diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 7e6a578..3397939 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -5548,7 +5548,7 @@ index b31c054..3035b45 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..09ccba4 100644 +index 76f285e..e26dfc3 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -6339,175 +6339,223 @@ index 76f285e..09ccba4 100644 ') ######################################## -@@ -3855,6 +4185,78 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4185,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## +-## Search the sysfs directories. +## Set the attributes of sysfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -3863,53 +4193,53 @@ interface(`dev_getattr_sysfs_dirs',` + ## + ## + # +-interface(`dev_search_sysfs',` +interface(`dev_setattr_sysfs_dirs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ + gen_require(` + type sysfs_t; + ') + +- search_dirs_pattern($1, sysfs_t, sysfs_t) + allow $1 sysfs_t:dir setattr_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to search sysfs. +## Get attributes of sysfs filesystems. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`dev_dontaudit_search_sysfs',` +interface(`dev_getattr_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ + gen_require(` + type sysfs_t; + ') + +- dontaudit $1 sysfs_t:dir search_dir_perms; + allow $1 sysfs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List the contents of the sysfs directories. ++## Mount a filesystem on /sys + ## + ## + ## +-## Domain allowed access. ++## Domain allow access. + ## + ## + # +-interface(`dev_list_sysfs',` ++interface(`dev_mounton_sysfs',` + gen_require(` + type sysfs_t; + ') + +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ allow $1 sysfs_t:dir mounton; + ') + + ######################################## + ## +-## Write in a sysfs directories. +## Mount sysfs filesystems. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -3917,37 +4247,35 @@ interface(`dev_list_sysfs',` + ## + ## + # +-# cjp: added for cpuspeed +-interface(`dev_write_sysfs_dirs',` +interface(`dev_mount_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ + gen_require(` + type sysfs_t; + ') + +- allow $1 sysfs_t:dir write; + allow $1 sysfs_t:filesystem mount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to write in a sysfs directory. +## Unmount sysfs filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_unmount_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ allow $1 sysfs_t:filesystem unmount; -+') -+ -+######################################## -+## - ## Search the sysfs directories. ## ## -@@ -3904,6 +4306,7 @@ interface(`dev_list_sysfs',` + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_write_sysfs_dirs',` ++interface(`dev_unmount_sysfs_fs',` + gen_require(` type sysfs_t; ') -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) - list_dirs_pattern($1, sysfs_t, sysfs_t) +- dontaudit $1 sysfs_t:dir write; ++ allow $1 sysfs_t:filesystem unmount; ') -@@ -3946,23 +4349,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',` - ######################################## ## -## Create, read, write, and delete sysfs -## directories. -+## Read cpu online hardware state information. ++## Search the sysfs directories. ## -+## -+##

-+## Allow the specified domain to read /sys/devices/system/cpu/online file. -+##

-+##
## ## - ## Domain allowed access. +@@ -3955,47 +4283,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # -interface(`dev_manage_sysfs_dirs',` -+interface(`dev_read_cpu_online',` -+ gen_require(` -+ type cpu_online_t; -+ ') -+ -+ dev_search_sysfs($1) -+ read_files_pattern($1, cpu_online_t, cpu_online_t) -+') -+ -+######################################## -+## -+## Relabel cpu online hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_relabel_cpu_online',` ++interface(`dev_search_sysfs',` gen_require(` -+ type cpu_online_t; type sysfs_t; ') - manage_dirs_pattern($1, sysfs_t, sysfs_t) -+ dev_search_sysfs($1) -+ allow $1 cpu_online_t:file relabel_file_perms; ++ search_dirs_pattern($1, sysfs_t, sysfs_t) ') -+ ######################################## ## - ## Read hardware state information. -@@ -4016,7 +4445,7 @@ interface(`dev_rw_sysfs',` +-## Read hardware state information. ++## Do not audit attempts to search sysfs. + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+ ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## +-## + # +-interface(`dev_read_sysfs',` ++interface(`dev_dontaudit_search_sysfs',` + gen_require(` + type sysfs_t; + ') + +- read_files_pattern($1, sysfs_t, sysfs_t) +- read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- +- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ dontaudit $1 sysfs_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Allow caller to modify hardware state information. ++## List the contents of the sysfs directories. + ## + ## + ## +@@ -4003,20 +4319,18 @@ interface(`dev_read_sysfs',` + ## + ## + # +-interface(`dev_rw_sysfs',` ++interface(`dev_list_sysfs',` + gen_require(` + type sysfs_t; + ') + +- rw_files_pattern($1, sysfs_t, sysfs_t) + read_lnk_files_pattern($1, sysfs_t, sysfs_t) +- + list_dirs_pattern($1, sysfs_t, sysfs_t) + ') ######################################## ## -## Read and write the TPM device. -+## Relabel hardware state directories. ++## Write in a sysfs directories. ## ## ## -@@ -4024,58 +4453,114 @@ interface(`dev_rw_sysfs',` +@@ -4024,78 +4338,60 @@ interface(`dev_rw_sysfs',` ## ## # -interface(`dev_rw_tpm',` -+interface(`dev_relabel_sysfs_dirs',` ++# cjp: added for cpuspeed ++interface(`dev_write_sysfs_dirs',` gen_require(` - type device_t, tpm_device_t; + type sysfs_t; ') - rw_chr_files_pattern($1, device_t, tpm_device_t) -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ allow $1 sysfs_t:dir write; ') ######################################## ## -## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## Relabel hardware state files ++## Do not audit attempts to write in a sysfs directory. ## -## -##
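Review bot: The parameter summary of the new `dev_mounton_sysfs` interface reads `## Domain allow access.`, while every neighbouring interface in this hunk uses `## Domain allowed access.`, and its description `## Mount a filesystem on /sys` lacks the trailing period the other summaries carry. The rule itself, `allow $1 sysfs_t:dir mounton;`, applies to every directory labelled sysfs_t rather than only the /sys mount point, so a summary such as `## Mount a filesystem on sysfs directories.` would describe the grant more accurately. The remaining lines of the hunk reorder existing sysfs interfaces without changing their rules.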

@@ -6533,27 +6581,172 @@ index 76f285e..09ccba4 100644 -## ## ##

- ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## -## # -interface(`dev_read_urand',` -+interface(`dev_relabel_all_sysfs',` ++interface(`dev_dontaudit_write_sysfs_dirs',` gen_require(` - type device_t, urandom_device_t; + type sysfs_t; ') - read_chr_files_pattern($1, device_t, urandom_device_t) -+ relabel_dirs_pattern($1, sysfs_t, sysfs_t) -+ relabel_files_pattern($1, sysfs_t, sysfs_t) -+ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ dontaudit $1 sysfs_t:dir write; ') ######################################## ## -## Do not audit attempts to read from pseudo +-## random devices (e.g., /dev/urandom) ++## Read cpu online hardware state information. + ## ++## ++##

++## Allow the specified domain to read /sys/devices/system/cpu/online file. ++##

++##
+ ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`dev_dontaudit_read_urand',` ++interface(`dev_read_cpu_online',` + gen_require(` +- type urandom_device_t; ++ type cpu_online_t; + ') + +- dontaudit $1 urandom_device_t:chr_file { getattr read }; ++ dev_search_sysfs($1) ++ read_files_pattern($1, cpu_online_t, cpu_online_t) + ') + + ######################################## + ## +-## Write to the pseudo random device (e.g., /dev/urandom). This +-## sets the random number generator seed. ++## Relabel cpu online hardware state information. + ## + ## + ## +@@ -4103,19 +4399,245 @@ interface(`dev_dontaudit_read_urand',` + ## + ## + # +-interface(`dev_write_urand',` ++interface(`dev_relabel_cpu_online',` + gen_require(` +- type device_t, urandom_device_t; ++ type cpu_online_t; ++ type sysfs_t; + ') + +- write_chr_files_pattern($1, device_t, urandom_device_t) ++ dev_search_sysfs($1) ++ allow $1 cpu_online_t:file relabel_file_perms; + ') + ++ + ######################################## + ## +-## Getattr generic the USB devices. ++## Read hardware state information. + ## +-## ++## ++##

++## Allow the specified domain to read the contents of ++## the sysfs filesystem. This filesystem contains ++## information, parameters, and other settings on the ++## hardware installed on the system. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_read_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ read_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Allow caller to modify hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ rw_files_pattern($1, sysfs_t, sysfs_t) ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ ++ list_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Relabel hardware state directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_sysfs_dirs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## ++## Relabel hardware state files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_relabel_all_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ relabel_dirs_pattern($1, sysfs_t, sysfs_t) ++ relabel_files_pattern($1, sysfs_t, sysfs_t) ++ relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Allow caller to modify hardware state information. +## +## 
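Review bot: `dev_relabel_cpu_online` now lists `type sysfs_t;` in its gen_require although its body only names `cpu_online_t` and obtains sysfs access through `dev_search_sysfs($1)`, while the sibling `dev_read_cpu_online` added earlier in the hunk requires only `cpu_online_t`; the two require blocks should match, and dropping the unused `type sysfs_t;` line is the smaller change. There is also a doubled blank line (two consecutive `++` lines) between that interface's closing `')` and the following banner, where the other interfaces use one. The context lines at the end of the hunk open another `## Allow caller to modify hardware state information.` summary identical to the one written for `dev_rw_sysfs` above; if that heading belongs to a second definition of the same interface, the new patch would define it twice, which is worth checking in the lines past this hunk.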
@@ -6632,13 +6825,43 @@ index 76f285e..09ccba4 100644 +######################################## +## +## Do not audit attempts to read from pseudo - ## random devices (e.g., /dev/urandom) - ## - ## -@@ -4113,6 +4598,25 @@ interface(`dev_write_urand',` - - ######################################## - ## ++## random devices (e.g., /dev/urandom) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_urand',` ++ gen_require(` ++ type urandom_device_t; ++ ') ++ ++ dontaudit $1 urandom_device_t:chr_file { getattr read }; ++') ++ ++######################################## ++## ++## Write to the pseudo random device (e.g., /dev/urandom). This ++## sets the random number generator seed. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_write_urand',` ++ gen_require(` ++ type device_t, urandom_device_t; ++ ') ++ ++ write_chr_files_pattern($1, device_t, urandom_device_t) ++') ++ ++######################################## ++## +## Do not audit attempts to write to pseudo +## random devices (e.g., /dev/urandom) +## @@ -6658,10 +6881,13 @@ index 76f285e..09ccba4 100644 + +######################################## +## - ## Getattr generic the USB devices. - ## - ## -@@ -4409,9 +4913,9 @@ interface(`dev_rw_usbfs',` ++## Getattr generic the USB devices. ++##
++## + ## + ## Domain allowed access. + ## +@@ -4409,9 +4931,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -6673,7 +6899,7 @@ index 76f285e..09ccba4 100644 ## ## ## -@@ -4419,17 +4923,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +4941,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -6696,7 +6922,7 @@ index 76f285e..09ccba4 100644 ## ## ## -@@ -4437,12 +4941,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +4959,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -6712,7 +6938,7 @@ index 76f285e..09ccba4 100644 ') ######################################## -@@ -4539,6 +5043,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5061,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -6847,7 +7073,7 @@ index 76f285e..09ccba4 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5189,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5207,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -6872,7 +7098,7 @@ index 76f285e..09ccba4 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5412,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5430,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -6899,7 +7125,7 @@ index 76f285e..09ccba4 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5521,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5539,943 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -8074,7 +8300,7 @@ index 6a1e4d1..adafd25 100644 + dontaudit $1 domain:socket_class_set { read write }; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..8542b3d 100644 +index cf04cb5..5376a48 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) 
@@ -8202,7 +8428,7 @@ index cf04cb5..8542b3d 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +229,271 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +229,275 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8272,6 +8498,10 @@ index cf04cb5..8542b3d 100644 +') + +optional_policy(` ++ clock_filetrans_named_content(unconfined_domain_type) ++') ++ ++optional_policy(` + cups_filetrans_named_content(unconfined_domain_type) +') + @@ -8348,7 +8578,7 @@ index cf04cb5..8542b3d 100644 + systemd_login_reboot(unconfined_domain_type) + systemd_login_halt(unconfined_domain_type) + systemd_login_undefined(unconfined_domain_type) -+ systemd_filetrans_named_hostname(unconfined_domain_type) ++ systemd_filetrans_named_hostname(unconfined_domain_type) +') + +optional_policy(` @@ -8360,11 +8590,11 @@ index cf04cb5..8542b3d 100644 +') + +optional_policy(` -+ virt_filetrans_named_content(unconfined_domain_type) ++ ssh_filetrans_admin_home_content(unconfined_domain_type) +') + +optional_policy(` -+ ssh_filetrans_admin_home_content(unconfined_domain_type) ++ virt_filetrans_named_content(unconfined_domain_type) +') + +selinux_getattr_fs(domain) @@ -8718,7 +8948,7 @@ index c2c6e05..be423a7 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..92d80ef 100644 +index 64ff4d7..455cc6c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
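Review bot: The new block `optional_policy(` / `clock_filetrans_named_content(unconfined_domain_type)` / `')` only builds if the clock module's interface file, which is not part of this diff, defines that interface; as far as I can tell optional_policy tolerates a missing module at link time but not an undefined m4 interface name, which would leave the call unexpanded and fail compilation, so the definition should land in the same change. The placement between the existing blocks keeps the alphabetical order that the later swap of the ssh and virt blocks in this section is restoring. The 4-line growth in the hunk header (`+229,271` to `+229,275`) matches the added block.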
@@ -9147,7 +9377,7 @@ index 64ff4d7..92d80ef 100644 ## Get the attributes of all named sockets. ## ## -@@ -991,6 +1303,25 @@ interface(`files_dontaudit_getattr_all_sockets',` +@@ -991,6 +1303,44 @@ interface(`files_dontaudit_getattr_all_sockets',` ######################################## ## @@ -9170,10 +9400,29 @@ index 64ff4d7..92d80ef 100644 + +######################################## +## ++## Do not audit attempts to read ++## of all security file types. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_read_all_non_security_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ dontaudit $1 non_security_file_type:file read_file_perms; ++') ++ ++######################################## ++## ## Do not audit attempts to get the attributes ## of non security named sockets. ## -@@ -1073,10 +1404,8 @@ interface(`files_relabel_all_files',` +@@ -1073,10 +1423,8 @@ interface(`files_relabel_all_files',` relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -9186,7 +9435,7 @@ index 64ff4d7..92d80ef 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1182,24 +1511,6 @@ interface(`files_list_all',` +@@ -1182,24 +1530,6 @@ interface(`files_list_all',` ######################################## ## 
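Review bot: The summary of the new `files_dontaudit_read_all_non_security_files` reads `## Do not audit attempts to read` / `## of all security file types.`, but the rule is `dontaudit $1 non_security_file_type:file read_file_perms;`, so the text names the opposite attribute; suggest `## Do not audit attempts to read` / `## all non-security file types.`. Since this silences read denials across every type carrying non_security_file_type, it removes the AVC records an analyst would otherwise see, so callers should be confined to domains whose read noise is understood. The other hunks in this section only renumber inner hunk headers.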
@@ -9211,19 +9460,17 @@ index 64ff4d7..92d80ef 100644 ## Do not audit attempts to search the ## contents of any directories on extended ## attribute filesystems. -@@ -1443,10 +1754,7 @@ interface(`files_relabel_non_auth_files',` +@@ -1443,9 +1773,6 @@ interface(`files_relabel_non_auth_files',` # device nodes with file types. relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type) relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_relabelto_bin_policy($1) --') -+') + ') ############################################# - ## -@@ -1583,6 +1891,24 @@ interface(`files_getattr_all_mountpoints',` +@@ -1583,6 +1910,24 @@ interface(`files_getattr_all_mountpoints',` ######################################## ## @@ -9248,7 +9495,7 @@ index 64ff4d7..92d80ef 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,6 +1999,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1673,6 +2018,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -9273,7 +9520,7 @@ index 64ff4d7..92d80ef 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +2035,24 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +2054,24 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## @@ -9298,7 +9545,7 @@ index 64ff4d7..92d80ef 100644 ## List the contents of the root directory. ## ## -@@ -1874,25 +2236,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1874,25 +2255,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -9330,7 +9577,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -1905,7 +2267,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2286,7 @@ interface(`files_relabel_rootfs',` type root_t; ') 
@@ -9339,7 +9586,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -1928,6 +2290,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2309,24 @@ interface(`files_unmount_rootfs',` ######################################## ## @@ -9364,7 +9611,7 @@ index 64ff4d7..92d80ef 100644 ## Get attributes of the /boot directory. ## ## -@@ -2627,6 +3007,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3026,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -9389,7 +9636,7 @@ index 64ff4d7..92d80ef 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3096,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3115,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -9397,7 +9644,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -2706,7 +3105,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3124,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -9406,7 +9653,7 @@ index 64ff4d7..92d80ef 100644 ## ## # -@@ -2762,6 +3161,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3180,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -9432,7 +9679,7 @@ index 64ff4d7..92d80ef 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3198,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3217,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -9457,7 +9704,7 @@ index 64ff4d7..92d80ef 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3381,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,24 +3400,6 @@ interface(`files_delete_boot_flag',` ######################################## ## 
@@ -9482,7 +9729,7 @@ index 64ff4d7..92d80ef 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3003,9 +3421,7 @@ interface(`files_read_etc_runtime_files',` +@@ -3003,9 +3440,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -9493,7 +9740,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -3013,18 +3429,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3448,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -9515,7 +9762,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -3042,6 +3457,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3476,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -9542,7 +9789,7 @@ index 64ff4d7..92d80ef 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3494,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3513,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -9550,7 +9797,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -3080,6 +3516,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3535,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -9558,7 +9805,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -3132,6 +3569,25 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3588,25 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## 
@@ -9584,7 +9831,7 @@ index 64ff4d7..92d80ef 100644 ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## -@@ -3208,6 +3664,25 @@ interface(`files_delete_isid_type_dirs',` +@@ -3208,6 +3683,25 @@ interface(`files_delete_isid_type_dirs',` ######################################## ## @@ -9610,7 +9857,7 @@ index 64ff4d7..92d80ef 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3930,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3455,6 +3949,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -9636,7 +9883,7 @@ index 64ff4d7..92d80ef 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4290,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4309,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -9680,7 +9927,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -4199,58 +4711,225 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,52 +4730,219 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') 
@@ -9733,38 +9980,25 @@ index 64ff4d7..92d80ef 100644 ## # -interface(`files_getattr_tmp_dirs',` -- gen_require(` -- type tmp_t; -- ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:dir getattr; ++ + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) - ') - --######################################## ++') ++ +##################################### - ## --## Do not audit attempts to get the --## attributes of the tmp directory (/tmp). ++## +## File name transition for system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_dontaudit_getattr_tmp_dirs',` -- gen_require(` -- type tmp_t; ++## ++# +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t; @@ -9894,16 +10128,16 @@ index 64ff4d7..92d80ef 100644 +## +# +interface(`files_getattr_tmp_dirs',` -+ gen_require(` -+ type tmp_t; -+ ') -+ + gen_require(` + type tmp_t; + ') + + read_lnk_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmp_t:dir getattr; -+') -+ -+######################################## -+## + allow $1 tmp_t:dir getattr; + ') + + ######################################## + ## +## Do not audit attempts to check the +## access on tmp files +## 
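Review bot: On the new side, `files_getattr_tmp_dirs` appears to carry `read_lnk_files_pattern($1, tmp_t, tmp_t)` immediately before `allow $1 tmp_t:dir getattr;`, which grants symlink reads from an interface whose name and summary promise only directory getattr; if I am reading the stacked markers correctly, either the summary should say so, for example `## Get the attributes of the tmp directory (/tmp) and read its symlinks.`, or the pattern belongs in a separate interface. The rest of the hunk stops deleting and re-adding the unchanged interfaces, which shrinks the patch and is the right direction.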
@@ -9923,22 +10157,17 @@ index 64ff4d7..92d80ef 100644 + +######################################## +## -+## Do not audit attempts to get the -+## attributes of the tmp directory (/tmp). -+## -+## -+## + ## Do not audit attempts to get the + ## attributes of the tmp directory (/tmp). + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_getattr_tmp_dirs',` -+ gen_require(` -+ type tmp_t; - ') - - dontaudit $1 tmp_t:dir getattr; -@@ -4271,6 +4950,7 @@ interface(`files_search_tmp',` + ## + ## + # +@@ -4271,6 +4969,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -9946,7 +10175,7 @@ index 64ff4d7..92d80ef 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +4987,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +5006,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -9954,7 +10183,7 @@ index 64ff4d7..92d80ef 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +4997,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +5016,7 @@ interface(`files_list_tmp',` ## ## ## @@ -9963,7 +10192,7 @@ index 64ff4d7..92d80ef 100644 ## ## # -@@ -4328,6 +5009,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +5028,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -9989,7 +10218,7 @@ index 64ff4d7..92d80ef 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +5043,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +5062,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -9997,7 +10226,7 @@ index 64ff4d7..92d80ef 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +5085,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +5104,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -10030,7 +10259,7 @@ index 64ff4d7..92d80ef 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4438,6 +5165,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,6 +5184,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## @@ -10073,7 +10302,7 @@ index 64ff4d7..92d80ef 100644 ## Set the attributes of all tmp directories. ## ## -@@ -4456,6 +5219,60 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4456,6 +5238,60 @@ interface(`files_setattr_all_tmp_dirs',` ######################################## ## @@ -10134,7 +10363,7 @@ index 64ff4d7..92d80ef 100644 ## List all tmp directories. ## ## -@@ -4501,7 +5318,7 @@ interface(`files_relabel_all_tmp_dirs',` +@@ -4501,7 +5337,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -10143,7 +10372,7 @@ index 64ff4d7..92d80ef 100644 ## ## # -@@ -4561,7 +5378,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4561,7 +5397,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## 
@@ -10152,124 +10381,52 @@ index 64ff4d7..92d80ef 100644 ## ## # -@@ -4593,59 +5410,107 @@ interface(`files_read_all_tmp_files',` +@@ -4593,6 +5429,44 @@ interface(`files_read_all_tmp_files',` ######################################## ## --## Create an object in the tmp directories, with a private --## type using a type transition. +## Do not audit attempts to read or write +## all leaked tmpfiles files. - ## - ## - ## --## Domain allowed access. --## --## --## --## --## The type of the object to be created. --## --## --## --## --## The object class of the object being created. --## --## --## --## --## The name of the object being created. -+## Domain to not audit. - ## - ## - # --interface(`files_tmp_filetrans',` -+interface(`files_dontaudit_tmp_file_leaks',` - gen_require(` -- type tmp_t; -+ attribute tmpfile; - ') - -- filetrans_pattern($1, tmp_t, $2, $3, $4) -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Delete the contents of /tmp. -+## Do allow attempts to read or write -+## all leaked tmpfiles files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_purge_tmp',` -+interface(`files_rw_tmp_file_leaks',` - gen_require(` - attribute tmpfile; - ') - -- allow $1 tmpfile:dir list_dir_perms; -- delete_dirs_pattern($1, tmpfile, tmpfile) -+ allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Create an object in the tmp directories, with a private -+## type using a type transition. +## +## +## -+## Domain allowed access. -+## -+## -+## -+## -+## The type of the object to be created. -+## -+## -+## -+## -+## The object class of the object being created. -+## -+## -+## -+## -+## The name of the object being created. ++## Domain to not audit. 
+## +## +# -+interface(`files_tmp_filetrans',` ++interface(`files_dontaudit_tmp_file_leaks',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ filetrans_pattern($1, tmp_t, $2, $3, $4) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; +') + +######################################## +## -+## Delete the contents of /tmp. ++## Do allow attempts to read or write ++## all leaked tmpfiles files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_purge_tmp',` ++interface(`files_rw_tmp_file_leaks',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:dir list_dir_perms; -+ delete_dirs_pattern($1, tmpfile, tmpfile) - delete_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:file rw_inherited_file_perms; ++') ++ ++######################################## ++## + ## Create an object in the tmp directories, with a private + ## type using a type transition. + ## +@@ -4646,6 +5520,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
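Review bot: The parameter summary for the new `files_rw_tmp_file_leaks` reads `## Domain to not audit.`, but the interface grants access with `allow $1 tmpfile:file rw_inherited_file_perms;`, so it should be `## Domain allowed access.`; only the sibling `files_dontaudit_tmp_file_leaks` is a dontaudit. The summary `## Do allow attempts to read or write` / `## all leaked tmpfiles files.` would read better as `## Allow reading and writing of` / `## all leaked tmp files.`. Because `tmpfile` is the attribute over every tmp file type, the grant is broad even though it is limited to inherited descriptors, which is worth stating in the summary.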
@@ -10286,32 +10443,67 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -5223,6 +6088,24 @@ interface(`files_list_var',` +@@ -5223,26 +6107,26 @@ interface(`files_list_var',` ######################################## ## +-## Create, read, write, and delete directories +-## in the /var directory. +## Do not audit listing of the var directory (/var). -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`files_manage_var_dirs',` +interface(`files_dontaudit_list_var',` + gen_require(` + type var_t; + ') + +- allow $1 var_t:dir manage_dir_perms; ++ dontaudit $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Read files in the /var directory. ++## Create, read, write, and delete directories ++## in the /var directory. + ## + ## + ## +@@ -5250,7 +6134,25 @@ interface(`files_manage_var_dirs',` + ## + ## + # +-interface(`files_read_var_files',` ++interface(`files_manage_var_dirs',` + gen_require(` + type var_t; + ') + -+ dontaudit $1 var_t:dir list_dir_perms; ++ allow $1 var_t:dir manage_dir_perms; +') + +######################################## +## - ## Create, read, write, and delete directories - ## in the /var directory. - ## -@@ -5578,6 +6461,25 @@ interface(`files_read_var_lib_symlinks',` ++## Read files in the /var directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_var_files',` + gen_require(` + type var_t; + ') +@@ -5578,6 +6480,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -10337,7 +10529,7 @@ index 64ff4d7..92d80ef 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6525,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6544,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -10346,7 +10538,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -5631,12 +6533,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6552,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -10362,7 +10554,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -5654,6 +6557,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6576,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -10370,7 +10562,7 @@ index 64ff4d7..92d80ef 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6584,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6603,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -10398,7 +10590,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -5688,13 +6611,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6630,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -10415,7 +10607,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -5713,7 +6635,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6654,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -10424,7 +10616,7 @@ index 64ff4d7..92d80ef 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6668,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6687,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -10432,7 +10624,7 @@ index 64ff4d7..92d80ef 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5774,8 +6695,7 @@ interface(`files_getattr_generic_locks',` +@@ -5774,8 +6714,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') 
@@ -10442,7 +10634,7 @@ index 64ff4d7..92d80ef 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6711,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6730,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -10460,7 +10652,7 @@ index 64ff4d7..92d80ef 100644 ') ######################################## -@@ -5816,9 +6735,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6754,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -10471,7 +10663,7 @@ index 64ff4d7..92d80ef 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6777,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6796,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -10481,7 +10673,7 @@ index 64ff4d7..92d80ef 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6799,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6818,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -10491,7 +10683,7 @@ index 64ff4d7..92d80ef 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6836,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6855,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -10501,7 +10693,7 @@ index 64ff4d7..92d80ef 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +6875,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +6894,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -10510,7 +10702,7 @@ index 64ff4d7..92d80ef 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +6895,48 @@ interface(`files_search_pids',` +@@ -5981,10 +6914,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -10559,7 +10751,7 @@ index 64ff4d7..92d80ef 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6959,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +6978,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -10585,7 +10777,7 @@ index 64ff4d7..92d80ef 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6021,7 +6992,7 @@ interface(`files_list_pids',` +@@ -6021,7 +7011,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -10594,7 +10786,7 @@ index 64ff4d7..92d80ef 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6040,7 +7011,7 @@ interface(`files_read_generic_pids',` +@@ -6040,7 +7030,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -10603,7 +10795,7 @@ index 64ff4d7..92d80ef 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7031,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7050,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -10612,7 +10804,7 @@ index 64ff4d7..92d80ef 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7093,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7112,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -10620,7 +10812,7 @@ index 64ff4d7..92d80ef 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6164,7 +7134,7 @@ interface(`files_rw_generic_pids',` +@@ -6164,7 +7153,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') @@ -10629,7 +10821,7 @@ index 64ff4d7..92d80ef 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,55 +7201,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,55 +7220,43 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## 
@@ -10692,7 +10884,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -6287,42 +7245,35 @@ interface(`files_delete_all_pids',` +@@ -6287,42 +7264,35 @@ interface(`files_delete_all_pids',` ## ## # @@ -10742,7 +10934,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -6330,18 +7281,18 @@ interface(`files_manage_all_pids',` +@@ -6330,18 +7300,18 @@ interface(`files_manage_all_pids',` ## ## # @@ -10766,7 +10958,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -6349,37 +7300,40 @@ interface(`files_mounton_all_poly_members',` +@@ -6349,37 +7319,40 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -10818,7 +11010,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -6387,18 +7341,17 @@ interface(`files_dontaudit_search_spool',` +@@ -6387,18 +7360,17 @@ interface(`files_dontaudit_search_spool',` ## ## # @@ -10841,7 +11033,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -6406,18 +7359,18 @@ interface(`files_list_spool',` +@@ -6406,18 +7378,18 @@ interface(`files_list_spool',` ## ## # @@ -10865,7 +11057,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -6425,19 +7378,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -6425,19 +7397,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -10890,7 +11082,7 @@ index 64ff4d7..92d80ef 100644 ## ## ## -@@ -6445,29 +7397,296 @@ interface(`files_read_generic_spool',` +@@ -6445,55 +7416,43 @@ interface(`files_read_generic_spool',` ## ## # 
@@ -10921,44 +11113,77 @@ index 64ff4d7..92d80ef 100644 -## -## Type to which the created node will be transitioned. -## +-## +-## +-## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## +## -+# + # +-interface(`files_spool_filetrans',` +interface(`files_delete_all_pids',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute pidfile; + type var_t, var_run_t; -+ ') -+ + ') + + files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) + delete_fifo_files_pattern($1, pidfile, pidfile) + delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. +## Delete all process ID directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -6501,64 +7460,814 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` +interface(`files_delete_all_pid_dirs',` -+ gen_require(` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; + attribute pidfile; + type var_t, var_run_t; -+ ') -+ + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; + files_search_pids($1) + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') -+ + +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +######################################## +## +## Make the specified type a file 
@@ -11194,13 +11419,105 @@ index 64ff4d7..92d80ef 100644 +## +## Type to which the created node will be transitioned. +## - ## - ## - ## -@@ -6562,3 +7781,467 @@ interface(`files_unconfined',` ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_spool_filetrans',` ++ gen_require(` ++ type var_t, var_spool_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Allow access to manage all polyinstantiated ++## directories on the system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_polyinstantiate_all',` ++ gen_require(` ++ attribute polydir, polymember, polyparent; ++ type poly_t; ++ ') ++ ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) + allow $1 polyparent:dir { getattr mounton }; - typeattribute $1 files_unconfined_type; - ') +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 
polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') ++') ++ ++######################################## ++## ++## Unconfined access to files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_unconfined',` ++ gen_require(` ++ attribute files_unconfined_type; ++ ') ++ ++ typeattribute $1 files_unconfined_type; ++') + +######################################## +## @@ -11326,10 +11643,15 @@ index 64ff4d7..92d80ef 100644 + gen_require(` + attribute tmpfsfile; + ') -+ + +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) + allow $1 tmpfsfile:file { read write }; +') -+ + +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +######################################## +## +## Do not audit attempts to read security files @@ -11344,7 +11666,13 @@ index 64ff4d7..92d80ef 100644 + gen_require(` + attribute security_file_type; + ') -+ + +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) + dontaudit $1 security_file_type:file read_file_perms; +') + 
@@ -11366,32 +11694,36 @@ index 64ff4d7..92d80ef 100644 +interface(`files_rw_all_inherited_files',` + gen_require(` + attribute file_type; -+ ') + ') + + allow $1 { file_type $2 }:file rw_inherited_file_perms; + allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; + allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; + allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to files. +## Allow any file point to be the entrypoint of this domain -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`files_unconfined',` +interface(`files_entrypoint_all_files',` -+ gen_require(` + gen_require(` +- attribute files_unconfined_type; + attribute file_type; -+ ') + ') + allow $1 file_type:file entrypoint; +') -+ + +- typeattribute $1 files_unconfined_type; +######################################## +## +## Do not audit attempts to rw inherited file perms @@ -11518,6 +11850,7 @@ index 64ff4d7..92d80ef 100644 +# +interface(`files_filetrans_named_content',` + gen_require(` ++ type etc_t; + type mnt_t; + type usr_t; + type tmp_t; @@ -11540,6 +11873,12 @@ index 64ff4d7..92d80ef 100644 + files_root_filetrans($1, tmp_t, dir, "sandbox") + files_root_filetrans($1, tmp_t, dir, "tmp") + files_root_filetrans($1, var_t, dir, "nsr") ++ files_etc_filetrans($1, etc_t, file, "system-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "postlogin-ac") ++ files_etc_filetrans($1, etc_t, file, "password-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac") ++ files_etc_filetrans($1, etc_t, file, "hwdb.bin") + files_etc_filetrans_etc_runtime($1, file, "runtime") + files_etc_filetrans_etc_runtime($1, dir, "blkid") + files_etc_filetrans_etc_runtime($1, dir, "cmtab") 
@@ -11579,7 +11918,7 @@ index 64ff4d7..92d80ef 100644 + ') + files_type($1) + typeattribute $1 base_file_type; -+') + ') + +######################################## +## @@ -13176,7 +13515,7 @@ index 8416beb..0776923 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..698aaee 100644 +index 9e603f5..e0209df 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); @@ -13236,7 +13575,14 @@ index 9e603f5..698aaee 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -125,6 +139,10 @@ type oprofilefs_t; +@@ -119,12 +133,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) + + type nfsd_fs_t; + fs_type(nfsd_fs_t) ++files_mountpoint(nfsd_fs_t) + genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) + + type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) @@ -13247,7 +13593,7 @@ index 9e603f5..698aaee 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +163,6 @@ fs_type(spufs_t) +@@ -145,11 +164,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -13259,7 +13605,7 @@ index 9e603f5..698aaee 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +180,8 @@ type vxfs_t; +@@ -167,6 +181,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -13268,7 +13614,7 @@ index 9e603f5..698aaee 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +191,8 @@ fs_type(tmpfs_t) +@@ -176,6 +192,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) 
@@ -13277,7 +13623,7 @@ index 9e603f5..698aaee 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +272,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +273,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -13286,7 +13632,7 @@ index 9e603f5..698aaee 100644 files_mountpoint(removable_t) # -@@ -274,6 +293,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +294,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -13921,7 +14267,7 @@ index 649e458..cc924ae 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 6fac350..b5b2f00 100644 +index 6fac350..1470f08 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -14102,7 +14448,18 @@ index 6fac350..b5b2f00 100644 ') optional_policy(` -@@ -334,7 +390,6 @@ optional_policy(` +@@ -312,6 +368,10 @@ optional_policy(` + ') + + optional_policy(` ++ plymouthd_create_log(kernel_t) ++') ++ ++optional_policy(` + # nfs kernel server needs kernel UDP access. It is less risky and painful + # to just give it everything. + allow kernel_t self:tcp_socket create_stream_socket_perms; +@@ -334,7 +394,6 @@ optional_policy(` rpc_manage_nfs_ro_content(kernel_t) rpc_manage_nfs_rw_content(kernel_t) 
@@ -14110,7 +14467,7 @@ index 6fac350..b5b2f00 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +398,7 @@ optional_policy(` +@@ -343,9 +402,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -14121,7 +14478,7 @@ index 6fac350..b5b2f00 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +407,7 @@ optional_policy(` +@@ -354,7 +411,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -14130,7 +14487,7 @@ index 6fac350..b5b2f00 100644 ') ') -@@ -367,6 +420,15 @@ optional_policy(` +@@ -367,6 +424,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -14146,7 +14503,7 @@ index 6fac350..b5b2f00 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +471,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +475,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -16500,7 +16857,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..4cc476f 100644 +index 88d0028..45f4d0a 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,79 @@ policy_module(sysadm, 2.5.1) @@ -16628,7 +16985,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -110,6 +145,10 @@ optional_policy(` +@@ -110,11 +145,17 @@ optional_policy(` ') optional_policy(` 
@@ -16639,7 +16996,14 @@ index 88d0028..4cc476f 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -122,11 +161,19 @@ optional_policy(` + optional_policy(` + clock_run(sysadm_t, sysadm_r) ++ clock_manage_adjtime(sysadm_t) ++ clock_filetrans_named_content(sysadm_t) + ') + + optional_policy(` +@@ -122,11 +163,19 @@ optional_policy(` ') optional_policy(` @@ -16661,7 +17025,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -140,6 +187,10 @@ optional_policy(` +@@ -140,6 +189,10 @@ optional_policy(` ') optional_policy(` @@ -16672,7 +17036,7 @@ index 88d0028..4cc476f 100644 dmesg_exec(sysadm_t) ') -@@ -156,11 +207,11 @@ optional_policy(` +@@ -156,11 +209,11 @@ optional_policy(` ') optional_policy(` @@ -16686,7 +17050,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -179,6 +230,13 @@ optional_policy(` +@@ -179,6 +232,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -16700,7 +17064,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -186,15 +244,20 @@ optional_policy(` +@@ -186,15 +246,20 @@ optional_policy(` ') optional_policy(` @@ -16724,7 +17088,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -214,22 +277,20 @@ optional_policy(` +@@ -214,22 +279,20 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -16753,7 +17117,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -241,14 +302,27 @@ optional_policy(` +@@ -241,14 +304,27 @@ optional_policy(` ') optional_policy(` @@ -16781,7 +17145,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -256,10 +330,20 @@ optional_policy(` +@@ -256,10 +332,20 @@ optional_policy(` ') optional_policy(` 
@@ -16802,7 +17166,7 @@ index 88d0028..4cc476f 100644 portage_run(sysadm_t, sysadm_r) portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) -@@ -270,31 +354,36 @@ optional_policy(` +@@ -270,31 +356,36 @@ optional_policy(` ') optional_policy(` @@ -16846,7 +17210,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -319,12 +408,18 @@ optional_policy(` +@@ -319,12 +410,18 @@ optional_policy(` ') optional_policy(` @@ -16866,7 +17230,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -349,7 +444,18 @@ optional_policy(` +@@ -349,7 +446,18 @@ optional_policy(` ') optional_policy(` @@ -16886,7 +17250,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -360,19 +466,15 @@ optional_policy(` +@@ -360,19 +468,15 @@ optional_policy(` ') optional_policy(` @@ -16908,7 +17272,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -384,10 +486,6 @@ optional_policy(` +@@ -384,10 +488,6 @@ optional_policy(` ') optional_policy(` @@ -16919,7 +17283,7 @@ index 88d0028..4cc476f 100644 usermanage_run_admin_passwd(sysadm_t, sysadm_r) usermanage_run_groupadd(sysadm_t, sysadm_r) usermanage_run_useradd(sysadm_t, sysadm_r) -@@ -395,6 +493,9 @@ optional_policy(` +@@ -395,6 +495,9 @@ optional_policy(` optional_policy(` virt_stream_connect(sysadm_t) @@ -16929,7 +17293,7 @@ index 88d0028..4cc476f 100644 ') optional_policy(` -@@ -402,31 +503,34 @@ optional_policy(` +@@ -402,31 +505,34 @@ optional_policy(` ') optional_policy(` @@ -16970,7 +17334,7 @@ index 88d0028..4cc476f 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,10 +543,6 @@ ifndef(`distro_redhat',` +@@ -439,10 +545,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16981,7 +17345,7 @@ index 88d0028..4cc476f 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +563,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +565,75 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17740,10 +18104,10 @@ index 0000000..cf6582f + 
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..699d0dd +index 0000000..c8f13da --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,336 @@ +@@ -0,0 +1,329 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -17768,13 +18132,6 @@ index 0000000..699d0dd + +## +##

-+## Allow video playing tools to run unconfined -+##

-+##
-+gen_tunable(unconfined_mplayer, false) -+ -+## -+##

+## Allow a user to login as an unconfined domain +##

+##
@@ -20120,7 +20477,7 @@ index 5fc0391..b87b076 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..3be3d00 100644 +index d1f64a0..97140ee 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -20182,7 +20539,7 @@ index d1f64a0..3be3d00 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +76,31 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -20210,6 +20567,7 @@ index d1f64a0..3be3d00 100644 + /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) ++/usr/bin/razor-lightdm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0) +/usr/bin/Xephyr -- gen_context(system_u:object_r:xserver_exec_t,s0) @@ -20220,7 +20578,7 @@ index d1f64a0..3be3d00 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,25 +127,49 @@ ifndef(`distro_debian',` +@@ -92,25 +128,49 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) @@ -23407,7 +23765,7 @@ index 28ad538..ebe81bf 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..5188076 100644 +index 3efd5b6..c7f52c2 100644 
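Review bot: The new `/usr/bin/razor-lightdm-greeter` entry labels the greeter `xdm_exec_t`, the same entry point used for the display managers themselves, so any caller that domain-transitions on it lands in the full display-manager domain. A greeter is normally a helper the display manager spawns to draw the login screen and needs far less access than its parent; if it is meant to run in the display manager's own domain this is fine, otherwise a narrower label would stop the greeter from inheriting display-manager access. A short comment on the line stating which is intended would save the next reader the same question, e.g. `# greeter runs in the display manager domain on purpose`.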
--- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` @@ -23429,11 +23787,12 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -53,10 +59,12 @@ interface(`auth_use_pam',` +@@ -53,10 +59,13 @@ interface(`auth_use_pam',` auth_read_login_records($1) auth_append_login_records($1) auth_rw_lastlog($1) - auth_rw_faillog($1) ++ auth_create_lastlog($1) + auth_manage_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) @@ -23443,7 +23802,7 @@ index 3efd5b6..5188076 100644 logging_send_audit_msgs($1) logging_send_syslog_msg($1) -@@ -78,8 +86,19 @@ interface(`auth_use_pam',` +@@ -78,8 +87,19 @@ interface(`auth_use_pam',` ') optional_policy(` @@ -23463,7 +23822,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -95,48 +114,21 @@ interface(`auth_use_pam',` +@@ -95,48 +115,21 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -23518,7 +23877,7 @@ index 3efd5b6..5188076 100644 mls_file_read_all_levels($1) mls_file_write_all_levels($1) -@@ -146,18 +138,43 @@ interface(`auth_login_pgm_domain',` +@@ -146,18 +139,43 @@ interface(`auth_login_pgm_domain',` mls_fd_share_all_levels($1) auth_use_pam($1) @@ -23570,7 +23929,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -231,6 +248,25 @@ interface(`auth_domtrans_login_program',` +@@ -231,6 +249,25 @@ interface(`auth_domtrans_login_program',` ######################################## ## @@ -23596,7 +23955,7 @@ index 3efd5b6..5188076 100644 ## Execute a login_program in the target domain, ## with a range transition. ## -@@ -395,6 +431,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -395,6 +432,8 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` 
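Review bot: The `auth_create_lastlog($1)` call added to `auth_use_pam` lets every PAM-using domain create `lastlog_t` files in the log directory, where `auth_rw_lastlog` on the line above only covered an existing file. That is presumably so a login program can recreate a missing /var/log/lastlog, but it widens the grant for all PAM users at once; if only login programs need it, calling it from `auth_login_pgm_domain` (which already calls `auth_use_pam`) would keep it narrower. On the positive side the named transition in that interface ensures a recreated file gets `lastlog_t` rather than a generic log label. auth_use_pam's body continues outside this hunk.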
@@ -23605,7 +23964,7 @@ index 3efd5b6..5188076 100644 pcscd_read_pid_files($1) pcscd_stream_connect($1) ') -@@ -402,6 +440,8 @@ interface(`auth_domtrans_chk_passwd',` +@@ -402,6 +441,8 @@ interface(`auth_domtrans_chk_passwd',` optional_policy(` samba_stream_connect_winbind($1) ') @@ -23614,7 +23973,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -448,6 +488,25 @@ interface(`auth_run_chk_passwd',` +@@ -448,6 +489,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -23640,7 +23999,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -467,7 +526,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -467,7 +527,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) @@ -23648,7 +24007,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -664,6 +722,10 @@ interface(`auth_manage_shadow',` +@@ -664,6 +723,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -23659,7 +24018,7 @@ index 3efd5b6..5188076 100644 ') ####################################### -@@ -763,7 +825,50 @@ interface(`auth_rw_faillog',` +@@ -763,7 +826,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) 
@@ -23711,8 +24070,30 @@ index 3efd5b6..5188076 100644 ') ####################################### -@@ -826,7 +931,7 @@ interface(`auth_rw_lastlog',` +@@ -824,9 +930,29 @@ interface(`auth_rw_lastlog',` + allow $1 lastlog_t:file { rw_file_perms lock setattr }; + ') ++####################################### ++## ++## Manage create logins log. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_create_lastlog',` ++ gen_require(` ++ type lastlog_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 lastlog_t:file create; ++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") ++') ++ ######################################## ## -## Execute pam programs in the pam domain. @@ -23720,7 +24101,7 @@ index 3efd5b6..5188076 100644 ## ## ## -@@ -834,12 +939,27 @@ interface(`auth_rw_lastlog',` +@@ -834,12 +960,27 @@ interface(`auth_rw_lastlog',` ## ## # @@ -23751,7 +24132,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -854,15 +974,15 @@ interface(`auth_domtrans_pam',` +@@ -854,15 +995,15 @@ interface(`auth_domtrans_pam',` # interface(`auth_signal_pam',` gen_require(` @@ -23770,7 +24151,7 @@ index 3efd5b6..5188076 100644 ##
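Review bot: The summary of the new `auth_create_lastlog` interface reads `## Manage create logins log.`, which does not say what is granted; suggest `## Create the lastlog file (/var/log/lastlog), labeled lastlog_t via a named file transition.` so it is distinguishable from `auth_rw_lastlog` directly above it. The body grants only `create` on `lastlog_t:file`, so a caller that also writes the file still needs `auth_rw_lastlog`; a one-line comment saying so, `# create only; pair with auth_rw_lastlog to write it`, would stop callers treating this as a manage interface. The interface is self-contained within the hunk.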
## ## -@@ -875,13 +995,33 @@ interface(`auth_signal_pam',` +@@ -875,13 +1016,33 @@ interface(`auth_signal_pam',` ## ## # @@ -23808,7 +24189,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -959,9 +1099,30 @@ interface(`auth_manage_var_auth',` +@@ -959,9 +1120,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -23842,7 +24223,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -1040,6 +1201,10 @@ interface(`auth_manage_pam_pid',` +@@ -1040,6 +1222,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -23853,7 +24234,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -1176,6 +1341,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1176,6 +1362,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -23861,7 +24242,7 @@ index 3efd5b6..5188076 100644 ') ####################################### -@@ -1576,6 +1742,25 @@ interface(`auth_setattr_login_records',` +@@ -1576,6 +1763,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -23887,7 +24268,7 @@ index 3efd5b6..5188076 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1726,24 +1911,7 @@ interface(`auth_manage_login_records',` +@@ -1726,24 +1932,7 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -23913,7 +24294,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -1767,11 +1935,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1956,13 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` 
@@ -23930,7 +24311,7 @@ index 3efd5b6..5188076 100644 ') ######################################## -@@ -1805,3 +1975,219 @@ interface(`auth_unconfined',` +@@ -1805,3 +1996,219 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -24600,6 +24981,51 @@ index c5e05ca..c9ddbee 100644 +/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0) + +diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if +index d475c2d..55305d5 100644 +--- a/policy/modules/system/clock.if ++++ b/policy/modules/system/clock.if +@@ -117,3 +117,40 @@ interface(`clock_rw_adjtime',` + allow $1 adjtime_t:file rw_file_perms; + files_list_etc($1) + ') ++ ++######################################## ++## ++## Manage clock drift adjustments. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clock_manage_adjtime',` ++ gen_require(` ++ type adjtime_t; ++ ') ++ ++ allow $1 adjtime_t:file manage_file_perms; ++ files_list_etc($1) ++') ++ ++######################################## ++## ++## Transition to systemd clock content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`clock_filetrans_named_content',` ++ gen_require(` ++ type adjtime_t; ++ ') ++ ++ files_etc_filetrans($1, adjtime_t, file, "adjtime" ) ++') diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te index 3694bfe..7fcd27a 100644 --- a/policy/modules/system/clock.te @@ -27639,19 +28065,20 @@ index dd3be8d..969bda2 100644 + allow direct_run_init direct_init_entry:file { getattr open read execute }; +') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..626a689 100644 +index 662e79b..93aad6f 100644 --- a/policy/modules/system/ipsec.fc 
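Review bot: The summary of `clock_filetrans_named_content` in the clock.if hunk, `Transition to systemd clock content`, does not describe the rule, which is a named file transition for `adjtime` under /etc with nothing specific to systemd; `## Create adjtime in /etc with the adjtime_t label (named file transition).` would match the body. The call also has a stray space in `"adjtime" )`. `clock_manage_adjtime` grants manage_file_perms on adjtime_t, i.e. create and unlink as well as read/write, so its doc could point callers that only need read/write at the existing `clock_rw_adjtime`.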
+++ b/policy/modules/system/ipsec.fc -@@ -1,6 +1,8 @@ +@@ -1,13 +1,17 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +-/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + - /etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) -@@ -8,6 +10,8 @@ + /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) @@ -27673,11 +28100,80 @@ index 662e79b..626a689 100644 /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) +@@ -39,3 +45,5 @@ + + /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) + /var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0) ++/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) ++/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..3375525 100644 +index 0d4c8d3..a89c4a2 100644 --- a/policy/modules/system/ipsec.if 
+++ b/policy/modules/system/ipsec.if -@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',` +@@ -55,6 +55,62 @@ interface(`ipsec_domtrans_mgmt',` + domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) + ') + ++####################################### ++## ++## Allow to create OBJECT in /etc with ipsec_key_file_t. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_filetrans_key_file',` ++ gen_require(` ++ type ipsec_key_file_t; ++ ') ++ ++ files_etc_filetrans($1, ipsec_key_file_t, file) ++') ++ ++####################################### ++## ++## Allow to manage ipsec key files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_manage_key_file',` ++ gen_require(` ++ type ipsec_key_file_t; ++ ') ++ ++ manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t) ++') ++ ++######################################## ++## ++## Read the ipsec_mgmt_var_run_t files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipsec_mgmt_read_pid',` ++ gen_require(` ++ type ipsec_mgmt_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t) ++') ++ ++ + ######################################## + ## + ## Connect to racoon using a unix domain stream socket. +@@ -120,7 +176,6 @@ interface(`ipsec_exec_mgmt',` ## ## # @@ -27685,7 +28181,7 @@ index 0d4c8d3..3375525 100644 interface(`ipsec_signal_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -139,7 +138,6 @@ interface(`ipsec_signal_mgmt',` +@@ -139,7 +194,6 @@ interface(`ipsec_signal_mgmt',` ##
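Review bot: `ipsec_filetrans_key_file` uses an unnamed `files_etc_filetrans($1, ipsec_key_file_t, file)`, so every regular file the caller creates directly in etc_t, not only the secrets file, is labelled ipsec_key_file_t, and `ipsec_manage_key_file` then gives full manage rights on that label to whatever domain calls it. The ipsec.fc entry in the preceding hunk only covers `/etc/ipsec\.secrets.*`, so a named transition keeps the runtime label in line with the file contexts: `files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")`; if the caller writes under another name, add a second named rule rather than falling back to the unnamed form. The summary still carries the placeholder `OBJECT`; `## Create ipsec.secrets in /etc labelled ipsec_key_file_t.` would do. The two blank lines added before the racoon interface should be one, matching the rest of the file.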
## # @@ -27693,7 +28189,7 @@ index 0d4c8d3..3375525 100644 interface(`ipsec_signull_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -158,7 +156,6 @@ interface(`ipsec_signull_mgmt',` +@@ -158,7 +212,6 @@ interface(`ipsec_signull_mgmt',` ##
## # @@ -27701,7 +28197,7 @@ index 0d4c8d3..3375525 100644 interface(`ipsec_kill_mgmt',` gen_require(` type ipsec_mgmt_t; -@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',` +@@ -167,6 +220,60 @@ interface(`ipsec_kill_mgmt',` allow $1 ipsec_mgmt_t:process sigkill; ') @@ -27762,7 +28258,7 @@ index 0d4c8d3..3375525 100644 ###################################### ## ## Send and receive messages from -@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',` +@@ -225,6 +332,7 @@ interface(`ipsec_match_default_spd',` allow $1 ipsec_spd_t:association polmatch; allow $1 self:association sendto; @@ -27770,7 +28266,7 @@ index 0d4c8d3..3375525 100644 ') ######################################## -@@ -369,3 +421,26 @@ interface(`ipsec_run_setkey',` +@@ -369,3 +477,26 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -29058,7 +29554,7 @@ index c04ac46..e06286c 100644 - nscd_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index b50c5fe..286351e 100644 +index b50c5fe..2faaaf2 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -2,10 +2,13 @@ @@ -29102,7 +29598,7 @@ index b50c5fe..286351e 100644 /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,13 +54,14 @@ ifdef(`distro_suse', ` +@@ -38,13 +54,13 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) 
@@ -29112,13 +29608,13 @@ index b50c5fe..286351e 100644 /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) - /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +-/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) +/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -53,6 +70,7 @@ ifndef(`distro_gentoo',` +@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',` ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) @@ -29126,7 +29622,7 @@ index b50c5fe..286351e 100644 ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh) -@@ -65,11 +83,16 @@ ifdef(`distro_redhat',` +@@ -65,11 +82,16 @@ ifdef(`distro_redhat',` /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) @@ -29145,7 +29641,7 @@ index b50c5fe..286351e 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..23894f4 100644 +index 4e94884..5481f47 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` 
@@ -29518,7 +30014,7 @@ index 4e94884..23894f4 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1323,29 @@ interface(`logging_admin',` +@@ -1085,3 +1323,33 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') @@ -29538,6 +30034,7 @@ index 4e94884..23894f4 100644 + type var_log_t; + type audit_spool_t; + type syslogd_var_run_t; ++ type syslog_conf_t; + ') + + files_pid_filetrans($1, syslogd_var_run_t, dir, "log") @@ -29546,6 +30043,9 @@ index 4e94884..23894f4 100644 + files_spool_filetrans($1, audit_spool_t, dir, "audit") + files_var_filetrans($1, var_log_t, dir, "webmin") + ++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") ++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") ++ + init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te @@ -33326,7 +33826,7 @@ index 1447687..d5e6fb9 100644 seutil_read_config(setrans_t) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc -index 346a7cc..b44bb0c 100644 +index 346a7cc..42a48b6 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -17,16 +17,17 @@ ifdef(`distro_debian',` @@ -33372,11 +33872,12 @@ index 346a7cc..b44bb0c 100644 /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0) # -@@ -72,3 +87,5 @@ ifdef(`distro_redhat',` +@@ -72,3 +87,6 @@ ifdef(`distro_redhat',` ifdef(`distro_gentoo',` /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) ') + ++/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 6944526..ec17624 100644 
@@ -33681,7 +34182,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..50102d0 100644 +index b7686d5..fda9b8a 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -33709,9 +34210,14 @@ index b7686d5..50102d0 100644 type dhcpc_state_t; files_type(dhcpc_state_t) -@@ -37,17 +46,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t) +@@ -36,18 +45,22 @@ type ifconfig_exec_t; + init_system_domain(ifconfig_t, ifconfig_exec_t) role system_r types ifconfig_t; ++type ifconfig_var_run_t; ++files_pid_file(ifconfig_var_run_t) ++files_mountpoint(ifconfig_var_run_t) ++ type net_conf_t alias resolv_conf_t; -files_type(net_conf_t) +files_config_file(net_conf_t) @@ -33730,7 +34236,7 @@ index b7686d5..50102d0 100644 allow dhcpc_t self:fifo_file rw_fifo_file_perms; allow dhcpc_t self:tcp_socket create_stream_socket_perms; -@@ -60,8 +69,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) allow dhcpc_t dhcp_state_t:file read_file_perms; @@ -33742,7 +34248,7 @@ index b7686d5..50102d0 100644 # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) -@@ -70,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) +@@ -70,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir }) # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # in /etc created by dhcpcd will be labelled net_conf_t. 
@@ -33751,7 +34257,7 @@ index b7686d5..50102d0 100644 sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) -@@ -91,14 +105,13 @@ kernel_rw_net_sysctls(dhcpc_t) +@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t) corecmd_exec_bin(dhcpc_t) corecmd_exec_shell(dhcpc_t) @@ -33772,7 +34278,7 @@ index b7686d5..50102d0 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -108,21 +121,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) @@ -33798,7 +34304,7 @@ index b7686d5..50102d0 100644 fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -132,11 +147,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -33815,7 +34321,7 @@ index b7686d5..50102d0 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -156,7 +175,14 @@ ifdef(`distro_ubuntu',` +@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -33831,7 +34337,7 @@ index b7686d5..50102d0 100644 ') optional_policy(` -@@ -174,10 +200,6 @@ optional_policy(` +@@ -174,10 +204,6 @@ optional_policy(` ') optional_policy(` @@ -33842,7 +34348,7 @@ index b7686d5..50102d0 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -190,23 +212,36 @@ optional_policy(` +@@ -190,23 +216,36 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -33879,7 +34385,7 @@ index b7686d5..50102d0 100644 ') optional_policy(` -@@ -216,7 +251,11 @@ optional_policy(` +@@ -216,7 +255,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) 
@@ -33892,7 +34398,7 @@ index b7686d5..50102d0 100644 ') optional_policy(` -@@ -259,6 +298,7 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +302,20 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -33900,12 +34406,34 @@ index b7686d5..50102d0 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -277,11 +317,20 @@ corenet_rw_tun_tap_dev(ifconfig_t) + allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; + allow ifconfig_t self:tcp_socket { create ioctl }; + ++can_exec(ifconfig_t, ifconfig_exec_t) ++ ++manage_files_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) ++create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) ++files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) ++allow ifconfig_t ifconfig_var_run_t:file mounton; ++ + kernel_use_fds(ifconfig_t) + kernel_read_system_state(ifconfig_t) + kernel_read_network_state(ifconfig_t) +@@ -274,14 +325,29 @@ kernel_rw_net_sysctls(ifconfig_t) + + corenet_rw_tun_tap_dev(ifconfig_t) + ++corecmd_exec_bin(ifconfig_t) ++corecmd_exec_shell(ifconfig_t) ++ dev_read_sysfs(ifconfig_t) # for IPSEC setup: dev_read_urand(ifconfig_t) +# needed by tuned +dev_rw_netcontrol(ifconfig_t) ++dev_mounton_sysfs(ifconfig_t) ++dev_mount_sysfs_fs(ifconfig_t) ++dev_unmount_sysfs_fs(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -33921,7 +34449,7 @@ index b7686d5..50102d0 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +343,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +360,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) 
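Review bot: In the `@@ -33900,12 +34406,34 @@` hunk, `files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir })` is unnamed, so every file and directory ifconfig_t creates directly under /var/run takes the new mountpoint-capable label, while the file context added in sysnetwork.fc only covers `/var/run/netns(/.*)?`. A named transition keeps the two in step: `files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, dir, "netns")`; objects created inside that directory are already covered by the `manage_files_pattern` and `create_dirs_pattern` lines. The same hunk adds `corecmd_exec_bin(ifconfig_t)` and `corecmd_exec_shell(ifconfig_t)` next to `can_exec(ifconfig_t, ifconfig_exec_t)`, so commands that ip launches keep running as ifconfig_t together with its new sysfs mount/unmount and pid-file rights; a comment naming the use case (presumably namespace handling via ip) would let the next reviewer judge whether a separate domain is warranted.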
@@ -33949,7 +34477,7 @@ index b7686d5..50102d0 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +367,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +384,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -33972,17 +34500,21 @@ index b7686d5..50102d0 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +393,7 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +410,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` - hal_dontaudit_rw_pipes(ifconfig_t) - hal_dontaudit_rw_dgram_sockets(ifconfig_t) ++ dnsmasq_domtrans(ifconfig_t) ++') ++ ++optional_policy(` + devicekit_dontaudit_read_pid_files(ifconfig_t) ') optional_policy(` -@@ -339,7 +402,11 @@ optional_policy(` +@@ -339,7 +423,11 @@ optional_policy(` ') optional_policy(` @@ -33995,7 +34527,7 @@ index b7686d5..50102d0 100644 ') optional_policy(` -@@ -360,3 +427,9 @@ optional_policy(` +@@ -360,3 +448,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -35256,10 +35788,10 @@ index 0000000..2e5b822 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..3916463 +index 0000000..35c1a7d --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,644 @@ +@@ -0,0 +1,645 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -35824,7 +36356,8 @@ index 0000000..3916463 +') + +optional_policy(` -+ clock_read_adjtime(systemd_timedated_t) ++ clock_manage_adjtime(systemd_timedated_t) ++ clock_filetrans_named_content(systemd_timedated_t) + clock_domtrans(systemd_timedated_t) +') + @@ -37276,7 +37809,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..e27d755 100644 +index 3c5dba7..08ce1e5 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39943,7 +40476,7 @@ index 3c5dba7..e27d755 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4197,1415 @@ interface(`userdom_dbus_send_all_users',` +@@ -3438,4 +4197,1455 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -40308,6 +40841,46 @@ index 3c5dba7..e27d755 100644 + +') + ++###################################### ++## ++## Manage all dirs in the homedir ++## ++## ++## ++## The user domain ++## ++## ++# ++interface(`userdom_manage_all_user_home_type_dirs',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ attribute user_home_type; ++ ') ++ ++ files_list_home($1) ++ manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++') ++ ++###################################### ++## ++## Manage all files in the homedir ++## ++## ++## ++## The user domain ++## ++## ++# ++interface(`userdom_manage_all_user_home_type_files',` ++ gen_require(` ++ type user_home_dir_t, user_home_t; ++ attribute user_home_type; ++ ') ++ ++ files_list_home($1) ++ manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++ manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) ++') + +######################################## +## diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 1038f5b..407bc60 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..94697ea 100644 +index e4f84de..ad5a65f 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,38 @@ +@@ -1,30 +1,39 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) 
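Review bot: Both `userdom_manage_all_user_home_type_dirs` and `userdom_manage_all_user_home_type_files` require `type user_home_dir_t, user_home_t;` but neither body references `user_home_t`; the require should read `type user_home_dir_t;` followed by the attribute line. The parameter text `The user domain` is misleading for interfaces that hand manage rights over every user_home_type to the caller, which will usually be a system domain; `Domain allowed access.` is what the surrounding interfaces use. A short note in each summary that the grant spans the whole user_home_type attribute, not a single user's home, would make the breadth obvious at the call site.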
@@ -20,6 +20,7 @@ index e4f84de..94697ea 100644 + +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) @@ -516,7 +517,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..a19d427 100644 +index cc43d25..ffbe9e5 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -733,7 +734,7 @@ index cc43d25..a19d427 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +174,36 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -746,6 +747,7 @@ index cc43d25..a19d427 100644 files_dontaudit_read_all_symlinks(abrt_t) files_dontaudit_getattr_all_sockets(abrt_t) files_list_mnt(abrt_t) ++fs_list_all(abrt_t) +fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) @@ -773,7 +775,7 @@ index cc43d25..a19d427 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +211,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -790,7 +792,7 @@ index cc43d25..a19d427 100644 ') optional_policy(` -@@ -209,6 +223,12 @@ optional_policy(` +@@ -209,6 +224,12 @@ optional_policy(` ') optional_policy(` @@ -803,7 +805,7 @@ index cc43d25..a19d427 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +240,7 @@ optional_policy(` +@@ -220,6 +241,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') 
@@ -811,7 +813,7 @@ index cc43d25..a19d427 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +251,7 @@ optional_policy(` +@@ -230,6 +252,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -819,7 +821,7 @@ index cc43d25..a19d427 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +262,17 @@ optional_policy(` +@@ -240,9 +263,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -838,7 +840,7 @@ index cc43d25..a19d427 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +283,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +284,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -853,7 +855,7 @@ index cc43d25..a19d427 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +302,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +303,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -861,7 +863,7 @@ index cc43d25..a19d427 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +311,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +312,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -882,7 +884,7 @@ index cc43d25..a19d427 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +332,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +333,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -909,7 +911,7 @@ index cc43d25..a19d427 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +368,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +369,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -923,7 +925,7 @@ index cc43d25..a19d427 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +386,11 @@ optional_policy(` +@@ -330,10 +387,11 @@ optional_policy(` ####################################### # @@ -937,7 +939,7 @@ index cc43d25..a19d427 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,30 +409,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,30 +410,38 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -979,7 +981,7 @@ index cc43d25..a19d427 100644 kernel_read_kernel_sysctls(abrt_dump_oops_t) kernel_read_ring_buffer(abrt_dump_oops_t) -@@ -384,14 +449,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) +@@ -384,14 +450,15 @@ domain_use_interactive_fds(abrt_dump_oops_t) fs_list_inotifyfs(abrt_dump_oops_t) logging_read_generic_logs(abrt_dump_oops_t) 
@@ -997,7 +999,7 @@ index cc43d25..a19d427 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +466,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +467,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) @@ -1878,10 +1880,23 @@ index cda6d20..fbe259e 100644 userdom_manage_unpriv_user_shared_mem(alsa_t) userdom_search_user_home_dirs(alsa_t) diff --git a/amanda.te b/amanda.te -index ed45974..b09436e 100644 +index ed45974..46e2c0d 100644 --- a/amanda.te +++ b/amanda.te -@@ -60,7 +60,7 @@ optional_policy(` +@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles; + roleattribute system_r amanda_recover_roles; + + type amanda_t; ++type amanda_exec_t; + type amanda_inetd_exec_t; + inetd_service_domain(amanda_t, amanda_inetd_exec_t) + +-type amanda_exec_t; +-domain_entry_file(amanda_t, amanda_exec_t) + + type amanda_log_t; + logging_log_file(amanda_log_t) +@@ -60,7 +59,7 @@ optional_policy(` # allow amanda_t self:capability { chown dac_override setuid kill }; @@ -1890,7 +1905,7 @@ index ed45974..b09436e 100644 allow amanda_t self:fifo_file rw_fifo_file_perms; allow amanda_t self:unix_stream_socket { accept listen }; allow amanda_t self:tcp_socket { accept listen }; -@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms; +@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms; manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) @@ -1898,7 +1913,7 @@ index ed45974..b09436e 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,7 +101,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) 
@@ -1906,7 +1921,7 @@ index ed45974..b09436e 100644 corenet_all_recvfrom_netlabel(amanda_t) corenet_tcp_sendrecv_generic_if(amanda_t) corenet_tcp_sendrecv_generic_node(amanda_t) -@@ -170,7 +170,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -1914,7 +1929,7 @@ index ed45974..b09436e 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +194,12 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -2508,10 +2523,10 @@ index 0000000..df5b3be +') diff --git a/antivirus.te b/antivirus.te new file mode 100644 -index 0000000..b334e9a +index 0000000..1a35e88 --- /dev/null +++ b/antivirus.te -@@ -0,0 +1,245 @@ +@@ -0,0 +1,248 @@ +policy_module(antivirus, 1.0.0) + +######################################## @@ -2684,8 +2699,11 @@ index 0000000..b334e9a + +tunable_policy(`antivirus_can_scan_system',` + files_read_non_security_files(antivirus_domain) ++ files_dontaudit_read_all_non_security_files(antivirus_domain) + files_getattr_all_pipes(antivirus_domain) + files_getattr_all_sockets(antivirus_domain) ++ dev_getattr_all_blk_files(antivirus_domain) ++ dev_getattr_all_chr_files(antivirus_domain) +') + +tunable_policy(`antivirus_use_jit',` @@ -4453,10 +4471,10 @@ index 83e899c..c5be77c 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..6893a8e 100644 +index 1a82e29..3a12c26 100644 --- a/apache.te +++ b/apache.te -@@ -1,297 +1,367 @@ +@@ -1,297 +1,360 @@ -policy_module(apache, 2.6.10) +policy_module(apache, 2.4.0) + 
@@ -4885,13 +4903,6 @@ index 1a82e29..6893a8e 100644 +## +gen_tunable(httpd_sys_script_anon_write, false) + -+## -+##

-+## Allow httpd to communicate with oddjob to start up a service -+##

-+##
-+gen_tunable(httpd_use_oddjob, false) -+ attribute httpdcontent; -attribute httpd_htaccess_type; +attribute httpd_user_content_type; @@ -4973,7 +4984,7 @@ index 1a82e29..6893a8e 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +362,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -4986,7 +4997,7 @@ index 1a82e29..6893a8e 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t; +@@ -311,9 +372,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5008,7 +5019,7 @@ index 1a82e29..6893a8e 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +394,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -5028,7 +5039,7 @@ index 1a82e29..6893a8e 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +421,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; 
@@ -5079,7 +5090,7 @@ index 1a82e29..6893a8e 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +463,36 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5121,7 +5132,7 @@ index 1a82e29..6893a8e 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,6 +500,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5130,7 +5141,7 @@ index 1a82e29..6893a8e 100644 allow httpd_t httpd_rotatelogs_t:process signal_perms; manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) +@@ -415,6 +510,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) allow httpd_t httpd_suexec_exec_t:file read_file_perms; @@ -5141,7 +5152,7 @@ index 1a82e29..6893a8e 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +544,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) 
@@ -5369,7 +5380,7 @@ index 1a82e29..6893a8e 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +717,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +710,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') @@ -5429,7 +5440,7 @@ index 1a82e29..6893a8e 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +769,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +762,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5475,18 +5486,18 @@ index 1a82e29..6893a8e 100644 - tunable_policy(`httpd_can_network_connect_zabbix',` - zabbix_tcp_connect(httpd_t) - ') +-') +- +-optional_policy(` +- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` +- spamassassin_domtrans_client(httpd_t) +- ') +tunable_policy(`httpd_use_cifs',` + fs_manage_cifs_dirs(httpd_t) + fs_manage_cifs_files(httpd_t) + fs_manage_cifs_symlinks(httpd_t) ') --optional_policy(` -- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',` -- spamassassin_domtrans_client(httpd_t) -- ') --') -- -tunable_policy(`httpd_graceful_shutdown',` - corenet_sendrecv_http_client_packets(httpd_t) - corenet_tcp_connect_http_port(httpd_t) @@ -5514,7 +5525,7 @@ index 1a82e29..6893a8e 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +810,38 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +803,42 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) 
@@ -5546,35 +5557,38 @@ index 1a82e29..6893a8e 100644 - -tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',` - fs_exec_cifs_files(httpd_t) --') -- ++ userdom_use_inherited_user_terminals(httpd_t) ++ userdom_use_inherited_user_terminals(httpd_suexec_t) + ') + -tunable_policy(`httpd_use_fusefs',` - fs_list_auto_mountpoints(httpd_t) - fs_manage_fusefs_dirs(httpd_t) - fs_manage_fusefs_files(httpd_t) - fs_read_fusefs_symlinks(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_t) -+ userdom_use_inherited_user_terminals(httpd_suexec_t) - ') - --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_t) -') +optional_policy(` + cobbler_list_config(httpd_t) + cobbler_read_config(httpd_t) --tunable_policy(`httpd_use_nfs',` -- fs_list_auto_mountpoints(httpd_t) -- fs_manage_nfs_dirs(httpd_t) -- fs_manage_nfs_files(httpd_t) -- fs_manage_nfs_symlinks(httpd_t) +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_t) +-') + tunable_policy(`httpd_serve_cobbler_files',` + cobbler_manage_lib_files(httpd_t) +',` + cobbler_read_lib_files(httpd_t) + cobbler_search_lib(httpd_t) + ') + +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_t) +- fs_manage_nfs_dirs(httpd_t) +- fs_manage_nfs_files(httpd_t) +- fs_manage_nfs_symlinks(httpd_t) ++ tunable_policy(`httpd_can_network_connect_cobbler',` ++ corenet_tcp_connect_cobbler_port(httpd_t) ++ ') ') -tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` @@ -5588,7 +5602,7 @@ index 1a82e29..6893a8e 100644 ') optional_policy(` -@@ -743,14 +852,6 @@ optional_policy(` +@@ -743,14 +849,6 @@ optional_policy(` ccs_read_config(httpd_t) ') @@ -5603,7 +5617,7 @@ index 1a82e29..6893a8e 100644 optional_policy(` cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +866,23 @@ optional_policy(` +@@ -765,6 +863,23 @@ optional_policy(` ') optional_policy(` 
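Review bot: The new `tunable_policy(`httpd_can_network_connect_cobbler',` block in hunk @@ -5546,35 +5557,38 @@ references a boolean whose `gen_tunable` declaration and description are not part of this hunk, and the tunable-declaration hunk at the top of this chunk only shows `httpd_use_oddjob` being added; please confirm the boolean is declared elsewhere in apache.te, since a `tunable_policy` on an undeclared boolean fails at policy build time. The two `userdom_use_inherited_user_terminals` lines added just above it close a block with `')` whose opening line is outside the hunk, so the nesting of the cobbler `optional_policy(` that follows should be checked against the full file.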
@@ -5627,7 +5641,7 @@ index 1a82e29..6893a8e 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +899,42 @@ optional_policy(` +@@ -781,34 +896,42 @@ optional_policy(` ') optional_policy(` @@ -5681,7 +5695,7 @@ index 1a82e29..6893a8e 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +942,18 @@ optional_policy(` +@@ -816,8 +939,18 @@ optional_policy(` ') optional_policy(` @@ -5700,7 +5714,7 @@ index 1a82e29..6893a8e 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +962,7 @@ optional_policy(` +@@ -826,6 +959,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5708,7 +5722,7 @@ index 1a82e29..6893a8e 100644 ') optional_policy(` -@@ -836,20 +973,38 @@ optional_policy(` +@@ -836,20 +970,38 @@ optional_policy(` ') optional_policy(` @@ -5741,19 +5755,19 @@ index 1a82e29..6893a8e 100644 - ') +optional_policy(` + puppet_read_lib(httpd_t) ++') ++ ++optional_policy(` ++ pwauth_domtrans(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) -+ pwauth_domtrans(httpd_t) -+') -+ -+optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -857,6 +1012,16 @@ optional_policy(` +@@ -857,6 +1009,16 @@ optional_policy(` ') optional_policy(` @@ -5770,7 +5784,7 @@ index 1a82e29..6893a8e 100644 seutil_sigchld_newrole(httpd_t) ') -@@ -865,6 +1030,7 @@ optional_policy(` +@@ -865,6 +1027,7 @@ optional_policy(` ') optional_policy(` @@ -5778,7 +5792,7 @@ index 1a82e29..6893a8e 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -877,65 +1043,166 @@ optional_policy(` +@@ -877,65 +1040,166 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -5844,11 +5858,10 @@ index 1a82e29..6893a8e 100644 -',` - userdom_dontaudit_use_user_terminals(httpd_helper_t) + userdom_use_inherited_user_terminals(httpd_helper_t) - ') - - ######################################## - # --# Suexec local policy ++') ++ ++######################################## ++# +# Apache PHP script local policy +# + @@ -5907,10 +5920,11 @@ index 1a82e29..6893a8e 100644 + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_php_t) + ') -+') -+ -+######################################## -+# + ') + + ######################################## + # +-# Suexec local policy +# Apache suexec local policy # @@ -5967,7 +5981,7 @@ index 1a82e29..6893a8e 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1211,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1208,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6122,7 +6136,7 @@ index 1a82e29..6893a8e 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1295,104 @@ optional_policy(` +@@ -1077,172 +1292,104 @@ optional_policy(` ') ') @@ -6144,11 +6158,11 @@ index 1a82e29..6893a8e 100644 -allow httpd_script_domains self:unix_stream_socket connectto; - -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms; -- --append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) --read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +allow httpd_sys_script_t self:process getsched; +-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t) +- -kernel_dontaudit_search_sysctl(httpd_script_domains) -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains) - 
@@ -6303,12 +6317,12 @@ index 1a82e29..6893a8e 100644 -kernel_read_kernel_sysctls(httpd_sys_script_t) - -fs_search_auto_mountpoints(httpd_sys_script_t) -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -files_read_var_symlinks(httpd_sys_script_t) -files_search_var_lib(httpd_sys_script_t) -files_search_spool(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- -apache_domtrans_rotatelogs(httpd_sys_script_t) - -auth_use_nsswitch(httpd_sys_script_t) @@ -6358,7 +6372,7 @@ index 1a82e29..6893a8e 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1400,70 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1397,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6381,10 +6395,6 @@ index 1a82e29..6893a8e 100644 fs_manage_fusefs_dirs(httpd_sys_script_t) fs_manage_fusefs_files(httpd_sys_script_t) - fs_read_fusefs_symlinks(httpd_sys_script_t) --') -- --tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` -- fs_exec_fusefs_files(httpd_sys_script_t) + fs_manage_fusefs_symlinks(httpd_sys_script_t) + fs_manage_fusefs_dirs(httpd_suexec_t) + fs_manage_fusefs_files(httpd_suexec_t) 
@@ -6392,25 +6402,26 @@ index 1a82e29..6893a8e 100644 + fs_exec_fusefs_files(httpd_suexec_t) ') --tunable_policy(`httpd_use_nfs',` -- fs_list_auto_mountpoints(httpd_sys_script_t) -- fs_manage_nfs_dirs(httpd_sys_script_t) -- fs_manage_nfs_files(httpd_sys_script_t) -- fs_manage_nfs_symlinks(httpd_sys_script_t) +-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',` +- fs_exec_fusefs_files(httpd_sys_script_t) +tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(httpd_sys_script_t) + fs_read_cifs_symlinks(httpd_sys_script_t) ') --tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` -- fs_exec_nfs_files(httpd_sys_script_t) +-tunable_policy(`httpd_use_nfs',` +- fs_list_auto_mountpoints(httpd_sys_script_t) +- fs_manage_nfs_dirs(httpd_sys_script_t) +- fs_manage_nfs_files(httpd_sys_script_t) +- fs_manage_nfs_symlinks(httpd_sys_script_t) +optional_policy(` + clamav_domtrans_clamscan(httpd_sys_script_t) + clamav_domtrans_clamscan(httpd_t) ') - optional_policy(` -- clamav_domtrans_clamscan(httpd_sys_script_t) +-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',` +- fs_exec_nfs_files(httpd_sys_script_t) ++optional_policy(` + mysql_stream_connect(httpd_sys_script_t) + mysql_rw_db_sockets(httpd_sys_script_t) + mysql_read_config(httpd_sys_script_t) @@ -6421,14 +6432,20 @@ index 1a82e29..6893a8e 100644 ') optional_policy(` +- clamav_domtrans_clamscan(httpd_sys_script_t) + postgresql_stream_connect(httpd_sys_script_t) - postgresql_unpriv_client(httpd_sys_script_t) ++ postgresql_unpriv_client(httpd_sys_script_t) + + tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_sys_script_t) + ') ') + optional_policy(` +- postgresql_unpriv_client(httpd_sys_script_t) ++ snmp_read_snmp_var_lib_files(httpd_sys_script_t) + ') + ######################################## # -# Rotatelogs local policy 
@@ -6452,7 +6469,7 @@ index 1a82e29..6893a8e 100644 ######################################## # -@@ -1315,8 +1471,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1472,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6469,7 +6486,7 @@ index 1a82e29..6893a8e 100644 ') ######################################## -@@ -1324,49 +1487,36 @@ optional_policy(` +@@ -1324,49 +1488,36 @@ optional_policy(` # User content local policy # @@ -6533,7 +6550,7 @@ index 1a82e29..6893a8e 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1526,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1527,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -10368,10 +10385,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..7267a85 +index 0000000..ba0a059 --- /dev/null +++ b/chrome.te -@@ -0,0 +1,222 @@ +@@ -0,0 +1,236 @@ +policy_module(chrome,1.0.0) + +######################################## 
@@ -10442,21 +10459,35 @@ index 0000000..7267a85 +corecmd_exec_bin(chrome_sandbox_t) + +corenet_all_recvfrom_netlabel(chrome_sandbox_t) ++corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t) +corenet_tcp_connect_aol_port(chrome_sandbox_t) +corenet_tcp_connect_asterisk_port(chrome_sandbox_t) ++corenet_tcp_connect_commplex_link_port(chrome_sandbox_t) ++corenet_tcp_connect_couchdb_port(chrome_sandbox_t) +corenet_tcp_connect_flash_port(chrome_sandbox_t) -+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t) -+corenet_tcp_connect_rtsp_port(chrome_sandbox_t) -+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) -+corenet_tcp_connect_http_port(chrome_sandbox_t) ++corenet_tcp_connect_ftp_port(chrome_sandbox_t) ++corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t) ++corenet_tcp_connect_generic_port(chrome_sandbox_t) +corenet_tcp_connect_http_cache_port(chrome_sandbox_t) ++corenet_tcp_connect_http_port(chrome_sandbox_t) ++corenet_tcp_connect_ipp_port(chrome_sandbox_t) ++corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t) ++corenet_tcp_connect_jabber_client_port(chrome_sandbox_t) ++corenet_tcp_connect_jboss_management_port(chrome_sandbox_t) ++corenet_tcp_connect_mmcc_port(chrome_sandbox_t) ++corenet_tcp_connect_monopd_port(chrome_sandbox_t) +corenet_tcp_connect_msnp_port(chrome_sandbox_t) ++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t) ++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t) ++corenet_tcp_connect_rtsp_port(chrome_sandbox_t) ++corenet_tcp_connect_soundd_port(chrome_sandbox_t) ++corenet_tcp_connect_speech_port(chrome_sandbox_t) +corenet_tcp_connect_squid_port(chrome_sandbox_t) +corenet_tcp_connect_tor_port(chrome_sandbox_t) ++corenet_tcp_connect_transproxy_port(chrome_sandbox_t) ++corenet_tcp_connect_vnc_port(chrome_sandbox_t) +corenet_tcp_sendrecv_generic_if(chrome_sandbox_t) +corenet_tcp_sendrecv_generic_node(chrome_sandbox_t) -+corenet_tcp_connect_ipp_port(chrome_sandbox_t) -+corenet_tcp_connect_speech_port(chrome_sandbox_t) + 
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t) + @@ -11680,7 +11711,7 @@ index 973d208..2b650a7 100644 /var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) diff --git a/cobbler.if b/cobbler.if -index c223f81..83d5104 100644 +index c223f81..3bcdf6a 100644 --- a/cobbler.if +++ b/cobbler.if @@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',` @@ -11712,15 +11743,24 @@ index c223f81..83d5104 100644 ######################################## ## ## Read cobbler configuration files. -@@ -132,6 +154,7 @@ interface(`cobbler_manage_lib_files',` +@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',` + + files_search_var_lib($1) + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + ') + + ######################################## +@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',` files_search_var_lib($1) manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) + manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) ') ######################################## -@@ -199,7 +222,4 @@ interface(`cobbler_admin',` +@@ -199,7 +224,4 @@ interface(`cobbler_admin',` logging_search_logs($1) admin_pattern($1, cobbler_var_log_t) @@ -16390,7 +16430,7 @@ index 06da9a0..ca832e1 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..52c170f 100644 +index 9f34c2e..c7268a7 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16478,7 +16518,7 @@ index 9f34c2e..52c170f 100644 type ptal_t; type ptal_exec_t; -@@ -97,21 +94,48 @@ ifdef(`enable_mls',` +@@ -97,21 +94,49 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') 
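Review bot: `corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)` and `corenet_tcp_connect_generic_port(chrome_sandbox_t)` in hunk @@ -10442,21 +10459,35 @@ extend the sandbox's outbound reach to the whole ephemeral range and to every port that carries no specific label, which is a different kind of grant from the named service ports added alongside them. If near-unrestricted outbound connect is the intent for the browser sandbox, it deserves a comment above the block (`# sandbox may connect to arbitrary remote ports; needed for <reason>`) or a boolean so an administrator can confine it; otherwise keep only the enumerated ports that denials actually showed.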
@@ -16491,6 +16531,7 @@ index 9f34c2e..52c170f 100644 +allow cups_domain self:process { getsched setsched signal_perms }; +allow cups_domain self:fifo_file rw_fifo_file_perms; +allow cups_domain self:tcp_socket { accept listen }; ++allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms; + +kernel_read_kernel_sysctls(cups_domain) +kernel_read_network_state(cups_domain) @@ -16531,7 +16572,7 @@ index 9f34c2e..52c170f 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,6 +144,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) @@ -16539,7 +16580,7 @@ index 9f34c2e..52c170f 100644 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t) -@@ -139,22 +164,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) @@ -16567,7 +16608,7 @@ index 9f34c2e..52c170f 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +188,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) 
@@ -16579,7 +16620,7 @@ index 9f34c2e..52c170f 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +213,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -16604,7 +16645,7 @@ index 9f34c2e..52c170f 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -206,7 +238,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -16612,7 +16653,7 @@ index 9f34c2e..52c170f 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -16632,7 +16673,7 @@ index 9f34c2e..52c170f 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -16641,7 +16682,7 @@ index 9f34c2e..52c170f 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -16667,7 +16708,7 @@ index 9f34c2e..52c170f 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +308,8 @@ optional_policy(` +@@ -275,6 +309,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) 
@@ -16676,7 +16717,7 @@ index 9f34c2e..52c170f 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +320,10 @@ optional_policy(` +@@ -285,8 +321,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -16687,7 +16728,7 @@ index 9f34c2e..52c170f 100644 ') ') -@@ -299,8 +336,8 @@ optional_policy(` +@@ -299,8 +337,8 @@ optional_policy(` ') optional_policy(` @@ -16697,7 +16738,7 @@ index 9f34c2e..52c170f 100644 ') optional_policy(` -@@ -309,7 +346,6 @@ optional_policy(` +@@ -309,7 +347,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -16705,16 +16746,20 @@ index 9f34c2e..52c170f 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +373,7 @@ optional_policy(` +@@ -337,7 +374,11 @@ optional_policy(` ') optional_policy(` - virt_rw_all_image_chr_files(cupsd_t) + virt_rw_chr_files(cupsd_t) ++') ++ ++optional_policy(` ++ vmware_read_system_config(cupsd_t) ') ######################################## -@@ -345,12 +381,11 @@ optional_policy(` +@@ -345,12 +386,11 @@ optional_policy(` # Configuration daemon local policy # @@ -16730,7 +16775,7 @@ index 9f34c2e..52c170f 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +410,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) 
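Review bot: `vmware_read_system_config(cupsd_t)` in hunk @@ -16705,16 +16746,20 @@ is added in its own `optional_policy(` with no comment, and it is not obvious why the print scheduler reads VMware configuration. A one-line why-comment above the block, e.g. `# cupsd reads vmware config because <reason>; <bug-id placeholder>`, lets a later maintainer remove the rule once the trigger is gone; if it answers a specific denial, record that reference rather than leaving it to be rediscovered.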
@@ -16751,7 +16796,7 @@ index 9f34c2e..52c170f 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +428,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -16772,7 +16817,7 @@ index 9f34c2e..52c170f 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +445,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -16784,7 +16829,7 @@ index 9f34c2e..52c170f 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +472,12 @@ optional_policy(` +@@ -452,9 +477,12 @@ optional_policy(` ') optional_policy(` @@ -16798,7 +16843,7 @@ index 9f34c2e..52c170f 100644 ') optional_policy(` -@@ -490,10 +513,6 @@ optional_policy(` +@@ -490,10 +518,6 @@ optional_policy(` # Lpd local policy # @@ -16809,7 +16854,7 @@ index 9f34c2e..52c170f 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +530,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -16842,7 +16887,7 @@ index 9f34c2e..52c170f 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +556,6 @@ optional_policy(` +@@ -546,7 +561,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; 
@@ -16850,7 +16895,7 @@ index 9f34c2e..52c170f 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +571,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -17002,7 +17047,7 @@ index 9f34c2e..52c170f 100644 ######################################## # -@@ -731,7 +615,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -17010,7 +17055,7 @@ index 9f34c2e..52c170f 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +624,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -17024,7 +17069,7 @@ index 9f34c2e..52c170f 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +636,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -17033,6 +17078,11 @@ index 9f34c2e..52c170f 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) +@@ -769,3 +653,4 @@ optional_policy(` + optional_policy(` + udev_read_db(ptal_t) + ') ++ diff --git a/cvs.if b/cvs.if index 9fa7ffb..fd3262c 100644 --- a/cvs.if @@ -17205,7 +17255,7 @@ index 6508280..a2860e3 100644 domain_system_change_exemption($1) role_transition $2 cyrus_initrc_exec_t system_r; diff --git a/cyrus.te b/cyrus.te -index 395f97c..e157463 100644 +index 395f97c..bf8db3c 100644 --- a/cyrus.te +++ b/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) 
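Review bot: The inner hunk `@@ -769,3 +653,4 @@` added at the end of the cups.te section inserts a single empty line after the final `')`, which leaves cups.te with a trailing blank line at end of file; drop that `++` line. Nothing else in that outer hunk changes policy behaviour.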
@@ -17263,14 +17313,17 @@ index 395f97c..e157463 100644 kerberos_keytab_template(cyrus, cyrus_t) ') -@@ -128,6 +131,7 @@ optional_policy(` +@@ -128,8 +131,8 @@ optional_policy(` ') optional_policy(` +- snmp_read_snmp_var_lib_files(cyrus_t) +- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) + files_dontaudit_write_usr_dirs(cyrus_t) - snmp_read_snmp_var_lib_files(cyrus_t) - snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) ++ snmp_manage_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) + ') + diff --git a/daemontools.if b/daemontools.if index 3b3d9a0..6c8106a 100644 --- a/daemontools.if @@ -19111,7 +19164,7 @@ index d294865..3b4f593 100644 + logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/devicekit.te b/devicekit.te -index ff933af..fc9d3f4 100644 +index ff933af..101bc81 100644 --- a/devicekit.te +++ b/devicekit.te @@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1) @@ -19151,7 +19204,7 @@ index ff933af..fc9d3f4 100644 # -allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio }; + allow devicekit_disk_t self:process { getsched signal_perms }; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; @@ -20617,7 +20670,7 @@ index 19aa0b8..b303b37 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..07bcb8e 100644 +index ba14bcf..869bba7 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) 
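Review bot: `snmp_manage_var_lib_files(cyrus_t)` in hunk @@ -17263,14 +17313,17 @@ replaces upstream's `snmp_read_snmp_var_lib_files` plus an explicit `snmp_dontaudit_write_snmp_var_lib_files`, so writes that were deliberately denied and silenced are now granted, presumably together with create and unlink since this is a manage interface. If cyrus only needs to update an existing file under the snmp var_lib directory, a narrower read/write interface (if the snmp module offers one) would be preferable; either way a comment naming the trigger should sit above the rule, e.g. `# cyrus writes the snmp agent files it registers with; <bug-id placeholder>`.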
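Review bot: The rewritten capability line for devicekit_disk_t in hunk @@ -19151,7 +19204,7 @@ adds `sys_tty_config` to the existing set without a comment. CAP_SYS_TTY_CONFIG (vhangup and tty configuration) is an unusual need for a disk daemon, so the line should carry the reason or the denial it answers, e.g. `# sys_tty_config: <reason>; <bug-id placeholder>`.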
@@ -20641,16 +20694,19 @@ index ba14bcf..07bcb8e 100644 corenet_all_recvfrom_netlabel(dnsmasq_t) corenet_tcp_sendrecv_generic_if(dnsmasq_t) corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -88,8 +93,6 @@ auth_use_nsswitch(dnsmasq_t) +@@ -86,9 +91,9 @@ fs_search_auto_mountpoints(dnsmasq_t) + + auth_use_nsswitch(dnsmasq_t) - logging_send_syslog_msg(dnsmasq_t) +-logging_send_syslog_msg(dnsmasq_t) ++libs_exec_ldconfig(dnsmasq_t) -miscfiles_read_localization(dnsmasq_t) -- ++logging_send_syslog_msg(dnsmasq_t) + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) - -@@ -98,12 +101,21 @@ optional_policy(` +@@ -98,12 +103,21 @@ optional_policy(` ') optional_policy(` @@ -20673,7 +20729,7 @@ index ba14bcf..07bcb8e 100644 ') optional_policy(` -@@ -124,6 +136,7 @@ optional_policy(` +@@ -124,6 +138,13 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -20681,6 +20737,12 @@ index ba14bcf..07bcb8e 100644 virt_read_pid_files(dnsmasq_t) virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) ') ++ ++optional_policy(` ++ quantum_manage_lib_files(dnsmasq_t) ++ quantum_rw_fifo_file(dnsmasq_t) ++ quantum_sigchld(dnsmasq_t) ++') diff --git a/dnssec.fc b/dnssec.fc new file mode 100644 index 0000000..9e231a8 @@ -23351,10 +23413,18 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..7575a9b 100644 +index c81b6e8..fcb022d 100644 --- a/fprintd.te 
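Review bot: `libs_exec_ldconfig(dnsmasq_t)` in hunk @@ -20641,16 +20694,19 @@ has no comment explaining why a DNS/DHCP daemon executes ldconfig, which is an unusual rule for this domain. A why-comment naming the observed denial or the code path that triggers it (`# ldconfig exec observed during <what>; <bug-id placeholder>`) would let a later reviewer decide whether it is still needed. The `quantum_*` block added in hunk @@ -20681,6 +20737,12 @@ depends on the quantum module defining those three interfaces, which this diff does not show, so that should be verified against the module before merging.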
+++ b/fprintd.te -@@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t) +@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) + allow fprintd_t self:capability sys_nice; + allow fprintd_t self:process { getsched setsched signal sigkill }; + allow fprintd_t self:fifo_file rw_fifo_file_perms; ++allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) + manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) +@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) @@ -23369,7 +23439,7 @@ index c81b6e8..7575a9b 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +50,13 @@ optional_policy(` +@@ -54,8 +51,13 @@ optional_policy(` ') ') @@ -23492,7 +23562,7 @@ index d062080..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..5e6cdb8 100644 +index e50f33c..d9dca45 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) @@ -23653,7 +23723,7 @@ index e50f33c..5e6cdb8 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) 
@@ -23666,11 +23736,13 @@ index e50f33c..5e6cdb8 100644 ') tunable_policy(`ftp_home_dir',` -@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',` + allow ftpd_t self:capability { dac_override dac_read_search }; - userdom_manage_user_home_content_dirs(ftpd_t) - userdom_manage_user_home_content_files(ftpd_t) +- userdom_manage_user_home_content_dirs(ftpd_t) +- userdom_manage_user_home_content_files(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file }) ++ userdom_manage_all_user_home_type_dirs(ftpd_t) ++ userdom_manage_all_user_home_type_files(ftpd_t) userdom_manage_user_tmp_dirs(ftpd_t) userdom_manage_user_tmp_files(ftpd_t) - userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) @@ -28097,10 +28169,10 @@ index 3226f52..68b2eb8 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/gpsd.te b/gpsd.te -index 25f09ae..aa94571 100644 +index 25f09ae..3085534 100644 --- a/gpsd.te +++ b/gpsd.te -@@ -28,7 +28,7 @@ files_pid_file(gpsd_var_run_t) +@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t) # allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config }; @@ -28109,7 +28181,12 @@ index 25f09ae..aa94571 100644 allow gpsd_t self:process { setsched signal_perms }; allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket sendto; -@@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t) + allow gpsd_t self:tcp_socket { accept listen }; ++allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) + manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t) +@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t) term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) @@ -32392,7 +32469,7 @@ index d5d1572..82267a7 100644 /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) 
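Review bot: The `ftp_home_dir` block in hunk @@ -23666,11 +23736,13 @@ now calls `userdom_manage_all_user_home_type_dirs(ftpd_t)` and `userdom_manage_all_user_home_type_files(ftpd_t)` where upstream used the `userdom_manage_user_home_content_*` pair. If, as the names suggest, the "all user home type" interfaces cover every type carrying the user-home attribute rather than just generic home content, an FTP session under this boolean can modify files that other modules label specially inside the home directory (for example the types used for SSH or GPG material, if they carry that attribute), which is a much wider grant than the boolean's name implies. Please either keep the narrower interfaces plus targeted rules for the types actually reported in denials, or document the widening in the boolean's description so administrators enabling `ftp_home_dir` know its scope. The enclosing `tunable_policy` closes outside the hunk.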
diff --git a/l2tp.if b/l2tp.if -index 73e2803..562d25b 100644 +index 73e2803..2fc7570 100644 --- a/l2tp.if +++ b/l2tp.if @@ -1,9 +1,45 @@ @@ -32484,7 +32561,7 @@ index 73e2803..562d25b 100644 ## ## ## -@@ -56,14 +110,32 @@ interface(`l2tpd_stream_connect',` +@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',` ') files_search_pids($1) @@ -32516,12 +32593,87 @@ index 73e2803..562d25b 100644 + +######################################## +## ++## Allow send a signal to l2tpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_signal',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:process signal; ++') ++ ++######################################## ++## ++## Allow send signull to l2tpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_signull',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:process signull; ++') ++ ++######################################## ++## ++## Allow send sigkill to l2tpd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_sigkill',` ++ gen_require(` ++ type l2tpd_t; ++ ') ++ ++ allow $1 l2tpd_t:process sigkill; ++') ++ ++######################################## ++## ++## Send and receive messages from ++## l2tpd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`l2tpd_dbus_chat',` ++ gen_require(` ++ type l2tpd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 l2tpd_t:dbus send_msg; ++ allow l2tpd_t $1:dbus send_msg; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an l2tpd environment ## ## ## -@@ -77,22 +149,26 @@ interface(`l2tpd_stream_connect',` +@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',` ## ## # @@ -32554,7 +32706,7 @@ index 73e2803..562d25b 100644 files_search_pids($1) admin_pattern($1, l2tpd_var_run_t) diff --git a/l2tp.te b/l2tp.te -index 19f2b97..23321e4 100644 +index 19f2b97..fbc0e48 100644 --- a/l2tp.te +++ b/l2tp.te 
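Review bot: The summary lines of three of the new interfaces in hunk @@ -32516,12 +32593,87 @@ read `Allow send a signal to l2tpd.`, `Allow send signull to l2tpd.` and `Allow send sigkill to l2tpd.`, which is ungrammatical and does not match the imperative style of the neighbouring summaries (`Send and receive messages from l2tpd over dbus.`). Reword them to `Send a signal to l2tpd.`, `Send a null signal to l2tpd.` and `Send SIGKILL to l2tpd.`; the interface bodies themselves look consistent with the existing ones.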
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t) @@ -32566,7 +32718,16 @@ index 19f2b97..23321e4 100644 allow l2tpd_t self:fifo_file rw_fifo_file_perms; allow l2tpd_t self:netlink_socket create_socket_perms; allow l2tpd_t self:rawip_socket create_socket_perms; -@@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t) +@@ -47,6 +47,8 @@ files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file }) + manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t) + files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file) + ++can_exec(l2tpd_t, l2tpd_exec_t) ++ + corenet_all_recvfrom_unlabeled(l2tpd_t) + corenet_all_recvfrom_netlabel(l2tpd_t) + corenet_raw_sendrecv_generic_if(l2tpd_t) +@@ -75,19 +77,35 @@ corecmd_exec_bin(l2tpd_t) dev_read_urand(l2tpd_t) @@ -32583,6 +32744,22 @@ index 19f2b97..23321e4 100644 sysnet_dns_name_resolve(l2tpd_t) optional_policy(` ++ dbus_system_bus_client(l2tpd_t) ++ dbus_connect_system_bus(l2tpd_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(l2tpd_t) ++ ') ++') ++ ++optional_policy(` ++ ipsec_domtrans_mgmt(l2tpd_t) ++ ipsec_mgmt_read_pid(l2tpd_t) ++ ipsec_filetrans_key_file(l2tpd_t) ++ ipsec_manage_key_file(l2tpd_t) ++') ++ ++optional_policy(` + networkmanager_read_pid_files(l2tpd_t) +') + @@ -33119,7 +33296,7 @@ index dff21a7..b6981c8 100644 init_labeled_script_domtrans($1, lircd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/lircd.te b/lircd.te -index 98b5405..b1d3cdf 100644 +index 98b5405..7d982bb 100644 --- a/lircd.te +++ b/lircd.te @@ -13,7 +13,7 @@ type lircd_initrc_exec_t; 
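Review bot: The new optional block gives l2tpd `ipsec_manage_key_file(l2tpd_t)` and `ipsec_filetrans_key_file(l2tpd_t)`, i.e. create/write/delete over IPsec key material, which is the most sensitive content the ipsec module labels; unless l2tpd itself has to write a pre-shared key (the NetworkManager L2TP helper does generate per-connection IPsec secrets, which may be the motivation), a read interface would be the safer grant. Either narrow it, or put a one-line justification above the block: `# nm-l2tp writes a per-connection IPsec PSK/config before invoking ipsec management`. The same hunk adds `can_exec(l2tpd_t, l2tpd_exec_t)` with no explanation of what re-executes the daemon binary in-domain; a short comment there would help the next reviewer.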
@@ -33131,7 +33308,15 @@ index 98b5405..b1d3cdf 100644 type lircd_var_run_t alias lircd_sock_t; files_pid_file(lircd_var_run_t) -@@ -64,9 +64,8 @@ files_manage_generic_locks(lircd_t) +@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin }; + allow lircd_t self:process signal; + allow lircd_t self:fifo_file rw_fifo_file_perms; + allow lircd_t self:tcp_socket { accept listen }; ++allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms; + + read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) + +@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t) files_read_all_locks(lircd_t) term_use_ptmx(lircd_t) @@ -37440,7 +37625,7 @@ index 6194b80..879f5db 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..8f6c0ba 100644 +index 6a306ee..30005c3 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -37449,7 +37634,7 @@ index 6a306ee..8f6c0ba 100644 ######################################## # -@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4) +@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4) # ## @@ -37473,6 +37658,13 @@ index 6a306ee..8f6c0ba 100644 + +## +##

++## Allow mozilla plugin to support GPS. ++##

++##
++gen_tunable(mozilla_plugin_use_gps, false) ++ ++## ++##

+## Allow confined web browsers to read home directory content +##

+##
@@ -37489,7 +37681,7 @@ index 6a306ee..8f6c0ba 100644 type mozilla_t; type mozilla_exec_t; typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; -@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; +@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; @@ -37499,7 +37691,7 @@ index 6a306ee..8f6c0ba 100644 type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; -@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t) +@@ -31,29 +58,24 @@ userdom_user_home_content(mozilla_home_t) type mozilla_plugin_t; type mozilla_plugin_exec_t; @@ -37534,7 +37726,7 @@ index 6a306ee..8f6c0ba 100644 type mozilla_tmp_t; userdom_user_tmp_file(mozilla_tmp_t) -@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys +@@ -63,10 +85,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t }; userdom_user_tmpfs_file(mozilla_tmpfs_t) @@ -37545,7 +37737,7 @@ index 6a306ee..8f6c0ba 100644 ######################################## # # Local policy -@@ -75,27 +86,30 @@ optional_policy(` +@@ -75,27 +93,30 @@ optional_policy(` allow mozilla_t self:capability { sys_nice setgid setuid }; allow mozilla_t self:process { sigkill signal setsched getsched setrlimit }; allow mozilla_t self:fifo_file rw_fifo_file_perms; 
@@ -37589,7 +37781,7 @@ index 6a306ee..8f6c0ba 100644 manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) -@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) +@@ -103,76 +124,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t) fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file }) @@ -37697,7 +37889,7 @@ index 6a306ee..8f6c0ba 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,56 +195,73 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -37705,15 +37897,15 @@ index 6a306ee..8f6c0ba 100644 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) -userdom_use_user_ptys(mozilla_t) -+userdom_use_inherited_user_ptys(mozilla_t) - +- -userdom_manage_user_tmp_dirs(mozilla_t) -userdom_manage_user_tmp_files(mozilla_t) - -userdom_manage_user_home_content_dirs(mozilla_t) -userdom_manage_user_home_content_files(mozilla_t) -userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file }) -- ++userdom_use_inherited_user_ptys(mozilla_t) + -userdom_write_user_tmp_sockets(mozilla_t) - -mozilla_run_plugin(mozilla_t, mozilla_roles) @@ -37808,7 +38000,7 @@ index 6a306ee..8f6c0ba 100644 ') optional_policy(` -@@ -244,19 +268,12 @@ optional_policy(` +@@ -244,19 +275,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -37830,7 +38022,7 @@ index 6a306ee..8f6c0ba 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +282,32 @@ optional_policy(` +@@ -265,33 +289,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) 
@@ -37843,34 +38035,34 @@ index 6a306ee..8f6c0ba 100644 - gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private") + gnome_manage_config(mozilla_t) + gnome_manage_gconf_home_files(mozilla_t) ++') ++ ++optional_policy(` ++ java_domtrans(mozilla_t) ') optional_policy(` - java_exec(mozilla_t) - java_manage_generic_home_content(mozilla_t) - java_home_filetrans_java_home(mozilla_t, dir, ".java") -+ java_domtrans(mozilla_t) ++ lpd_domtrans_lpr(mozilla_t) ') optional_policy(` - lpd_run_lpr(mozilla_t, mozilla_roles) -+ lpd_domtrans_lpr(mozilla_t) ++ mplayer_domtrans(mozilla_t) ++ mplayer_read_user_home_files(mozilla_t) ') optional_policy(` - mplayer_exec(mozilla_t) - mplayer_manage_generic_home_content(mozilla_t) - mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer") -+ mplayer_domtrans(mozilla_t) -+ mplayer_read_user_home_files(mozilla_t) ++ nscd_socket_use(mozilla_t) ') optional_policy(` - pulseaudio_run(mozilla_t, mozilla_roles) -+ nscd_socket_use(mozilla_t) -+') -+ -+optional_policy(` + #pulseaudio_role(mozilla_roles, mozilla_t) + pulseaudio_exec(mozilla_t) + pulseaudio_stream_connect(mozilla_t) @@ -37878,7 +38070,7 @@ index 6a306ee..8f6c0ba 100644 ') optional_policy(` -@@ -300,221 +316,175 @@ optional_policy(` +@@ -300,221 +323,177 @@ optional_policy(` ######################################## # 
@@ -37960,12 +38152,12 @@ index 6a306ee..8f6c0ba 100644 allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms; +- +-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) +read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) +read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t) --dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) --stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t) -- -can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t }) +can_exec(mozilla_plugin_t, mozilla_exec_t) 
@@ -37986,35 +38178,39 @@ index 6a306ee..8f6c0ba 100644 -corenet_tcp_sendrecv_generic_node(mozilla_plugin_t) - -corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t) ++corenet_tcp_bind_generic_node(mozilla_plugin_t) ++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) +corenet_tcp_connect_aol_port(mozilla_plugin_t) corenet_tcp_connect_asterisk_port(mozilla_plugin_t) -corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t) - -corenet_sendrecv_ftp_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_generic_port(mozilla_plugin_t) ++corenet_tcp_connect_commplex_link_port(mozilla_plugin_t) ++corenet_tcp_connect_couchdb_port(mozilla_plugin_t) +corenet_tcp_connect_flash_port(mozilla_plugin_t) corenet_tcp_connect_ftp_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t) - -corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t) --corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) + corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) -corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t) - -corenet_sendrecv_http_client_packets(mozilla_plugin_t) - corenet_tcp_connect_http_port(mozilla_plugin_t) +-corenet_tcp_connect_http_port(mozilla_plugin_t) -corenet_tcp_sendrecv_http_port(mozilla_plugin_t) - -corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t) ++corenet_tcp_connect_generic_port(mozilla_plugin_t) corenet_tcp_connect_http_cache_port(mozilla_plugin_t) -corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t) - -corenet_sendrecv_ipp_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t) ++corenet_tcp_connect_http_port(mozilla_plugin_t) corenet_tcp_connect_ipp_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t) - -corenet_sendrecv_ircd_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t) corenet_tcp_connect_ircd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t) - 
@@ -38023,20 +38219,23 @@ index 6a306ee..8f6c0ba 100644 -corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t) - -corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t) ++corenet_tcp_connect_jboss_management_port(mozilla_plugin_t) corenet_tcp_connect_mmcc_port(mozilla_plugin_t) -corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t) - -corenet_sendrecv_monopd_client_packets(mozilla_plugin_t) --corenet_tcp_connect_monopd_port(mozilla_plugin_t) + corenet_tcp_connect_monopd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t) - -corenet_sendrecv_soundd_client_packets(mozilla_plugin_t) --corenet_tcp_connect_soundd_port(mozilla_plugin_t) ++corenet_tcp_connect_msnp_port(mozilla_plugin_t) ++corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t) ++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) ++corenet_tcp_connect_rtsp_port(mozilla_plugin_t) + corenet_tcp_connect_soundd_port(mozilla_plugin_t) -corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t) - -corenet_sendrecv_speech_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_msnp_port(mozilla_plugin_t) -+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) corenet_tcp_connect_speech_port(mozilla_plugin_t) -corenet_tcp_sendrecv_speech_port(mozilla_plugin_t) - 
@@ -38045,17 +38244,10 @@ index 6a306ee..8f6c0ba 100644 -corenet_tcp_sendrecv_squid_port(mozilla_plugin_t) - -corenet_sendrecv_vnc_client_packets(mozilla_plugin_t) -+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t) -+corenet_tcp_connect_rtsp_port(mozilla_plugin_t) -+corenet_tcp_connect_soundd_port(mozilla_plugin_t) +corenet_tcp_connect_tor_port(mozilla_plugin_t) ++corenet_tcp_connect_transproxy_port(mozilla_plugin_t) corenet_tcp_connect_vnc_port(mozilla_plugin_t) -corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t) -+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t) -+corenet_tcp_connect_couchdb_port(mozilla_plugin_t) -+corenet_tcp_connect_monopd_port(mozilla_plugin_t) -+corenet_tcp_connect_transproxy_port(mozilla_plugin_t) -+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t) +corenet_tcp_bind_generic_node(mozilla_plugin_t) +corenet_udp_bind_generic_node(mozilla_plugin_t) +corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t) @@ -38196,7 +38388,7 @@ index 6a306ee..8f6c0ba 100644 ') optional_policy(` -@@ -523,36 +493,48 @@ optional_policy(` +@@ -523,36 +502,48 @@ optional_policy(` ') optional_policy(` @@ -38258,7 +38450,7 @@ index 6a306ee..8f6c0ba 100644 ') optional_policy(` -@@ -560,7 +542,7 @@ optional_policy(` +@@ -560,7 +551,7 @@ optional_policy(` ') optional_policy(` @@ -38267,7 +38459,7 @@ index 6a306ee..8f6c0ba 100644 ') optional_policy(` -@@ -568,108 +550,113 @@ optional_policy(` +@@ -568,108 +559,118 @@ optional_policy(` ') optional_policy(` 
@@ -38383,34 +38575,29 @@ index 6a306ee..8f6c0ba 100644 +userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t) -userdom_use_user_ptys(mozilla_plugin_config_t) -- --mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) +domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t) --tunable_policy(`allow_execmem',` -- allow mozilla_plugin_config_t self:process execmem; +-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles) +tunable_policy(`use_ecryptfs_home_dirs',` + fs_read_ecryptfs_files(mozilla_plugin_config_t) ++') + +-tunable_policy(`allow_execmem',` +- allow mozilla_plugin_config_t self:process execmem; ++optional_policy(` ++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) ') -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_config_t self:process { execmem execstack }; +optional_policy(` -+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t) ++ xserver_use_user_fonts(mozilla_plugin_config_t) ') -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(mozilla_plugin_config_t) - fs_manage_nfs_files(mozilla_plugin_config_t) - fs_manage_nfs_symlinks(mozilla_plugin_config_t) -+optional_policy(` -+ xserver_use_user_fonts(mozilla_plugin_config_t) - ') - --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_plugin_config_t) -- fs_manage_cifs_files(mozilla_plugin_config_t) -- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +ifdef(`distro_redhat',` + typealias mozilla_plugin_t alias nsplugin_t; + typealias mozilla_plugin_exec_t alias nsplugin_exec_t; 
@@ -38421,8 +38608,10 @@ index 6a306ee..8f6c0ba 100644 + typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t; ') --optional_policy(` -- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_plugin_config_t) +- fs_manage_cifs_files(mozilla_plugin_config_t) +- fs_manage_cifs_symlinks(mozilla_plugin_config_t) +#tunable_policy(`mozilla_plugin_enable_homedirs',` +# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file }) +#', ` @@ -38436,10 +38625,17 @@ index 6a306ee..8f6c0ba 100644 ') -optional_policy(` -- xserver_use_user_fonts(mozilla_plugin_config_t) +- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) ') + +-optional_policy(` +- xserver_use_user_fonts(mozilla_plugin_config_t) ++tunable_policy(`mozilla_plugin_use_gps',` ++ fs_manage_dos_dirs(mozilla_plugin_t) ++ fs_manage_dos_files(mozilla_plugin_t) + ') diff --git a/mpd.fc b/mpd.fc index 313ce52..6aa46d2 100644 --- a/mpd.fc @@ -42948,7 +43144,7 @@ index a1fb3c3..8fe1d63 100644 +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..2669fe1 100644 +index 0e8508c..0b68b86 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -43195,7 +43391,7 @@ index 0e8508c..2669fe1 100644 ##
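Review bot: `tunable_policy(`mozilla_plugin_use_gps'` grants `fs_manage_dos_dirs(mozilla_plugin_t)` and `fs_manage_dos_files(mozilla_plugin_t)`, which is full create/write/delete on every filesystem labeled as DOS/FAT, not just a GPS unit's storage — on EFI machines that typically includes the mounted EFI system partition, so a compromised browser plugin could tamper with bootloader files whenever this boolean is on. The boolean's description added earlier in this file says only "Allow mozilla plugin to support GPS" and should spell out the real scope; the rule itself deserves a comment such as `# GPS units appear as a vfat mass-storage device; this grants write to ALL dosfs mounts, including /boot/efi`. If the GPS use case can be met with read-only access or a dedicated type, prefer that.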
## ## -@@ -227,33 +292,111 @@ interface(`networkmanager_read_pid_files',` +@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -43325,10 +43521,11 @@ index 0e8508c..2669fe1 100644 + files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") + files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") -+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf") ++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf") ++ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..57fe60f 100644 +index 0b48a30..f3320a3 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -43608,7 +43805,7 @@ index 0b48a30..57fe60f 100644 ') optional_policy(` -@@ -257,11 +279,7 @@ optional_policy(` +@@ -257,11 +279,10 @@ optional_policy(` ') optional_policy(` @@ -43618,10 +43815,13 @@ index 0b48a30..57fe60f 100644 -optional_policy(` - modutils_domtrans_insmod(NetworkManager_t) + l2tpd_domtrans(NetworkManager_t) ++ l2tpd_sigkill(NetworkManager_t) ++ l2tpd_signal(NetworkManager_t) ++ l2tpd_signull(NetworkManager_t) ') optional_policy(` -@@ -274,10 +292,17 @@ optional_policy(` +@@ -274,10 +295,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -43639,7 +43839,7 @@ index 0b48a30..57fe60f 100644 ') optional_policy(` -@@ -289,6 +314,7 @@ optional_policy(` +@@ -289,6 +317,7 @@ optional_policy(` ') optional_policy(` @@ -43647,7 +43847,7 @@ index 0b48a30..57fe60f 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +322,7 @@ optional_policy(` +@@ -296,7 +325,7 @@ optional_policy(` ') optional_policy(` 
@@ -43656,7 +43856,7 @@ index 0b48a30..57fe60f 100644 ') optional_policy(` -@@ -307,6 +333,7 @@ optional_policy(` +@@ -307,6 +336,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -43664,7 +43864,7 @@ index 0b48a30..57fe60f 100644 ') optional_policy(` -@@ -320,13 +347,15 @@ optional_policy(` +@@ -320,13 +350,15 @@ optional_policy(` ') optional_policy(` @@ -43684,7 +43884,7 @@ index 0b48a30..57fe60f 100644 ') optional_policy(` -@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) @@ -47105,35 +47305,16 @@ index 57c0161..54bd4d7 100644 + ps_process_pattern($1, swift_t) ') diff --git a/nut.te b/nut.te -index 0c9deb7..ea0ba5c 100644 +index 0c9deb7..98a02f8 100644 --- a/nut.te +++ b/nut.te -@@ -1,121 +1,108 @@ +@@ -1,4 +1,4 @@ -policy_module(nut, 1.2.4) +policy_module(nut, 1.2.0) ######################################## # - # Declarations - # - --attribute nut_domain; -- - type nut_conf_t; - files_config_file(nut_conf_t) - --type nut_upsd_t, nut_domain; -+type nut_upsd_t; - type nut_upsd_exec_t; - init_daemon_domain(nut_upsd_t, nut_upsd_exec_t) - --type nut_upsmon_t, nut_domain; -+type nut_upsmon_t; - type nut_upsmon_exec_t; - init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t) - --type nut_upsdrvctl_t, nut_domain; -+type nut_upsdrvctl_t; +@@ -22,100 +22,94 @@ type nut_upsdrvctl_t, nut_domain; type nut_upsdrvctl_exec_t; init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t) 
@@ -47143,11 +47324,12 @@ index 0c9deb7..ea0ba5c 100644 type nut_var_run_t; files_pid_file(nut_var_run_t) -init_daemon_run_dir(nut_var_run_t, "nut") -+ + +-######################################## +type nut_unit_file_t; +systemd_unit_file(nut_unit_file_t) - - ######################################## ++ ++####################################### # -# Common nut domain local policy +# Local policy for upsd 
@@ -47161,39 +47343,35 @@ index 0c9deb7..ea0ba5c 100644 -allow nut_domain nut_conf_t:dir list_dir_perms; -allow nut_domain nut_conf_t:file read_file_perms; -allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms; -+allow nut_upsd_t self:capability { setgid setuid dac_override }; -+allow nut_upsd_t self:process signal_perms; - +- -manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t) -manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_domain, nut_var_run_t, { dir file }) -+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; -+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; - +- -kernel_read_kernel_sysctls(nut_domain) -+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; - +- -logging_send_syslog_msg(nut_domain) - -miscfiles_read_localization(nut_domain) -- --######################################## --# ++allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms; + + ######################################## + # -# Upsd local policy --# -- ++# Local policy for upsd + # + -allow nut_upsd_t self:tcp_socket { accept listen }; -+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) ++allow nut_upsd_t self:capability { setgid setuid dac_override }; ++allow nut_upsd_t self:process signal_perms; -+# pid file -+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) - manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) +-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file) -+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) ++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms; -stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t) -+kernel_read_kernel_sysctls(nut_upsd_t) ++allow 
nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto; -corenet_all_recvfrom_unlabeled(nut_upsd_t) -corenet_all_recvfrom_netlabel(nut_upsd_t) @@ -47201,21 +47379,29 @@ index 0c9deb7..ea0ba5c 100644 -corenet_tcp_sendrecv_generic_node(nut_upsd_t) -corenet_tcp_sendrecv_all_ports(nut_upsd_t) -corenet_tcp_bind_generic_node(nut_upsd_t) -- ++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t) + -corenet_sendrecv_ups_server_packets(nut_upsd_t) - corenet_tcp_bind_ups_port(nut_upsd_t) -- +-corenet_tcp_bind_ups_port(nut_upsd_t) ++# pid file ++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) ++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) ++manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t) ++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file }) + -corenet_sendrecv_generic_server_packets(nut_upsd_t) - corenet_tcp_bind_generic_port(nut_upsd_t) -+corenet_tcp_bind_all_nodes(nut_upsd_t) +-corenet_tcp_bind_generic_port(nut_upsd_t) ++kernel_read_kernel_sysctls(nut_upsd_t) -files_read_usr_files(nut_upsd_t) ++corenet_tcp_bind_ups_port(nut_upsd_t) ++corenet_tcp_bind_generic_port(nut_upsd_t) ++corenet_tcp_bind_all_nodes(nut_upsd_t) auth_use_nsswitch(nut_upsd_t) +logging_send_syslog_msg(nut_upsd_t) + -+ ######################################## # -# Upsmon local policy @@ -47231,12 +47417,12 @@ index 0c9deb7..ea0ba5c 100644 +allow nut_upsmon_t self:tcp_socket create_socket_perms; + +read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) - ++ +# pid file +manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) -+ + +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) 
@@ -47276,7 +47462,7 @@ index 0c9deb7..ea0ba5c 100644 mta_send_mail(nut_upsmon_t) optional_policy(` -@@ -124,14 +111,27 @@ optional_policy(` +@@ -124,14 +118,27 @@ optional_policy(` ######################################## # @@ -47290,9 +47476,9 @@ index 0c9deb7..ea0ba5c 100644 +allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms; +allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsdrvctl_t self:udp_socket create_socket_perms; -+ -+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) ++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t) ++ +# pid file +manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) +manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) @@ -47306,7 +47492,7 @@ index 0c9deb7..ea0ba5c 100644 corecmd_exec_bin(nut_upsdrvctl_t) dev_read_sysfs(nut_upsdrvctl_t) -@@ -139,22 +139,34 @@ dev_read_urand(nut_upsdrvctl_t) +@@ -139,22 +146,34 @@ dev_read_urand(nut_upsdrvctl_t) dev_rw_generic_usb_dev(nut_upsdrvctl_t) term_use_unallocated_ttys(nut_upsdrvctl_t) @@ -47594,7 +47780,7 @@ index 8635ea2..eec20b4 100644 + obex_dbus_chat($2) ') diff --git a/obex.te b/obex.te -index cd29ea8..efbf8f8 100644 +index cd29ea8..d01d2c8 100644 --- a/obex.te +++ b/obex.te @@ -1,4 +1,4 @@ @@ -47603,7 +47789,7 @@ index cd29ea8..efbf8f8 100644 ######################################## # -@@ -14,30 +14,25 @@ role obex_roles types obex_t; +@@ -14,30 +14,26 @@ role obex_roles types obex_t; ######################################## # @@ -47613,6 +47799,7 @@ index cd29ea8..efbf8f8 100644 allow obex_t self:fifo_file rw_fifo_file_perms; allow obex_t self:socket create_stream_socket_perms; ++allow obex_t self:netlink_kobject_uevent_socket create_socket_perms; -dev_read_urand(obex_t) +kernel_request_load_module(obex_t) @@ -52758,7 +52945,7 @@ index 735500f..ef1dd7a 100644 -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) 
diff --git a/plymouthd.if b/plymouthd.if -index 30e751f..17c097d 100644 +index 30e751f..3985ff9 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -1,4 +1,4 @@ @@ -52946,7 +53133,7 @@ index 30e751f..17c097d 100644 gen_require(` type plymouthd_var_run_t; ') -@@ -233,36 +228,74 @@ interface(`plymouthd_read_pid_files',` +@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',` ######################################## ## @@ -52977,14 +53164,11 @@ index 30e751f..17c097d 100644 +## to plymouthd log files. +## +## - ## --## Role allowed access. ++## +## Domain allowed access. - ## - ## --## - # --interface(`plymouthd_admin',` ++## ++## ++# +interface(`plymouthd_manage_log',` + gen_require(` + type plymouthd_var_log_t; @@ -52996,17 +53180,39 @@ index 30e751f..17c097d 100644 + read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) +') + ++####################################### ++## ++## Allow domain to create boot.log ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`plymouthd_create_log',` ++ gen_require(` ++ type plymouthd_var_log_t; ++ ') ++ ++ logging_rw_generic_log_dirs($1) ++ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log") ++') ++ +######################################## +## +## All of the rules required to administrate +## an plymouthd environment +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`plymouthd_admin',` +interface(`plymouthd_admin', ` gen_require(` type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; @@ -57005,7 +57211,7 @@ index cd8b8b9..cde0d62 100644 + allow $1 pppd_unit_file_t:service all_service_perms; ') diff --git a/ppp.te b/ppp.te -index b2b5dba..89ded87 100644 +index b2b5dba..49bdf0d 100644 --- a/ppp.te +++ b/ppp.te @@ -1,4 +1,4 @@ 
@@ -57235,7 +57441,13 @@ index b2b5dba..89ded87 100644 optional_policy(` ddclient_run(pppd_t, pppd_roles) -@@ -190,7 +206,7 @@ optional_policy(` +@@ -186,11 +202,13 @@ optional_policy(` + l2tpd_dgram_send(pppd_t) + l2tpd_rw_socket(pppd_t) + l2tpd_stream_connect(pppd_t) ++ l2tpd_read_pid_files(pppd_t) ++ l2tpd_dbus_chat(pppd_t) + ') optional_policy(` tunable_policy(`pppd_can_insmod',` @@ -57244,7 +57456,7 @@ index b2b5dba..89ded87 100644 ') ') -@@ -218,16 +234,19 @@ optional_policy(` +@@ -218,16 +236,19 @@ optional_policy(` ######################################## # @@ -57267,7 +57479,7 @@ index b2b5dba..89ded87 100644 allow pptp_t pppd_etc_t:dir list_dir_perms; allow pptp_t pppd_etc_t:file read_file_perms; -@@ -236,45 +255,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; +@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms; allow pptp_t pppd_etc_rw_t:dir list_dir_perms; allow pptp_t pppd_etc_rw_t:file read_file_perms; allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms; @@ -57324,7 +57536,7 @@ index b2b5dba..89ded87 100644 fs_getattr_all_fs(pptp_t) fs_search_auto_mountpoints(pptp_t) -@@ -282,12 +299,12 @@ term_ioctl_generic_ptys(pptp_t) +@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t) term_search_ptys(pptp_t) term_use_ptmx(pptp_t) @@ -62300,10 +62512,10 @@ index 70ab68b..e97da31 100644 /var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0) diff --git a/quantum.if b/quantum.if -index afc0068..7616aa4 100644 +index afc0068..b25d41e 100644 --- a/quantum.if +++ b/quantum.if -@@ -2,41 +2,217 @@ +@@ -2,41 +2,252 @@ ######################################## ## 
@@ -62466,6 +62678,41 @@ index afc0068..7616aa4 100644 + +######################################## +## ++## Read and write quantum fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`quantum_rw_fifo_file',` ++ gen_require(` ++ type quantum_t; ++ ') ++ ++ allow $1 quantum_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to send sigchld to quantum process. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`quantum_sigchld',` ++ gen_require(` ++ type quantum_t; ++ ') ++ ++ allow $1 quantum_t:process sigchld; ++') ++######################################## ++## +## Execute quantum server in the quantum domain. +## +## @@ -62995,22 +63242,51 @@ index 4b2c272..1aee969 100644 + dbus_system_bus_client(quota_nld_t) + dbus_connect_system_bus(quota_nld_t) ') +diff --git a/rabbitmq.fc b/rabbitmq.fc +index c5ad6de..c67dbef 100644 +--- a/rabbitmq.fc ++++ b/rabbitmq.fc +@@ -4,7 +4,9 @@ + /usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0) + + /var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) ++/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0) + + /var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) ++/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0) + + /var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0) diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..62a5977 100644 +index 3698b51..a68f9f1 100644 --- a/rabbitmq.te 
+++ b/rabbitmq.te -@@ -70,10 +70,6 @@ corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) - - dev_read_sysfs(rabbitmq_beam_t) +@@ -54,6 +54,8 @@ kernel_read_system_state(rabbitmq_beam_t) + corecmd_exec_bin(rabbitmq_beam_t) + corecmd_exec_shell(rabbitmq_beam_t) + ++corenet_tcp_bind_generic_node(rabbitmq_beam_t) ++corenet_udp_bind_generic_node(rabbitmq_beam_t) + corenet_all_recvfrom_unlabeled(rabbitmq_beam_t) + corenet_all_recvfrom_netlabel(rabbitmq_beam_t) + corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t) +@@ -68,11 +70,13 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) + corenet_tcp_connect_epmd_port(rabbitmq_beam_t) + corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) + +-dev_read_sysfs(rabbitmq_beam_t) ++corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) ++corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) -files_read_etc_files(rabbitmq_beam_t) -- ++auth_read_passwd(rabbitmq_beam_t) + -miscfiles_read_localization(rabbitmq_beam_t) -- ++dev_read_sysfs(rabbitmq_beam_t) ++dev_read_urand(rabbitmq_beam_t) + sysnet_dns_name_resolve(rabbitmq_beam_t) - ######################################## -@@ -81,7 +77,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t) +@@ -81,7 +85,6 @@ sysnet_dns_name_resolve(rabbitmq_beam_t) # Epmd local policy # @@ -63018,7 +63294,7 @@ index 3698b51..62a5977 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +94,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +102,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -65925,7 +66201,7 @@ index 56bc01f..895e16e 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..38a33d7 100644 +index 2c2de9a..2bf6984 100644 --- a/rhcs.te +++ b/rhcs.te 
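Review bot: Labeling `/var/lib/ejabberd` and `/var/log/ejabberd` as `rabbitmq_var_lib_t` and `rabbitmq_var_log_t` merges an unrelated XMPP server's state into RabbitMQ's types, so every domain granted access through the rabbitmq interfaces silently gains the same access to ejabberd's database and logs, and nothing in this hunk labels an ejabberd executable — presumably it is expected to run as `rabbitmq_beam_t` because it executes the same Erlang runtime, which the new `corenet_tcp_bind_jabber_client_port` / `corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)` lines suggest. If that sharing is intentional, say so above the entries (`# ejabberd is another BEAM application; it runs in rabbitmq_beam_t and shares its types`), otherwise give ejabberd its own module or at least its own var_lib/log types. The added `auth_read_passwd(rabbitmq_beam_t)` likewise now applies to both services and should be justified in a comment.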
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) @@ -65956,7 +66232,7 @@ index 2c2de9a..38a33d7 100644 attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -50,28 +71,263 @@ rhcs_domain_template(qdiskd) +@@ -50,28 +71,267 @@ rhcs_domain_template(qdiskd) type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) @@ -66000,12 +66276,15 @@ index 2c2de9a..38a33d7 100644 allow cluster_domain self:unix_dgram_socket create_socket_perms; -logging_send_syslog_msg(cluster_domain) -- --miscfiles_read_localization(cluster_domain) +manage_dirs_pattern(cluster_domain, cluster_log, cluster_log) +manage_files_pattern(cluster_domain, cluster_log, cluster_log) +manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log) +-miscfiles_read_localization(cluster_domain) ++tunable_policy(`cluster_use_execmem',` ++ allow cluster_domain self:process execmem; ++') + optional_policy(` ccs_stream_connect(cluster_domain) ') @@ -66225,7 +66504,7 @@ index 2c2de9a..38a33d7 100644 ') ##################################### -@@ -79,7 +335,7 @@ optional_policy(` +@@ -79,7 +339,7 @@ optional_policy(` # dlm_controld local policy # @@ -66234,7 +66513,7 @@ index 2c2de9a..38a33d7 100644 allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -@@ -98,6 +354,16 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -98,6 +358,16 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -66251,7 +66530,7 @@ index 2c2de9a..38a33d7 100644 ####################################### # # fenced local policy -@@ -105,9 +371,13 @@ init_rw_script_tmp_files(dlm_controld_t) +@@ -105,9 +375,13 @@ init_rw_script_tmp_files(dlm_controld_t) allow fenced_t self:capability { sys_rawio sys_resource }; allow fenced_t self:process { getsched signal_perms }; 
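Review bot: The new `tunable_policy(`cluster_use_execmem',` block grants `execmem` to the whole `cluster_domain` attribute, so turning the boolean on relaxes W^X for every cluster daemon rather than only the one that needs it; if a single daemon triggered this (the changelog entry does not say which), scoping the allow to that domain keeps the boolean's blast radius small. The `gen_tunable(cluster_use_execmem, ...)` declaration and its `## <desc>` comment are not in the visible hunks, so I cannot confirm the default or that the description states the W^X trade-off; a line such as `## Allow cluster daemons to map memory as executable (execmem)` at the declaration would document it. The enclosing `cluster_domain` rule block starts before this hunk.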
@@ -66266,7 +66545,7 @@ index 2c2de9a..38a33d7 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +388,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +392,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -66277,7 +66556,7 @@ index 2c2de9a..38a33d7 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +417,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -148,9 +421,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -66288,7 +66567,7 @@ index 2c2de9a..38a33d7 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +427,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +431,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -66297,7 +66576,7 @@ index 2c2de9a..38a33d7 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -190,10 +457,6 @@ optional_policy(` +@@ -190,10 +461,6 @@ optional_policy(` ') optional_policy(` @@ -66308,7 +66587,7 @@ index 2c2de9a..38a33d7 100644 lvm_domtrans(fenced_t) lvm_read_config(fenced_t) ') -@@ -203,6 +466,13 @@ optional_policy(` +@@ -203,6 +470,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') @@ -66322,7 +66601,7 @@ index 2c2de9a..38a33d7 100644 ####################################### # # foghorn local policy -@@ -223,14 +493,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) +@@ -223,14 +497,16 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t) dev_read_urand(foghorn_t) 
@@ -66341,7 +66620,7 @@ index 2c2de9a..38a33d7 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +529,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +533,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -66350,7 +66629,7 @@ index 2c2de9a..38a33d7 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +549,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +553,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -66363,7 +66642,7 @@ index 2c2de9a..38a33d7 100644 ###################################### # # qdiskd local policy -@@ -321,6 +595,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +599,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -79151,7 +79430,7 @@ index 5e1f053..e7820bc 100644 domain_system_change_exemption($1) role_transition $2 squid_initrc_exec_t system_r; diff --git a/squid.te b/squid.te -index 221c560..4966b22 100644 +index 221c560..fcf6da0 100644 --- a/squid.te +++ b/squid.te @@ -29,7 +29,7 @@ type squid_cache_t; @@ -79220,7 +79499,15 @@ index 221c560..4966b22 100644 corenet_all_recvfrom_netlabel(squid_t) corenet_tcp_sendrecv_generic_if(squid_t) corenet_udp_sendrecv_generic_if(squid_t) -@@ -156,7 +159,6 @@ dev_read_urand(squid_t) +@@ -134,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t) + corenet_udp_sendrecv_gopher_port(squid_t) + + corenet_sendrecv_squid_server_packets(squid_t) ++corenet_sendrecv_squid_client_packets(squid_t) + corenet_tcp_bind_squid_port(squid_t) + corenet_udp_bind_squid_port(squid_t) + corenet_tcp_sendrecv_squid_port(squid_t) +@@ -156,7 +160,6 @@ dev_read_urand(squid_t) domain_use_interactive_fds(squid_t) files_read_etc_runtime_files(squid_t) 
@@ -79228,7 +79515,7 @@ index 221c560..4966b22 100644 files_search_spool(squid_t) files_dontaudit_getattr_tmp_dirs(squid_t) files_getattr_home_dir(squid_t) -@@ -178,7 +180,6 @@ libs_exec_lib_files(squid_t) +@@ -178,7 +181,6 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) @@ -79236,7 +79523,7 @@ index 221c560..4966b22 100644 userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) -@@ -200,6 +201,8 @@ tunable_policy(`squid_use_tproxy',` +@@ -200,6 +202,8 @@ tunable_policy(`squid_use_tproxy',` optional_policy(` apache_content_template(squid) @@ -79245,7 +79532,7 @@ index 221c560..4966b22 100644 corenet_all_recvfrom_unlabeled(httpd_squid_script_t) corenet_all_recvfrom_netlabel(httpd_squid_script_t) corenet_tcp_sendrecv_generic_if(httpd_squid_script_t) -@@ -209,18 +212,18 @@ optional_policy(` +@@ -209,18 +213,18 @@ optional_policy(` corenet_tcp_connect_http_cache_port(httpd_squid_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t) @@ -79271,7 +79558,7 @@ index 221c560..4966b22 100644 ') optional_policy(` -@@ -238,3 +241,24 @@ optional_policy(` +@@ -238,3 +242,24 @@ optional_policy(` optional_policy(` udev_read_db(squid_t) ') @@ -85425,10 +85712,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..76e4399 100644 +index c30da4c..f3e9b6d 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,83 @@ +@@ -1,52 +1,85 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -85541,7 +85828,9 @@ index c30da4c..76e4399 100644 +/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++ +/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0) ++/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) + +/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) +/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0) @@ -87230,7 +87519,7 @@ index 9dec06c..7877729 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..b70a2de 100644 +index 1f22fba..4d026c1 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,98 @@ 
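Review bot: `/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?` labels the directory and everything beneath it, including subdirectories and any non-executable file, as `virt_qemu_ga_unconfined_exec_t`; because virt.te uses that type as an entrypoint into a domain that receives `unconfined_domain`, any file that lands in the tree becomes an unconfined entrypoint for the guest agent. Restricting the pattern to regular files, `/usr/libexec/qemu-ga/fsfreeze-hook.d/.* -- gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)`, and leaving the directory itself on `virt_qemu_ga_exec_t` narrows what can carry the label. The preceding `/usr/libexec/qemu-ga(/.*)?` entry also matches this path; file-context resolution should prefer the more specific entry, but a comment such as `# more specific than the qemu-ga(/.*)? entry above; these hook scripts run unconfined` would make the intent explicit.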
@@ -87436,45 +87725,50 @@ index 1f22fba..b70a2de 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -155,290 +165,124 @@ type virt_qmf_exec_t; +@@ -155,290 +165,130 @@ type virt_qmf_exec_t; init_daemon_domain(virt_qmf_t, virt_qmf_exec_t) type virt_bridgehelper_t; -type virt_bridgehelper_exec_t; domain_type(virt_bridgehelper_t) --domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) ++ ++type virt_bridgehelper_exec_t; + domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) -role virt_bridgehelper_roles types virt_bridgehelper_t; ++role system_r types virt_bridgehelper_t; -type virtd_lxc_t; -type virtd_lxc_exec_t; -init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) -+type virt_bridgehelper_exec_t; -+domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t) -+role system_r types virt_bridgehelper_t; - --type virtd_lxc_var_run_t; --files_pid_file(virtd_lxc_var_run_t) +# policy for qemu_ga +type virt_qemu_ga_t; +type virt_qemu_ga_exec_t; +init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t) +-type virtd_lxc_var_run_t; +-files_pid_file(virtd_lxc_var_run_t) ++type virt_qemu_ga_var_run_t; ++files_pid_file(virt_qemu_ga_var_run_t) + -type svirt_lxc_file_t; -files_mountpoint(svirt_lxc_file_t) -fs_noxattr_type(svirt_lxc_file_t) -term_pty(svirt_lxc_file_t) -+type virt_qemu_ga_var_run_t; -+files_pid_file(virt_qemu_ga_var_run_t) - --virt_lxc_domain_template(svirt_lxc_net) +type virt_qemu_ga_log_t; +logging_log_file(virt_qemu_ga_log_t) +-virt_lxc_domain_template(svirt_lxc_net) ++type virt_qemu_ga_tmp_t; ++files_tmp_file(virt_qemu_ga_tmp_t) + -type virsh_t; -type virsh_exec_t; -init_system_domain(virsh_t, virsh_exec_t) -+type virt_qemu_ga_tmp_t; -+files_tmp_file(virt_qemu_ga_tmp_t) ++type virt_qemu_ga_data_t; ++files_type(virt_qemu_ga_data_t) ++ ++type virt_qemu_ga_unconfined_exec_t; ++application_executable_file(virt_qemu_ga_unconfined_exec_t) ######################################## # 
@@ -87686,24 +87980,24 @@ index 1f22fba..b70a2de 100644 -filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") - -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) -- --corenet_udp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) --corenet_udp_bind_generic_node(svirt_t) +# it was a part of auth_use_nsswitch +allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) + corenet_udp_bind_generic_node(svirt_t) +- -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) - corenet_udp_sendrecv_generic_if(svirt_t) +-corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) - corenet_udp_sendrecv_generic_node(svirt_t) +-corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) - corenet_udp_sendrecv_all_ports(svirt_t) +-corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) - corenet_udp_bind_generic_node(svirt_t) +-corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) corenet_udp_bind_all_ports(svirt_t) @@ -87799,7 +88093,7 @@ index 1f22fba..b70a2de 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +292,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +298,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -87845,7 +88139,7 @@ index 1f22fba..b70a2de 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +326,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +332,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) @@ -87855,18 +88149,18 @@ index 1f22fba..b70a2de 100644 - -stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +338,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +344,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) @@ -87874,7 +88168,7 @@ index 1f22fba..b70a2de 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +346,15 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +352,15 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) 
@@ -87901,7 +88195,7 @@ index 1f22fba..b70a2de 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +365,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +371,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -87930,7 +88224,7 @@ index 1f22fba..b70a2de 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +412,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +418,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -87950,20 +88244,20 @@ index 1f22fba..b70a2de 100644 selinux_validate_context(virtd_t) -@@ -613,18 +434,24 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +440,24 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) +sysnet_read_config(virtd_t) -userdom_read_all_users_state(virtd_t) -+systemd_dbus_chat_logind(virtd_t) -+systemd_write_inhibit_pipes(virtd_t) - +- -ifdef(`hide_broken_symptoms',` - dontaudit virtd_t self:capability { sys_module sys_ptrace }; -') -- ++systemd_dbus_chat_logind(virtd_t) ++systemd_write_inhibit_pipes(virtd_t) + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virtd_t) - fs_manage_fusefs_files(virtd_t) @@ -87985,7 +88279,7 @@ index 1f22fba..b70a2de 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +460,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +466,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` 
@@ -87994,24 +88288,17 @@ index 1f22fba..b70a2de 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -653,100 +480,326 @@ optional_policy(` - avahi_dbus_chat(virtd_t) +@@ -658,95 +491,321 @@ optional_policy(` ') -- optional_policy(` -- consolekit_dbus_chat(virtd_t) -- ') -+ optional_policy(` -+ consolekit_dbus_chat(virtd_t) -+ ') -+ -+ optional_policy(` + optional_policy(` +- firewalld_dbus_chat(virtd_t) + hal_dbus_chat(virtd_t) + ') + + optional_policy(` + networkmanager_dbus_chat(virtd_t) -+ ') + ') +') + +optional_policy(` @@ -88193,10 +88480,7 @@ index 1f22fba..b70a2de 100644 +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) - -- optional_policy(` -- firewalld_dbus_chat(virtd_t) -- ') ++ +fs_getattr_xattr_fs(virt_domain) +fs_getattr_tmpfs(virt_domain) +fs_rw_anon_inodefs_files(virt_domain) @@ -88205,27 +88489,27 @@ index 1f22fba..b70a2de 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - -- optional_policy(` -- hal_dbus_chat(virtd_t) -- ') ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) - optional_policy(` -- networkmanager_dbus_chat(virtd_t) +- hal_dbus_chat(virtd_t) - ') +sysnet_read_config(virt_domain) - optional_policy(` -- policykit_dbus_chat(virtd_t) +- networkmanager_dbus_chat(virtd_t) - ') +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) +term_use_ptmx(virt_domain) -+ + +- optional_policy(` +- policykit_dbus_chat(virtd_t) +- ') +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; ') 
@@ -88374,7 +88658,7 @@ index 1f22fba..b70a2de 100644 manage_files_pattern(virsh_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +811,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -758,23 +817,15 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88387,12 +88671,12 @@ index 1f22fba..b70a2de 100644 -dontaudit virsh_t virt_var_lib_t:file read_file_perms; - -allow virsh_t svirt_lxc_domain:process transition; +- +-can_exec(virsh_t, virsh_exec_t) +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) --can_exec(virsh_t, virsh_exec_t) -- -virt_domtrans(virsh_t) -virt_manage_images(virsh_t) -virt_manage_config(virsh_t) @@ -88404,7 +88688,7 @@ index 1f22fba..b70a2de 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +830,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +836,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -88431,7 +88715,7 @@ index 1f22fba..b70a2de 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +850,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +856,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -88463,7 +88747,7 @@ index 1f22fba..b70a2de 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +883,20 @@ optional_policy(` +@@ -847,14 +889,20 @@ optional_policy(` ') optional_policy(` 
@@ -88485,7 +88769,7 @@ index 1f22fba..b70a2de 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +921,44 @@ optional_policy(` +@@ -879,34 +927,44 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -88539,7 +88823,7 @@ index 1f22fba..b70a2de 100644 manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +968,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -916,12 +974,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; @@ -88557,7 +88841,7 @@ index 1f22fba..b70a2de 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +990,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,10 +996,8 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -88568,7 +88852,7 @@ index 1f22fba..b70a2de 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +999,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) +@@ -944,6 +1005,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) @@ -88576,7 +88860,7 @@ index 1f22fba..b70a2de 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1011,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,15 +1017,11 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -88595,7 +88879,7 @@ index 1f22fba..b70a2de 100644 term_use_generic_ptys(virtd_lxc_t) term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1025,36 @@ auth_use_nsswitch(virtd_lxc_t) +@@ -973,21 +1031,36 @@ auth_use_nsswitch(virtd_lxc_t) logging_send_syslog_msg(virtd_lxc_t) @@ -88640,7 +88924,7 @@ index 1f22fba..b70a2de 100644 allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1062,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1068,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; @@ -88667,7 +88951,7 @@ index 1f22fba..b70a2de 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1080,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1086,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -88686,7 +88970,7 @@ index 1f22fba..b70a2de 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1099,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1105,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) 
@@ -88713,7 +88997,7 @@ index 1f22fba..b70a2de 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1124,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1130,92 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) @@ -88732,12 +89016,12 @@ index 1f22fba..b70a2de 100644 + apache_exec_modules(svirt_lxc_domain) + apache_read_sys_content(svirt_lxc_domain) +') -+ + +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` + mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +') - --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) ++ +optional_policy(` + ssh_use_ptys(svirt_lxc_net_t) +') @@ -88852,7 +89136,7 @@ index 1f22fba..b70a2de 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1222,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1228,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -88867,7 +89151,7 @@ index 1f22fba..b70a2de 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1240,8 @@ optional_policy(` +@@ -1183,9 +1246,8 @@ optional_policy(` ######################################## # @@ -88878,7 +89162,7 @@ index 1f22fba..b70a2de 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1254,85 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1260,114 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) 
@@ -88896,6 +89180,7 @@ index 1f22fba..b70a2de 100644 +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; + ++allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms; +can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t) + +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t) @@ -88906,6 +89191,9 @@ index 1f22fba..b70a2de 100644 +manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t) +files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } ) + ++manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) ++manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t) ++ +manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t) +logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, file ) + @@ -88959,6 +89247,31 @@ index 1f22fba..b70a2de 100644 + +####################################### +# ++# qemu-ga unconfined hook script local policy ++# ++ ++optional_policy(` ++ type virt_qemu_ga_unconfined_t; ++ domain_type(virt_qemu_ga_unconfined_t) ++ ++ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) ++ role system_r types virt_qemu_ga_unconfined_t; ++ ++ domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) ++ ++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms; ++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms; ++ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl; ++ ++ init_domtrans_script(virt_qemu_ga_unconfined_t) ++ ++ optional_policy(` ++ unconfined_domain(virt_qemu_ga_unconfined_t) ++ ') ++') ++ ++####################################### ++# +# tye for svirt sockets +# + diff --git a/selinux-policy.spec b/selinux-policy.spec index 27a30bd..24da236 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
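Review bot: The `virt_qemu_ga_unconfined_t` block hands `unconfined_domain` to whatever `virt_qemu_ga_t` executes out of `virt_qemu_ga_unconfined_exec_t`, and since the guest agent acts on requests from the host side this is a host-driven path to an unconfined process in the guest with no boolean guarding it (the `optional_policy` wrappers only check module presence); gating the `domtrans_pattern` and the `unconfined_domain` call behind a tunable — a constructed name would be `virt_qemu_ga_run_unconfined`, defaulting to false and declared with the other virt tunables — would make it an administrator opt-in. Two smaller items in the same hunk: `allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;` applies a file permission set to the dir class, and if the intent is listing the hook directory and reading the scripts, `:dir list_dir_perms` plus `:file read_file_perms` says that directly, with the separate `:file ioctl` line then folded in. The block's header comment could also state the trust boundary, e.g. `# fsfreeze hook scripts run fully unconfined; only trusted, root-owned scripts in fsfreeze-hook.d should carry this label`. The `virt_qemu_ga_unconfined_exec_t` declaration itself is in the earlier hunk near the top of virt.te.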
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 46%{?dist} +Release: 47%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -530,6 +530,64 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed May 29 2013 Miroslav Grepl 3.12.1-47 +- Add transition rules to unconfined domains and to sysadm_t to create /etc/adjtime +- with the proper label. +- Update files_filetrans_named_content() interface to get right labeling for pam.d conf files +- Allow systemd-timedated to create adjtime +- Add clock_create_adjtime() +- Additional fix ifconfing for #966106 +- Allow kernel_t to create boot.log with correct labeling +- Remove unconfined_mplayer for which we don't have rules +- Rename interfaces +- Add userdom_manage_user_home_files/dirs interfaces +- Fix files_dontaudit_read_all_non_security_files +- Fix ipsec_manage_key_file() +- Fix ipsec_filetrans_key_file() +- Label /usr/bin/razor-lightdm-greeter as xdm_exec_t instead of spamc_exec_t +- Fix labeling for ipse.secrets +- Add interfaces for ipsec and labeling for ipsec.info and ipsec_setup.pid +- Add files_dontaudit_read_all_non_security_files() interface +- /var/log/syslog-ng should be labeled var_log_t +- Make ifconfig_var_run_t a mountpoint +- Add transition from ifconfig to dnsmasq +- Allow ifconfig to execute bin_t/shell_exec_t +- We want to have hwdb.bin labeled as etc_t +- update logging_filetrans_named_content() interface +- Allow systemd_timedate_t to manage /etc/adjtime +- Allow NM to send signals to l2tpd +- Update antivirus_can_scan_system boolean +- Allow devicekit_disk_t to sys_config_tty +- Run abrt-harvest programs as abrt_t, and allow abrt_t to list all filesystem directories +- Make printing from vmware working +- Allow php-cgi from php54 collection to access /var/lib/net-snmp/mib_indexes +- Add virt_qemu_ga_data_t for qemu-ga +- Make chrome and mozilla able to connect to same ports, add jboss_management_port_t to both +- Fix typo in virt.te +- Add virt_qemu_ga_unconfined_t for hook scripts +- Make sure NetworkManager files get created with the correct label +- Add mozilla_plugin_use_gps boolean +- Fix cyrus to 
have support for net-snmp +- Additional fixes for dnsmasq and quantum for #966106 +- Add plymouthd_create_log() +- remove httpd_use_oddjob for which we don't have rules +- Add missing rules for httpd_can_network_connect_cobbler +- Add missing cluster_use_execmem boolean +- Call userdom_manage_all_user_home_type_files/dirs +- Additional fix for ftp_home_dir +- Fix ftp_home_dir boolean +- Allow squit to recv/send client squid packet +- Fix nut.te to have nut_domain attribute +- Add support for ejabberd; TODO: revisit jabberd and rabbit policy +- Fix amanda policy +- Add more fixes for domains which use libusb +- Make domains which use libusb working correctly +- Allow l2tpd to create ipsec key files with correct labeling and manage them +- Fix cobbler_manage_lib_files/cobbler_read_lib_files to cover also lnk files +- Allow rabbitmq-beam to bind generic node +- Allow l2tpd to read ipse-mgmt pid files +- more fixes for l2tpd, NM and pppd from #967072 + * Wed May 22 2013 Miroslav Grepl 3.12.1-46 - Dontaudit to getattr on dirs for dovecot-deliver - Allow raiudusd server connect to postgresql socket