..aa59857ad 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -291,11 +333,10 @@ init_use_script_ptys(update_modules_t) +@@ -291,11 +334,10 @@ init_use_script_ptys(update_modules_t) logging_send_syslog_msg(update_modules_t) @@ -45143,7 +45999,7 @@ index 38220721d..abac74231 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index dc4642022..27d8d49ba 100644 +index dc4642022..0e7086c60 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` 
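Review bot: `files_map_kernel_modules(insmod_t)` is called here, but none of the visible hunks defines a `files_map_kernel_modules` interface in kernel/files.if; if it is not added elsewhere in this patch the policy build fails on the undefined macro, so please confirm it exists. Together with the `files_manage_kernel_modules(insmod_t)` already in the inner patch, insmod_t can now both write and mmap module files, which presumably matches kmod's mmap-based loading; a short comment would make that explicit: `# kmod mmap()s .ko files before loading them`. The insmod_t block continues outside this hunk.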
@@ -45556,7 +46412,7 @@ index dc4642022..27d8d49ba 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -440,81 +512,85 @@ optional_policy(` +@@ -440,81 +512,86 @@ optional_policy(` # semodule local policy # @@ -45640,6 +46496,7 @@ index dc4642022..27d8d49ba 100644 userdom_read_user_home_content_files(semanage_t) userdom_read_user_tmp_files(semanage_t) +userdom_home_reader(semanage_t) ++userdom_map_tmp_files(semanage_t) ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) @@ -45698,7 +46555,7 @@ index dc4642022..27d8d49ba 100644 ') ######################################## -@@ -522,111 +598,204 @@ ifdef(`distro_ubuntu',` +@@ -522,111 +599,204 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -51529,7 +52386,7 @@ index db7597682..c54480a1d 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6c0..597fe227f 100644 +index 9dc60c6c0..6a26bba87 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -51844,7 +52701,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -273,6 +316,82 @@ interface(`userdom_manage_home_role',` +@@ -273,6 +316,101 @@ interface(`userdom_manage_home_role',` ## ## Manage user temporary files ## @@ -51865,6 +52722,25 @@ index 9dc60c6c0..597fe227f 100644 + +####################################### +## ++## Mmap user temporary files ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_map_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ allow $1 user_tmp_t:file map; ++') ++ ++####################################### ++## +## Manage user temporary sockets +## +## 
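Review bot: `userdom_map_tmp_files(semanage_t)` gives the policy-loading domain mmap() access to files the user can modify; because `userdom_read_user_tmp_files(semanage_t)` is already present a few lines above, this restores the implicit mmap that `read` covered before the separate `map` permission existed rather than widening access, but a comment should say what needs it, presumably `semodule -i` of a module placed in the user's tmp: `# map (with the read above) for mmap()ing user-supplied policy modules under /tmp -- execute is still denied`. A mapped user-writable file can change after semanage has parsed it, so the userspace read path should not assume the mapping stays stable; flagging this rather than proposing a policy change. The semanage_t block continues outside this hunk.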
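Review bot: The new `userdom_map_tmp_files` interface grants `user_tmp_t:file map` only, which is correct (a bare `map` does not imply read, write or execute; mmap() checks those separately), but the summary `Mmap user temporary files` does not tell a caller that the interface is useless on its own; change it to `## Mmap user temporary files. Grants only map; pair with userdom_read_user_tmp_files() for readable mappings. Does not grant execute.` The `##` description lines in this hunk appear without the summary/param XML tags the surrounding interfaces carry; if that is not an artifact of how the patch was captured, restore the tags so the interface documentation generator picks it up.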
@@ -51927,7 +52803,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## Role allowed access. -@@ -287,17 +406,65 @@ interface(`userdom_manage_home_role',` +@@ -287,17 +425,65 @@ interface(`userdom_manage_home_role',` # interface(`userdom_manage_tmp_role',` gen_require(` @@ -51998,7 +52874,7 @@ index 9dc60c6c0..597fe227f 100644 ') ####################################### -@@ -317,11 +484,31 @@ interface(`userdom_exec_user_tmp_files',` +@@ -317,11 +503,31 @@ interface(`userdom_exec_user_tmp_files',` ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -52030,7 +52906,7 @@ index 9dc60c6c0..597fe227f 100644 ## Role access for the user tmpfs type ## that the user has full access. ## -@@ -347,60 +534,45 @@ interface(`userdom_exec_user_tmp_files',` +@@ -347,60 +553,45 @@ interface(`userdom_exec_user_tmp_files',` ## # interface(`userdom_manage_tmpfs_role',` @@ -52111,7 +52987,7 @@ index 9dc60c6c0..597fe227f 100644 ') ####################################### -@@ -431,6 +603,7 @@ template(`userdom_xwindows_client_template',` +@@ -431,6 +622,7 @@ template(`userdom_xwindows_client_template',` dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -52119,7 +52995,7 @@ index 9dc60c6c0..597fe227f 100644 xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -463,8 +636,8 @@ template(`userdom_change_password_template',` +@@ -463,8 +655,8 @@ template(`userdom_change_password_template',` ') optional_policy(` @@ -52130,7 +53006,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -491,51 +664,69 @@ template(`userdom_common_user_template',` +@@ -491,51 +683,69 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') 
@@ -52224,7 +53100,7 @@ index 9dc60c6c0..597fe227f 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +737,137 @@ template(`userdom_common_user_template',` +@@ -546,93 +756,137 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -52400,7 +53276,7 @@ index 9dc60c6c0..597fe227f 100644 ') optional_policy(` -@@ -642,23 +877,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +896,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -52429,7 +53305,7 @@ index 9dc60c6c0..597fe227f 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +904,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +923,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -52438,7 +53314,7 @@ index 9dc60c6c0..597fe227f 100644 ') optional_policy(` -@@ -680,9 +913,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +932,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -52451,7 +53327,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -693,32 +926,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +945,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -52498,7 +53374,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -743,17 +979,32 @@ template(`userdom_common_user_template',` +@@ -743,17 +998,32 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -52535,7 +53411,7 @@ index 9dc60c6c0..597fe227f 100644 userdom_change_password_template($1) -@@ -761,82 +1012,113 @@ template(`userdom_login_user_template', ` +@@ -761,86 +1031,117 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
@@ -52627,65 +53503,71 @@ index 9dc60c6c0..597fe227f 100644 - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ + +- seutil_read_config($1_t) + seutil_read_config($1_usertype) + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) -+ -+ optional_policy(` + + optional_policy(` +- cups_read_config($1_t) +- cups_stream_connect($1_t) +- cups_stream_connect_ptal($1_t) + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- kerberos_use($1_t) + kerberos_use($1_usertype) + init_write_key($1_usertype) -+ ') + ') -- seutil_read_config($1_t) -+ optional_policy(` + optional_policy(` +- mta_dontaudit_read_spool_symlinks($1_t) + mysql_filetrans_named_content($1_usertype) -+ ') + ') optional_policy(` -- cups_read_config($1_t) -- cups_stream_connect($1_t) -- cups_stream_connect_ptal($1_t) +- quota_dontaudit_getattr_db($1_t) + mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` -- kerberos_use($1_t) +- rpm_read_db($1_t) +- rpm_dontaudit_manage_db($1_t) + quota_dontaudit_getattr_db($1_usertype) ') +-') - optional_policy(` -- mta_dontaudit_read_spool_symlinks($1_t) +-####################################### ++ optional_policy(` + rpm_read_db($1_usertype) + rpm_dontaudit_manage_db($1_usertype) + rpm_read_cache($1_usertype) - ') - - optional_policy(` -- quota_dontaudit_getattr_db($1_t) ++ ') ++ ++ optional_policy(` + oddjob_run_mkhomedir($1_t, $1_r) + oddjob_run($1_t, $1_r) - ') - ++ ') ++ + optional_policy(` + ipa_run_helper($1_t, $1_r) + ') + - optional_policy(` -- rpm_read_db($1_t) -- rpm_dontaudit_manage_db($1_t) ++ optional_policy(` + wine_filetrans_named_content($1_usertype) - ') - ') - -@@ -868,6 +1150,12 @@ template(`userdom_restricted_user_template',` ++ ') ++') ++ ++####################################### + ## + ## The 
template for creating a unprivileged login user. + ## +@@ -868,6 +1169,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -52698,7 +53580,7 @@ index 9dc60c6c0..597fe227f 100644 ############################## # # Local policy -@@ -907,53 +1195,143 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1214,143 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -52720,9 +53602,7 @@ index 9dc60c6c0..597fe227f 100644 + dev_dontaudit_read_rand($1_usertype) + # temporarily allow since openoffice requires this + dev_read_rand($1_usertype) - -- logging_send_syslog_msg($1_t) -- logging_dontaudit_send_audit_msgs($1_t) ++ + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + dev_rw_wireless($1_usertype) @@ -52743,9 +53623,9 @@ index 9dc60c6c0..597fe227f 100644 + storage_raw_read_removable_device($1_usertype) + storage_raw_write_removable_device($1_usertype) + ') -+ -+ logging_send_syslog_msg($1_t) -+ logging_dontaudit_send_audit_msgs($1_t) + + logging_send_syslog_msg($1_t) + logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain - logging_send_audit_msgs($1_t) @@ -52856,7 +53736,7 @@ index 9dc60c6c0..597fe227f 100644 ') ####################################### -@@ -987,27 +1365,36 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1384,36 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -52897,7 +53777,7 @@ index 9dc60c6c0..597fe227f 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1405,64 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1424,64 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -52935,11 +53815,9 @@ index 9dc60c6c0..597fe227f 100644 + + optional_policy(` + cron_role($1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + games_manage_data_files($1_usertype) + ') + @@ -52964,15 +53842,17 @@ index 9dc60c6c0..597fe227f 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1471,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1490,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -52983,7 +53863,7 @@ index 9dc60c6c0..597fe227f 100644 ') ') -@@ -1079,7 +1509,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1528,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -52994,7 +53874,7 @@ index 9dc60c6c0..597fe227f 100644 ') ############################## -@@ -1095,6 +1527,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1546,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -53002,7 +53882,7 @@ index 9dc60c6c0..597fe227f 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1557,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -53019,7 +53899,7 @@ index 9dc60c6c0..597fe227f 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1555,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1574,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -53028,7 +53908,7 @@ index 9dc60c6c0..597fe227f 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1574,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1593,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -53044,7 +53924,7 @@ index 9dc60c6c0..597fe227f 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1593,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1612,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -53089,7 +53969,7 @@ index 9dc60c6c0..597fe227f 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1636,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1655,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -53098,7 +53978,7 @@ index 9dc60c6c0..597fe227f 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1645,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1664,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -53121,7 +54001,7 @@ index 9dc60c6c0..597fe227f 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1695,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1714,7 @@ template(`userdom_admin_user_template',` ## ## # 
@@ -53130,7 +54010,7 @@ index 9dc60c6c0..597fe227f 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1705,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -53139,7 +54019,7 @@ index 9dc60c6c0..597fe227f 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1719,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1738,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -53151,7 +54031,7 @@ index 9dc60c6c0..597fe227f 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1733,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1752,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -53194,7 +54074,7 @@ index 9dc60c6c0..597fe227f 100644 ') optional_policy(` -@@ -1357,14 +1818,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1837,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -53213,7 +54093,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1397,12 +1861,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1880,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -53267,7 +54147,7 @@ index 9dc60c6c0..597fe227f 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +2013,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2032,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -53299,7 +54179,7 @@ index 9dc60c6c0..597fe227f 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2079,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2098,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -53314,7 +54194,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1570,9 +2102,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2121,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -53326,7 +54206,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1613,6 +2147,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2166,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -53351,7 +54231,7 @@ index 9dc60c6c0..597fe227f 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2183,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2202,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -53411,7 +54291,7 @@ index 9dc60c6c0..597fe227f 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2309,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2328,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -53426,7 +54306,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1741,10 +2348,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2367,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` 
@@ -53441,7 +54321,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1769,7 +2378,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2397,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -53450,7 +54330,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1777,19 +2386,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2405,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -53474,7 +54354,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1797,55 +2404,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,47 +2423,157 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # @@ -53532,30 +54412,21 @@ index 9dc60c6c0..597fe227f 100644 gen_require(` - type user_home_t; + type user_tmp_t; - ') - -- dontaudit $1 user_home_t:file setattr_file_perms; ++ ') ++ + allow $1 user_tmp_t:file setattr; - ') - - ######################################## - ## --## Mmap user home files. ++') ++ ++######################################## ++## +## Create a user tmp sockets. - ## - ## - ## -@@ -1853,18 +2460,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` - ## - ## - # --interface(`userdom_mmap_user_home_content_files',` -- gen_require(` -- type user_home_dir_t, user_home_t; -- ') -- -- mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_create_user_tmp_sockets',` + gen_require(` + type user_tmp_t; 
@@ -53564,29 +54435,23 @@ index 9dc60c6c0..597fe227f 100644 + files_search_tmp($1) + allow $1 user_tmp_t:dir list_dir_perms; + create_sock_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Read user home files. ++') ++ ++######################################## ++## +## Dontaudit getattr on user tmp sockets. - ## - ## - ## -@@ -1872,17 +2480,167 @@ interface(`userdom_mmap_user_home_content_files',` - ## - ## - # --interface(`userdom_read_user_home_content_files',` -- gen_require(` -- type user_home_dir_t, user_home_t; -- ') ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`usedom_dontaudit_user_getattr_tmp_sockets',` + refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.') + userdom_getattr_user_tmp_files($1) +') - -- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ +######################################## +## +## Dontaudit getattr on user tmp sockets. @@ -53657,13 +54522,13 @@ index 9dc60c6c0..597fe227f 100644 +interface(`userdom_dontaudit_setattr_user_home_content_files',` + gen_require(` + type user_home_t; -+ ') -+ -+ dontaudit $1 user_home_t:file setattr_file_perms; -+') -+ -+######################################## -+## + ') + + dontaudit $1 user_home_t:file setattr_file_perms; +@@ -1845,6 +2581,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` + + ######################################## + ## +## Set the attributes of all user home directories. +## +## 
@@ -53683,39 +54548,17 @@ index 9dc60c6c0..597fe227f 100644 + +######################################## +## -+## Mmap user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_mmap_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t, user_home_t; -+ ') -+ -+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ files_search_home($1) -+') -+ -+######################################## -+## -+## Read user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_read_user_home_content_files',` -+ gen_require(` -+ type user_home_dir_t, user_home_t; + ## Mmap user home files. + ## + ## +@@ -1875,14 +2630,36 @@ interface(`userdom_mmap_user_home_content_files',` + interface(`userdom_read_user_home_content_files',` + gen_require(` + type user_home_dir_t, user_home_t; + attribute user_home_type; -+ ') -+ + ') + +- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow $1 user_home_dir_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type }) + read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) @@ -53746,7 +54589,7 @@ index 9dc60c6c0..597fe227f 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1893,11 +2651,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1893,11 +2670,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -53764,7 +54607,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -1938,7 +2699,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2718,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## 
@@ -53773,7 +54616,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1946,10 +2707,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2726,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -53786,7 +54629,7 @@ index 9dc60c6c0..597fe227f 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2718,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2737,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -53795,7 +54638,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -1966,12 +2726,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2745,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -53864,7 +54707,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2007,8 +2821,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2840,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -53874,7 +54717,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2024,20 +2837,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2856,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -53899,7 +54742,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## -@@ -2120,7 +2927,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2946,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -53908,7 +54751,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2128,19 +2935,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2954,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # 
@@ -53932,7 +54775,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2148,12 +2953,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2972,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -53948,7 +54791,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2388,18 +3193,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3212,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -54006,7 +54849,7 @@ index 9dc60c6c0..597fe227f 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3255,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3274,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -54015,7 +54858,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2455,6 +3296,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3315,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -54041,7 +54884,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## -@@ -2538,7 +3398,7 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3417,7 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -54050,7 +54893,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2546,19 +3406,60 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2546,19 +3425,19 @@ interface(`userdom_manage_user_tmp_files',` ## ## # 
@@ -54070,6 +54913,54 @@ index 9dc60c6c0..597fe227f 100644 ## Create, read, write, and delete user -## temporary named pipes. +## temporary symbolic links. + ## + ## + ## +@@ -2566,19 +3445,19 @@ interface(`userdom_manage_user_tmp_symlinks',` + ## + ## + # +-interface(`userdom_manage_user_tmp_pipes',` ++interface(`userdom_manage_user_tmp_symlinks',` + gen_require(` + type user_tmp_t; + ') + +- manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) ++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) + ') + + ######################################## + ## + ## Create, read, write, and delete user +-## temporary named sockets. ++## temporary named pipes. + ## + ## + ## +@@ -2586,19 +3465,60 @@ interface(`userdom_manage_user_tmp_pipes',` + ## + ## + # +-interface(`userdom_manage_user_tmp_sockets',` ++interface(`userdom_rw_inherited_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + +- manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ++ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; + files_search_tmp($1) + ') + ++ + ######################################## + ## +-## Create objects in a user temporary directory +-## with an automatic type transition to ++## Create, read, write, and delete user ++## temporary named pipes. +## +## +## @@ -54077,19 +54968,19 @@ index 9dc60c6c0..597fe227f 100644 +## +## +# -+interface(`userdom_manage_user_tmp_symlinks',` ++interface(`userdom_manage_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + +######################################## +## +## Create, read, write, and delete user -+## temporary named pipes. ++## temporary named sockets. +## +## +## 
@@ -54097,24 +54988,23 @@ index 9dc60c6c0..597fe227f 100644 +## +## +# -+interface(`userdom_rw_inherited_user_tmp_pipes',` ++interface(`userdom_manage_user_tmp_sockets',` + gen_require(` + type user_tmp_t; + ') + -+ allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) + files_search_tmp($1) +') + -+ +######################################## +## -+## Create, read, write, and delete user -+## temporary named pipes. ++## Create objects in a user temporary directory ++## with an automatic type transition to + ## a specified private type. ## ## - ## -@@ -2661,6 +3562,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3581,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -54136,7 +55026,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3588,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3607,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -54158,7 +55048,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2692,19 +3603,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3622,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -54181,7 +55071,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2713,13 +3618,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3637,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` @@ -54242,7 +55132,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2814,6 +3762,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3781,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -54267,7 +55157,7 @@ index 9dc60c6c0..597fe227f 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3798,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3817,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -54310,7 +55200,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -2856,14 +3834,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3853,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -54348,7 +55238,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2882,8 +3879,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3898,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -54378,7 +55268,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -2955,6 +3971,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3990,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54421,7 +55311,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4030,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4049,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -54446,7 +55336,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4048,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4067,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') 
@@ -54458,7 +55348,7 @@ index 9dc60c6c0..597fe227f 100644 ## memory segments. ## ## -@@ -3025,17 +4059,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4078,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -54479,7 +55369,7 @@ index 9dc60c6c0..597fe227f 100644 ## memory segments. ## ## -@@ -3044,12 +4078,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4097,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -54494,7 +55384,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -3094,7 +4128,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4147,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -54503,7 +55393,7 @@ index 9dc60c6c0..597fe227f 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4144,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4163,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -54537,7 +55427,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -3214,7 +4232,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4251,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -54564,7 +55454,7 @@ index 9dc60c6c0..597fe227f 100644 ') ######################################## -@@ -3269,12 +4305,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4324,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -54580,7 +55470,7 @@ index 9dc60c6c0..597fe227f 100644 ## ## ## -@@ -3282,54 +4319,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,49 +4338,125 @@ interface(`userdom_write_user_tmp_files',` ## ## # 
@@ -54642,21 +55532,19 @@ index 9dc60c6c0..597fe227f 100644 - allow $1 userdomain:process getattr; + dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; - ') - - ######################################## - ## --## Inherit the file descriptors from all user domains ++') ++ ++######################################## ++## +## Allow domain to read/write inherited users +## fifo files. - ## - ## - ## -@@ -3337,7 +4376,81 @@ interface(`userdom_getattr_all_users',` - ## - ## - # --interface(`userdom_use_all_users_fds',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; @@ -54719,23 +55607,10 @@ index 9dc60c6c0..597fe227f 100644 + ') + + allow $1 userdomain:process getattr; -+') -+ -+######################################## -+## -+## Inherit the file descriptors from all user domains -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_use_all_users_fds',` - gen_require(` - attribute userdomain; - ') -@@ -3382,6 +4495,42 @@ interface(`userdom_signal_all_users',` + ') + + ######################################## +@@ -3382,6 +4514,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -54778,7 +55653,7 @@ index 9dc60c6c0..597fe227f 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4551,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4570,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -54839,7 +55714,7 @@ index 9dc60c6c0..597fe227f 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4638,1817 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4657,1835 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; 
@@ -55067,6 +55942,24 @@ index 9dc60c6c0..597fe227f 100644 + +######################################## +## ++## dontaudit manage files /root ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`userdom_dontaudit_manage_admin_files',` ++ gen_require(` ++ type admin_home_t; ++ ') ++ ++ dontaudit $1 admin_home_t:file manage_file_perms; ++') ++ ++######################################## ++## +## RW unpriviledged user SysV sempaphores. +## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index b3a8a86..e8ea30d 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -18519,7 +18519,7 @@ index ad0bae948..615a947aa 100644 +/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ') diff --git a/cron.if b/cron.if -index 1303b3036..f13c53200 100644 +index 1303b3036..f5bd4aee8 100644 --- a/cron.if +++ b/cron.if @@ -2,11 +2,12 @@ @@ -18705,6 +18705,15 @@ index 1303b3036..f13c53200 100644 - # - # Declarations - # +- +- role $1 types { unconfined_cronjob_t crontab_t }; +- +- ############################## +- # +- # Local policy +- # +- +- domtrans_pattern($2, crontab_exec_t, crontab_t) + ############################## + # + # Declarations 
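Review bot: The new `userdom_dontaudit_manage_admin_files` silences the whole `manage_file_perms` set on `admin_home_t` (create, write, unlink, rename of files under /root) for any caller, and nothing in the hunk says which domain produced the denials it is meant to quiet. A dontaudit grants no access, but it removes the AVC records that would otherwise show a confined domain trying to modify the root user's home, so the rule should be narrowed to the permissions actually observed or the triggering caller should be named in a comment. The summary line `## dontaudit manage files /root` would also read better as `## Do not audit attempts to create, write, and delete files in the root user home directory.`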
@@ -18712,41 +18721,32 @@ index 1303b3036..f13c53200 100644 + + role $1 types unconfined_cronjob_t; -- role $1 types { unconfined_cronjob_t crontab_t }; +- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; +- allow $2 crond_t:process sigchld; + ############################## + # + # Local policy + # -- ############################## -- # -- # Local policy -- # -+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - -- domtrans_pattern($2, crontab_exec_t, crontab_t) -+ allow $2 crond_t:process sigchld; - -- dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; -- allow $2 crond_t:process sigchld; -+ allow $2 user_cron_spool_t:file { getattr read write ioctl }; - - allow $2 user_cron_spool_t:file { getattr read write ioctl }; -+ # cronjob shows up in user ps -+ ps_process_pattern($2, unconfined_cronjob_t) -+ allow $2 unconfined_cronjob_t:process signal_perms; ++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; - allow $2 crontab_t:process { ptrace signal_perms }; - ps_process_pattern($2, crontab_t) -- ++ allow $2 crond_t:process sigchld; + - corecmd_exec_bin(crontab_t) - corecmd_exec_shell(crontab_t) -- ++ allow $2 user_cron_spool_t:file { getattr read write ioctl }; + - tunable_policy(`cron_userdomain_transition',` - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; -- ++ # cronjob shows up in user ps ++ ps_process_pattern($2, unconfined_cronjob_t) ++ allow $2 unconfined_cronjob_t:process signal_perms; + - allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`deny_ptrace',`',` + allow $2 unconfined_cronjob_t:process ptrace; 
@@ -18871,25 +18871,23 @@ index 1303b3036..f13c53200 100644 - allow crond_t $2:process transition; - allow crond_t $2:fd use; - allow crond_t $2:key manage_key_perms; -- -- allow $2 user_cron_spool_t:file entrypoint; + tunable_policy(`cron_userdomain_transition',` + allow crond_t $2:process transition; + allow crond_t $2:fd use; + allow crond_t $2:key manage_key_perms; -- allow $2 crond_t:fifo_file rw_fifo_file_perms; +- allow $2 user_cron_spool_t:file entrypoint; + allow $2 user_cron_spool_t:file entrypoint; +- allow $2 crond_t:fifo_file rw_fifo_file_perms; ++ allow $2 crond_t:fifo_file rw_fifo_file_perms; + - allow $2 cronjob_t:process { ptrace signal_perms }; - ps_process_pattern($2, cronjob_t) - ',` - dontaudit crond_t $2:process transition; - dontaudit crond_t $2:fd use; - dontaudit crond_t $2:key manage_key_perms; -+ allow $2 crond_t:fifo_file rw_fifo_file_perms; - -- dontaudit $2 user_cron_spool_t:file entrypoint; + allow $2 cronjob_t:process { signal_perms }; + ps_process_pattern($2, cronjob_t) + ',` @@ -18897,6 +18895,8 @@ index 1303b3036..f13c53200 100644 + dontaudit crond_t $2:fd use; + dontaudit crond_t $2:key manage_key_perms; +- dontaudit $2 user_cron_spool_t:file entrypoint; +- - dontaudit $2 crond_t:fifo_file rw_fifo_file_perms; - - dontaudit $2 cronjob_t:process { ptrace signal_perms }; @@ -19205,10 +19205,11 @@ index 1303b3036..f13c53200 100644 - allow $1 crond_t:fifo_file rw_fifo_file_perms; + allow $1 user_cron_spool_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write crond TCP sockets. +## Read and write inherited spool files. +## +## 
@@ -19223,11 +19224,10 @@ index 1303b3036..f13c53200 100644 + ') + + allow $1 cron_spool_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Read and write crond TCP sockets. ++') ++ ++######################################## ++## +## Read, and write cron daemon TCP sockets. ## ## @@ -19455,7 +19455,7 @@ index 1303b3036..f13c53200 100644 ## ## ## -@@ -829,7 +876,97 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -829,7 +876,126 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -19552,9 +19552,38 @@ index 1303b3036..f13c53200 100644 + ') + + logging_log_filetrans($1, cron_log_t, $2, $3) ++') ++ ++####################################### ++## ++## Create specified objects in generic ++## log directories with the cron log file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`cron_generic_log_filetrans_log_insights',` ++ gen_require(` ++ type var_log_t; ++ ') ++ ++ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log") ') diff --git a/cron.te b/cron.te -index 7de385956..61dcff6a5 100644 +index 7de385956..e4c99bdd4 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` @@ -20221,7 +20250,7 @@ index 7de385956..61dcff6a5 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +549,22 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` 
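Review bot: The documentation above the new `cron_generic_log_filetrans_log_insights` describes three parameters (the domain, the object class, and the object name), but the body only uses `$1` and hard-codes `file` and `"redhat-access-insights.log"`, so the `$2`/`$3` descriptions should be removed and the summary should say the class and name are fixed. The body also requires `type var_log_t;` directly and transitions to `var_log_t`, the type the generic log directory already carries; presumably the intent is that this one filename keeps `var_log_t` even when the caller has a broader `cron_log_t` log transition, which deserves a comment such as `# named transition so this file stays var_log_t rather than the caller's generic cron_log_t`. Requiring another module's type in cron.if is also outside the usual refpolicy convention of going through the owning module's interfaces, so confirm there is no logging_ interface that already covers this.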
@@ -20237,10 +20266,14 @@ index 7de385956..61dcff6a5 100644 + +optional_policy(` + bind_read_config(system_cronjob_t) ++') ++ ++optional_policy(` ++ cron_generic_log_filetrans_log_insights(system_cronjob_t) ') optional_policy(` -@@ -551,10 +569,6 @@ optional_policy(` +@@ -551,10 +573,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -20251,7 +20284,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -567,6 +581,10 @@ optional_policy(` +@@ -567,6 +585,10 @@ optional_policy(` ') optional_policy(` @@ -20262,7 +20295,7 @@ index 7de385956..61dcff6a5 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +609,8 @@ optional_policy(` +@@ -591,6 +613,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -20271,7 +20304,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -598,7 +618,31 @@ optional_policy(` +@@ -598,7 +622,31 @@ optional_policy(` ') optional_policy(` @@ -20303,7 +20336,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -607,7 +651,12 @@ optional_policy(` +@@ -607,7 +655,12 @@ optional_policy(` ') optional_policy(` @@ -20316,7 +20349,7 @@ index 7de385956..61dcff6a5 100644 ') optional_policy(` -@@ -615,12 +664,27 @@ optional_policy(` +@@ -615,12 +668,27 @@ optional_policy(` ') optional_policy(` @@ -20346,7 +20379,7 @@ index 7de385956..61dcff6a5 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +692,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +696,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; 
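Review bot: The added `optional_policy(` block around `cron_generic_log_filetrans_log_insights(system_cronjob_t)` wraps a call to an interface that cron.if itself defines, so the block can never be absent when cron.te is built; `optional_policy` is meant for interfaces of other modules. The call would read more clearly as a plain `cron_generic_log_filetrans_log_insights(system_cronjob_t)` placed with the other system_cronjob_t log rules, or, if the guard is meant to cover the `var_log_t` requirement inside that interface, a comment saying so.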
@@ -20380,7 +20413,7 @@ index 7de385956..61dcff6a5 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +725,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +729,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -26116,7 +26149,7 @@ index 41c3f6770..653a1ecbb 100644 ## ## Execute dmidecode in the dmidecode diff --git a/dmidecode.te b/dmidecode.te -index aa0ef6e94..02bdb681d 100644 +index aa0ef6e94..3c52d892c 100644 --- a/dmidecode.te +++ b/dmidecode.te @@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t) @@ -26127,7 +26160,7 @@ index aa0ef6e94..02bdb681d 100644 +userdom_use_inherited_user_terminals(dmidecode_t) + +optional_policy(` -+ rhsmcertd_rw_inherited_lock_files(dmidecode_t) ++ rhsmcertd_rw_lock_files(dmidecode_t) +') diff --git a/dnsmasq.fc b/dnsmasq.fc index 23ab808d8..84735a8cb 100644 @@ -36837,7 +36870,7 @@ index 180f1b7cc..3c8757e47 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 0e97e82f1..2569781e9 100644 +index 0e97e82f1..4bcee621d 100644 --- a/gpg.te +++ b/gpg.te @@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0) @@ -37194,7 +37227,7 @@ index 0e97e82f1..2569781e9 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +322,87 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +322,88 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) 
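Review bot: Replacing `rhsmcertd_rw_inherited_lock_files(dmidecode_t)` with `rhsmcertd_rw_lock_files(dmidecode_t)` widens dmidecode_t from reading and writing a lock file descriptor it inherited from its caller to opening rhsmcertd lock files on its own, and the hunk gives no indication of which denial motivated the change. If dmidecode is only launched by rhsmcertd with the lock already open, the inherited variant is the tighter rule and should stay; if an open denial was actually observed, record it in a comment next to the rule, e.g. `# rhsmcertd_rw_lock_files: needed for <observed AVC, placeholder>`.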
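Review bot: `sys_ptrace` and `dac_read_search` are added to keepalived_t's `self:capability` set, and with the existing `domain_read_all_domains_state` plus the new `domain_getattr_all_domains(keepalived_t)` the daemon can now inspect every process's /proc entries; the hunk does not say which tracker script or feature needs this. `sys_ptrace` is the broad one here, since it is typically what the kernel demands for reading another uid's `/proc/<pid>` files such as maps or environ, so if the real need is only a pidof-style lookup of a process owned by another uid, confirm whether `dac_read_search` alone clears the denial and drop `sys_ptrace`. Either way the triggering denial should be recorded in a comment above the allow rule, e.g. `# sys_ptrace: <observed AVC, placeholder>`.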
@@ -37246,6 +37279,7 @@ index 0e97e82f1..2569781e9 100644 -') +userdom_home_reader(gpg_pinentry_t) +userdom_stream_connect(gpg_pinentry_t) ++userdom_map_tmp_files(gpg_pinentry_t) -tunable_policy(`use_samba_home_dirs',` - fs_read_cifs_files(gpg_pinentry_t) @@ -43283,10 +43317,10 @@ index 000000000..bd7e7fa17 +') diff --git a/keepalived.te b/keepalived.te new file mode 100644 -index 000000000..202ac2b59 +index 000000000..923edd01e --- /dev/null +++ b/keepalived.te -@@ -0,0 +1,99 @@ +@@ -0,0 +1,100 @@ +policy_module(keepalived, 1.0.0) + +######################################## @@ -43312,7 +43346,7 @@ index 000000000..202ac2b59 +# keepalived local policy +# + -+allow keepalived_t self:capability { net_admin net_raw kill }; ++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search sys_ptrace }; +allow keepalived_t self:process { signal_perms }; +allow keepalived_t self:netlink_socket create_socket_perms; +allow keepalived_t self:netlink_generic_socket create_socket_perms; @@ -43343,6 +43377,7 @@ index 000000000..202ac2b59 +corenet_tcp_connect_squid_port(keepalived_t) + +domain_read_all_domains_state(keepalived_t) ++domain_getattr_all_domains(keepalived_t) + +dev_read_urand(keepalived_t) + @@ -49535,7 +49570,7 @@ index 8ae78b5bf..b365cddec 100644 + +/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if -index 327f3f726..4f6156138 100644 +index 327f3f726..36d4af101 100644 --- a/mandb.if +++ b/mandb.if @@ -1,14 +1,14 @@ 
@@ -49611,60 +49646,78 @@ index 327f3f726..4f6156138 100644 ######################################## ## -## Search mandb cache directories. -+## Relabel mandb cache files/directories ++## Mmap mandb cache files. ## ## ## -@@ -56,13 +68,18 @@ interface(`mandb_run',` +@@ -56,13 +68,17 @@ interface(`mandb_run',` ## ## # -interface(`mandb_search_cache',` - refpolicywarn(`$0($*) has been deprecated') -+interface(`mandb_relabel_cache',` ++interface(`mandb_map_cache_files',` + gen_require(` + type mandb_cache_t; + ') + -+ allow $1 mandb_cache_t:dir relabel_dir_perms; -+ allow $1 mandb_cache_t:file relabel_file_perms; ++ allow $1, mandb_cache_t:file map; ') ######################################## ## -## Delete mandb cache content. -+## Set attributes on mandb cache files. ++## Relabel mandb cache files/directories ## ## ## -@@ -70,13 +87,18 @@ interface(`mandb_search_cache',` +@@ -70,13 +86,18 @@ interface(`mandb_search_cache',` ## ## # -interface(`mandb_delete_cache_content',` - refpolicywarn(`$0($*) has been deprecated') -+interface(`mandb_setattr_cache_dirs',` ++interface(`mandb_relabel_cache',` + gen_require(` + type mandb_cache_t; + ') + -+ files_search_var($1) -+ allow $1 mandb_cache_t:dir setattr; ++ allow $1 mandb_cache_t:dir relabel_dir_perms; ++ allow $1 mandb_cache_t:file relabel_file_perms; ') ######################################## ## -## Read mandb cache content. -+## Delete mandb cache files. ++## Set attributes on mandb cache files. ## ## ## -@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',` +@@ -84,8 +105,35 @@ interface(`mandb_delete_cache_content',` ## ## # -interface(`mandb_read_cache_content',` - refpolicywarn(`$0($*) has been deprecated') ++interface(`mandb_setattr_cache_dirs',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ allow $1 mandb_cache_t:dir setattr; ++') ++ ++######################################## ++## ++## Delete mandb cache files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`mandb_delete_cache',` + gen_require(` + type mandb_cache_t; @@ -49678,7 +49731,7 @@ index 327f3f726..4f6156138 100644 ') ######################################## -@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',` +@@ -99,37 +147,82 @@ interface(`mandb_read_cache_content',` ## ## # @@ -49691,34 +49744,13 @@ index 327f3f726..4f6156138 100644 + + files_search_var($1) + manage_files_pattern($1, mandb_cache_t, mandb_cache_t) -+') -+ -+######################################## -+## -+## Manage mandb cache dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`mandb_manage_cache_dirs',` -+ gen_require(` -+ type mandb_cache_t; -+ ') -+ -+ files_search_var($1) -+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) ') ######################################## ## -## All of the rules required to -## administrate an mandb environment. -+## Create configuration files in user -+## home directories with a named file -+## type transition. ++## Manage mandb cache dirs. ## ## ## @@ -49727,6 +49759,27 @@ index 327f3f726..4f6156138 100644 ## -## +# ++interface(`mandb_manage_cache_dirs',` ++ gen_require(` ++ type mandb_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t) ++') ++ ++######################################## ++## ++## Create configuration files in user ++## home directories with a named file ++## type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`mandb_filetrans_named_home_content',` + gen_require(` + type mandb_home_t; @@ -49761,12 +49814,12 @@ index 327f3f726..4f6156138 100644 - mandb_run($1, $2) + files_search_var($1) + admin_pattern($1, mandb_cache_t) -+ -+ files_search_locks($1) -+ admin_pattern($1, mandb_lock_t) - # pending - # miscfiles_manage_man_cache_content(mandb_t) ++ files_search_locks($1) ++ admin_pattern($1, mandb_lock_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) 
@@ -60730,9 +60783,15 @@ index 86dc29dfa..cb39739a5 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 55f20095e..4419e3531 100644 +index 55f20095e..3ed3ed0b3 100644 --- a/networkmanager.te +++ b/networkmanager.te +@@ -1,4 +1,4 @@ +-policy_module(networkmanager, 1.15.2) ++policy_module(networkmanager, 1.15.3) + + ######################################## + # @@ -9,15 +9,18 @@ type NetworkManager_t; type NetworkManager_exec_t; init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -60950,10 +61009,10 @@ index 55f20095e..4419e3531 100644 -# certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) +systemd_machined_read_pid_files(NetworkManager_t) -+ -+term_use_unallocated_ttys(NetworkManager_t) -userdom_write_user_tmp_sockets(NetworkManager_t) ++term_use_unallocated_ttys(NetworkManager_t) ++ +userdom_stream_connect(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) userdom_dontaudit_use_user_ttys(NetworkManager_t) @@ -61019,16 +61078,16 @@ index 55f20095e..4419e3531 100644 dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) + dnsmasq_systemctl(NetworkManager_t) ++') ++ ++optional_policy(` ++ dnssec_trigger_domtrans(NetworkManager_t) ++ dnssec_trigger_signull(NetworkManager_t) ++ dnssec_trigger_sigkill(NetworkManager_t) ') optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) -+ dnssec_trigger_domtrans(NetworkManager_t) -+ dnssec_trigger_signull(NetworkManager_t) -+ dnssec_trigger_sigkill(NetworkManager_t) -+') -+ -+optional_policy(` + fcoe_dgram_send_fcoemon(NetworkManager_t) ') @@ -61157,7 +61216,7 @@ index 55f20095e..4419e3531 100644 ') optional_policy(` -@@ -338,12 +431,19 @@ optional_policy(` +@@ -338,12 +431,23 @@ optional_policy(` vpn_relabelfrom_tun_socket(NetworkManager_t) ') 
@@ -61168,6 +61227,10 @@ index 55f20095e..4419e3531 100644 + openfortivpn_signull(NetworkManager_t) +') + ++optional_policy(` ++ openvswitch_stream_connect(NetworkManager_t) ++') ++ ######################################## # # wpa_cli local policy @@ -61178,7 +61241,7 @@ index 55f20095e..4419e3531 100644 allow wpa_cli_t self:unix_dgram_socket create_socket_perms; allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto; -@@ -357,6 +457,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -357,6 +461,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -87845,7 +87908,7 @@ index 16c8ecbe3..4e021eca7 100644 + ') ') diff --git a/redis.te b/redis.te -index 25cd4175f..61de8277a 100644 +index 25cd4175f..84c02e325 100644 --- a/redis.te +++ b/redis.te @@ -12,6 +12,9 @@ init_daemon_domain(redis_t, redis_exec_t) @@ -87877,7 +87940,7 @@ index 25cd4175f..61de8277a 100644 manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) manage_files_pattern(redis_t, redis_log_t, redis_log_t) manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) -@@ -42,14 +50,17 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) +@@ -42,24 +50,27 @@ manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) @@ -87895,7 +87958,12 @@ index 25cd4175f..61de8277a 100644 corenet_sendrecv_redis_server_packets(redis_t) corenet_tcp_bind_redis_port(redis_t) -@@ -60,6 +71,4 @@ dev_read_urand(redis_t) + corenet_tcp_sendrecv_redis_port(redis_t) + ++corecmd_exec_shell(redis_t) ++ + dev_read_sysfs(redis_t) + dev_read_urand(redis_t) logging_send_syslog_msg(redis_t) 
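Review bot: `corecmd_exec_shell(redis_t)` in the redis.te hunk at `@@ -87895` lets a network-facing daemon run a shell in its own domain, which is a broad grant for a service whose exposure is its TCP port, and the changelog only says redis should execute shell scripts without naming which. If a specific helper script is the reason, labeling that script and transitioning to a dedicated domain keeps redis_t itself unable to spawn shells; failing that, wrapping the line in a `tunable_policy` block with a new boolean that defaults to off makes it opt-in. A comment above the rule naming the use case would also help the next reviewer.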
@@ -90773,7 +90841,7 @@ index 8c0280418..896c8c67f 100644 /var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0) diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905b3..4b17c933e 100644 +index 6dbc905b3..42e4306c8 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -90869,23 +90937,21 @@ index 6dbc905b3..4b17c933e 100644 ## ## ## -@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',` +@@ -196,10 +192,47 @@ interface(`rhsmcertd_read_pid_files',` allow $1 rhsmcertd_var_run_t:file read_file_perms; ') -#################################### +######################################## - ## --## Connect to rhsmcertd with a --## unix domain stream socket. ++## +## Read rhsmcertd PID files. - ## - ## - ## -@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',` - ## - ## - # ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhsmcertd_manage_pid_files',` + gen_require(` + type rhsmcertd_var_run_t; @@ -90914,6 +90980,27 @@ index 6dbc905b3..4b17c933e 100644 + allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms; +') + ++######################################## + ## +-## Connect to rhsmcertd with a +-## unix domain stream socket. ++## Read/wirte lock files. + ## + ## + ## +@@ -207,6 +240,26 @@ interface(`rhsmcertd_read_pid_files',` + ## + ## + # ++interface(`rhsmcertd_rw_lock_files',` ++ gen_require(` ++ type rhsmcertd_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 rhsmcertd_lock_t:file rw_file_perms; ++') ++ +#################################### +## +## Connect to rhsmcertd over a unix domain @@ -90928,7 +91015,7 @@ index 6dbc905b3..4b17c933e 100644 interface(`rhsmcertd_stream_connect',` gen_require(` type rhsmcertd_t, rhsmcertd_var_run_t; -@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',` +@@ -239,30 +292,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## 
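Review bot: In the rhsmcertd.if hunk at `@@ -90869`, the summary placed above the new `rhsmcertd_manage_pid_files` interface still reads `## Read rhsmcertd PID files.`, duplicating the description of the existing `rhsmcertd_read_pid_files` and misdescribing an interface whose name says it grants manage permissions (its body is cut by the hunk boundary); suggest `## Create, read, write, and delete rhsmcertd PID files.` The summary added for `rhsmcertd_rw_lock_files` at `@@ -90914` has a typo, `## Read/wirte lock files.`, which should be `## Read and write rhsmcertd lock files.`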
@@ -90972,7 +91059,7 @@ index 6dbc905b3..4b17c933e 100644 ## ## ## -@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` +@@ -270,35 +322,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## ## @@ -91004,24 +91091,24 @@ index 6dbc905b3..4b17c933e 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') -+ + +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) -+ logging_search_logs($1) -+ admin_pattern($1, rhsmcertd_log_t) - - files_search_var_lib($1) - admin_pattern($1, rhsmcertd_var_lib_t) -+ files_search_var_lib($1) -+ admin_pattern($1, rhsmcertd_var_lib_t) ++ logging_search_logs($1) ++ admin_pattern($1, rhsmcertd_log_t) - files_search_pids($1) - admin_pattern($1, rhsmcertd_var_run_t) ++ files_search_var_lib($1) ++ admin_pattern($1, rhsmcertd_var_lib_t) ++ + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) + @@ -120344,10 +120431,10 @@ index 4815a93f4..24dcf5174 100644 + rhcs_rw_cluster_tmpfs(wdmd_t) ') diff --git a/webadm.te b/webadm.te -index 2a6cae773..6d0a2a1c5 100644 +index 2a6cae773..d2752d9bb 100644 --- a/webadm.te +++ b/webadm.te -@@ -25,6 +25,9 @@ role webadm_r; +@@ -25,12 +25,21 @@ role webadm_r; userdom_base_user_template(webadm) 
@@ -120357,26 +120444,43 @@ index 2a6cae773..6d0a2a1c5 100644 ######################################## # # Local policy -@@ -32,6 +35,12 @@ userdom_base_user_template(webadm) - - allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; + # +-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice }; ++allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource }; ++ +manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t) +files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir }) +can_exec(webadm_t, webadm_tmp_t) -+ + files_dontaudit_search_all_dirs(webadm_t) files_list_var(webadm_t) +@@ -38,12 +47,26 @@ files_list_var(webadm_t) + selinux_get_enforce_mode(webadm_t) + seutil_domtrans_setfiles(webadm_t) -@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t) ++init_rw_pipes(webadm_t) ++init_status(webadm_t) ++ + logging_send_audit_msgs(webadm_t) + logging_send_syslog_msg(webadm_t) userdom_dontaudit_search_user_home_dirs(webadm_t) ++userdom_dontaudit_manage_admin_files(webadm_t) ++ ++optional_policy(` ++ apache_admin(webadm_t, webadm_r) ++') ++ ++optional_policy(` ++ dbus_system_bus_client(webadm_t) ++') -apache_admin(webadm_t, webadm_r) +optional_policy(` -+ apache_admin(webadm_t, webadm_r) ++ policykit_dbus_chat(webadm_t) +') tunable_policy(`webadm_manage_user_files',` diff --git a/selinux-policy.spec b/selinux-policy.spec index 56ba655..8636194 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 281%{?dist} +Release: 282%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
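Review bot: The webadm.te hunk adds `sys_resource` to webadm_t's self capability set without anything in the hunk showing which operation needs it; CAP_SYS_RESOURCE overrides resource-limit and quota checks as a whole rather than enabling one action, so it is worth confirming it was a real functional failure rather than a probe that `dontaudit webadm_t self:capability sys_resource;` would silence. If it is required, a short comment above the allow rule naming the trigger would document the decision. The selinux-policy.spec hunk on this line is a release bump and needs no review.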
@@ -681,6 +681,20 @@ exit 0
 %endif
 %changelog
+* Mon Sep 11 2017 Lukas Vrabec - 3.13.1-282
+- Add new bunch of map rules
+- Merge pull request #25 from NetworkManager/nm-ovs
+- Make working webadm_t userdomain
+- Allow redis domain to execute shell scripts.
+- Allow system_cronjob_t to create redhat-access-insights.log with var_log_t
+- Add couple capabilities to keepalived domain and allow get attributes of all domains
+- Allow dmidecode read rhsmcertd lock files
+- Add new interface rhsmcertd_rw_lock_files()
+- Add new bunch of map rules
+- Merge pull request #199 from mscherer/add_conntrackd
+- Add support labeling for vmci and vsock device
+- Add userdom_dontaudit_manage_admin_files() interface
+
 * Mon Sep 11 2017 Lukas Vrabec - 3.13.1-281
 - Allow domains reading raw memory also use mmap.